Before you begin
- To be eligible to use Access Approval and Access Transparency, your organization must meet specific support requirements. See the Requirements section of the Overview for details.
- Enable Access Transparency on the organization that this project belongs to.
- Ensure that you have been granted the Access Approval Config Editor role.
Enrolling in Access Approval
In the Google Cloud Console, navigate to the project, folder, or organization where you want to enable Access Approval.
Select Security and then Access Approval.
Click Enable to enroll in Access Approval.
Select the services you want to enroll in Access Approval. By default, this setting will be inherited from the project's parent resource. If you would like to expand this scope, select the option to automatically enable Access Approval for all services.
In the email notifications settings, add users who should receive access request notifications for this project.
Setting up email notifications and permissions
Select Security and then Access Approval in the Google Cloud Console.
In the top right corner of the panel, click Settings.
Use the panel that appears to add users who should receive notifications on your behalf.
To save the notification settings, click Submit.
These users must have IAM roles with the appropriate permissions to view or approve an Access Approval request. To ensure these users have sufficient permissions, follow these steps:
Go to the IAM section of the Google Cloud Console for your project.
Grant whoever will be performing approvals for the project (either a service account or a human user) the IAM role Access Approval Approver on the project, folder, or organization where that person should hold the role.
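One way to check that every notification recipient can actually view or approve requests, as an added example that is not part of the original page or of Google's tooling. It assumes IAM policies exported as JSON for the project and its parent resources and the predefined role IDs `roles/accessapproval.approver` and `roles/accessapproval.viewer`; the sample policies and addresses are constructed, and group membership and custom roles are not resolved.

```python
import json

# Predefined Access Approval roles that allow viewing or approving requests.
APPROVER_ROLE = "roles/accessapproval.approver"
REVIEW_ROLES = {APPROVER_ROLE, "roles/accessapproval.viewer"}


def members_with_roles(policies, roles):
    """Return the set of IAM members bound to any of `roles` in any policy."""
    found = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if binding.get("role") in roles:
                found.update(m.lower() for m in binding.get("members", []))
    return found


def audit_recipients(recipients, policies):
    """Classify each notification recipient by the access the policies grant.

    `policies` should hold the project policy plus those of its parent folder
    and organization, because the role may be granted at any of those levels.
    """
    approvers = members_with_roles(policies, {APPROVER_ROLE})
    reviewers = members_with_roles(policies, REVIEW_ROLES)
    report = {"can_approve": [], "view_only": [], "no_access": []}
    for email in recipients:
        member = f"user:{email.lower()}"  # IAM member IDs compare case-insensitively here
        if member in approvers:
            report["can_approve"].append(email)
        elif member in reviewers:
            report["view_only"].append(email)
        else:
            report["no_access"].append(email)  # gets the email but cannot act on it
    return report


# Constructed sample data in the JSON shape of an exported IAM policy.
PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/accessapproval.approver", "members": ["user:alice@example.com"]},
  {"role": "roles/storage.objectViewer", "members": ["user:carol@example.com"]}]}""")
ORG_POLICY = json.loads("""{"bindings": [
  {"role": "roles/accessapproval.viewer", "members": ["user:bob@example.com"]}]}""")
RECIPIENTS = ["alice@example.com", "Bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    print(json.dumps(audit_recipients(RECIPIENTS, [PROJECT_POLICY, ORG_POLICY]), indent=2))
```

Recipients reported under `no_access` receive the notification email but cannot open or approve the request, so the request would go unanswered unless someone else acts on it.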
Reviewing Access Approval requests
To review and approve an Access Approval request, follow these steps:
Under Security, go to Access Approval in the Google Cloud Console to see all your current approval requests.
- You can also click the link in the email sent to you with the approval request to be taken to this page.
To approve a request, press the Approve button. You also have the option to dismiss the request. Note that access continues to be denied even if you do not dismiss the request (subject to the bypass mechanisms detailed in the Overview). If you do not approve the access within 14 days, requests are automatically dismissed.
Once the request is approved, Google personnel with characteristics matching the approval (for example, same justification, same location, desk location) can perform the access within the approved time frame.
If the request is not approved, the Google employee's request is permanently denied.
Viewing historical Access Approval requests
In the Google Cloud Console, select Security and then Access Approval.
At the top of the Access Approval page, click the History tab.
A table appears that includes all requests that are approved, dismissed, or expired.
Unenrolling from Access Approval
In the Google Cloud Console, go to Security and then Access Approval.
Click Manage Settings and then click Unenroll.
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
- No additional steps are required to avoid incurring charges to your account.
- Learn about Approving Access Approval requests.