Separation of duties and Identity and Access Management roles
This page describes how to configure separate projects with different
IAM roles to establish
separation of duties among individuals or
teams for the typical activities involved in using Binary Authorization.
Activities and associated IAM roles
In Google Cloud, separation of duties is accomplished by assigning
IAM roles to accounts in different projects. These accounts
include service accounts, used by GKE and
Binary Authorization, and user accounts, accessed by people.
By providing different organizational roles with specific IAM
roles, you can enforce the
principle of least privilege,
ensuring that the user and service accounts in your organization have only the
roles essential to performing their intended functions.
To see the underlying permissions for each IAM role, see
Understanding roles.
The following table describes typical Binary Authorization activities. Separation of
duties is achieved by using a separate Google Cloud project for each activity. Each project is
granted only the minimum IAM roles required to accomplish the
activity and its associated tasks.
For an end-to-end tutorial describing this scenario, see:
Multi-project setup.
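One way to check that the split has not been undone by a stray grant is to lint the exported IAM policies of the projects involved. The following is an added example, not code from the Google Cloud documentation: it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns for each project and flags any principal that holds both the Binary Authorization policy-editing role and the attestation-creating role. The conflicting role pair, the project names and the members are assumptions constructed for the example.

```python
"""Separation-of-duties check over exported IAM policies (added example).
Input is the JSON from `gcloud projects get-iam-policy PROJECT --format=json`;
the two policies below are constructed sample data, not real projects."""
import json
from collections import defaultdict

# Assumed conflict: whoever edits the Binary Authorization policy should not
# also be able to create the attestations (occurrences) that satisfy it.
CONFLICTING_ROLE_PAIRS = [
    ("roles/binaryauthorization.policyEditor",
     "roles/containeranalysis.occurrences.editor"),
]

def roles_by_member(policies):
    """Map each principal to the set of (project, role) pairs it holds."""
    held = defaultdict(set)
    for project, policy in policies.items():
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                held[member].add((project, binding["role"]))
    return held

def find_sod_violations(policies):
    """Return (member, role_a, role_b) for every principal that holds both
    roles of a conflicting pair, regardless of which projects grant them."""
    held = roles_by_member(policies)
    violations = []
    for member, grants in held.items():
        roles = {role for _, role in grants}
        for role_a, role_b in CONFLICTING_ROLE_PAIRS:
            if role_a in roles and role_b in roles:
                violations.append((member, role_a, role_b))
    return sorted(violations)

# Constructed sample: a policy project and an attestor project; alice is
# granted a role in both, which defeats the split.
SAMPLE_POLICIES = {
    "policy-project-example": json.loads(
        '{"bindings": [{"role": "roles/binaryauthorization.policyEditor",'
        ' "members": ["group:secops@example.com", "user:alice@example.com"]}]}'),
    "attestor-project-example": json.loads(
        '{"bindings": [{"role": "roles/containeranalysis.occurrences.editor",'
        ' "members": ["serviceAccount:signer@example.iam.gserviceaccount.com",'
        ' "user:alice@example.com"]}]}'),
}

if __name__ == "__main__":
    for member, a, b in find_sod_violations(SAMPLE_POLICIES):
        print(f"{member} holds both {a} and {b}")
```

Run it against the real exports of the policy, attestor and deployer projects to confirm that no single user or service account bridges the activities the table separates.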
Last updated 2025-08-25 UTC.