使用 Privileged Access Manager 核准或拒絕授權

建立授權後,主要人員即可要求授予該授權。如果該授權指定了核准工作流程,則設為核准者的主體可以核准或拒絕該授權的授予要求。

核准或拒絕授權要求時,請注意下列事項:

  • 你無法核准自己的要求。

  • 如果要求在 24 小時內未獲准或遭拒,授權狀態會變更為 expired。之後,如果仍需提升權限,主體就必須提出新的授權要求。

使用 Google Cloud 控制台核准或拒絕授權

如要核准或拒絕對權利提出的授權要求,請完成下列操作:

  1. 前往「Privileged Access Manager」頁面。

    前往 Privileged Access Manager

  2. 依序點選「核准授權」分頁標籤和「待核准」分頁標籤。

  3. 在要核准或拒絕的要求相關列中,按一下「核准/拒絕」

  4. 如果需要理由,請在「Comment」(留言) 欄位中輸入。

  5. 按一下「核准」或「拒絕」

您可以在「我的核准記錄」分頁中查看核准記錄。核准動作完成後,核准記錄會保留 30 天。

以程式輔助方式核准或拒絕授予項目

如要核准或拒絕授權,請完成下列動作:

  1. 搜尋您是核准者的授權。

  2. 使用相關授權 ID 搜尋可核准或拒絕的授權要求。

  3. 核准或拒絕授權要求。

搜尋您是核准者的權利

gcloud

gcloud pam entitlements search 命令搭配 grant-approver 呼叫端存取權類型,可搜尋您是核准者的授權。

使用下方的任何指令資料之前,請先替換以下項目:

  • RESOURCE_TYPE:選用。權利所屬的資源類型。請使用 organizationfolderproject 值。
  • RESOURCE_ID:與 RESOURCE_TYPE 搭配使用。要管理權限的 Google Cloud專案、資料夾或機構的 ID。專案 ID 為英數字串,例如 my-project。 資料夾和機構 ID 是數字,例如 123456789012

執行下列指令:

Linux、macOS 或 Cloud Shell

gcloud pam entitlements search \
    --caller-access-type=grant-approver \
    --location=global \
    --RESOURCE_TYPE=RESOURCE_ID

Windows (PowerShell)

gcloud pam entitlements search `
    --caller-access-type=grant-approver `
    --location=global `
    --RESOURCE_TYPE=RESOURCE_ID

Windows (cmd.exe)

gcloud pam entitlements search ^
    --caller-access-type=grant-approver ^
    --location=global ^
    --RESOURCE_TYPE=RESOURCE_ID

您應該會收到類似以下的回應:

additionalNotificationTargets: {}
approvalWorkflow:
  manualApprovals:
    requireApproverJustification: true
    steps:
    - approvalsNeeded: 1
      approvers:
      - principals:
        - user:alex@example.com
createTime: '22024-03-26T11:07:37.009498890Z'
etag: 00000000000000000000000000000000000000000000000000000000000=
maxRequestDuration: 3600s
name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID
privilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/my-project
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/storage.admin
requesterJustificationConfig:
  notMandatory: {}
state: AVAILABLE
updateTime: '2024-03-26T11:07:40.056780645Z'

REST

Privileged Access Manager API 的 searchEntitlements 方法會使用 GRANT_APPROVER 呼叫端存取權類型,搜尋您是核准者的權利。

使用任何要求資料之前,請先替換以下項目:

  • SCOPE:權利所在的機構、資料夾或專案,格式為 organizations/ORGANIZATION_IDfolders/FOLDER_IDprojects/PROJECT_ID。專案 ID 為英數字串,例如 my-project。資料夾和機構 ID 為數字,例如 123456789012
  • FILTER:選用。傳回欄位值符合 AIP-160 運算式的授權。
  • PAGE_SIZE:選用。要在回應中傳回的項目數。
  • PAGE_TOKEN:選用。要從哪個頁面開始回應,使用先前回應中傳回的頁面權杖。

HTTP 方法和網址:

GET https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements:search?callerAccessType=GRANT_APPROVER&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN

如要傳送要求,請展開以下其中一個選項:

您應該會收到如下的 JSON 回應:

[
  {
    "name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID",
    "createTime": "2023-11-21T17:28:39.962144708Z",
    "updateTime": "2023-11-21T17:28:43.160309410Z",
    "eligibleUsers": [
      {
        "principals": [
          "user:alex@example.com"
        ]
      }
    ],
    "approvalWorkflow": {
      "manualApprovals": {
        "steps": [
          {
            "approvers": [
              {
                "principals": [
                  "user:bola@example.com"
                ]
              }
            ],
            "approvalsNeeded": 1
          }
        ]
      }
    },
    "privilegedAccess": {
      "gcpIamAccess": {
        "resourceType": "cloudresourcemanager.googleapis.com/Project",
        "resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
        "roleBindings": [
          {
            "role": "roles/storage.admin"
          }
        ]
      }
    },
    "maxRequestDuration": "14400s",
    "state": "AVAILABLE",
    "requesterJustificationConfig": {
      "unstructured": {}
    },
    "additionalNotificationTargets": {
      "adminEmailRecipients": [
        "alex@example.com"
      ]
    },
    "etag": "00000000000000000000000000000000000000000000000000000000000="
  }
]

