如果某项权利具有审批工作流,则指定为审批者的主账号可以批准或拒绝针对该权利的授权请求。
如果 Security Command Center 高级方案层级或企业方案层级是在组织级层激活的,则审批工作流可以包含两个审批级别。审批者可以位于一个或两个审批级别中,但只能审批一次。收到所需数量的第一级审批后,系统会向第二级审批人发送邮件通知。在收到所需数量的第二级审批后,授权会进入 active 状态。如果有任何审批人拒绝授权,则授权会进入 denied 状态,并且不会发送给任何其他审批人。 此功能为预览版。
针对某项权利批准或拒绝授权请求时,请注意以下事项:
您无法批准您自己的请求。
如果请求在 24 小时内未获得批准或被拒绝,则授权状态会更改为
expired。在此之后,如果仍需要提升权限,则主账号必须发出新的授权请求。
使用 Google Cloud 控制台批准或拒绝授权
如需批准或拒绝针对某项权利发出的授权请求,请按照以下说明操作:
前往 Privileged Access Manager 页面。
点击批准授权标签页,然后点击待批准标签页。
在与您要批准或拒绝的请求相关的行中,点击批准/拒绝。
如果需要提供理由,请在备注字段中输入。 您可以在历史记录标签页中查看授权历史记录。
点击批准或拒绝。
您可以在我的审批记录标签页中查看审批记录。审批记录在审批操作完成后 30 天内可供访问。 在从父资源继承的授权上创建的授权会显示在父资源的审批历史记录中。
以编程方式批准或拒绝授权
如需批准或拒绝授权,您需要完成以下操作:
搜索您是审批者的权利。
使用相关的权利 ID,搜索您可以批准或拒绝的授权。
批准或拒绝授权请求。
搜索您是审批者的权利
gcloud
结合使用 gcloud pam entitlements search 命令和 grant-approver 调用方访问权限类型可搜索您是审批者的权利。
在使用下面的命令数据之前,请先进行以下替换:
RESOURCE_TYPE:可选。权利所属的资源类型。使用值organization、folder或project。RESOURCE_ID:与RESOURCE_TYPE一起使用。您要为其管理使用权的 Google Cloud项目、文件夹或组织的 ID。项目 ID 是字母数字字符串,例如my-project。文件夹和组织 ID 是数字,例如123456789012。
执行以下命令:
Linux、macOS 或 Cloud Shell
gcloud pam entitlements search \ --caller-access-type=grant-approver \ --location=global \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud pam entitlements search ` --caller-access-type=grant-approver ` --location=global ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud pam entitlements search ^ --caller-access-type=grant-approver ^ --location=global ^ --RESOURCE_TYPE=RESOURCE_ID
您应该会收到类似如下所示的响应:
additionalNotificationTargets: {}
approvalWorkflow:
manualApprovals:
requireApproverJustification: true
steps:
- approvalsNeeded: 1
approvers:
- principals:
- user:alex@example.com
createTime: '22024-03-26T11:07:37.009498890Z'
etag: 00000000000000000000000000000000000000000000000000000000000=
maxRequestDuration: 3600s
name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID
privilegedAccess:
gcpIamAccess:
resource: //cloudresourcemanager.googleapis.com/projects/my-project
resourceType: cloudresourcemanager.googleapis.com/Project
roleBindings:
- role: roles/storage.admin
requesterJustificationConfig:
notMandatory: {}
state: AVAILABLE
updateTime: '2024-03-26T11:07:40.056780645Z'
REST
结合使用 Privileged Access Manager API 的 searchEntitlements 方法和 GRANT_APPROVER 调用方访问权限类型可搜索您是审批者的权利。
在使用任何请求数据之前,请先进行以下替换:
SCOPE:权利所属的组织、文件夹或项目,格式为organizations/ORGANIZATION_ID、folders/FOLDER_ID或projects/PROJECT_ID。项目 ID 是字母数字字符串,例如my-project。文件夹和组织 ID 是数字,例如123456789012。FILTER:可选。返回字段值与 AIP-160 表达式匹配的权利。PAGE_SIZE:可选。响应中要返回的项数。PAGE_TOKEN:可选。使用上述响应中返回的页面令牌,确定从哪个页面开始响应。
HTTP 方法和网址:
GET https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements:search?callerAccessType=GRANT_APPROVER&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
[
{
"name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID",
"createTime": "2023-11-21T17:28:39.962144708Z",
"updateTime": "2023-11-21T17:28:43.160309410Z",
"eligibleUsers": [
{
"principals": [
"user:alex@example.com"
]
}
],
"approvalWorkflow": {
"manualApprovals": {
"steps": [
{
"approvers": [
{
"principals": [
"user:bola@example.com"
]
}
],
"approvalsNeeded": 1
}
]
}
},
"privilegedAccess": {
"gcpIamAccess": {
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
"roleBindings": [
{
"role": "roles/storage.admin"
}
]
}
},
"maxRequestDuration": "14400s",
