Approving Access Approval requests
This document explains how to approve an Access Approval request.
Before you begin
Make sure that you understand the concepts in the Overview page.
Grant the Access Approval Approver (roles/accessapproval.approver) IAM role on the project, folder, or organization to the principal who you want to be able to perform approvals. You can grant the Access Approval Approver IAM role to an individual user, a service account, or a Google group.
If you are using a custom signing key, you must also grant the Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier) IAM role to the Access Approval service account for your resource. If you are using a Google-managed signing key, you don't need to provide any other permissions.
For information about granting an IAM role, see Grant a single role.
Configure settings to receive notifications
You have the following options for receiving Access Approval requests:
Receive requests through email.
Receive requests through Pub/Sub.
If you have opted to receive Access Approval requests through email, you can also go to this page by clicking the link in the email sent to you with the approval request.
To approve a request, click Approve.
You also have the option of dismissing the request. Dismissing the request is optional because access continues to be denied even if you don't dismiss the request.
If you don't approve the Google employee's access request within 14 days or before the request expires, the request is automatically dismissed.
In the dialog box that opens, select the date and time when you want the access to expire.
Select Approve to approve access until the set expiration date and time.
Optional: To validate the signature on a request after approving it, follow the steps given in Validate a request signature.
cURL
To approve an Access Approval request using cURL, do the following:
Take the approvalRequest name from the Pub/Sub message.
Make an API call to approve or dismiss that approvalRequest.
You can reply to a request with one of the following options:
| Action | Effect | Google access status |
| --- | --- | --- |
| :approve | Approves the request. | Denied before approval, approved after approval. |
| :dismiss | Dismisses the approval request. We recommend dismissing the access request rather than taking no action. Dismissing the access request prompts the Google employee to follow up. | Denied before dismissal, denied after dismissal. |
| No action | The Google employee's access remains denied. The Google employee must open a new request to access the resource after the requestedExpiration time has passed. | Denied before no action, denied after the expiration time. |
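The API call from step 2 as a small wrapper, added here as an example (not part of Google's documentation): it checks the approvalRequest name and the action before anything reaches curl, so a malformed name taken from a notification cannot alter the credentialed request. The function names, the DRY_RUN switch and the allowed ID character set are assumptions; the endpoint and the oauth2l header are the ones this document's cURL request uses.

```shell
#!/bin/sh
# Added example: validate an approvalRequest name, then build or send the
# :approve / :dismiss call.

API_BASE="https://accessapproval.googleapis.com/v1"

# approval_action_url NAME ACTION
# Prints the action URL, or returns 1 for an action or name that is not
# allowed. Only approve and dismiss are accepted.
approval_action_url() {
  case "$2" in
    approve|dismiss) ;;
    *) echo "unsupported action: $2" >&2; return 1 ;;
  esac
  # Reject every character outside a conservative set (assumption), which
  # also rejects '?', '#', ':', '.', whitespace and newlines. Domain-scoped
  # project IDs would need this set widened.
  case "$1" in
    *[!A-Za-z0-9_/-]*) echo "illegal character in name" >&2; return 1 ;;
  esac
  # The parent may be a project, folder or organization.
  printf '%s\n' "$1" | grep -Eq \
    '^(projects|folders|organizations)/[A-Za-z0-9_-]+/approvalRequests/[A-Za-z0-9_-]+$' \
    || { echo "malformed approvalRequest name" >&2; return 1; }
  printf '%s/%s:%s\n' "$API_BASE" "$1" "$2"
}

# respond_to_request NAME ACTION
# With DRY_RUN=1 (the default) the URL is printed and nothing is sent.
# Set DRY_RUN=0 to send the request.
respond_to_request() {
  url="$(approval_action_url "$1" "$2")" || return 1
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "$url"
    return 0
  fi
  # Empty POST body (-d ''); the bearer header comes from oauth2l and a
  # service account key file, as in this document's cURL request.
  curl --fail --silent --show-error \
    -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \
    -d '' "$url"
}

# Constructed sample name (not a real request); dry run prints the URL only.
respond_to_request "projects/example-project/approvalRequests/EXAMPLE_ID" approve
```
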
After you approve the request, the request status changes to Approved. Any Google employee with characteristics matching the approval scope can access within the approved time frame. These matching characteristics include the same justification, location, or desk location.
Access Approval doesn't provide any IAM role or any new permission to the Google employee who requested access.
If you don't approve the Google employee's access request, access is denied to the Google employee. Dismissing the request only removes it from your list of pending requests. If you fail to dismiss an approval request, access continues to be denied.
After enabling, Access Transparency logs all accesses to Customer Data that you approve.
Access by Google personnel is allowed until the approval expires or the justification for access is no longer valid. For example, access expires if the support case for which Google personnel requested access is closed.
Last updated 2025-08-18 UTC.