Query Mode
Working with effective or system mode for queries, search, and workflow results.
Early Access (Search Modes): This feature must be enabled by support. Contact the Veza support team to enable this option.
Changing the query mode lets you show either Effective Permissions from source to destination entities, or information about the additional intermediate entity types (such as roles and policy bindings) that connect them.
Effective mode calculates and shows all possible actions, after accounting for any potential restrictions (such as policy deny statements and other controls). Effective Permissions represent all the metadata and non-data actions the principal can take on a resource.

System mode shows the configured permissions and access path, before processing potentially overriding policies such as deny statements, service control policies (SCPs), and network policies. System mode is useful for understanding, certifying, and enforcing rules based on User > Policy > Resource relationships and other role-based access controls.
See Intermediate Entities for example queries possible in this mode. System mode also enables the full range of possible selections for Workflow Summary Entities.
Permissions in system mode
Search and Workflows present a natural-language summary of the actions that identities can ultimately take on a resource, in the form of Effective Permissions (EP). The default Effective mode shows the cumulative level of access a principal has on a resource, after accounting for all roles, groups, and elements such as policy "deny" statements.
In Effective mode, you can click on a single Permission node in Authorization Graph and click Explain Effective Permissions to view the configured system-level authorization relationships that result in the EP calculation. Typically, this will show additional entities such as policies, groups, and roles configured for the principal.
System mode enables visualization and constraints on raw authorization nodes such as role bindings and group memberships, and the exact permissions connecting identities, policies, and resources.
In general, enabling system mode provides additional context for understanding and mapping Role-Based Access Controls for Google Cloud Platform and Microsoft Azure AD. System mode is especially useful for searching and filtering on the intermediate entities, such as roles and groups, that connect identities and resources.
Role Bindings entities assign specific permissions to a specific user or group in a Google Organization. Graph view consolidates duplicate Role Bindings by Role name, or by Role name and Policy Resource pair.
Policy Resource nodes represent the specific resources that a role binding applies to. Graph shows relationships between Role Bindings and the resources in the search, indicating the resource hierarchy and the level of the hierarchy at which the Role applies.
The Google Folder hierarchy is a visual representation of the Organization structure.
"Group" is a term used to describe a collection of users in a Google Organization. The visualization will also show the relationship between a User and a Role Binding, and any intermediate Group entities.
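The following is an added worked example, not Veza code and not a description of how Veza's engine is implemented. It models in a few lines the distinction drawn above: the system view lists every configured path from a user, through any Group and Role Binding, to the Policy Resource in the folder hierarchy, while the effective view reduces those bindings to the set of actions that remain after deny statements are applied. The hierarchy, roles, groups, bindings, and deny policy are all constructed sample data; the role names borrow GCP's naming style, but the permission sets and the evaluation order are simplified assumptions for illustration only.

```python
"""Toy model of "system" vs "effective" permission views (constructed example)."""

# Resource hierarchy, child -> parent, mirroring an org > folder > project > resource tree.
# Constructed sample data.
HIERARCHY = {
    "bucket:finance-reports": "project:finance",
    "project:finance": "folder:corp",
    "folder:corp": "org:example",
}

# Role -> actions it grants. Constructed sample data (not the real GCP permission lists).
ROLES = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete",
    },
}

# Group -> members. Constructed sample data.
GROUPS = {"group:analysts": {"user:alice", "user:bob"}}

# Role Bindings as (policy resource, role, principal). A binding on a folder or
# project is inherited by every resource below it. Constructed sample data.
ROLE_BINDINGS = [
    ("folder:corp", "roles/storage.objectViewer", "group:analysts"),
    ("project:finance", "roles/storage.objectAdmin", "user:alice"),
]

# Deny statements as (policy resource, principal, denied actions). Constructed sample data.
DENY_POLICIES = [
    ("org:example", "user:alice", {"storage.objects.delete"}),
]


def ancestors(resource):
    """Return the resource followed by each ancestor up to the organization."""
    chain = []
    while resource:
        chain.append(resource)
        resource = HIERARCHY.get(resource)
    return chain


def principals_for(user):
    """The user itself plus every group it is a member of."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def system_view(user, resource):
    """System mode: every configured path user -> (group) -> role binding -> policy resource,
    ordered from the resource itself up through its hierarchy."""
    paths = []
    for scope in ancestors(resource):
        for policy_res, role, principal in ROLE_BINDINGS:
            if policy_res == scope and principal in principals_for(user):
                paths.append((principal, role, policy_res))
    return paths


def effective_view(user, resource):
    """Effective mode: union of all bound actions, minus anything denied at any level
    of the hierarchy. Returns (effective actions, denied actions)."""
    allowed = set()
    for _, role, _ in system_view(user, resource):
        allowed |= ROLES[role]
    denied = set()
    scopes = ancestors(resource)
    for policy_res, principal, actions in DENY_POLICIES:
        if policy_res in scopes and principal in principals_for(user):
            denied |= actions
    return allowed - denied, denied


if __name__ == "__main__":
    target = "bucket:finance-reports"
    for user in ("user:alice", "user:bob"):
        print(f"{user} on {target}")
        for principal, role, scope in system_view(user, target):
            print(f"  system:    {principal} -> {role} @ {scope}")
        effective, denied = effective_view(user, target)
        print(f"  effective: {sorted(effective)}")
        if denied:
            print(f"  denied:    {sorted(denied)}")
```

Running the script shows why the two views answer different questions: the system view for `user:alice` lists both the direct `objectAdmin` binding on the project and the inherited `objectViewer` binding reached through `group:analysts` on the folder, which is what a certification of role assignments needs; the effective view collapses them to three actions because the organization-level deny removes `storage.objects.delete`, which is what a question about what the identity can ultimately do needs.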