如果授權設有核准作業流程,指定為核准者的主體可以核准或拒絕該授權的授予要求。
如果是在機構層級啟用 Security Command Center Premium 或 Enterprise 方案,核准工作流程最多可有兩層核准程序。核准者可位於一或兩個核准層級,但只能核准一次。收到必要數量的第一層級核准後,系統會傳送電子郵件通知給第二層級核准者。收到規定數量的第二層核准後,補助金就會進入 active 狀態。如果任何核准者拒絕授權,授權就會進入 denied 狀態,且不會傳送給其他核准者。這項功能目前為預先發布版。
核准或拒絕對權利提出的授權要求時,請注意下列事項:
你無法核准自己的要求。
如果要求在 24 小時內未獲准或遭拒,授權狀態會變更為
expired。之後,如果主體仍需提升權限,就必須提出新的授權要求。
使用 Google Cloud 控制台核准或拒絕授權
如要核准或拒絕對權利提出的授權要求,請完成下列操作:
前往「Privileged Access Manager」頁面。
依序點選「核准授權」分頁標籤和「待核准」分頁標籤。
在要核准或拒絕的要求相關列中,按一下「核准/拒絕」。
如果需要理由,請在「Comment」(留言) 欄位中輸入。 您可以在「記錄」分頁中查看授權記錄。
按一下「核准」或「拒絕」。
您可以在「我的核准記錄」分頁中查看核准記錄。核准動作完成後,核准記錄會保留 30 天。如果授予項目是從父項資源繼承的授權建立,就會顯示在父項資源的核准記錄中。
以程式輔助方式核准或拒絕授予項目
如要核准或拒絕授權,請完成下列動作:
搜尋您是核准者的授權。
使用相關權利 ID 搜尋可核准或拒絕的授權要求。
核准或拒絕授權要求。
搜尋您是核准者的授權
gcloud
gcloud pam entitlements search 命令搭配 grant-approver 呼叫端存取權類型,可搜尋您是核准者的授權。
使用下列任何指令資料之前,請先替換以下項目:
RESOURCE_TYPE:選用。權利所屬的資源類型。請使用organization、folder或project值。RESOURCE_ID:與RESOURCE_TYPE搭配使用。要管理權限的 Google Cloud專案、資料夾或機構的 ID。專案 ID 為英數字串,例如my-project。 資料夾和機構 ID 為數字,例如123456789012。
執行下列指令:
Linux、macOS 或 Cloud Shell
gcloud pam entitlements search \ --caller-access-type=grant-approver \ --location=global \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud pam entitlements search ` --caller-access-type=grant-approver ` --location=global ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud pam entitlements search ^ --caller-access-type=grant-approver ^ --location=global ^ --RESOURCE_TYPE=RESOURCE_ID
您應該會收到類似以下的回應:
additionalNotificationTargets: {}
approvalWorkflow:
manualApprovals:
requireApproverJustification: true
steps:
- approvalsNeeded: 1
approvers:
- principals:
- user:alex@example.com
createTime: '22024-03-26T11:07:37.009498890Z'
etag: 00000000000000000000000000000000000000000000000000000000000=
maxRequestDuration: 3600s
name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID
privilegedAccess:
gcpIamAccess:
resource: //cloudresourcemanager.googleapis.com/projects/my-project
resourceType: cloudresourcemanager.googleapis.com/Project
roleBindings:
- role: roles/storage.admin
requesterJustificationConfig:
notMandatory: {}
state: AVAILABLE
updateTime: '2024-03-26T11:07:40.056780645Z'
REST
Privileged Access Manager API 的 searchEntitlements 方法會使用 GRANT_APPROVER 呼叫端存取權類型,搜尋您是核准者的權利。
使用任何要求資料之前,請先替換以下項目:
SCOPE:授權所在的機構、資料夾或專案,格式為organizations/ORGANIZATION_ID、folders/FOLDER_ID或projects/PROJECT_ID。專案 ID 為英數字串,例如my-project。資料夾和機構 ID 都是數字,例如123456789012。FILTER:選用。傳回欄位值符合 AIP-160 運算式的授權。PAGE_SIZE:選用。要在回應中傳回的項目數。PAGE_TOKEN:選用。要從哪個頁面開始回應,使用先前回應中傳回的頁面權杖。
HTTP 方法和網址:
GET https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements:search?callerAccessType=GRANT_APPROVER&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN
如要傳送要求,請展開以下其中一個選項:
您應該會收到如下的 JSON 回應:
[
{
"name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID",
"createTime": "2023-11-21T17:28:39.962144708Z",
"updateTime": "2023-11-21T17:28:43.160309410Z",
"eligibleUsers": [
{
"principals": [
"user:alex@example.com"
]
}
],
"approvalWorkflow": {
"manualApprovals": {
"steps": [
{
"approvers": [
{
"principals": [
"user:bola@example.com"
]
}
],
"approvalsNeeded": 1
}
]
}
},
"privilegedAccess": {
"gcpIamAccess": {
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
"roleBindings": [
{
"role": "roles/storage.admin"