"state": "AVAILABLE",
"requesterJustificationConfig": {
"unstructured": {}
},
"additionalNotificationTargets": {
"adminEmailRecipients": [
"alex@example.com"
]
},
"etag": "00000000000000000000000000000000000000000000000000000000000="
}
]
搜索可批准或拒绝的授权请求
gcloud
gcloud alpha pam grants search 命令可搜索您可以批准或拒绝的授权,或者您已批准或拒绝的授权。此方法不需要特定的 Privileged Access Manager 权限即可使用。
在使用下面的命令数据之前,请先进行以下替换:
ENTITLEMENT_ID:授权所属的权利的 ID。您可以通过搜索您是审批者的权利来检索此 ID。-
CALLER_RELATIONSHIP_TYPE:请使用以下某个值:had-approved:返回调用方已批准或拒绝的授权。can-approve:返回调用方可以批准或拒绝的授权。
RESOURCE_TYPE:可选。权利所属的资源类型。使用值organization、folder或project。RESOURCE_ID:与RESOURCE_TYPE一起使用。您要为其管理使用权的 Google Cloud项目、文件夹或组织的 ID。项目 ID 是字母数字字符串,例如my-project。文件夹和组织 ID 是数字,例如123456789012。
执行以下命令:
Linux、macOS 或 Cloud Shell
gcloud alpha pam grants search \ --entitlement=ENTITLEMENT_ID \ --caller-relationship=CALLER_RELATIONSHIP_TYPE \ --location=global \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud alpha pam grants search ` --entitlement=ENTITLEMENT_ID ` --caller-relationship=CALLER_RELATIONSHIP_TYPE ` --location=global ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud alpha pam grants search ^ --entitlement=ENTITLEMENT_ID ^ --caller-relationship=CALLER_RELATIONSHIP_TYPE ^ --location=global ^ --RESOURCE_TYPE=RESOURCE_ID
您应该会收到类似如下所示的响应:
additionalEmailRecipients:
- bola@example.com
createTime: '2024-03-07T00:34:32.557017289Z'
justification:
unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
gcpIamAccess:
resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
resourceType: cloudresourcemanager.googleapis.com/Project
roleBindings:
- role: roles/storage.admin
id: hwqrt_1
requestedDuration: 3600s
requestedPrivilegedAccess:
gcpIamAccess:
resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
resourceType: cloudresourcemanager.googleapis.com/Project
roleBindings:
- role: roles/storage.admin
entitlementRoleBindingId: hwqrt_1
requester: cruz@example.com
state: DENIED
timeline:
events:
- eventTime: '2024-03-07T00:34:32.793769042Z'
requested:
expireTime: '2024-03-08T00:34:32.793769042Z'
- denied:
actor: alex@example.com
reason: Issue has already been resolved
eventTime: '2024-03-07T00:36:08.309116203Z'
updateTime: '2024-03-07T00:34:32.926967128Z'
REST
Privileged Access Manager API 的 searchGrants 方法可搜索您可以批准或拒绝的授权,或者您已批准或拒绝的授权。此方法不需要特定的 Privileged Access Manager 权限即可使用。
在使用任何请求数据之前,请先进行以下替换:
SCOPE:权利所属的组织、文件夹或项目,格式为organizations/ORGANIZATION_ID、folders/FOLDER_ID或projects/PROJECT_ID。项目 ID 是字母数字字符串,例如my-project。文件夹和组织 ID 是数字,例如123456789012。ENTITLEMENT_ID:授权所属的权利的 ID。您可以通过搜索您是审批者的权利来检索此 ID。RELATIONSHIP_TYPE:有效值包括:HAD_APPROVED:返回调用方之前批准或拒绝的授权。CAN_APPROVE:返回调用方可以批准或拒绝的授权。
FILTER:可选。返回字段值与 AIP-160 表达式匹配的授权。PAGE_SIZE:可选。响应中要返回的项数。PAGE_TOKEN:可选。使用上述响应中返回的页面令牌,确定从哪个页面开始响应。
HTTP 方法和网址:
GET https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants:search?callerRelationship=RELATIONSHIP_TYPE&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{
"grants": [
{
"name": "projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
"createTime": "2024-03-06T03:08:49.330577625Z",
"updateTime": "2024-03-06T03:08:49.625874598Z",
"requester": "alex@example.com",
"requestedDuration": "3600s",
"justification": {
"unstructuredJustification": "Emergency service for outage"
},
"state": "APPROVAL_AWAITED",
"timeline": {