搜尋可核准或拒絕的授權要求

gcloud

gcloud pam grants search 指令會搜尋可供核准或拒絕的授權,或是已核准或拒絕的授權。使用這個方法時,不需要特定的 Privileged Access Manager 權限。

使用下方的任何指令資料之前,請先替換以下項目:

  • ENTITLEMENT_ID:授權所屬的授權 ID。如要擷取 ID,請 搜尋您是核准者的授權

  • CALLER_RELATIONSHIP_TYPE:請使用下列其中一個值:

    • had-approved:傳回呼叫端已核准或拒絕的授權。
    • can-approve:傳回呼叫端可核准或拒絕的授權。
  • RESOURCE_TYPE:選用。權利所屬的資源類型。請使用 organizationfolderproject 值。
  • RESOURCE_ID:與 RESOURCE_TYPE 搭配使用。要管理權限的 Google Cloud專案、資料夾或機構的 ID。專案 ID 為英數字串,例如 my-project。 資料夾和機構 ID 是數字,例如 123456789012

執行下列指令:

Linux、macOS 或 Cloud Shell

gcloud pam grants search \
    --entitlement=ENTITLEMENT_ID \
    --caller-relationship=CALLER_RELATIONSHIP_TYPE \
    --location=global \
    --RESOURCE_TYPE=RESOURCE_ID

Windows (PowerShell)

gcloud pam grants search `
    --entitlement=ENTITLEMENT_ID `
    --caller-relationship=CALLER_RELATIONSHIP_TYPE `
    --location=global `
    --RESOURCE_TYPE=RESOURCE_ID

Windows (cmd.exe)

gcloud pam grants search ^
    --entitlement=ENTITLEMENT_ID ^
    --caller-relationship=CALLER_RELATIONSHIP_TYPE ^
    --location=global ^
    --RESOURCE_TYPE=RESOURCE_ID

您應該會收到類似以下的回應:

additionalEmailRecipients:
- bola@example.com
createTime: '2024-03-07T00:34:32.557017289Z'
justification:
  unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/my-project
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/storage.admin
requestedDuration: 3600s
requester: cruz@example.com
state: DENIED
timeline:
  events:
  - eventTime: '2024-03-07T00:34:32.793769042Z'
    requested:
      expireTime: '2024-03-08T00:34:32.793769042Z'
  - denied:
      actor: alex@example.com
      reason: Issue has already been resolved
    eventTime: '2024-03-07T00:36:08.309116203Z'
updateTime: '2024-03-07T00:34:32.926967128Z'

REST

Privileged Access Manager API 的 searchGrants 方法會搜尋您可以核准或拒絕,或已核准或拒絕的授權。使用這個方法時,不需要特定的 Privileged Access Manager 權限。

使用任何要求資料之前,請先替換以下項目:

  • SCOPE:權利所在的機構、資料夾或專案,格式為 organizations/ORGANIZATION_IDfolders/FOLDER_IDprojects/PROJECT_ID。專案 ID 為英數字串,例如 my-project。資料夾和機構 ID 為數字,例如 123456789012
  • ENTITLEMENT_ID:授權所屬的授權 ID。如要擷取 ID,請 搜尋您是核准者的授權
  • RELATIONSHIP_TYPE:有效值如下:
    • HAD_APPROVED:傳回呼叫端先前核准或拒絕的授權。
    • CAN_APPROVE:傳回呼叫端可核准或拒絕的授權。
  • FILTER:選用。傳回欄位值符合 AIP-160 運算式的授權。
  • PAGE_SIZE:選用。要在回應中傳回的項目數。
  • PAGE_TOKEN:選用。要從哪個頁面開始回應,使用先前回應中傳回的頁面權杖。

HTTP 方法和網址:

GET https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants:search?callerRelationship=RELATIONSHIP_TYPE&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN

如要傳送要求,請展開以下其中一個選項:

您應該會收到如下的 JSON 回應:

