This page explains how to view, understand, and apply role recommendations for projects, folders, and organizations. Role recommendations help you enforce the principle of least privilege by ensuring that principals have only the permissions that they actually need.
Before you begin
-
Enable the IAM and Recommender APIs.
Understand role recommendations.
Review the Best practices for role recommendations.
Optional: If you want to view and manage role recommendations for non-basic and custom roles, ensure that you have an organization-level activation of the premium tier of Security Command Center. For more information, see Billing questions.
Required IAM roles
This section describes the IAM roles and permissions that you need in order to work with role recommendations.
View recommendations
To get the permissions that you need to view role recommendations, ask your administrator to grant you the following IAM roles on the resource that you want to view recommendations for (project, folder, or organization):
-
Role Viewer (
roles/iam.roleViewer
) -
IAM Recommender Viewer (
roles/recommender.iamViewer
) -
To view project-level recommendations in the Google Cloud console:
Project IAM Admin (
roles/resourcemanager.projectIamAdmin
) -
To view folder-level recommendations in the Google Cloud console:
Folder IAM Admin (
roles/resourcemanager.folderIamAdmin
) -
To view organization-level recommendations in the Google Cloud console:
Organization Admin (
roles/resourcemanager.organizationAdmin
)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to view role recommendations. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to view role recommendations:
-
iam.roles.get
-
iam.roles.list
-
recommender.iamPolicyRecommendations.get
-
recommender.iamPolicyRecommendations.list
-
recommender.iamPolicyInsights.get
-
recommender.iamPolicyInsights.list
-
recommender.iamPolicyLateralMovementInsights.get
-
recommender.iamPolicyLateralMovementInsights.list
-
To view recommendations in the Google Cloud console:
resourcemanager.RESOURCE.getIamPolicy
, whereRESOURCE
is the resource type that you want to view recommendations for (projects
,folders
, ororganizations
)
You might also be able to get these permissions with custom roles or other predefined roles.
Apply and dismiss recommendations
To get the permissions that you need to view, apply, and dismiss role recommendations, ask your administrator to grant you the following IAM roles on the resource that you want to manage recommendations for (project, folder, or organization):
-
Role Viewer (
roles/iam.roleViewer
) -
IAM Recommender Admin (
roles/recommender.iamAdmin
) -
To manage project-level recommendations:
Project IAM Admin (
roles/resourcemanager.projectIamAdmin
) -
To manage folder-level recommendations:
Folder IAM Admin (
roles/resourcemanager.folderIamAdmin
) -
To manage organization-level recommendations:
Organization Admin (
roles/resourcemanager.organizationAdmin
)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to view, apply, and dismiss role recommendations. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to view, apply, and dismiss role recommendations:
-
iam.roles.get
-
iam.roles.list
-
recommender.iamPolicyRecommendations.get
-
recommender.iamPolicyRecommendations.list
-
recommender.iamPolicyInsights.get
-
recommender.iamPolicyInsights.list
-
recommender.iamPolicyLateralMovementInsights.get
-
recommender.iamPolicyLateralMovementInsights.list
-
recommender.iamPolicyRecommendations.update
-
resourcemanager.RESOURCE.getIamPolicy
, whereRESOURCE
is the resource type that you want to manage recommendations for (projects
,folders
, ororganizations
) -
resourcemanager.RESOURCE.setIamPolicy
, whereRESOURCE
is the resource type that you want to manage recommendations for (projects
,folders
, ororganizations
)
You might also be able to get these permissions with custom roles or other predefined roles.
Review and apply recommendations
The easiest way to review and apply your recommendations is to use the Google Cloud console. Additionally, if you want to automatically create a custom role when you apply a recommendation, you must use the Google Cloud console.
You can also review and apply recommendations with the Google Cloud CLI and the Recommender API.
Console
In the Google Cloud console, go to the IAM page.
Select a project, folder, or organization.
In the list of principals that have access to your project, find the Security insights column.
For each role granted to a principal, this column shows any security-related insights. These insights highlight patterns in how your principals access resources. For example, some insights highlight excess permissions, or permissions that a principal does not need. Other insights highlight service accounts with lateral movement capabilities:
If there is a recommendation available to address an insight, the Google Cloud console displays the Recommendation available icon.
If there are recommendations to review, click a Recommendation available icon to get details about the recommendation.
If the recommendation is to replace the role, the role recommendation always suggests a set of predefined roles that you can apply.