}
]
}
},
"maxRequestDuration": "14400s",
"state": "AVAILABLE",
"requesterJustificationConfig": {
"unstructured": {}
},
"additionalNotificationTargets": {
"adminEmailRecipients": [
"alex@example.com"
]
},
"etag": "00000000000000000000000000000000000000000000000000000000000="
}
]
搜尋可核准或拒絕的授權要求
gcloud
gcloud alpha pam grants search
指令會搜尋可供核准或拒絕的授權,或是您已核准或拒絕的授權。使用這個方法時,不需要特定的 Privileged Access Manager 權限。
使用下列任何指令資料之前,請先替換以下項目:
ENTITLEMENT_ID:授權所屬的權利 ID。如要擷取 ID,請 搜尋您是核准者的授權。-
CALLER_RELATIONSHIP_TYPE:請使用下列其中一個值:had-approved:傳回呼叫端已核准或拒絕的授權。can-approve:傳回呼叫端可核准或拒絕的授權。
RESOURCE_TYPE:選用。權利所屬的資源類型。請使用organization、folder或project值。RESOURCE_ID:與RESOURCE_TYPE搭配使用。要管理權限的 Google Cloud專案、資料夾或機構的 ID。專案 ID 為英數字串,例如my-project。 資料夾和機構 ID 為數字,例如123456789012。
執行下列指令:
Linux、macOS 或 Cloud Shell
gcloud alpha pam grants search \ --entitlement=ENTITLEMENT_ID \ --caller-relationship=CALLER_RELATIONSHIP_TYPE \ --location=global \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud alpha pam grants search ` --entitlement=ENTITLEMENT_ID ` --caller-relationship=CALLER_RELATIONSHIP_TYPE ` --location=global ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud alpha pam grants search ^ --entitlement=ENTITLEMENT_ID ^ --caller-relationship=CALLER_RELATIONSHIP_TYPE ^ --location=global ^ --RESOURCE_TYPE=RESOURCE_ID
您應該會收到類似以下的回應:
additionalEmailRecipients:
- bola@example.com
createTime: '2024-03-07T00:34:32.557017289Z'
justification:
unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
gcpIamAccess:
resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
resourceType: cloudresourcemanager.googleapis.com/Project
roleBindings:
- role: roles/storage.admin
id: hwqrt_1
requestedDuration: 3600s
requestedPrivilegedAccess:
gcpIamAccess:
resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
resourceType: cloudresourcemanager.googleapis.com/Project
roleBindings:
- role: roles/storage.admin
entitlementRoleBindingId: hwqrt_1
requester: cruz@example.com
state: DENIED
timeline:
events:
- eventTime: '2024-03-07T00:34:32.793769042Z'
requested:
expireTime: '2024-03-08T00:34:32.793769042Z'
- denied:
actor: alex@example.com
reason: Issue has already been resolved
eventTime: '2024-03-07T00:36:08.309116203Z'
updateTime: '2024-03-07T00:34:32.926967128Z'
REST
Privileged Access Manager API 的 searchGrants 方法會搜尋您可以核准或拒絕,或已核准或拒絕的授權。使用這個方法時,不需要特定的 Privileged Access Manager 權限。
使用任何要求資料之前,請先替換以下項目:
SCOPE:授權所在的機構、資料夾或專案,格式為organizations/ORGANIZATION_ID、folders/FOLDER_ID或projects/PROJECT_ID。專案 ID 為英數字串,例如my-project。資料夾和機構 ID 都是數字,例如123456789012。ENTITLEMENT_ID:授權所屬的權利 ID。如要擷取 ID,請 搜尋您是核准者的授權。RELATIONSHIP_TYPE:有效值如下:HAD_APPROVED:傳回呼叫端先前核准或拒絕的授權。CAN_APPROVE:傳回呼叫端可核准或拒絕的授權。
FILTER:選用。傳回欄位值符合 AIP-160 運算式的授權。PAGE_SIZE:選用。要在回應中傳回的項目數。PAGE_TOKEN:選用。要從哪個頁面開始回應,使用先前回應中傳回的頁面權杖。
HTTP 方法和網址:
GET https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants:search?callerRelationship=RELATIONSHIP_TYPE&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN
如要傳送要求,請展開以下其中一個選項:
您應該會收到如下的 JSON 回應:
{
"grants": [
{
"name": "projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
"createTime": "2024-03-06T03:08:49.330577625Z",
"updateTime": "2024-03-06T03:08:49.625874598Z",
"requester": "alex@example.com",
"requestedDuration": "3600s",
"justification": {
