Stay organized with collections
Save and categorize content based on your preferences.
An Application Operator can add other Application Operators to the project
through the GDC console and access to project resources.
Before you begin
Permissions are required to set up or remove role bindings. Ask your Project
IAM Admin or Organization IAM Admin to grant you the Project IAM Admin role.
Set up role bindings
Work through the following steps to set up role bindings:
Console
Sign in to the GDC air-gapped appliance console.
For example, the following image signs in to the GDC console for
an organization named org-1:
Click Select project in the menu bar. Select one of the existing
projects you want to set up the role binding in, then click Open. The
selected project displays after your org name in the menu bar. The
following example shows the selected iam-test project:
In the navigation menu, click Identity & Access and Access.
Click Add member.
In the Identity provider dropdown menu, select an identity provider.
After Member type, choose whether you want to add individual users with
User, or groups with Group. The following example shows User
selected:
In the Username or group alias field, enter the username, email address,
or alias.
In the Roles drop-down list, select the role that you want to assign
to the user or group, such as Project Viewer. You can bind the
selected user or group with multiple roles at a time by clicking
Add Another Role.
PROJECT: the name of the project for which
you're setting up the role binding.
USER_ACCOUNT: the user account to which you
want to grant the role. This flag accepts either a user email address
with the identity provider prefix (user:idpprefix-user@example.com) or
a service account name with the service account project
(serviceAccount:projectName:serviceAccountName).
ROLE: the name of the predefined or custom role
you want to assign to the user.
Remove role bindings
When access is no longer required, remove a member and their associated roles,
permissions, and access.
To remove members, work through the following steps:
Console
Sign in to the GDC air-gapped appliance console.
Click Select project in the menu bar. Select one of the existing
projects you want to set up the role binding in, then click Open. The
selected project displays after your org name in the menu bar.
In the navigation menu, click Identity & Access and Access.
In the authorized members list, select a member. You can remove multiple
members at a time by selecting multiple members in the list.
Click Remove All Access to remove all the role bindings associated with
a member from your current project.
PROJECT: the name of the project from which
you're removing the role binding.
USER_ACCOUNT: the user account from which you
want to remove the role. This flag accepts either a user email address
with the identity provider prefix (user:idpprefix-user@example.com)
or a service account name with the service account project
(serviceAccount:projectName:serviceAccountName).
ROLE: the name of the predefined or custom
role you want to remove from the user account.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eApplication Operators can add other Application Operators to a project via the GDC console, granting them access to project resources.\u003c/p\u003e\n"],["\u003cp\u003eSetting up role bindings in the GDC console involves selecting a project, navigating to Identity & Access, adding a member, and assigning them roles.\u003c/p\u003e\n"],["\u003cp\u003eRole bindings can also be set up using the CLI, which requires exporting user credentials, email, role name, project namespace, and then applying a \u003ccode\u003eProjectRoleBinding\u003c/code\u003e or \u003ccode\u003eRoleBinding\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eTo remove role bindings in the GDC console, navigate to the Identity & Access section, select the member, and click "Remove All Access".\u003c/p\u003e\n"],["\u003cp\u003eRemoving role bindings via the CLI involves deleting the corresponding \u003ccode\u003eprojectrolebinding\u003c/code\u003e resource using a kubectl command.\u003c/p\u003e\n"]]],[],null,["# Grant access to project resources\n\nAn Application Operator can add other Application Operators to the project\nthrough the GDC console and access to project resources.\n\nBefore you begin\n----------------\n\nPermissions are required to set up or remove role bindings. Ask your Project\nIAM Admin or Organization IAM Admin to grant you the `Project IAM Admin` role.\n\nSet up role bindings\n--------------------\n\nWork through the following steps to set up role bindings: \n\n### Console\n\n1. Sign in to the GDC air-gapped appliance console. For example, the following image signs in to the GDC console for an organization named `org-1`:\n2. Click **Select project** in the menu bar. Select one of the existing projects you want to set up the role binding in, then click **Open** . The selected project displays after your org name in the menu bar. The following example shows the selected `iam-test` project:\n3. In the navigation menu, click **Identity \\& Access** and **Access**.\n4. Click **Add member** .\n5. In the **Identity provider** dropdown menu, select an identity provider.\n6. After **Member type** , choose whether you want to add individual users with **User** , or groups with **Group** . The following example shows **User** selected:\n7. In the **Username or group alias** field, enter the username, email address, or alias.\n8. In the **Roles** drop-down list, select the role that you want to assign to the user or group, such as **Project Viewer** . You can bind the selected user or group with multiple roles at a time by clicking **Add Another Role** .\n9. Click **Add**.\n\n### gdcloud\n\n1. Ensure you have the\n [gdcloud CLI installed](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-overview#download-and-install).\n\n2. Sign in using the `gdcloud auth login` command to authenticate with your\n identity provider. For more information, see\n [the gdcloud CLI authentication](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-auth#login).\n\n3. Set up role bindings for a project:\n\n gdcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e \\\n --member=\u003cvar translate=\"no\"\u003eUSER_ACCOUNT\u003c/var\u003e \\\n --role= \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e\n\n Replace the following variables:\n - \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e: the name of the project for which you're setting up the role binding.\n - \u003cvar translate=\"no\"\u003eUSER_ACCOUNT\u003c/var\u003e: the user account to which you want to grant the role. This flag accepts either a user email address with the identity provider prefix (`user:idpprefix-user@example.com`) or a service account name with the service account project (`serviceAccount:projectName:serviceAccountName`).\n - \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e: the name of the predefined or custom role you want to assign to the user.\n\nRemove role bindings\n--------------------\n\nWhen access is no longer required, remove a member and their associated roles,\npermissions, and access.\n\nTo remove members, work through the following steps: \n\n### Console\n\n1. Sign in to the GDC air-gapped appliance console.\n2. Click **Select project** in the menu bar. Select one of the existing projects you want to set up the role binding in, then click **Open**. The selected project displays after your org name in the menu bar.\n3. In the navigation menu, click **Identity \\& Access** and **Access**.\n4. In the authorized members list, select a member. You can remove multiple members at a time by selecting multiple members in the list.\n5. Click **Remove All Access** to remove all the role bindings associated with a member from your current project.\n6. When prompted, click **Remove Member** to confirm.\n\n### gdcloud\n\n1. Ensure you have the\n [gdcloud CLI installed](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-overview#download-and-install).\n\n2. Sign in using the `gdcloud auth login` command to authenticate with your\n identity provider. For more information, see\n [the gdcloud CLI authentication](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-auth#login).\n\n3. Remove role bindings for a project:\n\n gdcloud projects remove-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e \\\n --member=\u003cvar translate=\"no\"\u003eUSER_ACCOUNT\u003c/var\u003e \\\n --role= \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e\n\n Replace the following variables:\n - \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e: the name of the project from which you're removing the role binding.\n - \u003cvar translate=\"no\"\u003eUSER_ACCOUNT\u003c/var\u003e: the user account from which you want to remove the role. This flag accepts either a user email address with the identity provider prefix (`user:idpprefix-user@example.com`) or a service account name with the service account project (`serviceAccount:projectName:serviceAccountName`).\n - \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e: the name of the predefined or custom role you want to remove from the user account."]]