The names for some Assured Workloads control packages have changed. For information about the name change, see Control package renaming notice.

Supporting compliance by restricting customer personnel data access

This page provides information about supporting compliance with customer personnel restrictions using Identity and Access Management (IAM) in combination with Assured Workloads.

Overview

Restricting access to data personnel is fundamental to supporting regulatory compliance of Google Cloud resources. Assured Workloads supports compliance by controlling access to your resources by Google personnel. You are still responsible for controlling access to your resources by your organization's personnel.

Restricting customer personnel access strategies

IAM allows you to create roles and groups that restrict personnel access to data and Google Cloud resources. It is your responsibility to determine the eligibility of staff, based on compliance requirements. We recommend that you determine eligibility before providing access to data. After you have confirmed adjudication, you can use IAM to create a group for the personnel who successfully meet the compliance criteria. You use this group to limit access to Google Cloud resources and data within the Assured Workloads folder to support compliance.

Remaining compliant requires ongoing management of these IAM groups to ensure that:

Personnel continue to meet the requirements of the control package.
Personnel are properly removed from IAM groups when they don't meet the requirements of the program.

What's next

Learn more about personnel access controls.
Learn how to create an IAM group.
Learn how to restrict resource usage for workloads.