"unstructuredJustification": "Emergency service for outage"
},
"state": "APPROVAL_AWAITED",
"timeline": {
"events": [
{
"eventTime": "2024-03-06T03:08:49.462765846Z",
"requested": {
"expireTime": "2024-03-07T03:08:49.462765846Z"
}
}
]
},
"privilegedAccess": {
"gcpIamAccess": {
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"roleBindings": [
{
"role": "roles/storage.admin"
"id": "hwqrt_1"
}
]
}
},
"requestedPrivilegedAccess": {
"gcpIamAccess": {
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"roleBindings": [
{
"role": "roles/storage.admin",
"entitlementRoleBindingId": "hwqrt_1"
}
]
}
},
"additionalEmailRecipients": [
"bola@google.com"
]
}
]
}
以程式輔助方式核准授予項目
gcloud
gcloud pam grants describe
指令會核准特定授權要求。
使用下列任何指令資料之前,請先替換以下項目:
GRANT_ID:您要核准的授權 ID。 您可以 搜尋可核准或拒絕的授權要求,藉此擷取 ID。ENTITLEMENT_ID:授權所屬的權利 ID。APPROVAL_REASON:補助金獲准的原因。RESOURCE_TYPE:選用。權利所屬的資源類型。請使用organization、folder或project值。RESOURCE_ID:與RESOURCE_TYPE搭配使用。要管理權限的 Google Cloud專案、資料夾或機構的 ID。專案 ID 為英數字串,例如my-project。 資料夾和機構 ID 為數字,例如123456789012。
執行下列指令:
Linux、macOS 或 Cloud Shell
gcloud pam grants approve \ GRANT_ID \ --entitlement=ENTITLEMENT_ID \ --reason="APPROVAL_REASON" \ --location=global \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud pam grants approve ` GRANT_ID ` --entitlement=ENTITLEMENT_ID ` --reason="APPROVAL_REASON" ` --location=global ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud pam grants approve ^ GRANT_ID ^ --entitlement=ENTITLEMENT_ID ^ --reason="APPROVAL_REASON" ^ --location=global ^ --RESOURCE_TYPE=RESOURCE_ID
您應該會收到類似以下的回應:
createTime: '2024-04-05T01:17:04.596455403Z'
justification:
unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
gcpIamAccess:
resource: //cloudresourcemanager.googleapis.com/projects/my-project
resourceType: cloudresourcemanager.googleapis.com/Project
roleBindings:
- role: roles/storage.admin
requestedDuration: 2700s
requester: cruz@example.com
state: SCHEDULED
timeline:
events:
- eventTime: '2024-04-05T01:17:04.732226659Z'
requested:
expireTime: '2024-04-06T01:17:04.732226659Z'
- approved:
actor: alex@example.com
reason: Access allowed under existing policy
eventTime: '2024-04-05T01:21:49.139539732Z'
- eventTime: '2024-04-05T01:21:49.139463954Z'
scheduled:
scheduledActivationTime: '2024-04-05T01:21:49.139463954Z'
updateTime: '2024-04-05T01:21:49.139463954Z'
REST
Privileged Access Manager API 的 approveGrant 方法會核准特定授權要求。
使用任何要求資料之前,請先替換以下項目:
SCOPE:授權所在的機構、資料夾或專案,格式為organizations/ORGANIZATION_ID、folders/FOLDER_ID或projects/PROJECT_ID。專案 ID 為英數字串,例如my-project。資料夾和機構 ID 都是數字,例如123456789012。ENTITLEMENT_ID:授權所屬的權利 ID。GRANT_ID:您要核准的授權 ID。 您可以 搜尋可核准或拒絕的授權要求,藉此擷取 ID。REASON:授權要求獲得核准的原因。
HTTP 方法和網址:
POST https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:approve
JSON 要求主體:
{
"reason": "REASON"
}
如要傳送要求,請展開以下其中一個選項:
您應該會收到如下的 JSON 回應:
{
"name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
"createTime": "2024-03-06T03:08:49.330577625Z",
"updateTime": "2024-03-06T23:01:13.964619844Z",
"requester": "alex@example.com",
"requestedDuration": "3600s",
"justification": {
"unstructuredJustification": "Emergency service for outage"
},
"state": "SCHEDULED",
"timeline": {
"events": [
{
"eventTime": "2024-03-06T03:08:49.462765846Z",
"requested": {
"expireTime": "2024-03-07T03:08:49.462765846Z"
}
},
{
