Policy: GCP > Turbot > Permissions > Turbot/Owner Level to grant GCP/SuperUser

Define the levels at which a user must have Turbot/Owner to be able to grant GCP/SuperUser. GCP/SuperUser is a highly privileged right that may require tighter restrictions than other rights. For example, if set to "GCP Folder or higher", then only users with Turbot/Owner on a parent Google folder, Organization, or Guardrails folder can grant GCP/SuperUser on a GCP Project - users with Turbot/Owner at the Project level would not be able to grant GCP/SuperUser.

Targets

This policy targets the following resource types:

Primary Policy

This policy is used with the following primary policy:

GCP > Turbot > Permissions

Policy Specification

Schema Type	`string`
Default	`Turbot Folder or higher`
Valid Values [YAML]	`Turbot` `Turbot Folder or higher` `Organization or higher` `GCP Folder or higher` `Project or higher`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/turbot#/control/categories/iamPermissions

Policy Type URI

tmod:@turbot/gcp-iam#/policy/types/permissionsGrantOwner

GraphQL

query policyType(id: "tmod:@turbot/gcp-iam#/policy/types/permissionsGrantOwner") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/gcp-iam#/policy/types/permissionsGrantOwner'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/gcp-iam#/policy/types/permissionsGrantOwner'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/gcp-iam#/policy/types/permissionsGrantOwner"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/gcp-iam#/policy/types/permissionsGrantOwner"