Overview of role recommendations

Role recommendations help you identify and remove excess permissions from your principals, improving your resources' security configurations.

Overview of role recommendations

Role recommendations are generated by the IAM recommender. The IAM recommender is one of the recommenders that Recommender offers.

Each role recommendation suggests that you remove or replace a role that gives your principals excess permissions. At scale, these recommendations help you enforce the principle of least privilege by ensuring that principals have only the permissions that they actually need.

The IAM recommender identifies excess permissions using policy insights. Policy insights are ML-based findings about a principal's permission usage.

Some recommendations are also associated with lateral movement insights. These insights identify roles that allow service accounts in one project to impersonate service accounts in another project. For more information, see How lateral movement insights are generated.

How policy insights are generated

Policy insights highlight the permissions in a principal's roles that the principal isn't using.

The IAM recommender generates policy insights by comparing a principal's total number of permissions with the permissions that the principal used in the last 90 days. If the role was granted fewer than 90 days ago, the IAM recommender looks at the principal's permission usage in the time since the principal was granted the role.

There are a few ways in which a principal can use a permission:

  • Directly, by calling an API that requires the permission

    For example, the roles.list method in the IAM REST API requires the iam.roles.list permission. When you call the roles.list method, you use the iam.roles.list permission.

    Similarly, when you call the testIamPermissions method for a resource, you effectively use all of the permissions that you are testing.

  • Indirectly, by using the Google Cloud console to work with Google Cloud resources

    For example, in the Google Cloud console, you can edit a Compute Engine virtual machine (VM) instance, which requires different permissions based on which settings you change. However, the Google Cloud console also displays the existing settings, which requires the compute.instances.get permission.

    As a result, when you edit a VM instance in the Google Cloud console, you use the compute.instances.get permission.
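The window and usage rules above, worked through in code. This is an added example, not the recommender's implementation or the schema of the exported access data: the role, the access records and their `kind` field are constructed here, and the observation window is the 90-day lookback clipped to the grant date, as the text describes.

```python
from datetime import date, timedelta

MAX_OBSERVATION_DAYS = 90  # the recommender looks back at most 90 days

# Constructed role definition: a made-up role, not a real predefined role.
ROLE_PERMISSIONS = {
    "roles/example.vmOperator": {
        "iam.roles.get",
        "iam.roles.list",
        "compute.instances.get",
        "compute.instances.list",
        "compute.instances.setMetadata",
    },
}

# Constructed access records, one per call. The "kind" field is an assumption
# of this example, not a field of the real IAM access data.
ACCESS_RECORDS = [
    # Before the grant date: outside the observation window, so it must be ignored.
    {"day": date(2022, 4, 20), "kind": "api", "permission": "iam.roles.get"},
    # Direct use: calling roles.list uses iam.roles.list.
    {"day": date(2022, 5, 10), "kind": "api", "permission": "iam.roles.list"},
    # Indirect use: editing a VM in the console also displays it (compute.instances.get).
    {"day": date(2022, 6, 1), "kind": "console_edit_vm",
     "permissions": ["compute.instances.setMetadata"]},
    # testIamPermissions counts every permission tested, even ones outside the role.
    {"day": date(2022, 6, 10), "kind": "testIamPermissions",
     "permissions": ["compute.instances.list", "storage.buckets.list"]},
]


def permissions_exercised(record):
    """Map one access record to the set of permissions it used."""
    kind = record["kind"]
    if kind == "api":
        return {record["permission"]}
    if kind == "testIamPermissions":
        return set(record["permissions"])
    if kind == "console_edit_vm":
        # The console shows the current settings before you can change them.
        return set(record["permissions"]) | {"compute.instances.get"}
    raise ValueError(f"unknown access record kind: {kind!r}")


def observation_window_start(today, grant_date):
    """Window start: 90 days back, or the grant date if the role is newer than that."""
    return max(today - timedelta(days=MAX_OBSERVATION_DAYS), grant_date)


def policy_insight(role, records, grant_date, today):
    """Split a role's permissions into used and unused within the observation window."""
    granted = ROLE_PERMISSIONS[role]
    start = observation_window_start(today, grant_date)
    used = set()
    for record in records:
        if start <= record["day"] <= today:
            # Only permissions the role actually grants count toward this role.
            used |= permissions_exercised(record) & granted
    return {
        "role": role,
        "observation_days": (today - start).days,
        "used_permissions": sorted(used),
        "unused_permissions": sorted(granted - used),
    }


def example_insight():
    """Run the constructed scenario: role granted 52 days before the analysis date."""
    return policy_insight("roles/example.vmOperator", ACCESS_RECORDS,
                          grant_date=date(2022, 5, 1), today=date(2022, 6, 22))


if __name__ == "__main__":
    insight = example_insight()
    print(f"{insight['role']}: {insight['observation_days']} days observed")
    print("used:  ", insight["used_permissions"])
    print("unused:", insight["unused_permissions"])
```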

To determine the permissions that the principal used, the IAM recommender uses aggregated IAM access data. To learn how to export the data that IAM recommender uses for these insights, see Export data for role recommendations.

The IAM recommender also uses machine learning to identify permissions in a principal's current role that the principal is likely to need in the future, even if the principal did not use those permissions recently. For more information, see Machine learning for policy insights on this page.

Policy insights aren't generated for all IAM roles that are granted to principals. For more information about why a role might not have a policy insight, see Availability on this page.

To learn how to manage policy insights, see Manage policy insights for projects, folders, and organizations or Manage policy insights for Cloud Storage buckets.

Machine learning for policy insights

In some cases, a principal is likely to need certain permissions that are included in their current roles, but that they haven't used recently. To identify these permissions, the IAM recommender uses a machine learning (ML) model when generating policy insights.

This machine learning model is trained on multiple sets of signals:

  • Common co-occurrence patterns in the observed history: The fact that a user used permissions A, B, and C in the past provides a hint that A, B, and C might be related in some way and that they are needed together to carry out a task on Google Cloud. If the ML model observes this pattern frequently enough, the next time a different user uses permissions A and B, the model will suggest that the user might need permission C as well.

  • Domain knowledge as encoded in the role definitions: IAM provides hundreds of different predefined roles that are service-specific. If a predefined role contains a set of permissions, it is a strong signal that those permissions should be granted together.

In addition to these signals, the model also uses word embedding to calculate how semantically similar the permissions are. Semantically similar permissions will be "close" to each other after embedding, and more likely to be granted together. For example, bigquery.datasets.get and bigquery.tables.list will be very close to each other after embedding.

All data used in the IAM recommender machine learning pipeline has k-anonymity, meaning that individuals in the anonymized data set cannot be re-identified. To achieve this level of anonymity, we drop all personally identifiable information (PII) such as the user ID related to each permission usage pattern. Then we drop all usage patterns that do not show up frequently enough across Google Cloud. The global model is trained on this anonymized data.

The global model can be further customized for each organization using federated learning, a machine learning process that trains machine learning models without exporting data.

How role recommendations are generated

If a policy insight indicates that a principal does not need all of the permissions in their role, the IAM recommender assesses the role to determine if it could be revoked, or if there is another role that's a better fit. If the role can be revoked, the IAM recommender generates a role recommendation to revoke the role. If there is another role that's a better fit, the IAM recommender generates a role recommendation to replace the role with a suggested role. This suggested role could be a new custom role, an existing custom role, or one or more predefined roles. Except in the case of recommendations for service agents, a role recommendation never suggests a change that increases a principal's level of access.

Role recommendations are generated based on only IAM access controls. They do not take into account other kinds of access controls, like access control lists (ACLs) and Kubernetes role-based access control (RBAC). If you use other types of access controls, take extra care when you review your recommendations, and consider how those access controls relate to your allow policies.

Additionally, role recommendations aren't generated for all IAM roles that are granted to principals. For more information about why a role might not have a role recommendation, see Availability on this page.

Observation period

A role recommendation's observation period is the number of days of permission usage data that the recommendation is based on.

The maximum observation period for role recommendations is 90 days. This means that the IAM recommender uses, at most, the most recent 90 days of permission usage data to generate role recommendations.

The IAM recommender also doesn't start generating role recommendations until it has a certain number of days of permission usage data. This duration is called the minimum observation period. By default, the minimum observation period is 90 days, but, for project-level role recommendations, you can manually set it to 30 days or 60 days. For details, see Configure role recommendation generation. If you set the minimum observation period to fewer than 90 days, you'll get recommendations sooner, but the accuracy of the recommendations might be affected.

If it's been longer than the minimum observation period but less than 90 days since the role was granted, the observation period is the length of time since the role was granted.

New custom roles in role recommendations

When the IAM recommender suggests replacements for a role, it always suggests an existing custom role, or one or more predefined roles, that appear to be a better fit for the principal's needs.

If the IAM recommender identifies a common permission usage pattern in your organization that does not map to an existing predefined or custom role, it might also recommend that you create a new project-level custom role. This custom role includes only the recommended permissions. You can modify the custom role recommendation by adding or removing permissions.

If you want to enforce the principle of least privilege as strictly as possible, choose the new custom role. The IAM recommender creates the custom role at the project level. You are responsible for maintaining and updating the custom roles for your projects.

If you prefer to use a role that is maintained for you, choose the predefined role. Google Cloud updates these roles regularly by adding or removing permissions. To be notified about these updates, subscribe to the news feed for the permissions change log. When you choose the predefined role, the principal continues to have at least a few permissions, and potentially a large number of permissions, that they have not used.

The IAM recommender recommends new custom roles only for roles granted on a project. It doesn't recommend new custom roles for roles granted on other resources, like folders or organizations.

Additionally, the IAM recommender doesn't recommend new custom roles in the following cases:

  • Your organization already has 100 or more custom roles.
  • Your project already has 25 or more custom roles.

The IAM recommender recommends no more than 5 new custom roles per day in each project, and no more than 15 new custom roles across the entire organization.

How lateral movement insights are generated

Lateral movement is when a service account in one project has permission to impersonate a service account in another project. For example, a service account might have been created in project A, but have permissions to impersonate a service account in project B.

These permissions can result in a chain of impersonations across projects that gives principals unintended access to resources. For example, if a principal impersonates the service account in project A, they can use that service account to impersonate the service account in project B. If the service account in project B has permission to impersonate other service accounts in other projects in your organization, the principal can continue to use service account impersonation to move from project to project, gaining permissions as they go.

The IAM recommender generates lateral movement insights by identifying roles that fit the following criteria:

  • The principal that was granted the role is a service account that was not created in the project.
  • The role includes one of the following permissions, which allow a principal to impersonate a service account:

    • iam.serviceAccounts.actAs
    • iam.serviceAccounts.getAccessToken
    • iam.serviceAccounts.getOpenIdToken
    • iam.serviceAccounts.implicitDelegation
    • iam.serviceAccounts.signBlob
    • iam.serviceAccounts.signJwt

If a role fits these criteria, the IAM recommender generates a lateral movement insight for the role. This insight contains information about the service account's impersonation abilities, including which service accounts it can impersonate and whether it used any impersonation permissions in the last 90 days.
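The two criteria above, and the chain of impersonations described earlier in this section, evaluated over a constructed set of bindings. This is an added example, not the recommender's own logic: the service accounts, projects, bindings, the partial role contents and the recent-usage set are all constructed, and the inventory of which project each service account was created in is assumed to be supplied by the caller.

```python
from collections import deque

# The six permissions the page lists as allowing impersonation.
IMPERSONATION_PERMISSIONS = {
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.getOpenIdToken",
    "iam.serviceAccounts.implicitDelegation",
    "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt",
}

# Constructed, partial role contents: only the permissions relevant here,
# not the full definitions of the real predefined roles.
ROLE_PERMISSIONS = {
    "roles/iam.serviceAccountTokenCreator": {
        "iam.serviceAccounts.getAccessToken", "iam.serviceAccounts.signBlob",
        "iam.serviceAccounts.signJwt", "iam.serviceAccounts.implicitDelegation",
    },
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs", "iam.serviceAccounts.get"},
    "roles/viewer": {"resourcemanager.projects.get"},
}

# Constructed inventory: the project each service account was created in.
SA_HOME_PROJECT = {
    "app@project-a.iam.gserviceaccount.com": "project-a",
    "deploy@project-b.iam.gserviceaccount.com": "project-b",
    "reader@project-c.iam.gserviceaccount.com": "project-c",
}

# Constructed bindings. "resource" is the project or the service account the role
# is granted on; a project-level grant is inherited by every service account in it.
BINDINGS = [
    {"project": "project-b", "resource_type": "project", "resource": "project-b",
     "member": "serviceAccount:app@project-a.iam.gserviceaccount.com",
     "role": "roles/iam.serviceAccountTokenCreator"},
    {"project": "project-c", "resource_type": "serviceAccount",
     "resource": "reader@project-c.iam.gserviceaccount.com",
     "member": "serviceAccount:deploy@project-b.iam.gserviceaccount.com",
     "role": "roles/iam.serviceAccountUser"},
    # Service account created in this very project: no insight.
    {"project": "project-a", "resource_type": "project", "resource": "project-a",
     "member": "serviceAccount:app@project-a.iam.gserviceaccount.com",
     "role": "roles/iam.serviceAccountTokenCreator"},
    # Not a service account at all: no insight.
    {"project": "project-b", "resource_type": "project", "resource": "project-b",
     "member": "user:alice@example.com", "role": "roles/viewer"},
]

# Constructed usage: service accounts that used an impersonation permission in the last 90 days.
USED_IMPERSONATION_RECENTLY = {"app@project-a.iam.gserviceaccount.com"}


def service_account_email(member):
    """Return the email of a serviceAccount: member, or None for other principal types."""
    prefix = "serviceAccount:"
    return member[len(prefix):] if member.startswith(prefix) else None


def fits_lateral_movement_criteria(binding):
    """Both criteria: a foreign service account, and a role carrying an impersonation permission."""
    email = service_account_email(binding["member"])
    if email is None or SA_HOME_PROJECT.get(email) == binding["project"]:
        return False
    return bool(ROLE_PERMISSIONS.get(binding["role"], set()) & IMPERSONATION_PERMISSIONS)


def impersonation_targets(binding):
    """Service accounts the binding lets the member impersonate."""
    if binding["resource_type"] == "serviceAccount":
        return {binding["resource"]}
    # Project-level grant: inherited by every service account created in that project.
    return {sa for sa, project in SA_HOME_PROJECT.items() if project == binding["project"]}


def lateral_movement_insights(bindings):
    """One insight per binding that fits the criteria, with the details the page lists."""
    insights = []
    for binding in bindings:
        if not fits_lateral_movement_criteria(binding):
            continue
        email = service_account_email(binding["member"])
        insights.append({
            "service_account": email,
            "project": binding["project"],
            "role": binding["role"],
            "can_impersonate": sorted(impersonation_targets(binding)),
            "used_impersonation_last_90_days": email in USED_IMPERSONATION_RECENTLY,
        })
    return insights


def impersonation_chain(insights, start):
    """Projects reachable, in discovery order, by chaining impersonation from one service account."""
    reachable, queue, seen = [], deque([start]), {start}
    while queue:
        current = queue.popleft()
        for insight in insights:
            if insight["service_account"] != current:
                continue
            for target in insight["can_impersonate"]:
                if target not in seen:
                    seen.add(target)
                    reachable.append(SA_HOME_PROJECT[target])
                    queue.append(target)
    return reachable


if __name__ == "__main__":
    found = lateral_movement_insights(BINDINGS)
    for insight in found:
        print(insight)
    print("chain from app@project-a:", impersonation_chain(found, "app@project-a.iam.gserviceaccount.com"))
```

Insights whose `used_impersonation_last_90_days` is false are the ones the page says get linked to a role recommendation, so they are the first to review.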

The IAM recommender doesn't use lateral movement insights on their own to generate new role recommendations. This is because, if a service account is using its impersonation permissions, the IAM recommender can't safely suggest removing them. However, if a role recommendation suggests removing these permissions because they aren't being used, the IAM recommender will link the lateral movement insight to that recommendation. This linkage helps you prioritize role recommendations for service accounts that have powerful, unused impersonation permissions across projects.

To learn how to manage lateral movement insights, see Manage lateral movement insights.

Availability

Policy insights, lateral movement insights, and role recommendations aren't generated for all roles that are granted to principals. Read the following sections to understand the roles that policy insights, lateral movement insights, and recommendations are generated for.

Note: If your project is inactive, the IAM recommender will not generate policy insights or role recommendations for your project. It will start generating policy insights and role recommendations again if your project becomes active.

We use machine learning to determine if a project is active. Your project will never be marked as inactive if you have viewed or updated your project's or organization's allow policies in the past 50 days.

Policy insight availability

For the IAM recommender to generate a policy insight for a role, the following must be true:

It can take up to 10 days for the IAM recommender to generate policy insights for a newly granted role.

Lateral movement insight availability

Lateral movement insights are generated for roles that are granted on the following resources:

  • Organizations
  • Folders
  • Projects
  • Service accounts

Role recommendation availability

For the IAM recommender to generate a role recommendation for a role, the following must be true:

  • The role must have a policy insight associated with it. This policy insight serves as the basis for the recommendation.
  • It must have been longer than the minimum observation period since the role was granted. This ensures that the IAM recommender has enough usage data to make a recommendation. By default, the minimum observation period is 90 days, but you can manually set it to 30 days or 60 days. For details, see Configure role recommendation generation.
  • If the principal that's granted the role is a service agent, the role must be Owner, Editor, or Viewer. The IAM recommender doesn't generate role recommendations for service agents with other roles. For more details, see Role recommendations for service agents.

If a role was granted too recently or doesn't have any insights, the Analyzed permissions column in the Google Cloud console shows an icon.

There are some cases where the IAM recommender doesn't generate role recommendations for a role, even though enough time has passed and the role has an insight associated with it. This can happen for the following reasons:

  • There are no predefined IAM roles that are more appropriate than the current role. If a principal already has a predefined role that minimizes their permissions, or that includes fewer permissions than other predefined roles, then the IAM recommender cannot recommend a different predefined role.

    You might be able to reduce the principal's permissions by creating a custom role for the principal.

  • The principal is a service agent, and the role is not a basic role. The IAM recommender only generates role recommendations for service agents that have a basic role (Owner, Editor, or Viewer). For more details, see Role recommendations for service agents.

  • No other principal has the Owner basic role for the project. At least one principal must have the Owner role (roles/owner) for each project. If only one principal has this role, the IAM recommender will not recommend that you revoke or replace the role.

In these cases, the Analyzed permissions column in the Google Cloud console shows the principal's permission usage, but does not have a Recommendation available icon.

Priority and severity

Recommendation priority and insight severity help you understand the urgency of a recommendation or insight and prioritize accordingly.

Role recommendation priority

Recommendations are assigned priority levels based on their perceived urgency. Priority levels range from P1 (highest priority) to P4 (lowest priority).

Note: The Google Cloud console doesn't show priority levels for recommendations. To view priority levels, you must use the gcloud CLI or REST API.

A role recommendation's priority depends on the role that the recommendation is for:

  • P1: Recommendations for roles that grant public access to Cloud Storage buckets. Publicly accessible buckets can be accessed by anyone on the internet. Removing public access gives you more control over your data.
  • P1: Recommendations for roles that grant public access to BigQuery datasets. Publicly accessible datasets can be accessed by anyone on the internet. Removing public access gives you more control over your data.
  • P2: Recommendations for basic roles (Owner, Editor, and Viewer) that are granted on a project, folder, or organization. Basic roles are highly permissive, and applying recommendations for these roles can greatly reduce excess permissions.
  • P4: Recommendations for roles that neither grant public access nor are basic roles. Although these recommendations help you reduce excess permissions, they don't remove public access or highly permissive basic roles, which makes them a lower priority.

Insight severity

Insights are assigned severity levels based on their perceived urgency. Severity levels can be LOW, MEDIUM, HIGH, or CRITICAL.

A policy insight's severity depends on the role that the insight is for:

  • CRITICAL: Insights for roles that grant public access to Cloud Storage buckets. Publicly accessible buckets can be accessed by anyone on the internet. Removing public access gives you more control over your data.
  • CRITICAL: Insights for roles that grant public access to BigQuery datasets. Publicly accessible datasets can be accessed by anyone on the internet. Removing public access gives you more control over your data.
  • HIGH: Insights for basic roles (Owner, Editor, and Viewer) that are granted on a project, folder, or organization. Basic roles are highly permissive, and addressing insights for these roles can greatly reduce excess permissions.
  • LOW: Insights for roles that neither grant public access nor are basic roles. Although these insights highlight excess permissions, they don't involve public access or highly permissive basic roles, which makes them a lower priority.

All lateral movement insights have a severity of LOW.

How role recommendations are applied

The IAM recommender does not apply recommendations automatically. Instead, you must review your recommendations and decide whether to apply or dismiss them. To learn how to review, apply, and dismiss role recommendations, see one of the following guides:

Audit logging

When you apply or dismiss a recommendation, the IAM recommender creates a log entry. You can view these entries in your recommendations history, or you can view them in your Google Cloud audit logs.

Role recommendation subtypes

Preview — Policy insights for BigQuery datasets

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Role recommendations are split into several different subtypes based on the action they recommend. If you use the gcloud CLI or the REST API, you can use these subtypes to filter your recommendations.

  • REMOVE_ROLE: A recommendation to remove the principal's project-level, folder-level, or organization-level role.
  • REMOVE_ROLE_BIGQUERY_DATASET: A recommendation to remove the principal's dataset-level role.
  • REMOVE_ROLE_STORAGE_BUCKET: A recommendation to remove the principal's bucket-level role.
  • REPLACE_ROLE: A recommendation to replace the principal's project-level, folder-level, or organization-level role with a less permissive role. The recommended replacement could be an existing custom role or one or more predefined roles.
  • REPLACE_ROLE_CUSTOMIZABLE: A recommendation to replace the principal's role with a new custom role that's less permissive than their current role.
  • REPLACE_ROLE_BIGQUERY_DATASET: A recommendation to replace the principal's dataset-level role with a less permissive role. The recommended replacement could be an existing custom role or one or more predefined roles.
  • REPLACE_ROLE_STORAGE_BUCKET: A recommendation to replace the principal's bucket-level role with a less permissive role. The recommended replacement could be an existing custom role or one or more predefined roles.
  • SERVICE_AGENT_WITH_DEFAULT_ROLE: A recommendation to replace a service agent's Owner, Editor, or Viewer role with the role that was automatically granted to the service account when it was created. For more information, see Role recommendations for service agents.
  • SERVICE_AGENT_WITHOUT_DEFAULT_ROLE: A recommendation to replace a service agent's Owner, Editor, or Viewer role with a less permissive role. For more information, see Role recommendations for service agents.

Role recommendations for service agents

For service agents, the IAM recommender only provides recommendations for basic roles (Owner, Editor, or Viewer).

Recommendations for service agents are divided into two recommendation subtypes.

SERVICE_AGENT_WITH_DEFAULT_ROLE

On creation, some service agents are automatically granted a service agent role to ensure that your Google Cloud services work properly. If you replace this role with a basic role (Owner, Editor, or Viewer), a role recommendation might suggest that you restore the original service agent role to remove excess permissions, even if the service agent role has permissions that are not in the basic role. These recommendations have the subtype SERVICE_AGENT_WITH_DEFAULT_ROLE. They help you safely remove excess permissions while ensuring that all Google Cloud services work properly.

SERVICE_AGENT_WITH_DEFAULT_ROLE recommendations are the only type of recommendation that might suggest roles with permissions not in the current role.

SERVICE_AGENT_WITHOUT_DEFAULT_ROLE

If a service agent is not automatically granted a role on creation, recommendations for the service agent are based exclusively on the permissions that the service agent uses. These recommendations have the subtype SERVICE_AGENT_WITHOUT_DEFAULT_ROLE.

Role recommendations in Security Command Center

If you have the Premium or Enterprise tier of Security Command Center, you can view some subtypes of role recommendations as findings in Security Command Center. Each subtype is associated with a detector:

  • REMOVE_ROLE: finding category "Unused IAM role"
  • REPLACE_ROLE: finding category "IAM role has excessive permissions"
  • SERVICE_AGENT_WITH_DEFAULT_ROLE: finding category "Service agent role replaced with basic role"
  • SERVICE_AGENT_WITHOUT_DEFAULT_ROLE: finding category "Service agent granted basic role"

For more information about viewing role recommendations in Security Command Center, see IAM recommender in the Security Command Center documentation.

Pricing

Project-level, folder-level, and organization-level role recommendations for basic roles are available at no charge.

The following advanced IAM recommender features are available with project-level or organization-level activations of the Premium or Enterprise tier of Security Command Center:

  • Recommendations for non-basic roles
  • Recommendations for roles granted on resources other than organizations, folders, and projects, for example, recommendations for roles granted on Cloud Storage buckets
  • Recommendations that suggest custom roles
  • Policy insights
  • Lateral movement insights

For more information, see Billing questions.

Examples of role recommendations

The following examples show the types of recommendations that you can receive.

Revoke an existing role

The user my-user@example.com was granted the Browser role on a project. The Browser role includes six permissions that allow the user to view resources in the project. However, during the past 90 days, my-user@example.com hasn't viewed any resources.

Therefore, the IAM recommender generates a role recommendation suggesting that you revoke the Browser role from my-user@example.com:

Console

gcloud

{"associatedInsights":[{"insight":"projects/123456789012/locations/global/insightTypes/google.iam.policy.Insight/insights/86c14538-dcfd-4326-afe5-ee8ac921e06a"}],"content":{"operationGroups":[{"operations":[{"action":"remove","path":"/iamPolicy/bindings/*/members/*","pathFilters":{"/iamPolicy/bindings/*/condition/expression":"","/iamPolicy/bindings/*/members/*":"user:my-user@example.com","/iamPolicy/bindings/*/role":"roles/browser"},"resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","resourceType":"cloudresourcemanager.googleapis.com/Project"}]}],"overview":{"member":"user:my-user@example.com","removedRole":"roles/browser","resource":"//cloudresourcemanager.googleapis.com/projects/123456789012"}},"description":"This role has not been used during the observation window.","etag":"\"9fc3241da8bfab51\"","lastRefreshTime":"2022-05-20T07:00:00Z","name":"projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/fe512038-5455-49g1-8f9c-752e31c8c154","primaryImpact":{"category":"SECURITY","securityProjection":{"details":{"revokedIamPermissionsCount":6}}},"priority":"P4","recommenderSubtype":"REMOVE_ROLE","stateInfo":{"state":"ACTIVE"}}

REST

{"name":"projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/fe512038-5455-49g1-8f9c-752e31c8c154","description":"This role has not been used during the observation window.","lastRefreshTime":"2022-05-20T07:00:00Z","primaryImpact":{"category":"SECURITY","securityProjection":{"details":{"revokedIamPermissionsCount":6}}},"content":{"operationGroups":[{"operations":[{"action":"remove","resourceType":"cloudresourcemanager.googleapis.com/Project","resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","path":"/iamPolicy/bindings/*/members/*","pathFilters":{"/iamPolicy/bindings/*/condition/expression":"","/iamPolicy/bindings/*/members/*":"user:my-user@example.com","/iamPolicy/bindings/*/role":"roles/browser"}}]}],"overview":{"resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","member":"user:my-user@example.com","removedRole":"roles/browser"}},"stateInfo":{"state":"ACTIVE"},"etag":"\"9fc3241da8bfab51\"","recommenderSubtype":"REMOVE_ROLE","associatedInsights":[{"insight":"projects/123456789012/locations/global/insightTypes/google.iam.policy.Insight/insights/86c14538-dcfd-4326-afe5-ee8ac921e06a"}],"priority":"P4"}

Replace an existing role

A service account was granted the Editor role (roles/editor) on a project. This basic role includes more than 3,000 permissions and grants extensive access to the project. However, during the past 90 days, the service account has only used a few of those permissions.

Therefore, the IAM recommender generates a role recommendation suggesting that you revoke the Editor role and replace it with a combination of two other roles, which removes thousands of excess permissions:

Console

gcloud

{"associatedInsights":[{"insight":"projects/123456789012/locations/global/insightTypes/google.iam.policy.Insight/insights/3d4ef3d6-bdf0-4330-975d-c65cb929c44d"}],"content":{"operationGroups":[{"operations":[{"action":"add","path":"/iamPolicy/bindings/*/members/-","pathFilters":{"/iamPolicy/bindings/*/condition/expression":"","/iamPolicy/bindings/*/role":"roles/iam.serviceAccountUser"},"resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","resourceType":"cloudresourcemanager.googleapis.com/Project","value":"user:my-user@example.com"},{"action":"add","path":"/iamPolicy/bindings/*/members/-","pathFilters":{"/iamPolicy/bindings/*/condition/expression":"","/iamPolicy/bindings/*/role":"roles/storage.objectAdmin"},"resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","resourceType":"cloudresourcemanager.googleapis.com/Project","value":"user:my-user@example.com"},{"action":"remove","path":"/iamPolicy/bindings/*/members/*","pathFilters":{"/iamPolicy/bindings/*/condition/expression":"","/iamPolicy/bindings/*/members/*":"user:my-user@example.com","/iamPolicy/bindings/*/role":"roles/editor"},"resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","resourceType":"cloudresourcemanager.googleapis.com/Project"}]}],"overview":{"addedRoles":["roles/iam.serviceAccountUser","roles/storage.objectAdmin"],"member":"user:my-user@example.com","minimumObservationPeriodInDays":"0","removedRole":"roles/editor","resource":"//cloudresourcemanager.googleapis.com/projects/123456789012"}},"description":"Replace the current role with smaller predefined roles to cover the permissions needed.","etag":"\"0da9a354c2a83d96\"","lastRefreshTime":"2022-06-22T07:00:00Z","name":"projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/4637db3d-dba5-45eb-95ac-b4ee4b4cd14e","primaryImpact":{"category":"SECURITY","securityProjection":{"details":{"revokedIamPermissionsCount":2998}}},"priority":"P2","recommenderSubtype":"REPLACE_ROLE","stateInfo":{"state":"ACTIVE"}}

REST

{"name":"projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/4637db3d-dba5-45eb-95ac-b4ee4b4cd14e","description":"Replace the current role with smaller predefined roles to cover the permissions needed.","lastRefreshTime":"2022-06-22T07:00:00Z","primaryImpact":{"category":"SECURITY","securityProjection":{"details":{"revokedIamPermissionsCount":2998}}},"content":{"operationGroups":[{"operations":[{"action":"add","resourceType":"cloudresourcemanager.googleapis.com/Project","resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","path":"/iamPolicy/bindings/*/members/-","value":"user:my-user@example.com","pathFilters":{"/iamPolicy/bindings/*/condition/expression":"","/iamPolicy/bindings/*/role":"roles/iam.serviceAccountOwner"}},{"action":"add","resourceType":"cloudresourcemanager.googleapis.com/Project","resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","path":"/iamPolicy/bindings/*/members/-","value":"user:my-user@example.com","pathFilters":{"/iamPolicy/bindings/*/condition/expression":"","/iamPolicy/bindings/*/role":"roles/storage.objectAdmin"}},{"action":"remove","resourceType":"cloudresourcemanager.googleapis.com/Project","resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","path":"/iamPolicy/bindings/*/members/*","pathFilters":{"/iamPolicy/bindings/*/condition/expression":"","/iamPolicy/bindings/*/members/*":"user:my-user@example.com","/iamPolicy/bindings/*/role":"roles/editor"}}]}],"overview":{"resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","member":"user:my-user@example.com","removedRole":"roles/editor","addedRoles":["roles/iam.serviceAccountUser","roles/storage.objectAdmin"],"minimumObservationPeriodInDays":"0"}},"stateInfo":{"state":"ACTIVE"},"etag":"\"0da9a354c2a83d96\"","recommenderSubtype":"REPLACE_ROLE","associatedInsights":[{"insight":"projects/123456789012/locations/global/insightTypes/google.iam.policy.Insight/insights/3d4ef3d6-bdf0-4330-975d-c65cb929c44d"}],"priority":"P2"}
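How the add and remove operations in a REPLACE_ROLE recommendation like the one above translate into changes to a project's allow policy, as an added example. This is not the recommender's or gcloud's own apply logic: the recommendation and the policy are constructed (the recommendation is a cut-down copy of the operations shown above), and the operation semantics are interpreted here as: `pathFilters` select the binding by role and condition expression (an empty expression meaning an unconditional binding), a path ending in `/-` appends `value` to that binding's members, and `remove` deletes the named member from it.

```python
import copy

# Constructed recommendation in the same shape as the examples on this page:
# replace roles/editor with two predefined roles (a cut-down REPLACE_ROLE).
RECOMMENDATION = {
    "recommenderSubtype": "REPLACE_ROLE",
    "priority": "P2",
    "stateInfo": {"state": "ACTIVE"},
    "content": {"operationGroups": [{"operations": [
        {"action": "add", "path": "/iamPolicy/bindings/*/members/-",
         "pathFilters": {"/iamPolicy/bindings/*/condition/expression": "",
                         "/iamPolicy/bindings/*/role": "roles/iam.serviceAccountUser"},
         "value": "user:my-user@example.com"},
        {"action": "add", "path": "/iamPolicy/bindings/*/members/-",
         "pathFilters": {"/iamPolicy/bindings/*/condition/expression": "",
                         "/iamPolicy/bindings/*/role": "roles/storage.objectAdmin"},
         "value": "user:my-user@example.com"},
        {"action": "remove", "path": "/iamPolicy/bindings/*/members/*",
         "pathFilters": {"/iamPolicy/bindings/*/condition/expression": "",
                         "/iamPolicy/bindings/*/members/*": "user:my-user@example.com",
                         "/iamPolicy/bindings/*/role": "roles/editor"}},
    ]}]},
}

# Constructed allow policy for the project. The conditional Editor binding is
# there to show that the empty-expression filter leaves it alone.
POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:my-user@example.com", "user:other@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["group:storage-admins@example.com"]},
        {"role": "roles/editor", "members": ["user:my-user@example.com"],
         "condition": {"title": "weekdays",
                       "expression": "request.time.getDayOfWeek('UTC') < 6"}},
    ],
    "etag": "constructed-etag",
}


class PolicyDrift(Exception):
    """The policy no longer matches what the recommendation was generated against."""


def _expression(binding):
    return binding.get("condition", {}).get("expression", "")


def _find_binding(policy, role, expression):
    for binding in policy["bindings"]:
        if binding["role"] == role and _expression(binding) == expression:
            return binding
    return None


def apply_operation(policy, op):
    """Apply one recommendation operation to the policy in place."""
    filters = op["pathFilters"]
    role = filters["/iamPolicy/bindings/*/role"]
    expression = filters.get("/iamPolicy/bindings/*/condition/expression", "")
    binding = _find_binding(policy, role, expression)
    if op["action"] == "add":
        # Path ends in "/-": append the value to the matching binding's members.
        if binding is None:
            binding = {"role": role, "members": []}
            if expression:
                binding["condition"] = {"expression": expression}
            policy["bindings"].append(binding)
        if op["value"] not in binding["members"]:
            binding["members"].append(op["value"])
    elif op["action"] == "remove":
        member = filters["/iamPolicy/bindings/*/members/*"]
        if binding is None or member not in binding["members"]:
            # The grant has changed since the recommendation was generated: stop,
            # rather than silently applying the adds without the remove.
            raise PolicyDrift(f"{member} no longer holds {role}; refresh recommendations")
        binding["members"].remove(member)
        if not binding["members"]:
            policy["bindings"].remove(binding)
    else:
        raise ValueError(f"unsupported action {op['action']!r}")


def apply_recommendation(policy, recommendation):
    """Return a new policy with every operation applied; the input is left untouched."""
    if recommendation["stateInfo"]["state"] != "ACTIVE":
        raise ValueError("only ACTIVE recommendations can be applied")
    new_policy = copy.deepcopy(policy)
    for group in recommendation["content"]["operationGroups"]:
        for op in group["operations"]:
            apply_operation(new_policy, op)
    return new_policy


def applies_cleanly(policy, recommendation):
    """True if the recommendation still matches the policy (dry run)."""
    try:
        apply_recommendation(policy, recommendation)
        return True
    except PolicyDrift:
        return False


def members_with_role(policy, role, expression=""):
    binding = _find_binding(policy, role, expression)
    return list(binding["members"]) if binding else []


if __name__ == "__main__":
    updated = apply_recommendation(POLICY, RECOMMENDATION)
    for binding in updated["bindings"]:
        print(binding["role"], binding.get("condition", {}).get("title", ""), binding["members"])
```

Writing the updated policy back with setIamPolicy is left out; when you do, pass the policy's etag so a concurrent change is rejected rather than overwritten.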

Create a custom role

The user my-user@example.com was granted the Cloud Trace Admin role (roles/cloudtrace.admin) on a project. The role includes more than 10 permissions, but a policy insight indicates that, during the past 90 days, my-user@example.com used only 4 of those permissions.

Therefore, the IAM recommender generates a role recommendation suggesting that you create a custom role that includes only the permissions that my-user@example.com actually used:

Console

gcloud

The REPLACE_ROLE_CUSTOMIZABLE subtype indicates that the IAM recommender recommends creating a custom role with the used permissions. To see the used permissions, get the associated policy insight.

{"associatedInsights":[{"insight":"projects/123456789012/locations/global/insightTypes/google.iam.policy.Insight/insights/2799dc04-b12e-4cf6-86aa-d81907d31f58"}],"associatedResourceNames":["//cloudresourcemanager.googleapis.com/projects/123456789012"],"content":{"operationGroups":[{"operations":[{"action":"add","path":"/iamPolicy/bindings/*/members/-","pathFilters":{"/iamPolicy/bindings/*/condition/expression":"","/iamPolicy/bindings/*/role":"roles/cloudtrace.user"},"resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","resourceType":"cloudresourcemanager.googleapis.com/Project","value":"user:my-user@example.com"},{"action":"remove","path":"/iamPolicy/bindings/*/members/*","pathFilters":{"/iamPolicy/bindings/*/condition/expression":"","/iamPolicy/bindings/*/members/*":"user:my-user@example.com","/iamPolicy/bindings/*/role":"roles/cloudtrace.admin"},"resource":"//cloudresourcemanager.googleapis.com/projects/123456789012","resourceType":"cloudresourcemanager.googleapis.com/Project"}]}],"overview":{"minimumObservationPeriodInDays":"0"}},"description":"Replace the current role with a smaller role to cover the permissions needed.","etag":"\"c7f57a4725d32d66\"","lastRefreshTime":"2022-06-22T07:00:00Z","name":"projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/ba1fc977-fddd-3856-a829-f69649ae8075","originalContent":{},"primaryImpact":{"category":"SECURITY","securityProjection":{"details":{},"revokedIamPermissionsCount":1}},"priority":"P4","recommenderSubtype":"REPLACE_ROLE_CUSTOMIZABLE","stateInfo":{"state":"ACTIVE"},"targetResources":["//cloudresourcemanager.googleapis.com/projects/123456789012"]}

REST

The REPLACE_ROLE_CUSTOMIZABLE subtype indicates that the IAM recommender recommends creating a custom role with the used permissions. To see the used permissions, get the associated policy insight.

{
  "name": "projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/ba1fc977-fddd-3856-a829-f69649ae8075",
  "description": "Replace the current role with a smaller role to cover the permissions needed.",
  "lastRefreshTime": "2022-06-22T07:00:00Z",
  "primaryImpact": {
    "category": "SECURITY",
    "securityProjection": {
      "details": {
        "revokedIamPermissionsCount": 1
      }
    }
  },
  "content": {
    "operationGroups": [
      {
        "operations": [
          {
            "action": "add",
            "resourceType": "cloudresourcemanager.googleapis.com/Project",
            "resource": "//cloudresourcemanager.googleapis.com/projects/123456789012",
            "path": "/iamPolicy/bindings/*/members/-",
            "value": "user:my-user@example.com",
            "pathFilters": {
              "/iamPolicy/bindings/*/condition/expression": "",
              "/iamPolicy/bindings/*/role": "roles/cloudtrace.user"
            }
          },
          {
            "action": "remove",
            "resourceType": "cloudresourcemanager.googleapis.com/Project",
            "resource": "//cloudresourcemanager.googleapis.com/projects/123456789012",
            "path": "/iamPolicy/bindings/*/members/*",
            "pathFilters": {
              "/iamPolicy/bindings/*/condition/expression": "",
              "/iamPolicy/bindings/*/members/*": "user:my-user@example.com",
              "/iamPolicy/bindings/*/role": "roles/cloudtrace.admin"
            }
          }
        ]
      }
    ],
    "overview": {
      "minimumObservationPeriodInDays": "0"
    }
  },
  "stateInfo": {
    "state": "ACTIVE"
  },
  "etag": "\"c7f57a4725d32d66\"",
  "recommenderSubtype": "REPLACE_ROLE_CUSTOMIZABLE",
  "associatedInsights": [
    {
      "insight": "projects/123456789012/locations/global/insightTypes/google.iam.policy.Insight/insights/2799dc04-b12e-4cf6-86aa-d81907d31f58"
    }
  ],
  "priority": "P4"
}

The role recommendation also suggests another option, which is to replace the existing role with the Cloud Trace User role (roles/cloudtrace.user). This predefined role includes slightly fewer permissions than the Cloud Trace Admin role.
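As an added example (not code from this page or from Google Cloud), the following Python applies a recommendation's operationGroups to a project IAM policy offline, so you can diff the policy before and after the change before writing it back. The recommendation and the policy are constructed samples that mirror the REPLACE_ROLE_CUSTOMIZABLE recommendation above; reading the pathFilters as "role and condition expression must both match" is an assumption.

```python
import copy

# Constructed sample (not the page's code): the operations from the
# REPLACE_ROLE_CUSTOMIZABLE recommendation above, trimmed to what is needed.
ROLE = "/iamPolicy/bindings/*/role"
COND = "/iamPolicy/bindings/*/condition/expression"
MEMBER = "/iamPolicy/bindings/*/members/*"
RECOMMENDATION = {"content": {"operationGroups": [{"operations": [
    {"action": "add", "path": "/iamPolicy/bindings/*/members/-",
     "pathFilters": {COND: "", ROLE: "roles/cloudtrace.user"},
     "value": "user:my-user@example.com"},
    {"action": "remove", "path": MEMBER,
     "pathFilters": {COND: "", MEMBER: "user:my-user@example.com",
                     ROLE: "roles/cloudtrace.admin"}}]}]}}

# Constructed sample project IAM policy in the getIamPolicy response shape.
POLICY = {"bindings": [
    {"role": "roles/cloudtrace.admin",
     "members": ["user:my-user@example.com", "user:other@example.com"]},
    {"role": "roles/viewer", "members": ["user:other@example.com"]}]}


def _matches(binding, f):
    # Assumption: a binding matches when its role and condition expression
    # equal the filters; an absent condition counts as the empty expression.
    cond = binding.get("condition", {}).get("expression", "")
    return binding["role"] == f[ROLE] and cond == f.get(COND, "")


def apply_recommendation(policy, recommendation):
    """Return a copy of the policy with the recommendation's operations applied."""
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for group in recommendation["content"]["operationGroups"]:
        for op in group["operations"]:
            f = op["pathFilters"]
            hits = [b for b in bindings if _matches(b, f)]
            if op["action"] == "add":
                if not hits:  # no unconditional binding for that role yet
                    hits = [{"role": f[ROLE], "members": []}]
                    bindings.append(hits[0])
                for b in hits:
                    if op["value"] not in b["members"]:
                        b["members"].append(op["value"])
            elif op["action"] == "remove":
                for b in hits:
                    b["members"] = [m for m in b["members"] if m != f[MEMBER]]
            else:
                raise ValueError("unsupported action: " + op["action"])
    new["bindings"] = [b for b in bindings if b["members"]]  # drop emptied ones
    return new
```

After applying, my-user@example.com holds only roles/cloudtrace.user, the other member's bindings are untouched, and the original policy object is unchanged.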

Role replacement with permissions suggested by machine learning

A service account was granted the Editor role (roles/editor) on a project. This basic role includes more than 3,000 permissions and grants extensive access to a project. However, a policy insight indicates that, during the past 90 days, the service account has used fewer than 10 permissions.

The policy insight also highlights several permissions that the service account is likely to need in the future. The IAM recommender identified these permissions using machine learning.

The IAM recommender generates a role recommendation suggesting that you revoke the Editor role and replace it with the Storage Object Admin role (roles/storage.objectAdmin), which grants full control of objects in a Cloud Storage bucket. This change removes thousands of excess permissions, while still including both the permissions the service account used and the permissions that the service account is likely to need in the future:

Console

The IAM recommender uses a Machine learning icon to identify permissions that were added based on the IAM recommender's machine learning rather than on permission usage. In this example, the resourcemanager.projects.get permission was recommended based on machine learning:

gcloud

Permissions that were added based on the IAM recommender's machine learning rather than on permission usage aren't listed in the recommendation itself. Instead, they're listed in the policy insights associated with the recommendation. All ML-based permissions are listed in the inferredPermissions field of the insight. In this example, the resourcemanager.projects.get permission was recommended based on machine learning:

associatedRecommendations:
- recommendation: projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/0573b702-96a5-4622-a916-c762e7b0731f
category: SECURITY
content:
  condition:
    description: ''
    expression: ''
    location: ''
    title: ''
  currentTotalPermissionsCount: '5069'
  exercisedPermissions:
  - permission: storage.objects.create
  - permission: storage.objects.delete
  - permission: storage.objects.get
  - permission: storage.objects.list
  inferredPermissions:
  - permission: resourcemanager.projects.get
  member: serviceAccount:my-service-account@my-project.iam.gserviceaccount.com
  role: roles/editor
description: 4 of the permissions in this role binding were used in the past 90 days.
etag: '"d3cdec23cc712bd0"'
insightSubtype: PERMISSIONS_USAGE
lastRefreshTime: '2020-07-11T07:00:00Z'
name: projects/123456789012/locations/global/insightTypes/google.iam.policy.Insight/insights/0d3ce433-f067-4e78-b6ae-03d7d1f6f040
observationPeriod: 7776000s
stateInfo:
  state: ACTIVE
targetResources:
- //cloudresourcemanager.googleapis.com/projects/123456789012
severity: HIGH

To learn how to get a policy insight, see one of the following:

REST

Permissions that were added based on the IAM recommender's machine learning rather than on permission usage aren't listed in the recommendation itself. Instead, they're listed in the policy insights associated with the recommendation. All ML-based permissions are listed in the inferredPermissions field of the insight. In this example, the resourcemanager.projects.get permission was recommended based on machine learning:

{
  "name": "projects/123456789012/locations/global/insightTypes/google.iam.policy.Insight/insights/07841f74-02ce-4de8-bbe6-fc4eabb68568",
  "description": "4 of the permissions in this role binding were used in the past 90 days.",
  "content": {
    "role": "roles/editor",
    "member": "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com",
    "condition": {
      "expression": "",
      "title": "",
      "description": "",
      "location": ""
    },
    "exercisedPermissions": [
      {"permission": "storage.objects.create"},
      {"permission": "storage.objects.delete"},
      {"permission": "storage.objects.get"},
      {"permission": "storage.objects.list"}
    ],
    "inferredPermissions": [
      {"permission": "resourcemanager.projects.get"}
    ],
    "currentTotalPermissionsCount": "5069"
  },
  "lastRefreshTime": "2020-07-12T07:00:00Z",
  "observationPeriod": "7776000s",
  "stateInfo": {
    "state": "ACTIVE"
  },
  "category": "SECURITY",
  "associatedRecommendations": [
    {
      "recommendation": "projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/b1932220-867d-43d1-bd74-fb95876ab656"
    }
  ],
  "targetResources": [
    "//cloudresourcemanager.googleapis.com/projects/123456789012"
  ],
  "insightSubtype": "PERMISSIONS_USAGE",
  "etag": "\"d3cdec23cc712bd0\"",
  "severity": "HIGH"
}

To learn how to get a policy insight, see one of the following:
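As an added example (not code from this page or from Google Cloud), the following Python reads the exercisedPermissions and inferredPermissions of a PERMISSIONS_USAGE insight like the one above and checks that a proposed replacement role covers all of them, separating the ML-inferred permissions so a reviewer can look at those by hand. The insight is a constructed sample mirroring the page's, and the replacement role's permission set is a hypothetical, abbreviated list.

```python
# Constructed sample (not the page's code): the PERMISSIONS_USAGE policy
# insight above, trimmed to the fields used here.
INSIGHT = {
    "content": {
        "role": "roles/editor",
        "member": "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com",
        "exercisedPermissions": [{"permission": "storage.objects.create"},
                                 {"permission": "storage.objects.delete"},
                                 {"permission": "storage.objects.get"},
                                 {"permission": "storage.objects.list"}],
        "inferredPermissions": [{"permission": "resourcemanager.projects.get"}],
        "currentTotalPermissionsCount": "5069"},
    "insightSubtype": "PERMISSIONS_USAGE",
    "observationPeriod": "7776000s"}

# Hypothetical, abbreviated permission set for the replacement role. In
# practice, fetch the real list with: gcloud iam roles describe roles/storage.objectAdmin
REPLACEMENT_ROLE_PERMISSIONS = {
    "resourcemanager.projects.get", "storage.objects.create",
    "storage.objects.delete", "storage.objects.get", "storage.objects.list",
    "storage.objects.update"}


def required_permissions(insight):
    """Split the insight into permissions observed in use and ML-inferred ones."""
    content = insight["content"]
    used = {p["permission"] for p in content.get("exercisedPermissions", [])}
    inferred = {p["permission"] for p in content.get("inferredPermissions", [])}
    return used, inferred


def review_replacement(insight, role_permissions):
    """Check that a replacement role covers every needed permission and
    report which of those came from machine learning rather than usage."""
    used, inferred = required_permissions(insight)
    needed = used | inferred
    total = int(insight["content"]["currentTotalPermissionsCount"])
    return {
        "covers_all": needed <= role_permissions,
        "missing": sorted(needed - role_permissions),
        "ml_inferred": sorted(inferred - used),  # not backed by observed usage
        "revoked_if_custom_role": total - len(needed),
        "observation_days": int(insight["observationPeriod"].rstrip("s")) // 86400,
    }
```

For the sample insight the replacement covers all five needed permissions, one of which (resourcemanager.projects.get) is ML-inferred, and a custom role limited to those five would drop 5064 of the 5069 permissions over a 90-day observation window.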

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.