Domain-Wide Delegation Permissions

GCP Cloud Infrastructure Entitlement Management (CIEM) product editions fall into two main categories: CIEM Basic and CIEM Advanced. CIEM Advanced facilitates domain-wide delegation, allowing a Google Workspace super administrator to entrust a service account with the capability to gather Google Identity and Access Management (IAM) and Workspace resources. This is crucial for conducting routine cloud scans and IAM evaluations. Following is a comparative list of features supported across both editions:

GCP Users

PermissionsCIEM BasicCIEM Advanced (Domain-Wide Delegation)
Risk Findings
  • Editor Role Applied
  • Owner Role Applied
  • Inactive
  • No MFA
  • Admin
  • Editor Role Applied
  • Owner Role Applied
  • Inactive
Profiling LabelLearningLearning
Permissions CalculationAvailableAvailable
Highest Access EvaluationAvailableAvailable
Risk ScoringAvailableAvailable
Role RemediationsAvailableAvailable
Download CSV ReportsAvailableAvailable

GCP Service Accounts

PermissionsCIEM BasicCIEM Advanced (Domain-Wide Delegation)
Risk Findings
  • User Managed Key
  • Access Key(s) Not Rotated
  • Multiple Access Keys Active
  • Owner Role Applied
  • Inactive
  • Admin
  • Lateral Movement
  • User Managed Key
  • Access Key(s) Not Rotated
  • Multiple Access Keys Active
  • Owner Role Applied
  • Inactive
  • Admin
Profiling LabelLearningLearning
Permissions CalculationAvailableAvailable
Highest Access EvaluationAvailableAvailable
Risk ScoringAvailableAvailable
Role RemediationsAvailableAvailable
Download CSV ReportsAvailableAvailable

GCP Groups

PermissionsCIEM BasicCIEM Advanced (Domain-Wide Delegation)
Risk Findings
  • Editor Role Applied
  • Owner Role Applied
  • Admin
  • Inactive
  • Admin
  • Editor Role Applied
  • Owner Role Applied
Profiling LabelLearningLearning
Permissions CalculationUnavailableAvailable
Highest Access EvaluationAvailableAvailable
Risk ScoringUnavailableAvailable
Role RemediationsUnavailableAvailable
Download CSV ReportsAvailableAvailable

GCP Roles

PermissionsCIEM BasicCIEM Advanced (Domain-Wide Delegation)
Risk Findings
  • Inactive
  • Admin
    • Inactive
    • Admin
    Profiling LabelLearningLearning
    Permissions CalculationAvailableAvailable
    Highest Access EvaluationAvailableAvailable
    Risk ScoringAvailableAvailable
    Role RemediationsAvailableAvailable
    Download CSV ReportsAvailableAvailable
    Membership EvaluationUnavailableAvailable