{
  "grants": [
    {
      "name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
      "createTime": "2024-03-06T03:08:49.330577625Z",
      "updateTime": "2024-03-06T03:08:49.625874598Z",
      "requester": "alex@example.com",
      "requestedDuration": "3600s",
      "justification": {
        "unstructuredJustification": "Emergency service for outage"
      },
      "state": "APPROVAL_AWAITED",
      "timeline": {
        "events": [
          {
            "eventTime": "2024-03-06T03:08:49.462765846Z",
            "requested": {
              "expireTime": "2024-03-07T03:08:49.462765846Z"
            }
          }
        ]
      },
      "privilegedAccess": {
        "gcpIamAccess": {
          "resourceType": "cloudresourcemanager.googleapis.com/Project",
          "resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
          "roleBindings": [
            {
              "role": "roles/storage.admin"
            }
          ]
        }
      },
      "additionalEmailRecipients": [
        "bola@google.com"
      ]
    }
  ]
}

以程式輔助方式核准授予項目

gcloud

gcloud pam grants describe 指令會核准特定授權要求。

使用下方的任何指令資料之前,請先替換以下項目:

  • GRANT_ID:您要核准的授權 ID。 您可以透過 搜尋可核准或拒絕的授權要求,擷取 ID。
  • ENTITLEMENT_ID:授權所屬的權利 ID。
  • APPROVAL_REASON:補助金核准原因。
  • RESOURCE_TYPE:選用。權利所屬的資源類型。請使用 organizationfolderproject 值。
  • RESOURCE_ID:與 RESOURCE_TYPE 搭配使用。要管理權限的 Google Cloud專案、資料夾或機構的 ID。專案 ID 為英數字串,例如 my-project。 資料夾和機構 ID 是數字,例如 123456789012

執行下列指令:

Linux、macOS 或 Cloud Shell

gcloud pam grants approve \
    GRANT_ID \
    --entitlement=ENTITLEMENT_ID \
    --reason="APPROVAL_REASON" \
    --location=global \
    --RESOURCE_TYPE=RESOURCE_ID

Windows (PowerShell)

gcloud pam grants approve `
    GRANT_ID `
    --entitlement=ENTITLEMENT_ID `
    --reason="APPROVAL_REASON" `
    --location=global `
    --RESOURCE_TYPE=RESOURCE_ID

Windows (cmd.exe)

gcloud pam grants approve ^
    GRANT_ID ^
    --entitlement=ENTITLEMENT_ID ^
    --reason="APPROVAL_REASON" ^
    --location=global ^
    --RESOURCE_TYPE=RESOURCE_ID

您應該會收到類似以下的回應:

createTime: '2024-04-05T01:17:04.596455403Z'
justification:
  unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/my-project
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/storage.admin
requestedDuration: 2700s
requester: cruz@example.com
state: SCHEDULED
timeline:
  events:
  - eventTime: '2024-04-05T01:17:04.732226659Z'
    requested:
      expireTime: '2024-04-06T01:17:04.732226659Z'
  - approved:
      actor: alex@example.com
      reason: Access allowed under existing policy
    eventTime: '2024-04-05T01:21:49.139539732Z'
  - eventTime: '2024-04-05T01:21:49.139463954Z'
    scheduled:
      scheduledActivationTime: '2024-04-05T01:21:49.139463954Z'
updateTime: '2024-04-05T01:21:49.139463954Z'

REST

Privileged Access Manager API 的 approveGrant 方法會核准特定授權要求。

使用任何要求資料之前,請先替換以下項目:

  • SCOPE:權利所在的機構、資料夾或專案,格式為 organizations/ORGANIZATION_IDfolders/FOLDER_IDprojects/PROJECT_ID。專案 ID 為英數字串,例如 my-project。資料夾和機構 ID 為數字,例如 123456789012
  • ENTITLEMENT_ID:授權所屬的權利 ID。
  • GRANT_ID:您要核准的授權 ID。 您可以透過 搜尋可核准或拒絕的授權要求,擷取 ID。
  • REASON:授權要求獲得核准的原因。

HTTP 方法和網址:

POST https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:approve

JSON 要求主體:

{
    "reason": "REASON"
}

如要傳送要求,請展開以下其中一個選項:

您應該會收到如下的 JSON 回應:

{
  "name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
  "createTime": "2024-03-06T03:08:49.330577625Z",
  "updateTime": "2024-03-06T23:01:13.964619844Z",
  "requester": "alex@example.com",
  "requestedDuration": "3600s",
  "justification": {
    "unstructuredJustification": "Emergency service for outage"
  },
  "state": "SCHEDULED",
  "timeline": {
    "events": [
      {
        "eventTime": "2024-03-06T03:08:49.462765846Z",
        "requested": {
          "expireTime": "2024-03-07T03:08:49.462765846Z"
        }
      },
      {
        "eventTime": "2024-03-06T23:01:13.964685709Z",
        "approved": {
          "reason": "Approved escalation",
          "actor": "cruz@example.com"
        }
      },
      {
        "eventTime": "2024-03-06T23:01:13.964619844Z",
        "scheduled": {
          "scheduledActivationTime": "2024-03-06T23:01:13.964619844Z"
        }
      }
    ]
  },
  "privilegedAccess": {
    "gcpIamAccess": {
      "resourceType": "cloudresourcemanager.googleapis.com/Project",
      "resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
      "roleBindings": [
        {
          "role": "roles/storage.admin"
        }
      ]
    }
  },
  "additionalEmailRecipients": [
    "bola@example.com.com"
  ]
}

