Access control

Premium Support lets you configure access control to Cloud Support for organizations using Cloud Identity and Access Management (Cloud IAM).

To get Premium Support for your organization, contact your Google Cloud Sales representative or request one.

Prerequisites

  • You must subscribe to a Premium Support plan.
  • You must have a Google Cloud organization and access to the organization.
  • You must have the Organization Administrator role (roles/resourcemanager.organizationAdmin) for your Google Cloud organization.

What is Cloud IAM

Google Cloud offers Cloud Identity and Access Management (Cloud IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. Cloud IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

Cloud IAM lets you control who (identity) has what access (roles) to which resource by setting Cloud IAM policies. Cloud IAM policies grant specific role(s) to a project member, giving the identity certain permissions. For example, for a given resource, such as a project, you can assign the Tech Support Viewer role (roles/cloudsupport.techSupportViewer) to a Google Account and that account can view support cases in the project, but cannot manage support cases.

Access considerations

When granting roles to users, keep in mind the following access considerations.

Support center access

For customers that have migrated to Premium Support from Silver, Gold, or Platinum Support plans, support cases are no longer accessible through the Google Cloud Support Center (GCSC). Once Premium Support is enabled, the migrated cases will only be accessible in the Google Cloud Console Support page.

Support Cloud IAM roles

With Cloud IAM, every Premium Support plan user must have the appropriate permissions to view and manage cases and users. Users gain these permissions when you add them to a Cloud IAM role, a group that belongs to a role, or a domain assigned to a role.

The following table lists the Cloud IAM roles available to Cloud Support users, the permissions each role grants, and the lowest level of the resource hierarchy at which you can grant the role.

Role: roles/cloudsupport.admin
  Title: Support Account Administrator
  Description: Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information.
  Permissions: cloudsupport.*
  Lowest resource: Organization

Role: roles/cloudsupport.viewer
  Title: Support Account Viewer
  Description: Read-only access to details of a support account. This does not allow viewing cases.
  Permissions: cloudsupport.accounts.get, cloudsupport.accounts.getUserRoles, cloudsupport.accounts.list
  Lowest resource: Organization

To add a user, group, or domain to a role, see adding users to Cloud Support Cloud IAM roles.

Support Account Administrator

Users with the Support Account Administrator role (roles/cloudsupport.admin) can manage the purchased support plan and how it is billed.

This role can only be granted at the organization level.

Support Account Viewer

Users with the Support Account Viewer role (roles/cloudsupport.viewer) can view support account information. They cannot view or edit support cases; to do so, they must also be granted the Tech Support Viewer or Tech Support Editor role.

This role can only be granted at the organization level.

Tech Support Editor

The Tech Support Editor role (roles/cloudsupport.techSupportEditor) can view, edit, and escalate support cases.

This role can be granted at the organization, folder, and project levels. For example, you can grant the Tech Support Editor role to a Google group on a specific project, which enables members of that group to view, create, update, escalate, and close support cases for that project.

You can also grant this role at multiple levels of the resource hierarchy to establish different permissions for nested resources. For example, if you have the Tech Support Viewer role for the organization and Tech Support Editor role on a project, you can view support cases across the organization, but only edit cases for the project.
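The following is an added example, not code from the Cloud Support documentation. It models how Cloud IAM bindings inherit down the resource hierarchy, so the case above (Tech Support Viewer on the organization, Tech Support Editor on one project) can be computed for each resource, and it checks the table's rule that the two account roles may only be bound at the organization. The resource names, the group, and the permission strings for the Tech Support roles are constructed placeholders; only the role IDs come from the page.

```python
# Added example, not from the Cloud Support documentation; names and the
# Tech Support permission strings are constructed placeholders.

# Resource hierarchy: child -> parent (constructed sample).
PARENT = {
    "organizations/123456789012": None,
    "folders/111": "organizations/123456789012",
    "projects/support-demo": "folders/111",
    "projects/other-demo": "organizations/123456789012",
}

# Placeholder permission names; the page lists none for these roles.
ROLE_PERMISSIONS = {
    "roles/cloudsupport.techSupportViewer": {"cases.view"},
    "roles/cloudsupport.techSupportEditor": {"cases.view", "cases.edit", "cases.escalate"},
}

# Roles the page's table allows only at the organization level.
ORGANIZATION_ONLY = {"roles/cloudsupport.admin", "roles/cloudsupport.viewer"}

def ancestry(resource):
    """Yield the resource, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]

def binding_allowed(resource, role):
    """Reject account-level roles bound anywhere below the organization."""
    return role not in ORGANIZATION_ONLY or resource.startswith("organizations/")

def effective_permissions(policies, resource, member):
    """Union the permissions of every role bound to `member` on the resource
    or on any ancestor, since IAM policies are inherited down the hierarchy."""
    perms = set()
    for node in ancestry(resource):
        for role, bound_member in policies.get(node, []):
            if bound_member == member:
                perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

# Constructed sample: viewer on the organization, editor on one project.
GROUP = "group:support-team@example.com"
POLICIES = {
    "organizations/123456789012": [("roles/cloudsupport.techSupportViewer", GROUP)],
    "projects/support-demo": [("roles/cloudsupport.techSupportEditor", GROUP)],
}

if __name__ == "__main__":
    for res in ("projects/support-demo", "projects/other-demo"):
        print(res, sorted(effective_permissions(POLICIES, res, GROUP)))
```

Running it shows the group can edit cases only in projects/support-demo while it can view cases in every resource under the organization.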

Tech Support Viewer

The Tech Support Viewer role (roles/cloudsupport.techSupportViewer) can view support cases and account information.

This role can be set at the organization, project, and folder levels. For example, you can grant the Tech Support Viewer role to a Google group on a specific folder within a project, which enables members of that group to view the support cases in the folder.

Adding users to Support Cloud IAM roles

Users, Google Groups, or domains must have the resourcemanager.organizations.setIamPolicy permission on the organization to add users to the Support Cloud IAM roles. You can give a user or group that permission by granting them the Organization Administrator role (roles/resourcemanager.organizationAdmin).

For example, if your organization wants users granted the Support Account Administrator role to also be able to add and remove users and groups from the other Support Cloud IAM roles, an Organization Administrator can do the following:

  • Create a Google Group for the users (MyCompanySupportAdmins).
  • Assign the Google Group (MyCompanySupportAdmins) the Organization Administrator role.
  • Assign the Google Group (MyCompanySupportAdmins) the Support Account Administrator role.

In this example, members of the Google Group (MyCompanySupportAdmins) can assign users and groups to Cloud IAM roles in the organization because the group received the resourcemanager.organizations.setIamPolicy permission when it was granted the Organization Administrator role. As new Support Account Administrators join the organization, add them to the Google Group (MyCompanySupportAdmins) to grant them the desired roles.

To add a user, group, or domain to a Support Cloud IAM role, follow these steps.

  1. Sign in to the Google Cloud Console IAM & admin page as an organization administrator.
  2. Select Support from the side menu.
  3. Select the role to assign:
    • Support Account Administrator
    • Support Account Viewer
    • Tech Support Editor
    • Tech Support Viewer
  4. Specify the users, groups, or domains to add.

What's next

Understand how to manage support cases in the Google Cloud Console.