Understanding how access management works on Google Cloud is key to making the following decisions as you plan your SAP implementation:
- How to organize your resources on Google Cloud.
- Which team members can access and work with resources.
- Exactly which permissions each team member needs to have to conform to the least privileges principle for resource access.
- Which services and applications need to use which service accounts, and what level of permissions to grant in each case.
For a high-level overview of authentication on Google Cloud, see Authentication overview.
Resource hierarchy and inheritance
The Cloud Platform Resource Hierarchy defines the various resource containers on Google Cloud, how they relate to each other, and what the access scopes are.
Access control policies applied to a parent resource, such as an organization or project, are inherited by the children of that resource, such as the Compute Engine virtual machines or Cloud Storage buckets in the organization or project.
Identity and Access Management
Identity and Access Management (IAM) provides unified control over permissions for Google Cloud resources. You can manage access control by defining who has what access to resources. For example, you can control who can perform control-plane operations on your SAP instances, such as creating and modifying VMs, persistent disks, and networking.
IAM service accounts provide a way for you to give permissions to applications and services. It's important to understand how service accounts work in Compute Engine. For details, see Service Accounts.
IAM roles grant permissions to users. For a reference about roles and which permissions they provide, see Identity and Access Management Roles.
For more details about IAM, see the Overview of IAM.
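The inheritance rule above (a binding on an organization or project applies to every child resource) combined with roles as bundles of permissions is what decides the effective access of a user or service account. The following added Python model, which is not code from Google Cloud or its documentation, shows how to evaluate that for a constructed hierarchy; the principals and the trimmed permission sets are assumptions for illustration, while the role names are real predefined roles.

```python
# Model of how IAM bindings are inherited down the resource hierarchy.
# Added example, not Google's code: the hierarchy, principals and the
# role-to-permission map are constructed subsets for illustration only.
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Child resource -> parent resource; None marks the organization root.
HIERARCHY: Dict[str, Optional[str]] = {
    "organizations/123456": None,
    "folders/sap-prod": "organizations/123456",
    "projects/sap-hana-prod": "folders/sap-prod",
}

# Real predefined role names; permission sets are trimmed for the example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/viewer": {"compute.instances.get", "compute.disks.get"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get",
        "compute.instances.create", "compute.instances.delete"},
    "roles/logging.logWriter": {"logging.logEntries.create"},
}

HANA_SA = "serviceAccount:hana-vm@sap-hana-prod.iam.gserviceaccount.com"

# Bindings attached at each level of the hierarchy: (role, principal).
POLICIES: Dict[str, List[Tuple[str, str]]] = {
    "organizations/123456": [("roles/viewer", "group:sap-basis@example.com")],
    "projects/sap-hana-prod": [
        ("roles/compute.instanceAdmin.v1", "user:alice@example.com"),
        ("roles/logging.logWriter", HANA_SA),
    ],
}

def ancestors(resource: str) -> Iterator[str]:
    """Yield the resource itself, then each parent up to the organization."""
    node: Optional[str] = resource
    while node is not None:
        yield node
        node = HIERARCHY[node]

def granting_levels(resource: str, principal: str, permission: str) -> List[str]:
    """Ancestors whose policy grants `permission` to `principal` on `resource`.
    Empty means denied; a level above the resource means the grant is
    inherited, which is where over-broad access usually hides."""
    levels = []
    for level in ancestors(resource):
        for role, who in POLICIES.get(level, []):
            if who == principal and permission in ROLE_PERMISSIONS[role]:
                levels.append(level)
                break
    return levels
```

Because the result names the level that granted the access, it doubles as a least-privilege check: a permission a service account only needs on one project that turns out to come from an organization-level binding is a candidate for narrowing.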
Resource-specific IAM information
For each resource that your SAP systems use, such as a Compute Engine resource, you need to understand how IAM implements authentication and access management for the resource and what predefined roles IAM provides for the resource.
For information about how some resources that are commonly used by SAP systems implement IAM, see:
- BigQuery predefined roles and permissions
- Compute Engine access control options
- Deployment Manager access control options
- Cloud Logging access control guide
- Cloud Monitoring access control