Access control with IAM

This page explains how to configure access control for Cloud Customer Care's support services.

Before you begin

What is Identity and Access Management (IAM)

Google Cloud offers IAM, which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (identity) has what access (roles) to which resource by setting IAM policies. IAM policies grant specific role(s) to a principal, giving the principal certain permissions. For example, for a given resource, such as a project, you can assign the Tech Support Viewer role (roles/cloudsupport.techSupportViewer) to a Google Account and that account can view support cases in the project, but cannot manage support cases.

Access considerations

If you have transitioned from Silver, Gold, or Platinum Support, keep in mind that support cases are no longer accessible through the Google Cloud Support Center (GCSC). After you enable Standard, Enhanced, or Premium Support, you can manage access to transitioned cases by granting IAM roles to users, groups, or domains.

Organization-level Cases

Customer Care cases can be created within either organizations or projects.

To manage organization-level cases, the user must have the resourcemanager.organizations.get permission at the organization level; otherwise they cannot select the organization in the Google Cloud console.

The simplest way to grant this permission is to grant the user the roles/resourcemanager.organizationViewer role on the organization. This role only grants the resourcemanager.organizations.get permission.

NOTE: Granting a user the Organization Viewer role is not the same as granting a user the Viewer role at the organization level. This is a common point of confusion. The Organization Viewer role does not give the user access to view any resources within the organization; it only allows the user to see that the organization exists.

In addition, the user must have the relevant Technical Support IAM permissions, which are described in the following sections.

Customer Care IAM roles

With IAM, every support user must have the appropriate permissions to view and manage cases and users. Users gain these permissions when you grant them an IAM role directly, or when they belong to a group or domain that has been granted the role.

The following list describes each IAM role available to Cloud Customer Care users, the permissions the role contains, and, where the role is restricted, the lowest level of the resource hierarchy at which you can grant it.

Role: Support Account Administrator (roles/cloudsupport.admin)

  Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information.

  Lowest-level resource where you can grant this role: Organization

  Permissions:
    • cloudsupport.accounts.*, which expands to:
        cloudsupport.accounts.create
        cloudsupport.accounts.delete
        cloudsupport.accounts.get
        cloudsupport.accounts.getIamPolicy
        cloudsupport.accounts.getUserRoles
        cloudsupport.accounts.list
        cloudsupport.accounts.purchase
        cloudsupport.accounts.setIamPolicy
        cloudsupport.accounts.update
        cloudsupport.accounts.updateUserRoles
    • cloudsupport.operations.get
    • cloudsupport.properties.get
    • resourcemanager.organizations.get

Role: Tech Support Editor (roles/cloudsupport.techSupportEditor)

  Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information.

  Permissions:
    • cloudasset.assets.searchAllResources
    • cloudsupport.properties.get
    • cloudsupport.techCases.*, which expands to:
        cloudsupport.techCases.create
        cloudsupport.techCases.escalate
        cloudsupport.techCases.get
        cloudsupport.techCases.list
        cloudsupport.techCases.update
    • resourcemanager.projects.get
    • resourcemanager.projects.list

Role: Tech Support Viewer (roles/cloudsupport.techSupportViewer)

  Read-only access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information.

  Permissions:
    • cloudsupport.properties.get
    • cloudsupport.techCases.get
    • cloudsupport.techCases.list
    • resourcemanager.projects.get
    • resourcemanager.projects.list

Role: Support Account Viewer (roles/cloudsupport.viewer)

  Read-only access to details of a support account. This does not allow viewing cases. See the Cloud Support documentation for more information.

  Lowest-level resource where you can grant this role: Organization

  Permissions:
    • cloudsupport.accounts.get
    • cloudsupport.accounts.getUserRoles
    • cloudsupport.accounts.list
    • cloudsupport.properties.get

To add a user, group, or domain to a role, see Granting IAM roles.

Support Account Administrator

Users with the Support Account Administrator role (roles/cloudsupport.admin) can manage the purchased support service and how it is billed.

The Support Account Administrator is responsible for administering policies for the organization's support account, including:

  • Assigning new support users
  • Modifying roles for existing support users
  • Managing support billing

This role can only be granted at the organization level.

Support Account Viewer

Users with the Support Account Viewer role (roles/cloudsupport.viewer) can view account information for the service. They cannot view or edit support cases; to do so, they must also be granted the Tech Support Viewer or Tech Support Editor role.

This role can only be granted at the organization level.

Tech Support Editor

Users with the Tech Support Editor role (roles/cloudsupport.techSupportEditor) can manage support cases, including viewing, creating, updating, escalating, and closing them.

You can grant this role at the organization, folder, and project levels. For example, if you grant the Tech Support Editor role to a Google group on a specific project, all members of the group can manage support cases for that project.

You can also grant this role at multiple levels of the resource hierarchy to establish different permissions for nested resources. For example, if you have the Tech Support Viewer role for the organization and Tech Support Editor role on a project, you can view support cases across the organization, but only edit cases for the project.

Tech Support Viewer

Users with the Tech Support Viewer role (roles/cloudsupport.techSupportViewer) can view support cases and account information.

You can grant this role at the organization, folder, and project levels. For example, you can grant the Tech Support Viewer role to a Google group on a specific folder, which enables members of that group to view the support cases in that folder.
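The role descriptions above, together with the nested-grant example under Tech Support Editor and the Organization Viewer note earlier on the page, can be checked with a small model of how IAM bindings combine down the resource hierarchy. The following is an added example, not code from the Cloud Customer Care documentation: it transcribes the role-to-permission table from this page, resolves the effective permissions of a principal on an organization, folder or project as the union of every role bound on that resource and its ancestors, and deliberately ignores basic roles, deny policies and IAM conditions, which real policy evaluation also applies. Resource names and principals are constructed placeholders.

```python
"""Added example: effective Customer Care permissions through the resource hierarchy.
Not part of the Cloud Customer Care documentation; org/folder/project IDs and
principals are constructed placeholders."""
from __future__ import annotations

from dataclasses import dataclass, field

# Role -> permissions, transcribed from the role list on this page.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "roles/cloudsupport.admin": frozenset({
        "cloudsupport.accounts.create", "cloudsupport.accounts.delete",
        "cloudsupport.accounts.get", "cloudsupport.accounts.getIamPolicy",
        "cloudsupport.accounts.getUserRoles", "cloudsupport.accounts.list",
        "cloudsupport.accounts.purchase", "cloudsupport.accounts.setIamPolicy",
        "cloudsupport.accounts.update", "cloudsupport.accounts.updateUserRoles",
        "cloudsupport.operations.get", "cloudsupport.properties.get",
        "resourcemanager.organizations.get",
    }),
    "roles/cloudsupport.techSupportEditor": frozenset({
        "cloudasset.assets.searchAllResources", "cloudsupport.properties.get",
        "cloudsupport.techCases.create", "cloudsupport.techCases.escalate",
        "cloudsupport.techCases.get", "cloudsupport.techCases.list",
        "cloudsupport.techCases.update",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    }),
    "roles/cloudsupport.techSupportViewer": frozenset({
        "cloudsupport.properties.get", "cloudsupport.techCases.get",
        "cloudsupport.techCases.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    }),
    "roles/cloudsupport.viewer": frozenset({
        "cloudsupport.accounts.get", "cloudsupport.accounts.getUserRoles",
        "cloudsupport.accounts.list", "cloudsupport.properties.get",
    }),
    # Grants only the one permission needed to select the organization in the console.
    "roles/resourcemanager.organizationViewer": frozenset({
        "resourcemanager.organizations.get",
    }),
}


@dataclass
class Resource:
    """A node in the resource hierarchy with its own IAM bindings (role -> members)."""
    name: str
    parent: Resource | None = None
    bindings: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, member: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.bindings.setdefault(role, set()).add(member)


def effective_permissions(resource: Resource, member: str) -> frozenset[str]:
    """Union of the permissions of every role bound to `member` on `resource` or any
    ancestor: IAM policies are inherited downward, so an org-level grant applies to
    every folder and project underneath it."""
    perms: set[str] = set()
    node: Resource | None = resource
    while node is not None:
        for role, members in node.bindings.items():
            if member in members:
                perms |= ROLE_PERMISSIONS[role]
        node = node.parent
    return frozenset(perms)


def can_view_cases(resource: Resource, member: str) -> bool:
    return "cloudsupport.techCases.list" in effective_permissions(resource, member)


def can_edit_cases(resource: Resource, member: str) -> bool:
    return "cloudsupport.techCases.update" in effective_permissions(resource, member)


def can_select_org_in_console(org: Resource, member: str) -> bool:
    """The console needs resourcemanager.organizations.get before the org can be chosen."""
    return "resourcemanager.organizations.get" in effective_permissions(org, member)


def build_example() -> tuple[Resource, Resource, Resource]:
    """Constructed hierarchy: organization -> folder -> project, with the grants the
    page's Tech Support Editor example describes."""
    org = Resource("organizations/ORG_ID_PLACEHOLDER")
    folder = Resource("folders/FOLDER_ID_PLACEHOLDER", parent=org)
    project = Resource("projects/example-prod", parent=folder)
    # Tech Support Viewer on the organization, Tech Support Editor on one project.
    org.grant("roles/cloudsupport.techSupportViewer", "group:support-viewers@example.com")
    project.grant("roles/cloudsupport.techSupportEditor", "group:support-viewers@example.com")
    # Organization Viewer alone: can select the org in the console, sees no cases.
    org.grant("roles/resourcemanager.organizationViewer", "user:auditor@example.com")
    # Managing org-level cases needs Organization Viewer plus a support role.
    org.grant("roles/cloudsupport.techSupportEditor", "group:org-case-managers@example.com")
    org.grant("roles/resourcemanager.organizationViewer", "group:org-case-managers@example.com")
    return org, folder, project


if __name__ == "__main__":
    org, folder, project = build_example()
    for res in (org, folder, project):
        print(res.name, sorted(effective_permissions(res, "group:support-viewers@example.com")))
```

Running the script shows that the viewers group can list cases at all three levels but only update them on the project, that the auditor who holds only Organization Viewer can select the organization yet has no case permissions at all, and that a principal with no bindings anywhere in the ancestry resolves to an empty permission set.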

Granting IAM roles

To add users to the Customer Care IAM roles, a user, Google Group, or domain must have the resourcemanager.organizations.setIamPolicy permission on the organization. You can give a user or group that permission by granting them the Organization Administrator role (roles/resourcemanager.organizationAdmin).

For example, if your organization wants users who hold the Support Account Administrator role to also be able to add and remove users and groups from the other Customer Care IAM roles, an Organization Administrator can do the following:

  • Create a Google Group for the users (MyCompanySupportAdmins).
  • Assign the Google Group (MyCompanySupportAdmins) the Organization Administrator role.
  • Assign the Google Group (MyCompanySupportAdmins) the Support Account Administrator role.

In this example, members of the Google Group (MyCompanySupportAdmins) can assign users and groups to IAM roles in the organization because the Organization Administrator role includes the resourcemanager.organizations.setIamPolicy permission. As new Support Account Administrators join the organization, add them to the Google Group (MyCompanySupportAdmins) to grant them the desired roles.

To grant an IAM role to a user, group, or domain:

  1. In the Google Cloud console, go to the IAM page.

  2. From the top menu, click Add.

  3. Specify a user, Google Group, or domain.

  4. Select a Support role. For best security practices, we strongly recommend giving the principal the least amount of privilege needed.

  5. Click Save.
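Once the MyCompanySupportAdmins pattern above is in place, a defender will want to confirm periodically that the grants still match it: who can change Customer Care bindings at all, whether the group holds both roles it needs, and whether support roles have drifted onto individual users or onto the wrong level of the hierarchy. The following is an added example, not code from the Cloud Customer Care documentation. It audits policies in the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json` produce; the policies embedded below are constructed samples, and the organization ID, project ID, etags and principals are placeholders. The only grant path it recognizes is the one the page describes, the Organization Administrator role on the organization.

```python
"""Added example: audit exported IAM policies against the Customer Care grant model.
Not part of the Cloud Customer Care documentation; policy contents, IDs and
principals below are constructed placeholders."""
import json

ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"  # carries organizations.setIamPolicy
SUPPORT_ADMIN_ROLE = "roles/cloudsupport.admin"
ORG_ONLY_ROLES = {"roles/cloudsupport.admin", "roles/cloudsupport.viewer"}
SUPPORT_ROLES = ORG_ONLY_ROLES | {
    "roles/cloudsupport.techSupportEditor",
    "roles/cloudsupport.techSupportViewer",
}

ORG_NAME = "organizations/ORG_ID_PLACEHOLDER"

# Constructed sample in the shape of `gcloud organizations get-iam-policy ... --format=json`.
ORG_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:MyCompanySupportAdmins@example.com"]},
    {"role": "roles/cloudsupport.admin",
     "members": ["group:MyCompanySupportAdmins@example.com"]},
    {"role": "roles/cloudsupport.techSupportViewer",
     "members": ["group:support-viewers@example.com", "user:alice@example.com"]}
  ],
  "etag": "ETAG_PLACEHOLDER",
  "version": 1
}
"""

# Constructed sample in the shape of `gcloud projects get-iam-policy ... --format=json`,
# keyed by project resource name. The cloudsupport.admin binding is planted as drift.
PROJECT_POLICIES_JSON = {
    "projects/example-prod": """
{
  "bindings": [
    {"role": "roles/cloudsupport.techSupportEditor",
     "members": ["group:prod-oncall@example.com"]},
    {"role": "roles/cloudsupport.admin",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "ETAG_PLACEHOLDER",
  "version": 1
}
"""
}


def members_with_role(policy: dict, role: str) -> set:
    """All principals bound to `role` in one policy document."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def who_can_grant(org_policy: dict) -> set:
    """Principals that can change Customer Care bindings: holders of
    Organization Administrator on the organization."""
    return members_with_role(org_policy, ORG_ADMIN_ROLE)


def missing_for_support_admin_group(org_policy: dict, group: str) -> list:
    """Roles the group still lacks for the MyCompanySupportAdmins pattern."""
    return [r for r in (ORG_ADMIN_ROLE, SUPPORT_ADMIN_ROLE)
            if group not in members_with_role(org_policy, r)]


def audit(org_policy: dict, project_policies: dict) -> list:
    """Findings: org-only roles bound below the organization, and support roles
    granted directly to users rather than through a Google Group."""
    findings = []
    scopes = [(ORG_NAME, org_policy)] + sorted(project_policies.items())
    for scope, policy in scopes:
        for role in sorted(SUPPORT_ROLES):
            for member in sorted(members_with_role(policy, role)):
                if role in ORG_ONLY_ROLES and not scope.startswith("organizations/"):
                    findings.append(f"{scope}: {role} bound to {member}, but this role "
                                    "is granted only at the organization level")
                if member.startswith("user:"):
                    findings.append(f"{scope}: {role} granted directly to {member}; "
                                    "manage membership through a Google Group instead")
    return findings


def parse_org_policy() -> dict:
    return json.loads(ORG_POLICY_JSON)


def run_sample():
    """Parse the embedded samples and return (grantors, findings)."""
    org_policy = parse_org_policy()
    project_policies = {name: json.loads(text) for name, text in PROJECT_POLICIES_JSON.items()}
    return who_can_grant(org_policy), audit(org_policy, project_policies)


if __name__ == "__main__":
    grantors, findings = run_sample()
    print("can change bindings:", sorted(grantors))
    for line in findings:
        print("finding:", line)
```

On the sample policies the audit reports three findings: the direct grant of Tech Support Viewer to alice on the organization, and two for bob on the project, whose Support Account Administrator binding is both below the organization and attached to a user. The group check returns an empty list for MyCompanySupportAdmins, meaning the pattern is complete.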

What's next

Understand how to manage support cases in the Google Cloud console.