Domain-Wide Delegation Permissions
GCP Cloud Infrastructure Entitlement Management (CIEM) product editions fall into two main categories: CIEM Basic and CIEM Advanced. CIEM Advanced supports domain-wide delegation, which lets a Google Workspace super administrator authorize a service account to gather Google Identity and Access Management (IAM) and Workspace resources. This is crucial for conducting routine cloud scans and IAM evaluations. The following tables compare the features supported in each edition:
GCP Users
Permissions | CIEM Basic | CIEM Advanced (Domain-Wide Delegation) |
---|---|---|
Risk Findings | Editor Role Applied; Owner Role Applied; Inactive | No MFA; Admin; Editor Role Applied; Owner Role Applied; Inactive |
Profiling Label | Learning | Learning |
Permissions Calculation | Available | Available |
Highest Access Evaluation | Available | Available |
Risk Scoring | Available | Available |
Role Remediations | Available | Available |
Download CSV Reports | Available | Available |
GCP Service Accounts
Permissions | CIEM Basic | CIEM Advanced (Domain-Wide Delegation) |
---|---|---|
Risk Findings | User Managed Key; Access Key(s) Not Rotated; Multiple Access Keys Active; Owner Role Applied; Inactive; Admin | Lateral Movement; User Managed Key; Access Key(s) Not Rotated; Multiple Access Keys Active; Owner Role Applied; Inactive; Admin |
Profiling Label | Learning | Learning |
Permissions Calculation | Available | Available |
Highest Access Evaluation | Available | Available |
Risk Scoring | Available | Available |
Role Remediations | Available | Available |
Download CSV Reports | Available | Available |
GCP Groups
Permissions | CIEM Basic | CIEM Advanced (Domain-Wide Delegation) |
---|---|---|
Risk Findings | Editor Role Applied; Owner Role Applied; Admin | Inactive; Admin; Editor Role Applied; Owner Role Applied |
Profiling Label | Learning | Learning |
Permissions Calculation | Unavailable | Available |
Highest Access Evaluation | Available | Available |
Risk Scoring | Unavailable | Available |
Role Remediations | Unavailable | Available |
Download CSV Reports | Available | Available |
GCP Roles
Permissions | CIEM Basic | CIEM Advanced (Domain-Wide Delegation) |
---|---|---|
Risk Findings | Inactive; Admin | |
Profiling Label | Learning | Learning |
Permissions Calculation | Available | Available |
Highest Access Evaluation | Available | Available |
Risk Scoring | Available | Available |
Role Remediations | Available | Available |
Download CSV Reports | Available | Available |
Membership Evaluation | Unavailable | Available |