In some cases, the role recommendation also suggests creating a new custom role at the project level. If a custom role recommendation is available, the Google Cloud console shows it by default. To switch to the predefined role recommendation, click View recommended predefined role.
Review the recommendation carefully, and make sure you understand how it will change the principal's access to Google Cloud resources. Except in the case of recommendations for service agents, a recommendation will never increase a principal's level of access. See How role recommendations are generated for more information.
To learn how to review recommendations in the console, see Review recommendations on this page.
Optional: If the recommendation is to create a custom role, update the Title, Description, ID, and Role launch stage as needed.
If you need to add permissions to the custom role, click Add permissions.
If you need to remove permissions from the custom role, clear the checkbox for each permission that you want to remove.
Take action on the recommendation.
To apply the recommendation, click Apply or Create and apply. If you change your mind in the next 90 days, use the recommendations history to revert your choice.
To dismiss the recommendation, click Dismiss, then confirm your choice. You can restore a dismissed recommendation as long as the recommendation is still valid.
Repeat the previous steps until you have reviewed all of your recommendations.
gcloud
Review your recommendations:
To list your recommendations, run the
gcloud recommender recommendations list
command:
gcloud recommender recommendations list \
--location=global \
--recommender=google.iam.policy.Recommender \
--RESOURCE_TYPE=RESOURCE_ID \
--format=json
Replace the following values:
RESOURCE_TYPE
: The resource type that you want to list recommendations for. Use the valueproject
,folder
, ororganization
.RESOURCE_ID
: The ID of the Google Cloud project, folder, or organization that you want to list recommendations for. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
.
The response is similar to the following example. In this example, a service
account has not used any permissions from the Compute Admin role
(roles/compute.admin
) in the past 90 days. As a result,
the role recommendation suggests that you revoke the role:
[
{
"associatedInsights": [
{
"insight": "projects/123456789012/locations/global/insightTypes/google.iam.policy.Insight/insights/279ef748-408f-44db-9a4a-1ff8865b9839"
}
],
"content": {
"operationGroups": [
{
"operations": [
{
"action": "remove",
"path": "/iamPolicy/bindings/*/members/*",
"pathFilter": {
"/iamPolicy/bindings/*/condition/expression": "",
"/iamPolicy/bindings/*/members/*": "serviceAccount:[email protected]",
"/iamPolicy/bindings/*/role": "roles/compute.admin"
},
"resource": "//cloudresourcemanager.googleapis.com/projects/example-project",
"resourceType": "cloudresourcemanager.googleapis.com/Project"
}
]
}
]
},
"description": "This role has not been used during the observation window.",
"recommenderSubtype": "REMOVE_ROLE",
"etag": "\"770237e2c0decf40\"",
"lastRefreshTime": "2020-01-09T06:06:17Z",
"name": "projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/fb927dc1-9695-4436-0000-f0f285007c0f",
"primaryImpact": {
"category": "SECURITY",
"securityProjection": {
"details": {
"revokedIamPermissionsCount": 708
}
}
},
"priority": "P4",
"stateInfo": {
"state": "ACTIVE"
}
}
]
Review each recommendation carefully, and consider how it will change the principal's access to Google Cloud resources. To learn how to review recommendations from the gcloud CLI, see Review recommendations on this page.
To apply a recommendation:
Use the
gcloud recommender recommendations mark-claimed
command to change the recommendation's state toCLAIMED,
which prevents the recommendation from changing while you apply it:gcloud recommender recommendations mark-claimed \ RECOMMENDATION_ID \ --location=global \ --recommender=google.iam.policy.Recommender \ --RESOURCE_TYPE=RESOURCE_ID \ --format=FORMAT \ --etag=ETAG \ --state-metadata=STATE_METADATA
Replace the following values:
-
RECOMMENDATION_ID
: The unique identifier for the recommendation. This value appears at the end of thename
field in the recommendation. In the example shown above, the ID isfb927dc1-9695-4436-0000-f0f285007c0f
. -
RESOURCE_TYPE
: The resource type that you want to manage recommendations for. Use the valueproject
,folder
, ororganization
. -
RESOURCE_ID
: The ID of the Google Cloud project, folder, or organization that you want to manage recommendations for. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
. -
FORMAT
: The format of the response. Usejson
oryaml
. -
ETAG
: The value of theetag
field in the recommendation, such as"dd0686e7136a4cbb"
. Note that this value can include quotes. -
STATE_METADATA
: Optional. Comma-separated key-value pairs that contain your choice of metadata about the recommendation. For example,--state-metadata=reviewedBy=alice,priority=high
. The metadata replaces thestateInfo.stateMetadata
field in the recommendation.
