Google uses [Identity and Access Management (IAM)](https://cloud.google.com/iam/docs) to manage resources across an organization and the roles and privileges granted to entities in that organization. A full IAM policy is a set of role bindings, each binding a principal to a role on a resource.
## organizational hierarchy
An organization can be delineated into folders, subfolders, projects and resources. For individuals, only projects and resources are available.
Projects are the main organizational unit in GCP. The Project ID must be globally unique and is immutable. The Project number is assigned by Google and is also immutable. The Project name is for convenience and can be changed.
Folders (and subfolders) are optional and can be used to reflect an organizational structure (e.g., the departments and teams).
Policies are inherited from parent nodes. The effective policy at any level is the union of all relevant privileges, including inherited ones; a child node can never be more restrictive than its parent.
## roles
Roles are collections of permissions on a resource. Basic roles are owner, editor, and viewer. Roles can be assigned at the organization level, folder level, project level, and resource level.
Permissions are coded as strings like `bigquery.tables.delete` in the general format `resource.attribute.permission`.
In production environments, basic roles should not be used. Instead use one of the other pre-defined roles or define a custom role with the most limited set of permissions possible (the **principle of least privilege**). The best way to create a custom role is to copy and edit a predefined role.
When an organization starts with GCP, they are either already a Google Workspace customer, in which case Google associates the existing account with the GCP, or they created a Cloud Identity account.
Every organization has a **super administrator** to manage the Workspace and GCP roles. The super admin can assign **Organization Admin** roles for GCP. The org admin can define IAM policies and role bindings. The **Organizational Viewer** role provides organization-wide viewer access (provided to the CTO for example).
Roles are granted to a **principal**, which can be an email address associated with a Google account, a [[Google service account]], a Google group, or a domain name from a Google Workspace account or Cloud Identity domain (which will include all users in the associated group or domain). Two additional principals are `allUsers` for anyone on the internet and `allAuthenticatedUsers` for anyone signed in to a Google account.
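The inheritance rule and the least-privilege advice above are easy to check mechanically. The following is an added example, not part of these notes or of Google's own tooling: it models a small organization -> folder -> project hierarchy, merges the bindings down the tree to produce the effective policy at a node (the union the notes describe), and then audits that effective policy for the two things a reviewer looks for first: basic roles (owner/editor/viewer) and the public principals `allUsers` and `allAuthenticatedUsers`. The policy documents use the same shape `gcloud ... get-iam-policy --format=json` returns; the resource names, principals and bindings are constructed sample data.

```python
"""Added example (not from the original notes): compute the effective IAM
policy at a node of the GCP resource hierarchy and audit it for
least-privilege problems.  All hierarchy, principal and binding values
below are constructed sample data."""

from collections import defaultdict

# Constructed sample hierarchy: child -> parent (None marks the root).
PARENT = {
    "organizations/123456789": None,
    "folders/engineering": "organizations/123456789",
    "projects/payments-prod": "folders/engineering",
}

# Constructed sample policies, one per node, in the binding format
# returned by `gcloud <resource> get-iam-policy --format=json`.
POLICIES = {
    "organizations/123456789": {"bindings": [
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["user:cto@example.com"]},
    ]},
    "folders/engineering": {"bindings": [
        # A basic role bound at the folder: every project below inherits it.
        {"role": "roles/editor", "members": ["group:eng@example.com"]},
    ]},
    "projects/payments-prod": {"bindings": [
        {"role": "roles/bigquery.dataViewer",
         "members": ["serviceAccount:reporting@payments-prod.iam.gserviceaccount.com"]},
        # A bucket-reading role handed to the whole internet.
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]},
}

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def ancestry(node, parent=PARENT):
    """Yield the node itself and then each ancestor up to the root."""
    while node is not None:
        yield node
        node = parent[node]


def effective_policy(node, policies=POLICIES, parent=PARENT):
    """Union of every binding on the node and its ancestors.

    Returns a dict mapping role -> set of members.  Because bindings are
    only ever added on the way down, a child is never more restrictive
    than its parent."""
    merged = defaultdict(set)
    for n in ancestry(node, parent):
        for binding in policies.get(n, {}).get("bindings", []):
            merged[binding["role"]].update(binding["members"])
    return dict(merged)


def audit(node, policies=POLICIES, parent=PARENT):
    """Flag risky bindings visible at `node`, including inherited ones.

    Returns (severity, role, member, reason) tuples; the reason names the
    node where the binding was actually set, since that is where it has
    to be fixed."""
    findings = []
    for n in ancestry(node, parent):
        for binding in policies.get(n, {}).get("bindings", []):
            role = binding["role"]
            for member in binding["members"]:
                if member in PUBLIC_PRINCIPALS:
                    findings.append(
                        ("HIGH", role, member, f"public principal bound at {n}"))
                if role in BASIC_ROLES:
                    findings.append(
                        ("MEDIUM", role, member,
                         f"basic role bound at {n}; use a predefined or custom role"))
    return findings


if __name__ == "__main__":
    target = "projects/payments-prod"
    for role, members in sorted(effective_policy(target).items()):
        print(f"{role}: {sorted(members)}")
    for severity, role, member, reason in audit(target):
        print(f"[{severity}] {member} -> {role}: {reason}")
```

Note that the editor finding on `payments-prod` is reported against `folders/engineering`: removing a binding on the project itself cannot revoke a grant inherited from above, so the audit names the node where the binding lives.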
# Google service account
A service account is used when scripts, APIs and other applications interact with [[Google Cloud Platform|GCP]]. The service account can be granted IAM roles to let it access resources. Service accounts can be user-managed or Google-managed.
Provide a meaningful name so you can remember what the account is for later!
# identity aware proxy
[Identity aware proxy (IAP)](https://cloud.google.com/iap/docs) is a service from [[Google Cloud Platform]] that helps automate authentication for GCP web apps.