Project ownership is the first stop where decisions need to be made regarding user accounts, groups, permissions and other identity-related concepts. By following some simple guidelines for project ownership at the outset, you can save yourself some future headaches. Here are some tips for setting up your projects for success:
- prefer groups over individuals
- use Workspace or Cloud Identity for creating groups
- do NOT use a shared Google account. A shared Google account is a headless account - one in which multiple individuals are given the credentials.
Follow along with these three simple steps towards group-based project ownership.
- Create a project owner group
- Add users to the group
- Grant Project Owner role to the group
Create the group
The creator of a Cloud Project is automatically assigned the Project Owner role. Preferably, you should grant the Project Owner role to a Google group that has one or more members, which eliminates the risk of project lockout. A group can be created from within Workspace or Cloud Identity, both of which provide identity management capabilities. If you have neither Workspace nor Cloud Identity, you can still create a group @googlegroups.com. This group can include Google accounts with any domain suffix (@gmail.com, @someenterprisedomain.com). Use the decision tree to decide how to establish your project owner group.
Once the group is created, add users to the group. These users must be existing Google accounts or service accounts. We recommend using Google accounts associated with your organization's corporate domain.
Grant IAM role to group
Finally, grant the Project Owner role to the group:
Cloud Console > IAM & Admin > Add member
Below is an example of granting the Project Owner role to the group firstname.lastname@example.org, a Google group created within Cloud Identity. Note that the group members log in to the Console with their individual account credentials.
*We found that group-based project ownership prevents a project owner from submitting a Google support ticket from within Cloud Console. Workaround: add your individual Google account as project owner, submit the support ticket, then remove your individual account.
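The three steps above end with a role grant, and the footnote's workaround temporarily re-introduces an individual owner, so a practitioner will want a repeatable check that ownership really sits with a group. The script below is an added example, not code from the original post: it builds the gcloud equivalent of the Console grant and audits an IAM policy document for roles/owner bindings held by individual users or service accounts. The policy shown is a constructed sample in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns (that shape is an assumption); project and group names are placeholders.

```python
import json

# Constructed sample policy: one owner group plus a leftover individual owner,
# the state you are in after the support-ticket workaround if the last step is forgotten.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["group:project-owners@example.org",
                     "user:alice@example.org"]},
        {"role": "roles/viewer",
         "members": ["user:bob@example.org"]},
    ],
    "etag": "BwExampleEtag=",
    "version": 1,
})


def grant_command(project_id, group_email):
    """gcloud equivalent of Cloud Console > IAM & Admin > Add member for a group."""
    return ("gcloud projects add-iam-policy-binding %s "
            "--member=group:%s --role=roles/owner" % (project_id, group_email))


def owner_members(policy_json):
    """Return every member bound to roles/owner in a project IAM policy."""
    policy = json.loads(policy_json)
    members = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == "roles/owner":
            members.extend(binding.get("members", []))
    return members


def audit_owners(policy_json):
    """Classify roles/owner members; users and service accounts are flagged
    because ownership should be held by a group, not an individual."""
    findings = {"groups": [], "individuals": [], "other": []}
    for member in owner_members(policy_json):
        kind = member.partition(":")[0]
        if kind == "group":
            findings["groups"].append(member)
        elif kind in ("user", "serviceAccount"):
            findings["individuals"].append(member)
        else:
            findings["other"].append(member)  # e.g. domain: bindings
    return findings


def is_group_owned(policy_json):
    """True only when at least one group owns the project and nothing else does."""
    f = audit_owners(policy_json)
    return bool(f["groups"]) and not f["individuals"] and not f["other"]


if __name__ == "__main__":
    print(grant_command("my-project-id", "project-owners@example.org"))
    print(json.dumps(audit_owners(SAMPLE_POLICY), indent=2))
```

Feed the script the real policy (saved with the gcloud command named in the lead-in) to confirm that the individual account added for the support ticket has actually been removed.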