Policy Troubleshooter error: "You do not have permission to view specific group memberships."

Question

I'm trying to audit the permissions available to our staff in GCP.

To do this, I'm trying to use gcloud policy-troubleshooter or the GCP Console version of same.

What I'm finding is that I cannot see role assignments that are bound to Groups. On the command line, the response includes an error like MEMBERSHIP_UNKNOWN_INFO_DENIED; the web version is less shouty: "You do not know if principal is in this group or not because you do not have permission to view group membership"

I am the Owner of the the group in question, so I'm unclear why I wouldn't have permissions. I can see group membership in the IAM Groups panel. I also can't figure out what permission I lack; there's no Audit Log entry denying the access.

How can I get access to review these permissions?

Answer 1

After reading the documentation I noticed that there is a known limitation [1] which explains that Policy Troubleshooter can't always fully explain access to a resource. If you don't have access to a policy that applies to a resource, Policy Troubleshooter won't analyze it. So it recommends to ensure that you are granted the Security Reviewer (roles/iam.securityReviewer) role. This will ensure you can read all applicable Cloud IAM policies.

[1] https://cloud.google.com/iam/docs/troubleshooting-access#limitations

Answer 2

Group membership is not covered by IAM permissions.

Specific groups

For specific groups you can be granted the view members permission using the group roles in Google Groups (groups.google.com).

If you are a group member you will be able to see other members in most situations. However, who can see members can be customised in the group settings. It can be very open where everyone in the organisation can see group members. Alternatively, it can be very closed where only the owner of the group can see group members. But like I said, in most cases a member can see who are the other members of a group.

All groups in the organisation

Most people that view this answer will want permissions to view members of all groups in the organisation. You will need to be granted a specific Google Workspace administrator role to view the members of all groups. At minimum you will need the Groups Reader role. This will allow you to view all groups for that Google Workspace account. More info here: https://support.google.com/a/answer/2405986?hl=en#:~:text=Groups%20Reader%E2%80%94Can%20read%20Groups,label%20on%20a%20groups%20resource.