If the command succeeds, the response shows the recommendation in a
CLAIMED
state, as shown in the following example. For clarity, the example omits most fields:[ { "description": "This role has not been used during the observation window.", "recommenderSubtype": "REMOVE_ROLE", "etag": "\"df7308cca9719dcc\"", "name": "projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/fb927dc1-9695-4436-0000-f0f285007c0f", "stateInfo": { "state": "CLAIMED", "stateMetadata": { "reviewedBy": "alice", "priority": "high" } } } ]
-
Get the allow policy for the project, then modify and set the allow policy so that it reflects the recommendation.
Update the recommendation's state to
SUCCEEDED
, if you were able to apply the recommendation, orFAILED
, if you could not apply the recommendation:gcloud recommender recommendations COMMAND \ RECOMMENDATION_ID \ --location=global \ --recommender=google.iam.policy.Recommender \ --RESOURCE_TYPE=RESOURCE_ID \ --format=FORMAT \ --etag=ETAG \ --state-metadata=STATE_METADATA
Replace the following values:
-
COMMAND
: Usemark-succeeded
, if you were able to apply the recommendation, ormark-failed
, if you could not apply the recommendation. -
RECOMMENDATION_ID
: The unique identifier for the recommendation. This value appears at the end of thename
field in the recommendation. In the example shown above, the ID isfb927dc1-9695-4436-0000-f0f285007c0f
. -
RESOURCE_TYPE
: The resource type that you want to manage recommendations for. Use the valueproject
,folder
, ororganization
. -
RESOURCE_ID
: The ID of the Google Cloud project, folder, or organization that you want to manage recommendations for. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
. -
FORMAT
: The format of the response. Usejson
oryaml
. -
ETAG
: The value of theetag
field in the recommendation, such as"dd0686e7136a4cbb"
. Note that this value can include quotes. -
STATE_METADATA
: Optional. Comma-separated key-value pairs that contain your choice of metadata about the recommendation. For example,--state-metadata=reviewedBy=alice,priority=high
. The metadata replaces thestateInfo.stateMetadata
field in the recommendation.
For example, if you marked the recommendation as having succeeded, the response shows the recommendation in a
SUCCEEDED
state. For clarity, this example omits most fields:[ { "description": "This role has not been used during the observation window.", "recommenderSubtype": "REMOVE_ROLE", "etag": "\"dd0686e7136a4cbb\"", "name": "projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/fb927dc1-9695-4436-0000-f0f285007c0f", "stateInfo": { "state": "SUCCEEDED", "stateMetadata": { "reviewedBy": "alice", "priority": "high" } } } ]
-
REST
These instructions assume that you have authenticated
and set the GOOGLE_APPLICATION_CREDENTIALS
environment variable.
Review your recommendations:
To list all available recommendations for your project, folder, or organization, use the Recommender API's
recommendations.list
method.
Before using any of the request data, make the following replacements:
RESOURCE_TYPE
: The type of the resource that you want to manage recommendations for. Use the valueprojects
,folders
, ororganizations
.RESOURCE_ID
: The ID of the Google Cloud project, folder, or organization that you want to manage recommendations for. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
.-
PAGE_SIZE
: Optional. The maximum number of results to return from this request. If not specified, the server will determine the number of results to return. If the number of recommendations is greater than the page size, the response contains a pagination token that you can use to retrieve the next page of results. -
PAGE_TOKEN
: Optional. The pagination token returned in an earlier response from this method. If specified, the list of recommendations will start where the previous request ended. -
FILTER
: Optional. A filter expression to restrict the recommendations returned. You can filter recommendations based on thestateInfo.state
field. For example,stateInfo.state:"DISMISSED"
orstateInfo.state:"FAILED"
. PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.
