Setting up groups and roles correctly on Google Cloud Platform IAM


I have recently been reviewing our roles and IAM on our very small (but set up a long time ago) organization on GCP and realized that we don't have any Essential Contacts defined (I didn't have access to view this).

I went back and completed the foundational set-up (I don't think this existed when I originally signed up) to make sure I had the right groups set up with the right roles/permissions (and that I was a member of them).

But when I go to Essential Contacts and try to click "add Contact", I get a message that I don't have the permissions required.


So I can go and add this permission to myself individually or some group (that's not my question).

My question is:

  1. Have I actually set up the fundamental groups correctly? (if not, how)
  2. (Assuming I have set them up correctly) why is this permission left out of the roles assigned to the organization admins group ("gcp-organization-admins@DOMAIN"), given that "Organisation administrators have access to administer all resources belonging to the organisation"? In other words, shouldn't an organizational admin already have this permission?

PS I am the owner of this (small) GCP organization.


It seems you're using the default role with your created project; it's not recommended to use it. Even if you're the owner of the project and you're unable to create Essential Contacts, it means you have not set up the fundamental groups correctly.

If you're unable to create Essential Contacts, that means you require the Essential Contacts Admin role. I recommend you have at least one additional user with the Security Admin role, with permissions to get and set any IAM policy. This role lets the user grant anyone the Owner role or any other role in the project. The Owner role is a legacy role and has a wide range of permissions.

Please refer to the official GCP doc for more information.

Edit :

  1. First, please check whether you are using the correct Organization & Project.

  2. Check if you have set up your foundation & admin role properly; you should get the result shown in the image below.


If not set up properly, you will get the result shown in the image below.


  3. You can check your roles: log in to the console >> click on IAM & Admin >> select IAM >> click on Permissions; then you can view VIEW BY ROLES and VIEW BY PRINCIPALS.

Check whether you have the Essential Contacts Admin role in VIEW BY PRINCIPALS; if it is not there, you are unable to add/view contacts. By default the Owner also doesn't have that permission, so add it as below.

You can grant access to the Essential Contacts Admin role as shown in the image below, so that you get permission to add contacts.

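Step 3 of the answer checks the role assignments by hand in the console. The script below is an added example for this thread (not code from the question, the answer, or Google) that does the same check offline against the JSON that `gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud iam roles describe ROLE --format=json` return: it expands the user's group membership, walks the policy bindings, and reports which role, if any, carries `essentialcontacts.contacts.create`. It also builds the corrected policy for `gcloud organizations set-iam-policy ORG_ID policy.json`. The policy, group membership, etag and role permission lists are constructed illustrative data; the permission sets are a subset and are not the authoritative role definitions, and the assumption that Organization Administrator carries no `essentialcontacts.*` permission is the answer's claim, not something verified here.

```python
"""Offline check of who can manage Essential Contacts on a GCP organisation.

Added example for this thread, not code from the question or the answer.
Real inputs (assumed to have the same JSON shape as the constructed samples):
  gcloud organizations get-iam-policy ORG_ID --format=json
  gcloud iam roles describe roles/essentialcontacts.admin --format=json
"""
from __future__ import annotations

import copy

PERMISSION = "essentialcontacts.contacts.create"

# Constructed sample of an organisation IAM policy (gcloud's JSON shape).
SAMPLE_POLICY = {
    "etag": "BwXyZ0example=",  # placeholder; gcloud returns the real one
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-organization-admins@example.com"]},
        {"role": "roles/essentialcontacts.admin",
         "members": ["group:gcp-security-admins@example.com"]},
        # Constructed conditional binding that has already expired.
        {"role": "roles/essentialcontacts.admin",
         "members": ["user:alice@example.com"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
}

# Constructed, illustrative SUBSET of each role's includedPermissions.
# Assumption for this example: Organization Administrator carries no
# essentialcontacts.* permission, which is what the answer above reports.
ROLE_PERMISSIONS = {
    "roles/resourcemanager.organizationAdmin": {
        "resourcemanager.organizations.get",
        "resourcemanager.organizations.getIamPolicy",
        "resourcemanager.organizations.setIamPolicy",
        "resourcemanager.projects.create",
    },
    "roles/essentialcontacts.admin": {
        "essentialcontacts.contacts.create",
        "essentialcontacts.contacts.delete",
        "essentialcontacts.contacts.get",
        "essentialcontacts.contacts.list",
        "essentialcontacts.contacts.update",
    },
}

# Constructed group membership.  An IAM policy only names the group; who is
# in it has to come from Cloud Identity / Google Workspace.
GROUP_MEMBERS = {
    "gcp-organization-admins@example.com": {"alice@example.com"},
    "gcp-security-admins@example.com": {"bob@example.com"},
}


def principals_for(user: str, groups=GROUP_MEMBERS) -> set[str]:
    """Every member string in a binding that would match this user: the user
    itself, each group containing it, and the public wildcards."""
    members = {f"user:{user}", "allUsers", "allAuthenticatedUsers"}
    for group, users in groups.items():
        if user in users:
            members.add(f"group:{group}")
    return members


def granting_roles(policy, user, permission,
                   role_permissions=ROLE_PERMISSIONS, groups=GROUP_MEMBERS) -> set[str]:
    """Roles through which `user` holds `permission` under `policy`.

    Conditional bindings are skipped: evaluating their CEL expression needs the
    request context, so this offline check treats them as not granting
    (a conservative assumption made for this example)."""
    matching = principals_for(user, groups)
    roles = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        if matching.isdisjoint(binding.get("members", [])):
            continue
        if permission in role_permissions.get(binding["role"], set()):
            roles.add(binding["role"])
    return roles


def has_permission(policy, user, permission, **kw) -> bool:
    return bool(granting_roles(policy, user, permission, **kw))


def add_binding(policy, member, role):
    """Copy of `policy` with `member` bound to `role` unconditionally, merged
    into an existing unconditional binding for that role where one exists.
    The etag is kept so that set-iam-policy rejects the write if the policy
    changed in between (optimistic concurrency)."""
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and not binding.get("condition"):
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


if __name__ == "__main__":
    for user in ("alice@example.com", "bob@example.com"):
        print(user, PERMISSION, granting_roles(SAMPLE_POLICY, user, PERMISSION) or "NOT GRANTED")
    fixed = add_binding(SAMPLE_POLICY, "group:gcp-organization-admins@example.com",
                        "roles/essentialcontacts.admin")
    print("after fix:", granting_roles(fixed, "alice@example.com", PERMISSION))
```

Run as-is it shows the situation in the question: alice is in the organisation admins group, but that group's only binding is a role whose (sample) permission set does not include `essentialcontacts.contacts.create`, so nothing grants it; bob gets it via the security admins group; after `add_binding` the admins group gains it too. In real use, replace the sample dictionaries with the gcloud output and the actual group membership, and prefer binding the group rather than individual users so the fix survives staff changes.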

Tim Diggins: Thanks, but I think you may have misunderstood my question (or be just answering a different one). I've updated my question to make it more explicit.

Veera Nagireddy: Look at the revised answer, which may help to resolve your issue.

Veera Nagireddy: Further edited my answer; check "Edit" in the above answer. By default the Owner also doesn't have that permission to add contacts, so add the Essential Contacts Admin role as mentioned in the answer.