GCP integration permissions

Hi Team,

We are working on integrating GCP with SailPoint. In the prerequisites, I noticed that the user requires super admin access, which provides access to the entire infrastructure and poses a significant risk for us. Could you help us find an alternative? Additionally, could you explain why Service Account Admin and Project IAM Admin access are necessary for this integration?

Here’s the doc - In-built Roles

If you are looking to provision G Suite Roles, you will need to have Super Admin access. If you don’t care about managing G Suite Roles, then you should be able to use User Management Admin and Groups Admin.

Project IAM Admin provides permissions to control Policies on Projects. If you aren’t planning on doing this, then you could probably use some lower permissions like resourcemanager.projects.getIamPolicy, and not use resourcemanager.projects.setIamPolicy.

The connector will pull in all ServiceAccounts, which is why they are requesting the Service Account Admin permission. If you don’t plan to control Service Accounts, then try only including items like iam.serviceAccounts.get. That way the connector can still pull in the Service Accounts, but won’t be able to manage them.

https://documentation.sailpoint.com/connectors/g_suite/help/integrating_g_suite/custom_roles.html has a lot of good information.

*** I haven’t tried these reduced permissions, so you will likely need to do a lot of trial and error to get it going. Or you could contact Expert Services for help ***
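One way to apply the least-privilege approach described in this answer, as an added example that is not from SailPoint, Google, or the thread: a small Python helper that builds a custom-role definition (loadable with `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.json`) from read-only permissions and refuses any mutating one such as resourcemanager.projects.setIamPolicy. The permission list and the read-verb set are assumptions; the answer itself notes the reduced permissions are untested.

```python
import json
import re
from typing import Iterable

# GCP permissions are "<service>.<resource>.<verb>"; the verb decides whether the
# permission reads or mutates. Any verb outside READ_VERBS is treated as mutating
# (setIamPolicy, create, delete, update, ...). Assumed set, not a Google list.
READ_VERBS = {"get", "list", "getIamPolicy"}
PERMISSION_RE = re.compile(r"^[a-z][a-zA-Z0-9]*(\.[a-zA-Z0-9]+){2,}$")

# Constructed read-only replacement for Project IAM Admin and Service Account
# Admin, following the answer above; verify against the connector docs.
CONNECTOR_READ_PERMISSIONS = [
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "iam.serviceAccounts.get",
    "iam.serviceAccounts.list",
]


def is_read_only(permission: str) -> bool:
    """True if the permission's trailing verb is in the read-only set."""
    if not PERMISSION_RE.match(permission):
        raise ValueError(f"malformed permission: {permission!r}")
    verb = permission.rsplit(".", 1)[1]
    return verb in READ_VERBS


def mutating_permissions(permissions: Iterable[str]) -> list[str]:
    """Return the permissions that would let the connector change state."""
    return [p for p in permissions if not is_read_only(p)]


def build_custom_role(title: str, permissions: Iterable[str]) -> dict:
    """Build a role definition for `gcloud iam roles create --file`,
    rejecting any permission that grants write access."""
    perms = list(permissions)
    bad = mutating_permissions(perms)
    if bad:
        raise ValueError(f"role would grant write access: {bad}")
    return {
        "title": title,
        "description": "Read-only permissions for the SailPoint GCP connector",
        "stage": "GA",
        "includedPermissions": sorted(set(perms)),
    }


if __name__ == "__main__":
    role = build_custom_role("SailPoint connector read-only", CONNECTOR_READ_PERMISSIONS)
    print(json.dumps(role, indent=2))  # write this to role.json for gcloud
```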