HTTP method and URL:
GET https://recommender.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/recommenders/google.iam.policy.Recommender/recommendations?pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN&filter=FILTER
To send your request, expand one of these options:
The response is similar to the following example. In this example, a service account in the
project example-project
has not used any permissions from the Compute Admin role
(roles/compute.admin
) in the past 90 days. As a result,
Recommender suggests that you revoke the role:
{ "recommendations": [ "name": "projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/fb927dc1-9695-4436-0000-f0f285007c0f", "description": "This role has not been used during the observation window.", "lastRefreshTime": "2020-01-09T06:06:17Z", "primaryImpact": { "category": "SECURITY", "securityProjection": { "details": { "revokedIamPermissionsCount": 708 } } }, "priority": "P4", "content": { "operationGroups": [ { "operations": [ { "action": "remove", "path": "/iamPolicy/bindings/*/members/*", "pathFilter": { "/iamPolicy/bindings/*/condition/expression": "", "/iamPolicy/bindings/*/members/*": "serviceAccount:[email protected]", "/iamPolicy/bindings/*/role": "roles/compute.admin" }, "resource": "//cloudresourcemanager.googleapis.com/projects/example-project", "resourceType": "cloudresourcemanager.googleapis.com/Project" } ] } ] }, "stateInfo": { "state": "ACTIVE" } "etag": "\"770237e2c0decf40\"", "recommenderSubtype": "REMOVE_ROLE", "associatedInsights": [ { "insight": "projects/123456789012/locations/global/insightTypes/google.iam.policy.Insight/insights/279ef748-408f-44db-9a4a-1ff8865b9839" } ] }
Review each recommendation carefully, and consider how it will change the principal's access to Google Cloud resources. To learn how to review recommendations from the REST API, see Review recommendations on this page.
To apply a recommendation:
Mark the recommendation as
CLAIMED
:To mark a recommendation as
CLAIMED
, which prevents the recommendation from changing while you apply it, use the Recommender API'srecommendations.markClaimed
method.Before using any of the request data, make the following replacements:
RESOURCE_TYPE
: The type of the resource that you want to manage recommendations for. Use the valueprojects
,folders
, ororganizations
.RESOURCE_ID
: The ID of the Google Cloud project, folder, or organization that you want to manage recommendations for. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
.RECOMMENDATION_ID
: The unique identifier for the recommendation. This value appears at the end of thename
field in the recommendation. For example, if thename
field isprojects/example-project/locations/global/recommenders/google.iam.policy.Recommender/recommendations/fb927dc1-9695-4436-0000-f0f285007c0f
, the recommendation ID isfb927dc1-9695-4436-0000-f0f285007c0f
.ETAG
: The value of theetag
field in the recommendation, such as"dd0686e7136a4cbb"
. Use backslashes to escape quotes, for example,"\"df7308cca9719dcc\""
.STATE_METADATA
: Optional. An object that contains key-value pairs with your choice of metadata about the recommendation. For example,{"reviewedBy": "alice", "priority": "high"}
. The metadata replaces thestateInfo.stateMetadata
field in the recommendation.PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.
HTTP method and URL:
POST https://recommender.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/recommenders/google.iam.policy.Recommender/recommendations/RECOMMENDATION_ID:markClaimed
Request JSON body:
{ "etag": "ETAG", "stateMetadata": { "STATE_METADATA" } }
To send your request, expand one of these options:
The response shows the recommendation in a
CLAIMED
state, as shown in the following example. For clarity, this example omits most fields:{ "description": "This role has not been used during the observation window.", "stateInfo": { "state": "CLAIMED", "stateMetadata": { "reviewedBy": "alice", "priority": "high" } }, "etag": "\"dd0686e7136a4cbb\"", "recommenderSubtype": "REMOVE_ROLE" }
Get the allow policy for the project, then modify the allow policy so that it reflects the recommendation.
Update the recommendation's state to
SUCCEEDED
, if you were able to apply the recommendation, orFAILED
, if you could not apply the recommendation:SUCCEEDED
To mark a recommendation as
SUCCEEDED
, indicating that you were able to apply it, use the Recommender API'srecommendations.markSucceeded
method.Before using any of the request data, make the following replacements:
RESOURCE_TYPE
: The type of the resource that you want to manage recommendations for. Use the valueprojects
,folders
, ororganizations
.RESOURCE_ID
: The ID of the Google Cloud project, folder, or organization that you want to manage recommendations for. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
.RECOMMENDATION_ID
: The unique identifier for the recommendation. This value appears at the end of thename
field in the recommendation. For example, if thename
field isprojects/example-project/locations/global/recommenders/google.iam.policy.Recommender/recommendations/fb927dc1-9695-4436-0000-f0f285007c0f
, the recommendation ID isfb927dc1-9695-4436-0000-f0f285007c0f
.ETAG
: The value of theetag
field in the recommendation, such as"dd0686e7136a4cbb"
. Use backslashes to escape quotes, for example,"\"df7308cca9719dcc\""
.STATE_METADATA
: Optional. An object that contains key-value pairs with your choice of metadata about the recommendation. For example,{"reviewedBy": "alice", "priority": "high"}
. The metadata replaces thestateInfo.stateMetadata
field in the recommendation.PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.