"events": [
{
"eventTime": "2024-03-06T03:08:49.462765846Z",
"requested": {
"expireTime": "2024-03-07T03:08:49.462765846Z"
}
}
]
},
"privilegedAccess": {
"gcpIamAccess": {
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"roleBindings": [
{
"role": "roles/storage.admin"
"id": "hwqrt_1"
}
]
}
},
"requestedPrivilegedAccess": {
"gcpIamAccess": {
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"roleBindings": [
{
"role": "roles/storage.admin",
"entitlementRoleBindingId": "hwqrt_1"
}
]
}
},
"additionalEmailRecipients": [
"bola@google.com"
]
}
]
}
以编程方式批准授权
gcloud
gcloud pam grants describe 命令可批准特定的授权请求。
在使用下面的命令数据之前,请先进行以下替换:
GRANT_ID:您要批准的授权的 ID。您可以通过搜索可批准或拒绝的授权请求来检索此 ID。ENTITLEMENT_ID:授权所属的权利的 ID。APPROVAL_REASON:授权获得批准的原因。RESOURCE_TYPE:可选。权利所属的资源类型。使用值organization、folder或project。RESOURCE_ID:与RESOURCE_TYPE一起使用。您要为其管理使用权的 Google Cloud项目、文件夹或组织的 ID。项目 ID 是字母数字字符串,例如my-project。文件夹和组织 ID 是数字,例如123456789012。
执行以下命令:
Linux、macOS 或 Cloud Shell
gcloud pam grants approve \ GRANT_ID \ --entitlement=ENTITLEMENT_ID \ --reason="APPROVAL_REASON" \ --location=global \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud pam grants approve ` GRANT_ID ` --entitlement=ENTITLEMENT_ID ` --reason="APPROVAL_REASON" ` --location=global ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud pam grants approve ^ GRANT_ID ^ --entitlement=ENTITLEMENT_ID ^ --reason="APPROVAL_REASON" ^ --location=global ^ --RESOURCE_TYPE=RESOURCE_ID
您应该会收到类似如下所示的响应:
createTime: '2024-04-05T01:17:04.596455403Z'
justification:
unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
gcpIamAccess:
resource: //cloudresourcemanager.googleapis.com/projects/my-project
resourceType: cloudresourcemanager.googleapis.com/Project
roleBindings:
- role: roles/storage.admin
requestedDuration: 2700s
requester: cruz@example.com
state: SCHEDULED
timeline:
events:
- eventTime: '2024-04-05T01:17:04.732226659Z'
requested:
expireTime: '2024-04-06T01:17:04.732226659Z'
- approved:
actor: alex@example.com
reason: Access allowed under existing policy
eventTime: '2024-04-05T01:21:49.139539732Z'
- eventTime: '2024-04-05T01:21:49.139463954Z'
scheduled:
scheduledActivationTime: '2024-04-05T01:21:49.139463954Z'
updateTime: '2024-04-05T01:21:49.139463954Z'
REST
Privileged Access Manager API 的 approveGrant 方法可批准特定的授权请求。
在使用任何请求数据之前,请先进行以下替换:
SCOPE:权利所属的组织、文件夹或项目,格式为organizations/ORGANIZATION_ID、folders/FOLDER_ID或projects/PROJECT_ID。项目 ID 是字母数字字符串,例如my-project。文件夹和组织 ID 是数字,例如123456789012。ENTITLEMENT_ID:授权所属的权利的 ID。GRANT_ID:您要批准的授权的 ID。您可以通过搜索可批准或拒绝的授权请求来检索此 ID。REASON:授权请求获得批准的原因。
HTTP 方法和网址:
POST https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:approve
请求 JSON 正文:
{
"reason": "REASON"
}
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{
"name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
"createTime": "2024-03-06T03:08:49.330577625Z",
"updateTime": "2024-03-06T23:01:13.964619844Z",
"requester": "alex@example.com",
"requestedDuration": "3600s",
"justification": {
"unstructuredJustification": "Emergency service for outage"
},
"state": "SCHEDULED",
"timeline": {
"events": [
{
"eventTime": "2024-03-06T03:08:49.462765846Z",
"requested": {
"expireTime": "2024-03-07T03:08:49.462765846Z"
}
},
{
"eventTime": "2024-03-06T23:01:13.964685709Z",
"approved": {
"reason": "Approved escalation",
