https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/API-access/m-p/355#M103 <P>Yup, that's perfectly doable, and it only really needs to be done before deleting an important user account, as ownership needs to be transferred first, else&nbsp;<EM>it should</EM> disappear along with the owner.</P><P><A title="GCP Resource Manager interface" href="https://console.cloud.google.com/cloud-resource-manager" target="_blank" rel="noopener">GCP Resource Manager interface</A>.</P><P>There any superadmin can give themselves access to anything else, by assigning <A title="IAM roles" href="https://cloud.google.com/iam/docs/conditions-overview?hl=en_GB" target="_blank" rel="noopener">IAM roles</A> to themselves, so called <A title="Principals" href="https://cloud.google.com/iam/docs/overview?hl=en_GB#concepts_related_identity" target="_blank" rel="noopener">Principals</A>, for the entire domain.&nbsp;I usually make sure to have these, meaning I can do most things.</P><P>Organisation Administrator,&nbsp;Project Creator, Storage Admin,&nbsp;Folder Admin.</P><P>You should really read closely what each role can do, as sometimes you need a lesser role to do something even though being "admin" sounds better.</P><P>But there's also an <A title="Interactive guide on how to secure your GCP" href="https://console.cloud.google.com/cloud-setup/overview" target="_blank" rel="noopener">very extensive interactive guide on how to secure your GCP</A>.</P><P>I can definitely recommend walking through that, and do most of what is suggested.</P><P><EM>Owner</EM> is of course necessary for things that should not be removed. But it&nbsp;<EM>may</EM> require that ownership is removed from the user that created it. Else the entire thing needs to re-created with another account.</P><P>So, for super-important stuff, I recommend creating and owning them with a "utility" account, an account which isn't really a person, but which is only ever&nbsp;<EM>managed</EM> by a single person at the time.</P><P>Never ever not-ever share credentials to an account.</P> Mon, 10 Jul 2023 22:15:23 GMT Kim_Nilsson 2023-07-10T22:15:23Z https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/API-access/m-p/354#M102 <P>I have a question about the managment site&nbsp;<A href="https://console.cloud.google.com/" target="_blank" rel="noopener">https://console.cloud.google.com/</A>. We get in there from time to time to add SSO etc. Usually I do them but another admin went in and it turns out I can only seee the ones I've created he can only see any hes created etc. Is there any way in here permissions wise we can make it so all admins can see the API settings for each project? If I leave they basically have to leave my account forever.</P> Mon, 10 Jul 2023 20:30:55 GMT https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/API-access/m-p/354#M102 jasoncrcsd 2023-07-10T20:30:55Z https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/API-access/m-p/355#M103 <P>Yup, that's perfectly doable, and it only really needs to be done before deleting an important user account, as ownership needs to be transferred first, else&nbsp;<EM>it should</EM> disappear along with the owner.</P><P><A title="GCP Resource Manager interface" href="https://console.cloud.google.com/cloud-resource-manager" target="_blank" rel="noopener">GCP Resource Manager interface</A>.</P><P>There any superadmin can give themselves access to anything else, by assigning <A title="IAM roles" href="https://cloud.google.com/iam/docs/conditions-overview?hl=en_GB" target="_blank" rel="noopener">IAM roles</A> to themselves, so called <A title="Principals" href="https://cloud.google.com/iam/docs/overview?hl=en_GB#concepts_related_identity" target="_blank" rel="noopener">Principals</A>, for the entire domain.&nbsp;I usually make sure to have these, meaning I can do most things.</P><P>Organisation Administrator,&nbsp;Project Creator, Storage Admin,&nbsp;Folder Admin.</P><P>You should really read closely what each role can do, as sometimes you need a lesser role to do something even though being "admin" sounds better.</P><P>But there's also an <A title="Interactive guide on how to secure your GCP" href="https://console.cloud.google.com/cloud-setup/overview" target="_blank" rel="noopener">very extensive interactive guide on how to secure your GCP</A>.</P><P>I can definitely recommend walking through that, and do most of what is suggested.</P><P><EM>Owner</EM> is of course necessary for things that should not be removed. But it&nbsp;<EM>may</EM> require that ownership is removed from the user that created it. Else the entire thing needs to re-created with another account.</P><P>So, for super-important stuff, I recommend creating and owning them with a "utility" account, an account which isn't really a person, but which is only ever&nbsp;<EM>managed</EM> by a single person at the time.</P><P>Never ever not-ever share credentials to an account.</P> Mon, 10 Jul 2023 22:15:23 GMT https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/API-access/m-p/355#M103 Kim_Nilsson 2023-07-10T22:15:23Z