Organization admin role granted to some user identity
Category: IAM, Keys & Secrets Changes
Use Cases: Detect, Audit
Data Sources: Audit Logs - Admin Activity
| BigQuery | Chronicle |
|---|---|
| SQL | YARA-L |
Grant a user the Organization Administrator role over GCP test project
| Name | Description | Type | Default Value |
|---|---|---|---|
| project | Name of GCP test project | String | test-project |
| user | Name of user account to grant role to | String | test-user |
gcloud projects add-iam-policy-binding #{project} --member=user:#{user} --role=roles/resourcemanager.organizationAdmin
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
},
"authenticationInfo": {
"principalEmail": "[email protected]",
"principalSubject": "user:[email protected]"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/373.0.0 command/gcloud.projects.add-iam-policy-binding invocation-id/94c895ff58154d4a97979bf492f1a615 environment/None environment-version/None interactive/True from-script/False python/3.8.9 term/xterm-256color (Macintosh; Intel Mac OS X 21.3.0),gzip(gfe)",
"requestAttributes": {
},
"destinationAttributes": {
}
},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
"authorizationInfo": [
{
"resource": "projects/1234",
"permission": "resourcemanager.projects.setIamPolicy",
"granted": true,
"resourceAttributes": {
"service": "cloudresourcemanager.googleapis.com",
"name": "projects/1234",
"type": "cloudresourcemanager.googleapis.com/Project"
}
}
],
"resourceName": "projects/1234",
"serviceData": {
"@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
"policyDelta": {
"bindingDeltas": [
{
"action": "ADD",
"role": "roles/resourcemanager.organizationAdmin",
"member": "user:[email protected]"
}
]
}
},
"request": {
"policy": {
"auditConfigs": [
{
"service": "allServices",
"auditLogConfigs": [
{
"logType": "ADMIN_READ"
},
{
"logType": "DATA_READ"
},
{
"logType": "DATA_WRITE"
}
]
}
],
"bindings": [
{
"members": [
"serviceAccount:[email protected]"
],
"role": "roles/compute.serviceAgent"
},
{
"members": [
"user:[email protected]"
],
"role": "roles/resourcemanager.organizationAdmin"
}
],
"etag": "BwXV5mJiUPY="
},
"@type": "type.googleapis.com/google.iam.v1.SetIamPolicyRequest",
"resource": "1234"
},
"response": {
"@type": "type.googleapis.com/google.iam.v1.Policy",
"auditConfigs": [
{
"auditLogConfigs": [
{
"logType": "ADMIN_READ"
},
{
"logType": "DATA_READ"
},
{
"logType": "DATA_WRITE"
}
],
"service": "allServices"
}
],
"etag": "BwXYxoWIMbo=",
"bindings": [
{
"members": [
"serviceAccount:[email protected]"
],
"role": "roles/compute.serviceAgent"
},
{
"members": [
"user:[email protected]"
],
"role": "roles/resourcemanager.organizationAdmin"
}
]
}
},
"insertId": "sb2lxqd2pqg",
"resource": {
"type": "project",
"labels": {
"project_id": "1234"
}
},
"timestamp": "2022-02-24T17:00:38.615448Z",
"severity": "NOTICE",
"logName": "projects/1234/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2022-02-24T17:00:39.927837462Z"
}