Quickstart

Access Approval ensures that Cloud Customer Care and engineering teams require your explicit approval whenever they need to access your customer content. For more information, see Overview of Access Approval.

This page explains how to set up Access Approval using the Google Cloud Console to receive email notifications of access requests on a project.

Before you begin

  1. To be eligible to use Access Approval and Access Transparency, your organization must meet specific support requirements. For more information, see Requirements for using Access Approval.
  2. Enable Access Transparency on the organization that this project belongs to. For more information, see Enabling Access Transparency.
  3. Ensure that you have the Access Approval Config Editor (roles/accessapproval.configEditor) Identity and Access Management (IAM) role. For more information about the IAM roles for Access Approval, see Access Approval roles.

Enroll in Access Approval

To enroll in Access Approval, do the following:

  1. In the Cloud Console, navigate to the project, folder, or organization for which you want to enable Access Approval.

  2. Go to the Access Approval page.

  3. To enroll in Access Approval, click Enroll.

  4. In the dialog box that opens, click Enroll.

Select the services

To choose the services you want to enroll in Access Approval, do the following:

  1. On the Access Approval page in the Cloud Console, click Manage settings.

  2. By default, this setting is inherited from the project's parent resource. If you want to expand this scope, select the option to automatically enable Access Approval for all supported services. If you select this option, you can also use Access Approval for all the services that are supported in the future.

    For the complete list of services that support Access Approval, see Supported services.

Set up email notifications and permissions

This section explains how you can add users who should receive Access Approval requests.

Granting the required IAM roles

The users who you want to be able to approve access requests must have the Access Approval Approver (roles/accessapproval.approver) IAM role. To grant this IAM role, do the following:

  1. Go to the IAM section of the Cloud Console for your project.

  2. Grant the Access Approval Approver (roles/accessapproval.approver) IAM role to whoever you want to be able to provide approvals. For information about granting IAM roles, see Grant a single IAM role.

    You can assign the role to either a service account or a human user. You can assign the IAM role for the project, on the project folder, or for the entire organization.

Add approvers for Access Approval requests

To add approvers for access requests, do the following:

  1. In the Cloud Console, go to the Access Approval page.

  2. Click Manage settings.

  3. Use the panel that appears to add users who should receive notifications on your behalf.

  4. To save the notification settings, click Save.

Review Access Approval requests

To review and approve an Access Approval request, do the following:

  1. To see all your current approval requests, go to the Access Approval page in the Cloud Console.

    To be taken to this page, you can also click the link in the email sent to you with the approval request.

  2. To approve a request, click Approve.

    You can also dismiss the request. Access continues to be denied even if you don't dismiss the request (subject to the bypass mechanisms detailed in the Overview). If you don't approve the Google employee's access request within 14 days, the request is permanently denied.

  3. Once the request is approved, Google personnel with characteristics matching the approval (for example, same justification, location, or desk location) can access within the approved time frame.

View historical Access Approval requests

To view the list of all the approved, dismissed, and expired access requests, do the following:

  1. In the Cloud Console, go to the Access Approval page.

  2. Click History.

    A table appears that includes all requests that are approved, dismissed, or expired.
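
The review steps give a 14-day limit for approving a request, and the history table groups requests as approved, dismissed, or expired. The following added example (not part of the original page and not Google's code) applies those rules to exported request records so that pending requests can be triaged by deadline. The JSON field names (`requestTime`, `approve`, `dismiss`), the sample records, and counting the 14 days from `requestTime` are assumptions.

```python
from datetime import datetime, timedelta, timezone

# From the page: a request not approved within 14 days is permanently denied.
APPROVAL_WINDOW = timedelta(days=14)

# Constructed sample records (not real requests). The field names
# requestTime / approve / dismiss are an assumed export shape.
PREFIX = "projects/000000000000/approvalRequests/"
SAMPLE_REQUESTS = [
    {"name": PREFIX + "req-e", "requestTime": "2024-03-11T09:00:00Z"},
    {"name": PREFIX + "req-a", "requestTime": "2024-03-01T09:00:00Z"},
    {"name": PREFIX + "req-b", "requestTime": "2024-03-10T09:00:00Z",
     "approve": {"approveTime": "2024-03-10T10:00:00Z"}},
    {"name": PREFIX + "req-c", "requestTime": "2024-03-05T09:00:00Z",
     "dismiss": {"dismissTime": "2024-03-05T12:00:00Z"}},
    {"name": PREFIX + "req-d", "requestTime": "2024-02-20T09:00:00Z"},
]


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2024-03-01T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(request, now):
    """Return (state, deadline) for one request record."""
    deadline = parse_ts(request["requestTime"]) + APPROVAL_WINDOW
    if "approve" in request:
        return "approved", deadline
    if "dismiss" in request:
        return "dismissed", deadline
    if now >= deadline:
        return "expired", deadline  # window elapsed with no decision
    return "pending", deadline


def pending_by_urgency(requests, now):
    """Pending requests with the time left to decide, soonest deadline first."""
    rows = []
    for req in requests:
        state, deadline = classify(req, now)
        if state == "pending":
            rows.append((req["name"], deadline - now))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    now = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)
    for name, left in pending_by_urgency(SAMPLE_REQUESTS, now):
        print(f"{name}: {left.days} days left to approve")
```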

Unenroll from Access Approval

If you want to unenroll from Access Approval, do the following:

  1. On the Access Approval page in the Cloud Console, click Manage settings.

  2. Click Unenroll.

  3. In the dialog box that opens, click Unenroll.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  • No additional steps are required to avoid incurring charges to your account.
