Figuring out who can access services across a platform as varied as Google Cloud can be a challenge for IT administrators. Google has done a lot of the work for you with a set of fairly granular pre-defined roles, but recognizing that canned roles won't suit everyone's needs, the company announced a Beta of custom roles today.
As the name implies, administrators can define roles as broadly or narrowly as a given job inside the organization requires. The platform already ships three coarse primitive roles (Owner, Editor and Viewer) and, on top of those, 100 predefined service-specific roles; when none of those matches what you need, custom roles fill the gap.
As Google project manager Rohit Khare describes it in a blog post introducing the new feature, "Custom roles complement the primitive and predefined roles when you need to be even more precise." He offers the example of Cloud SQL data auditors, who need to see which databases exist and how they are set up without being able to read their contents or change anything.
As Khare explains in the blog post, "You can build your own “Cloud SQL Inventory” custom role to grant auditors browse access to databases without giving them permission to export their contents."
Google says the best way to create a new role is to clone an existing one, rename it, then add or remove permissions. They also warn that custom roles need tracking: Google keeps updating the platform and the predefined roles along with it, but a custom role keeps exactly the permissions you gave it, so you have to check periodically that it still lines up with the current service and with the predefined role it was cloned from.
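The clone-and-prune workflow above, and the drift check that the tracking warning calls for, as an added example (not Google's code and not from Khare's post). It builds a "Cloud SQL Inventory" style role by removing the export permission from a wider base role, renders the YAML that `gcloud iam roles create` accepts, and reports where the base role has moved since the clone. The permission names are from the Cloud SQL namespace, but the base-role sets are constructed here for illustration and are not the real contents of any predefined role.

```python
"""Derive a narrow custom IAM role from a wider base role and detect drift.

Added example, not Google's code. The base-role permission sets below are
constructed for illustration and are NOT the contents of roles/cloudsql.viewer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomRole:
    role_id: str                 # passed on the gcloud command line, not in the file
    title: str
    description: str
    included_permissions: tuple  # sorted permission strings
    stage: str = "GA"            # ALPHA, BETA, GA, DEPRECATED or DISABLED


def derive_custom_role(base_permissions, role_id, title, description, remove):
    """Clone a base role's permission set, then drop the ones listed in `remove`.

    Raises if a permission slated for removal is not in the base, so a typo in
    the denylist cannot silently leave a sensitive permission in place.
    """
    base = set(base_permissions)
    missing = set(remove) - base
    if missing:
        raise ValueError(f"not in base role, check spelling: {sorted(missing)}")
    kept = tuple(sorted(base - set(remove)))
    return CustomRole(role_id, title, description, kept)


def render_role_yaml(role):
    """Emit the YAML shape accepted by
    `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml`."""
    lines = [
        f"title: {role.title}",
        f"description: {role.description}",
        f"stage: {role.stage}",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in role.included_permissions]
    return "\n".join(lines) + "\n"


def drift_report(custom_permissions, base_snapshot, base_current):
    """Compare the base role as it was when cloned with the base role as it is now.

    Predefined roles are updated in place; a custom role is not, so each
    difference is a decision someone has to make:
      added   = permissions the base gained that the custom role lacks
      removed = permissions the custom role still grants that the base dropped
    """
    snapshot, current = set(base_snapshot), set(base_current)
    custom = set(custom_permissions)
    return {
        "added": sorted(current - snapshot - custom),
        "removed": sorted((snapshot - current) & custom),
    }


# Constructed sample: what a viewer-style base role granted at clone time.
BASE_SNAPSHOT = (
    "cloudsql.backupRuns.list",
    "cloudsql.databases.get",
    "cloudsql.databases.list",
    "cloudsql.instances.export",  # lets a "viewer" dump table contents out
    "cloudsql.instances.get",
    "cloudsql.instances.list",
)
# Constructed sample: the same base role after Google added a permission to it.
BASE_CURRENT = BASE_SNAPSHOT + ("cloudsql.users.list",)

INVENTORY_ROLE = derive_custom_role(
    BASE_SNAPSHOT,
    role_id="cloudSqlInventory",
    title="Cloud SQL Inventory",
    description="Browse instances and databases without exporting their contents",
    remove=["cloudsql.instances.export"],
)


if __name__ == "__main__":
    print(render_role_yaml(INVENTORY_ROLE))
    print(drift_report(INVENTORY_ROLE.included_permissions, BASE_SNAPSHOT, BASE_CURRENT))
```

In practice the snapshot would be the output of `gcloud iam roles describe` for the base role, stored next to the custom role's definition in version control; re-running the describe and feeding both sets to `drift_report` on a schedule turns Google's "keep it in line with the latest versions" warning into a concrete check.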
While Google has done a good job of covering the most common use cases with its predefined roles, there will always be outliers, and the ability to maintain a set of custom roles will appeal to organizations that need finer-grained control than they get out of the box.