Grant and revoke access

Every subject - a user or a group - follows a two-step process to gain access to the org admin cluster, and system and user clusters:

Org admin cluster access: Grant a subject with permissions in the org admin cluster using ClusterRoleBinding or RoleBinding to a predefined ClusterRole.
User cluster access: Create a ProjectRole and ProjectRoleBinding to propagate a Kubernetes Role and RoleBindings to Kubernetes Namespaces in system and user clusters, corresponding to the Project that the ProjectRole and ProjectRoleBinding are in.

Personas (IO, PA, AO) are not roles but are collections of user roles mapped to specific permissions and assigned to individual users.

Set up role bindings

You can set up role bindings that give team members access to resources at the organization or project level.

To get the permissions that you need to set up role bindings, ask your Organization IAM Admin to grant you the Organization IAM Admin role.

To assign a role to an authorized member, follow these steps:

Console

Sign in to the GDC console.
Click Select project to select an organization or project.
- To set up role bindings for an organization, select an organization.
- To set up role bindings for a project, select a project.
In the navigation menu, click Identity and Access > Access.
Click Add member.
In the Identity provider list, select an identity provider.
Choose whether you want to add individual users or groups.
In the Username or group alias field, enter the username, email address, or alias.
In the Role list, select the role that you want to assign to the user or group, such as Organization Viewer at the organization level or Project Creator at the project level.
Click Add.

The member appears in the Authorized member list.

CLI

Export the user credential that you use:

export YOUR_IAM_ADMIN_KUBECONFIG=YOUR_IAM_ADMIN_KUBECONFIG

Export the email account of the user that you want to assign the role, such as idpprefix-paul@example.com:
```
export USER_EMAIL=USER_EMAIL
```
Note: The user email needs to include the identity provider prefix.
Export the name of the role the user needs, such as project-creator. Refer to Role definitions to find the according role.
```
export ROLE_NAME=ROLE_NAME
```

Assign a user to a ClusterRole or a Role:

Assign a user to a ClusterRole:

kubectl create --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} \
clusterrolebinding ${USER_EMAIL}-${ROLE_NAME}-binding \
--clusterrole=${ROLE_NAME} --user=${USER_EMAIL}

For cases when a ClusterRole requires a RoleBinding instead of a ClusterRoleBinding, refer to the Role definitions to find out what binding type the role needs and create a RoleBinding in the namespace gpc-system instead:

kubectl create --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} \
rolebinding ${USER_EMAIL}-${ROLE_NAME}-binding \
--clusterrole=${ROLE_NAME} --user=${USER_EMAIL} --namespace=gpc-system

Assign a user to a Role:

Export the namespace where the binding must be created:
```
export BINDING_NAMESPACE=BINDING_NAMESPACE
```

Run the following commands to create a RoleBinding:

kubectl create --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} \
rolebinding ${USER_EMAIL}-${ROLE_NAME}-binding \
--role=${ROLE_NAME} --user=${USER_EMAIL} --namespace=${BINDING_NAMESPACE}

Remove role bindings

When access is no longer required, remove a member and their associated roles, permissions, and access.

To remove members, work through the following steps:

Console

Sign in to the GDC console.
In the navigation menu, click Identity and Access > Access.
In the Authorized members list, select a member.
Click Remove member.
When prompted, click Remove member to confirm.

CLI

Delete the ClusterRoleBinding to revoke the permission granted to the PA account:

kubectl --kubeconfig ${YOUR_IO_SECURITY_ADMIN_KUBECONFIG} \
delete clusterrolebinding ${PA_EMAIL}-pa

Revoke user access

If a member leaves your organization or team, you can revoke their access to Google Distributed Cloud (GDC) air-gapped. Revoking a user's access logs them out of Distributed Cloud and removes their roles and permissions. You can also list the user's activity and sessions from their start and end time.

To revoke a user's access, do the following:

Get the permissions that you need to revoke users. Ask your Organization IAM Admin to grant you the Org Session Admin (org-session-admin) role.
Revoke the user's access:
```
gdcloud admin auth revoke --accounts USER_EMAIL
```
Replace USER_EMAIL with the email of the user to revoke access.

After running the command, you see output similar to the following. This example revokes access from the user ariel@example.com:
```
Success: NUMBER of sessions revoked for user ariel@example.com
```
In this example, the variable NUMBER refers to the number of active sessions the user had.
Confirm you've revoked the user's access by running the gdcloud admin auth revoke command again. If successful, you see the following:
```
No sessions found for account: ariel@example.com
```

List all revoked users

To view all revoked users and their activity and sessions, do the following:

List all revoked users from their start and end time:

gdcloud admin auth list --format="csv(ACCOUNT, IDENTITY_PROVIDER, CREATION_TIME, EXPIRATION_TIME)"

If successful, you see output similar to the following:

account,identity_provider,creation_time,expiration_time
ariel@example.com,example-idp,2023-02-15 22:10:52,2023-02-15 23:10:52