"actor": "cruz@example.com"
}
},
{
"eventTime": "2024-03-06T23:01:13.964619844Z",
"scheduled": {
"scheduledActivationTime": "2024-03-06T23:01:13.964619844Z"
}
}
]
},
"privilegedAccess": {
"gcpIamAccess": {
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
"roleBindings": [
{
"role": "roles/storage.admin"
}
]
}
},
"additionalEmailRecipients": [
"bola@example.com.com"
]
}
以编程方式拒绝授权
gcloud
gcloud pam grants describe 命令可拒绝特定的授权请求。
在使用下面的命令数据之前,请先进行以下替换:
GRANT_ID:您要拒绝的授权的 ID。您可以通过搜索可批准或拒绝的授权来检索此 ID。ENTITLEMENT_ID:授权所属的权利的 ID。DENIAL_REASON:授权被拒绝的原因。RESOURCE_TYPE:可选。权利所属的资源类型。使用值organization、folder或project。RESOURCE_ID:与RESOURCE_TYPE一起使用。您要为其管理使用权的 Google Cloud项目、文件夹或组织的 ID。项目 ID 是字母数字字符串,例如my-project。文件夹和组织 ID 是数字,例如123456789012。
执行以下命令:
Linux、macOS 或 Cloud Shell
gcloud pam grants deny \ GRANT_ID \ --entitlement=ENTITLEMENT_ID \ --reason="DENIAL_REASON" \ --location=global \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud pam grants deny ` GRANT_ID ` --entitlement=ENTITLEMENT_ID ` --reason="DENIAL_REASON" ` --location=global ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud pam grants deny ^ GRANT_ID ^ --entitlement=ENTITLEMENT_ID ^ --reason="DENIAL_REASON" ^ --location=global ^ --RESOURCE_TYPE=RESOURCE_ID
您应该会收到类似如下所示的响应:
createTime: '2024-04-05T01:29:13.129192816Z'
justification:
unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
gcpIamAccess:
resource: //cloudresourcemanager.googleapis.com/projects/my-project
resourceType: cloudresourcemanager.googleapis.com/Project
roleBindings:
- role: roles/storage.admin
requestedDuration: 2700s
requester: cruz@example.com
state: DENIED
timeline:
events:
- eventTime: '2024-04-05T01:29:13.267878626Z'
requested:
expireTime: '2024-04-06T01:29:13.267878626Z'
- denied:
actor: alex@example.com
reason: Access denied under existing policy
eventTime: '2024-04-05T01:29:49.492161363Z'
updateTime: '2024-04-05T01:29:49.492097724Z'
REST
Privileged Access Manager API 的 denyGrant 方法可拒绝特定的授权请求。
在使用任何请求数据之前,请先进行以下替换:
SCOPE:权利所属的组织、文件夹或项目,格式为organizations/ORGANIZATION_ID、folders/FOLDER_ID或projects/PROJECT_ID。项目 ID 是字母数字字符串,例如my-project。文件夹和组织 ID 是数字,例如123456789012。ENTITLEMENT_ID:授权所属的权利的 ID。GRANT_ID:您要拒绝的授权的 ID。您可以通过搜索可批准或拒绝的授权来检索此 ID。REASON:授权请求被拒绝的原因。
HTTP 方法和网址:
POST https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:deny
请求 JSON 正文:
{
"reason": "REASON"
}
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{
"name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
"createTime": "2024-03-07T00:34:32.557017289Z",
"updateTime": "2024-03-07T00:36:08.309046580Z",
"requester": "alex@example.com",
"requestedDuration": "3600s",
"justification": {
"unstructuredJustification": "Emergency service for outage"
},
"state": "DENIED",
"timeline": {
"events": [
{
"eventTime": "2024-03-07T00:34:32.793769042Z",
"requested": {
"expireTime": "2024-03-08T00:34:32.793769042Z"
}
},
{
"eventTime": "2024-03-07T00:36:08.309116203Z",
"denied": {
"reason": "Outage already resolved",
"actor": "cruz@example.com"
}
}
]
},
"privilegedAccess": {
"gcpIamAccess": {
"resourceType": "cloudresourcemanager.googleapis.com/Project",
"resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
"roleBindings": [
{
"role": "roles/storage.admin"
}
]
}
},
"additionalEmailRecipients": [
"bola@example.com"
]
}