HTTP method and URL:
POST https://recommender.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/recommenders/google.iam.policy.Recommender/recommendations/RECOMMENDATION_ID:markSucceeded
Request JSON body:
{ "etag": "ETAG", "stateMetadata": { "STATE_METADATA" } }
To send your request, expand one of these options:
The response shows the recommendation in a
SUCCEEDED
state, as shown in the following example. For clarity, this example omits most fields:{ "description": "This role has not been used during the observation window.", "stateInfo": { "state": "SUCCEEDED", "stateMetadata": { "reviewedBy": "alice", "priority": "high" } }, "etag": "\"dd0686e7136a4cbb\"", "recommenderSubtype": "REMOVE_ROLE" }
FAILED
To mark a recommendation as
FAILED
, indicating that you were not able to apply it, use the Recommender API'srecommendations.markFailed
method.Before using any of the request data, make the following replacements:
RESOURCE_TYPE
: The type of the resource that you want to manage recommendations for. Use the valueprojects
,folders
, ororganizations
.RESOURCE_ID
: The ID of the Google Cloud project, folder, or organization that you want to manage recommendations for. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
.RECOMMENDATION_ID
: The unique identifier for the recommendation. This value appears at the end of thename
field in the recommendation. For example, if thename
field isprojects/example-project/locations/global/recommenders/google.iam.policy.Recommender/recommendations/fb927dc1-9695-4436-0000-f0f285007c0f
, the recommendation ID isfb927dc1-9695-4436-0000-f0f285007c0f
.ETAG
: The value of theetag
field in the recommendation, such as"dd0686e7136a4cbb"
. Use backslashes to escape quotes, for example,"\"df7308cca9719dcc\""
.STATE_METADATA
: Optional. An object that contains key-value pairs with your choice of metadata about the recommendation. For example,{"reviewedBy": "alice", "priority": "high"}
. The metadata replaces thestateInfo.stateMetadata
field in the recommendation.PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.
HTTP method and URL:
POST https://recommender.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/recommenders/google.iam.policy.Recommender/recommendations/RECOMMENDATION_ID:markFailed
Request JSON body:
{ "etag": "ETAG", "stateMetadata": { "STATE_METADATA" } }
To send your request, expand one of these options:
The response shows the recommendation in a
FAILED
state, as shown in the following example. For clarity, this example omits most fields:{ "description": "This role has not been used during the observation window.", "stateInfo": { "state": "FAILED", "stateMetadata": { "reviewedBy": "alice", "priority": "high" } }, "etag": "\"dd0686e7136a4cbb\"", "recommenderSubtype": "REMOVE_ROLE" }
Understand recommendations
Each recommendation includes information to help you understand why the recommendation was made.
Console
To help you understand why the recommendation was made, the Google Cloud console shows the principal's permission usage, as reported by the policy insight associated with the recommendation. For example, it might show a list like the following:
To help you understand the impact of applying the recommendation, the Google Cloud console also shows a color- and symbol-coded list of permissions. This list indicates how the principal's permissions will change if you apply the recommendation. For example, it might show a list like the following:
The types of permissions associated with each color and symbol are as follows:
Gray with no symbol: Permissions that are in both the principal's current role and the recommended roles.
Red with a minus sign
: Permissions that are in the principal's current role, but not in the recommended roles because the principal hasn't used them in the past 90 days.Green with a plus sign recommendations for service agents.
: Permissions that are not in the principal's current role, but are in the recommended roles. This type of permission appears only inBlue with a Machine learning icon machine learning that they are likely to need those permissions in the future.
: Permissions that are in both the principal's current role and the recommended roles, not because the principal has used the permissions in the past 90 days, but because Recommender has determined through
Some recommendations are also associated with lateral movement insights. Lateral movement insights identify roles that allow a service account in one project to impersonate a service account in another project. If a recommendation is associated with a lateral movement insight, the Google Cloud console also shows the following:
The service account's origin project: The project that the service account with impersonation permissions was created in.