以程式輔助方式拒絕授權

gcloud

gcloud pam grants describe 指令會拒絕特定授權要求。

使用下方的任何指令資料之前,請先替換以下項目:

  • GRANT_ID:您要拒絕的授權 ID。您可以 搜尋可核准或拒絕的授權,以擷取 ID。
  • ENTITLEMENT_ID:授權所屬的權利 ID。
  • DENIAL_REASON:授予設定遭拒的原因。
  • RESOURCE_TYPE:選用。權利所屬的資源類型。請使用 organizationfolderproject 值。
  • RESOURCE_ID:與 RESOURCE_TYPE 搭配使用。要管理權限的 Google Cloud專案、資料夾或機構的 ID。專案 ID 為英數字串,例如 my-project。 資料夾和機構 ID 是數字,例如 123456789012

執行下列指令:

Linux、macOS 或 Cloud Shell

gcloud pam grants deny \
    GRANT_ID \
    --entitlement=ENTITLEMENT_ID \
    --reason="DENIAL_REASON" \
    --location=global \
    --RESOURCE_TYPE=RESOURCE_ID

Windows (PowerShell)

gcloud pam grants deny `
    GRANT_ID `
    --entitlement=ENTITLEMENT_ID `
    --reason="DENIAL_REASON" `
    --location=global `
    --RESOURCE_TYPE=RESOURCE_ID

Windows (cmd.exe)

gcloud pam grants deny ^
    GRANT_ID ^
    --entitlement=ENTITLEMENT_ID ^
    --reason="DENIAL_REASON" ^
    --location=global ^
    --RESOURCE_TYPE=RESOURCE_ID

您應該會收到類似以下的回應:

createTime: '2024-04-05T01:29:13.129192816Z'
justification:
  unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/my-project
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/storage.admin
requestedDuration: 2700s
requester: cruz@example.com
state: DENIED
timeline:
  events:
  - eventTime: '2024-04-05T01:29:13.267878626Z'
    requested:
      expireTime: '2024-04-06T01:29:13.267878626Z'
  - denied:
      actor: alex@example.com
      reason: Access denied under existing policy
    eventTime: '2024-04-05T01:29:49.492161363Z'
updateTime: '2024-04-05T01:29:49.492097724Z'

REST

Privileged Access Manager API 的 denyGrant 方法會拒絕特定授權要求。

使用任何要求資料之前,請先替換以下項目:

  • SCOPE:權利所在的機構、資料夾或專案,格式為 organizations/ORGANIZATION_IDfolders/FOLDER_IDprojects/PROJECT_ID。專案 ID 為英數字串,例如 my-project。資料夾和機構 ID 為數字,例如 123456789012
  • ENTITLEMENT_ID:授權所屬的權利 ID。
  • GRANT_ID:您要拒絕的授權 ID。 您可以 搜尋可核准或拒絕的授權,藉此擷取 ID。
  • REASON:授權要求遭拒的原因。

HTTP 方法和網址:

POST https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:deny

JSON 要求主體:

{
    "reason": "REASON"
}

如要傳送要求,請展開以下其中一個選項:

您應該會收到如下的 JSON 回應:

{
  "name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
  "createTime": "2024-03-07T00:34:32.557017289Z",
  "updateTime": "2024-03-07T00:36:08.309046580Z",
  "requester": "alex@example.com",
  "requestedDuration": "3600s",
  "justification": {
    "unstructuredJustification": "Emergency service for outage"
  },
  "state": "DENIED",
  "timeline": {
    "events": [
      {
        "eventTime": "2024-03-07T00:34:32.793769042Z",
        "requested": {
          "expireTime": "2024-03-08T00:34:32.793769042Z"
        }
      },
      {
        "eventTime": "2024-03-07T00:36:08.309116203Z",
        "denied": {
          "reason": "Outage already resolved",
          "actor": "cruz@example.com"
        }
      }
    ]
  },
  "privilegedAccess": {
    "gcpIamAccess": {
      "resourceType": "cloudresourcemanager.googleapis.com/Project",
      "resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
      "roleBindings": [
        {
          "role": "roles/storage.admin"
        }
      ]
    }
  },
  "additionalEmailRecipients": [
    "bola@example.com"
  ]
}