A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
Correct Answer: A
To configure the behavior where each department member automatically has read-only access to all new project resources created by any department member, you should use Google Cloud's folder structure and IAM roles effectively. Here are the steps:

* Create Folders for Departments: Create a folder under your Organization for each department. Folders help organize resources and provide a hierarchy for applying policies and permissions.
* Assign IAM Roles to Google Groups: Assign the Project Viewer role to the Google Group associated with each department at the folder level. This ensures that all members of the group have the necessary permissions.
* Inherited Permissions: When a department member creates a new project under their department's folder, the permissions assigned to the folder are inherited by the new project. Thus, all department members will automatically have read-only access to the project's resources.
* Navigate to IAM & Admin in the GCP Console.
* Select "Folders" from the left-hand menu.
* For each department, create a new folder under the organization.
* Select the newly created folder, and then go to the "Permissions" tab.
* Click on "Add" to assign a new role.
* Enter the email address of the Google Group for the department.
* Assign the "Project Viewer" role to the group.
* Access Restrictions: Since the permissions are applied at the folder level, only the members of the specific department's Google Group will have read-only access to the projects created in that folder. Other departments will not have access unless explicitly granted.

By following these steps, you ensure that department members have the required access to their respective projects without manual configuration for each new project.

References:

* Google Cloud IAM Documentation
* Google Cloud Resource Manager Documentation
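The inheritance rule the explanation relies on can be checked against exported policies. The following is an added example, not part of the original answer: it resolves the effective bindings of each project by walking up the hierarchy and flags a department that lacks Project Viewer (`roles/viewer`) or a department that can reach another department's project. The resource IDs, group addresses and project names are constructed sample data.

```python
# Constructed sample data: IDs, group addresses and project names are made up.
ORG = "organizations/1000"
PARENT = {  # child resource -> parent resource
    "folders/eng": ORG,
    "folders/fin": ORG,
    "projects/eng-new-app": "folders/eng",
    "projects/fin-ledger": "folders/fin",
}
DEPT_GROUP = {"folders/eng": "group:eng@example.com",
              "folders/fin": "group:fin@example.com"}
# Same shape as `gcloud resource-manager folders get-iam-policy --format=json`.
POLICIES = {
    "folders/eng": {"bindings": [{"role": "roles/viewer", "members": ["group:eng@example.com"]}]},
    "folders/fin": {"bindings": [{"role": "roles/viewer", "members": ["group:fin@example.com"]}]},
}

def lineage(resource, parent=PARENT):
    """Return the resource followed by its ancestors, nearest first."""
    chain = [resource]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain

def effective_roles(resource, policies, parent=PARENT):
    """Union of bindings on the resource and every ancestor (allow policies are additive)."""
    granted = {}
    for node in lineage(resource, parent):
        for binding in policies.get(node, {}).get("bindings", []):
            for member in binding["members"]:
                granted.setdefault(member, set()).add(binding["role"])
    return granted

def audit(policies, parent=PARENT, dept_group=DEPT_GROUP):
    """Flag projects whose department lacks viewer, or that another department can reach."""
    findings = []
    for project in sorted(r for r in parent if r.startswith("projects/")):
        own = next((dept_group[n] for n in lineage(project, parent) if n in dept_group), None)
        granted = effective_roles(project, policies, parent)
        if "roles/viewer" not in granted.get(own, set()):
            findings.append((project, own, "missing roles/viewer"))
        for group in sorted(set(dept_group.values()) - {own}):
            if group in granted:
                findings.append((project, group, "cross-department access"))
    return findings

if __name__ == "__main__":
    print(audit(POLICIES))  # folder-level bindings only: no findings
```

Binding a department group at the organization level instead of its folder is the misconfiguration this catches, because that binding is inherited by every other department's projects.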