"eventTime": "2024-03-06T23:01:13.964685709Z",
"approved": {
"reason": "Approved escalation",
"actor": "cruz@example.com"
}
},
{
"eventTime": "2024-03-06T23:01:13.964619844Z",
"scheduled": {
"scheduledActivationTime": "2024-03-06T23:01:13.964619844Z"
}
}
]
},
"privilegedAccess": {
"gcpIamAccess": {
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
"roleBindings": [
{
"role": "roles/storage.admin"
}
]
}
},
"additionalEmailRecipients": [
"bola@example.com.com"
]
}
以程式輔助方式拒絕授權
gcloud
gcloud pam grants describe
指令會拒絕特定授權要求。
使用下列任何指令資料之前,請先替換以下項目:
GRANT_ID:要拒絕的授權 ID。您可以 搜尋可核准或拒絕的授權,藉此擷取 ID。ENTITLEMENT_ID:授權所屬的權利 ID。DENIAL_REASON:說明補助金遭拒的原因。RESOURCE_TYPE:選用。權利所屬的資源類型。請使用organization、folder或project值。RESOURCE_ID:與RESOURCE_TYPE搭配使用。要管理權限的 Google Cloud專案、資料夾或機構的 ID。專案 ID 為英數字串,例如my-project。 資料夾和機構 ID 為數字,例如123456789012。
執行下列指令:
Linux、macOS 或 Cloud Shell
gcloud pam grants deny \ GRANT_ID \ --entitlement=ENTITLEMENT_ID \ --reason="DENIAL_REASON" \ --location=global \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud pam grants deny ` GRANT_ID ` --entitlement=ENTITLEMENT_ID ` --reason="DENIAL_REASON" ` --location=global ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud pam grants deny ^ GRANT_ID ^ --entitlement=ENTITLEMENT_ID ^ --reason="DENIAL_REASON" ^ --location=global ^ --RESOURCE_TYPE=RESOURCE_ID
您應該會收到類似以下的回應:
createTime: '2024-04-05T01:29:13.129192816Z'
justification:
unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
gcpIamAccess:
resource: //cloudresourcemanager.googleapis.com/projects/my-project
resourceType: cloudresourcemanager.googleapis.com/Project
roleBindings:
- role: roles/storage.admin
requestedDuration: 2700s
requester: cruz@example.com
state: DENIED
timeline:
events:
- eventTime: '2024-04-05T01:29:13.267878626Z'
requested:
expireTime: '2024-04-06T01:29:13.267878626Z'
- denied:
actor: alex@example.com
reason: Access denied under existing policy
eventTime: '2024-04-05T01:29:49.492161363Z'
updateTime: '2024-04-05T01:29:49.492097724Z'
REST
Privileged Access Manager API 的 denyGrant 方法會拒絕特定授權要求。
使用任何要求資料之前,請先替換以下項目:
SCOPE:授權所在的機構、資料夾或專案,格式為organizations/ORGANIZATION_ID、folders/FOLDER_ID或projects/PROJECT_ID。專案 ID 為英數字串,例如my-project。資料夾和機構 ID 都是數字,例如123456789012。ENTITLEMENT_ID:授權所屬的權利 ID。GRANT_ID:您要拒絕的授權 ID。 您可以 搜尋可核准或拒絕的授權,藉此擷取 ID。REASON:授權要求遭拒的原因。
HTTP 方法和網址:
POST https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:deny
JSON 要求主體:
{
"reason": "REASON"
}
如要傳送要求,請展開以下其中一個選項:
您應該會收到如下的 JSON 回應:
{
"name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
"createTime": "2024-03-07T00:34:32.557017289Z",
"updateTime": "2024-03-07T00:36:08.309046580Z",
"requester": "alex@example.com",
"requestedDuration": "3600s",
"justification": {
"unstructuredJustification": "Emergency service for outage"
},
"state": "DENIED",
"timeline": {
"events": [
{
"eventTime": "2024-03-07T00:34:32.793769042Z",
"requested": {
"expireTime": "2024-03-08T00:34:32.793769042Z"
}
},
{
"eventTime": "2024-03-07T00:36:08.309116203Z",
"denied": {
"reason": "Outage already resolved",
"actor": "cruz@example.com"
}
}
]
},
"privilegedAccess": {
"gcpIamAccess": {
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
"roleBindings": [
{
"role": "roles/storage.admin"
}
]
}
},
"additionalEmailRecipients": [
"bola@example.com"
]
}