Typically, companies will have many different projects with many different users working on them.  And those users will often have different needs.  For example, some users might need access to every project, while others might only need to access one or two.  Some users will just need the ability to just look at things, while others might also need to make changes.  That is why every project in your Google Cloud Platform account has its own set of users.  And each user account can have its own unique set of permissions.

When it comes to creating new user accounts, you have a couple of options.  First, you can manually create them yourself.  This works fine if you have a small number of users.  However, for large companies with hundreds or thousands of users, you may want to consider automating the process.   If you already have something like Active Directory or LDAP, you can use Google Cloud Directory Sync to automatically replicate them to Google Cloud Identity.  Cloud Identity allows you to manage and authorize your user accounts across multiple applications and projects.  It also supports SAML 2.0 (Security Assertion Markup Language) for single sign-on (SSO), as well as two-factor authentication (2FA).

Whichever option you choose, you have full control over which permissions are granted to your users.  This is accomplished by assigning roles.  Roles are groups of permissions.  You could try to directly assign individual permissions to users, but this would take a lot of time.  Users typically need many, many different types of permissions to do their jobs.  So to save time, you instead assign permissions to roles.  And then you assign roles to users.  

Now there are three main types of roles: basic, predefined, and custom.  Basic and predefined roles are already created for you by Google.  Custom roles are roles that you can create yourself.

Basic roles (formerly called primitive roles) represent a very simple and broad set of permissions.  The Browser role allows a user to view what resources already exist, but not get any detailed information.  The Viewer role allows a user to get more detailed information about resources, but not modify them.  The Editor role allows a user to modify resources, but not other user accounts.  And the Owner role gives a user full control.  Owners can modify any resource or user account, and can also do things like set up billing.  It is generally recommended that you avoid using basic roles, especially in production environments.  Basic roles typically either grant too many or not enough permissions.

Predefined roles provide smaller sets of permissions for specific resources.  And because of this, there are many, many more predefined roles than basic ones.  For example, if a user needed to be able to inventory all the compute engine resources, you could grant them the “Compute Viewer” predefined role.  This would only allow them to view the current Compute Resources.  If a user needed to modify firewall rules, you could grant them the “Compute Security Admin” predefined role.  And if a user needed full control over all Compute Engine resources including VMs, security, and storage, you could grant them the “Compute Admin” predefined role.

The third type of role is the custom role.  Custom roles are groups of permissions that can be as wide or as restricted as you wish.  Predefined roles cover many typical scenarios, but can still end up granting unnecessary permissions.  By defining your own Custom roles, you can assign exactly the permissions each user needs and no more.

Alright.  Enough talk.  Time to demonstrate how to create user accounts and assign roles.  First, go to the Navigation menu and select “IAM & Admin” and then “IAM”.  Right now I just have a single user account for myself.  This is the account I am using right now.  Let’s add a few more.

Before creating a new user, always double-check that you have the right project selected.  You don’t want to accidentally add a user to the wrong project. 

Next, click the “Add” button at the top of the page.  First, you will need to enter the user's email address.  So let me do that.  Second, you need to pick at least one role to assign.  There are the three main types of roles I talked about before.  You can find Basic roles here.  For this first user I will pick “Browser”.  And once you click on “Save” the user will be created.  So now the person with the email address of newuser1@gmail can log in and browse the resources inside of my “Photo blog” project.

Next, let’s add another user with some predefined roles.  I will enter another email address.  You can find the predefined roles down here under “All roles”.  You can see that there are a lot more predefined roles than basic.  There are so many, that it is often helpful to use the filter to search for the roles you are interested in.  I can search for “App Engine” and get a list of App Engine related roles.  So let me assign the App Engine Viewer role.  You can also add more roles.  You aren’t just limited to one.  So let me add another predefined role.  I’ll pick “BigQuery Data Viewer”.  And then click “Save”.

So I have assigned basic and predefined roles.  Let’s create a  third user and assign custom roles.  I have already created a few custom roles before I started filming so you could see how this work.  If you want to create a new role, you can click on the “Manage Roles” link below.  I’m going to assign Custom Role 1.   And also Custom Role 2.  So now you know how to add new user accounts to your project.  

Really quickly, I want to also show you how to create your own custom roles.  If you select “Roles” from the side menu, you will see a list of the predefined and custom roles that exist.  From here you just need to click on “Create Role” at the top of the page and you can pick a title (which is the name) and then add permissions.  There are a lot of permissions to choose from, so you can also search and filter by name.  I am just going to pick a few permissions at random.

So this new custom role is called “Custom Role 3”.  It is going to have 4 assigned permissions.  And once I click “Create” it will be available to use.

There are going to be times when you want to delete a user.   Luckily, deleting is pretty simple.  Let’s go back to the IAM page.  You just select the users, and then click the “Remove” button at the top of the page. Confirm that, yes, you wish to remove the users from the project.  And that is all there is to it.  The user accounts have been deleted.

As you can see, creating users and assigning them roles is fairly straightforward.  The real trick is understanding what permissions your users will need.  It depends on what you are building and what your requirements are.  Remember, you can always change permissions later.  So it is recommended to start out assigning the minimum amount of permissions at first.  Then you can add more later as required.  It is safer to give out too few, than too many.

And that wraps up the lesson on users and roles.  If you can, I recommend creating a few users with different levels of permissions.  Then try to log in as each and take note of the limitations on what you can see and do.