Filtering entitlements for Google Cloud (G Suite Connector)

We are struggling with the following issue, and I will admit it may be an isolated problem related to our enterprise, but I guess others might have had the same issue.
While setting up the G Suite, with the scope of initially doing access reviews for GCP I’ve discovered that out of the box, the connector only returns Workspace roles.
Now, in order to see a bit more, we need to enable Cloud Resource Management, but that brings in both IAMRoles and iamResourcePermission, and the connector ends up failing after retrieving around 14K iamResourcePermissions.
I would like to “convince” the connector to ignore the iamResourcePermissions, and only focus on the other entitlement types.
I’ve seen no possibility to aggregate only specific permissions from the GUI, and in the API I tried to remove the schema for the iamResourcePermission, to remove the entitlement toggle to them, all without success.
Has anyone managed to find a solution to this issue?

If I read your statement correctly, you only want the Workspace roles and IAMRoles, but not the iamResourcePermissions.
Can you limit which ‘resources’ are visible to the service account, i.e. don’t give the service account access to the iamResourcePermissions?

I’m not familiar with GCP, but that might be a path to look into.

Thanks for the suggestion!

We actually struggled to get this off the ground; we wanted to go with a limited read-only permission set to start with, and the connection failed.

We ended up having to assign the exact permissions stated on the SailPoint documentation page, which is like Directory Admin.
We don’t use Google Workspace, we actually only have it as an entry point to GCP (which is our focus).
We might look into it, but the Google Workspace connector seems to be quite sensitive to the permissions it has.

Have you looked into the Google Workspace SaaS connector?

Together with the connectivity customizers you may be able to filter out what is being read. (Or maybe it just works out-of-the-box with your 14k+ iamResourcePermissions!)