Service accounts that can be impersonated in this project: A list of all of the service accounts in the current project that the service account with impersonation permissions can impersonate.
gcloud
For details on the fields of a recommendation, see the
Recommendation
reference.
To see the permission usage that this recommendation is based on, view the
policy insights that are associated with the recommendation.
These insights are listed in the associatedInsights
field. To view a policy
insight that is associated with the recommendation, do the following:
- Identify which insights in the
associatedInsights
field are policy insights. Policy insights have the insight typegoogle.iam.policy.insight
. This type appears afterinsightTypes
in theinsight
field. - Copy the policy insight's ID. The ID is everything after
insights/
in theinsight
field. In the preceding example, the insight ID is279ef748-408f-44db-9a4a-1ff8865b9839
. - Follow the instructions to get a policy insight, using the insight ID you copied.
Some recommendations are also associated with
lateral movement insights, which identify roles
that allow service accounts in one project to impersonate service accounts in
another project. These insights are also listed in the associatedInsights
field. To view a lateral movement insight that is associated with the
recommendation, do the following:
- Identify which insights in the
associatedInsights
field are lateral movement insights. Lateral movement insights have the insight typegoogle.iam.policy.LateralMovementInsight
. This type appears afterinsightTypes
in theinsight
field. - Copy the policy insight's ID. The ID is everything after
insights/
in theinsight
field. In the preceding example, the insight ID is279ef748-408f-44db-9a4a-1ff8865b9839
. - Follow the instructions to get a lateral movement insight, using the insight ID you copied.
REST
For details on the fields of a recommendation, see the
Recommendation
reference.
To see the permission usage that this recommendation is based on, view the
policy insights that are associated with the recommendation.
These insights are listed in the associatedInsights
field. To view a policy
insight that is associated with the recommendation, do the following:
- Identify which insights in the
associatedInsights
field are policy insights. Policy insights have the insight typegoogle.iam.policy.insight
. This type appears afterinsightTypes
in theinsight
field. - Copy the policy insight's ID. The ID is everything after
insights/
in theinsight
field. For example, if theinsight
field readsprojects/123456789012/locations/global/insightTypes/google.iam.policy.Insight/insights/279ef748-408f-44db-9a4a-1ff8865b9839
, then the insight ID is279ef748-408f-44db-9a4a-1ff8865b9839
. - Follow the instructions to get a policy insight, using the insight ID you copied.
Some recommendations are also associated with
lateral movement insights, which identify roles
that allow service accounts in one project to impersonate service accounts in
another project. These insights are also listed in the associatedInsights
field. To view a lateral movement insight that is associated with the
recommendation, do the following:
- Identify which insights in the
associatedInsights
field are lateral movement insights. Lateral movement insights have the insight typegoogle.iam.policy.LateralMovementInsight
. This type appears afterinsightTypes
in theinsight
field. - Copy the policy insight's ID. The ID is everything after
insights/
in theinsight
field. For example, if theinsight
field readsprojects/123456789012/locations/global/insightTypes/google.iam.policy.LateralMovementInsight/insights/13088eec-9573-415f-81a7-46e1a260e860
, then the insight ID is13088eec-9573-415f-81a7-46e1a260e860
. - Follow the instructions to get a lateral movement insight, using the insight ID you copied.
View, revert, and restore changes
After you apply or dismiss a recommendation for a project-level role binding, that action appears in the recommendations history.
To view the recommendations history:
In the Google Cloud console, go to the IAM page.
Select a project, folder, or organization.
Near the top of the screen, click Recommendations history.
The Google Cloud console shows a list of previous actions on your role recommendations.
To view details about a recommendation, click the
expander arrow.The Google Cloud console shows details about the action that was taken, including the principal that took the action:
(Optional) If necessary, you can revert the recommendation, which undoes the changes in the recommendation, or restore a recommendation that you dismissed.
To revert a previously applied change for a recommendation, click Revert. The Google Cloud console reverts the changes to the principal's roles. The recommendation no longer appears in the Google Cloud console.
To restore a recommendation that was dismissed, click Restore. The recommendation becomes visible on the IAM page in the Google Cloud console. No roles or permissions are changed.
What's next
- Learn more about Recommender.
- Learn how to use allow policy insights.
- Learn how to use lateral movement insights.