Wintus/GCP-IAM.svg

## gcp-iam.graphviz.dot
digraph IAM {
  rankdir="LR";
  node [shape="component"];
  subgraph cluster_policy {
    cluster="true";
    style="dashed";
    label="Policy";
    URL="https://cloud.google.com/iam/docs/policy-types";
    role [label="Role"];
    perm [label="Permission"];
		// URL="https://cloud.google.com/resource-manager/reference/rest/Shared.Types/Policy"
		// URL="https://cloud.google.com/iam/docs/reference/rest/v1/Policy"
    ap [label="Allow Policy", URL="https://cloud.google.com/iam/docs/policies"];
    dp [label="Deny Policy", URL="https://cloud.google.com/iam/docs/deny-overview"];
    pab [label="PAB Policy", URL="https://cloud.google.com/iam/docs/principal-access-boundary-policies"];
    binding;
    condition;
    dr [label="DenyRule", URL="https://cloud.google.com/iam/docs/reference/rest/v2/policies#denyrule"];
    rule [label="Rule", URL="https://cloud.google.com/iam/docs/reference/rest/v3beta/organizations.locations.principalAccessBoundaryPolicies#principalaccessboundarypolicyrule"];
  }
  subgraph cluster_members {
    style="dashed";
    label="Principals";
    URL="https://cloud.google.com/iam/docs/principal-identifiers";
    member [shape="box"];
    sa [label="Service Account", URL="https://cloud.google.com/iam/docs/service-account-overview"];
    member -> {
        sa;
        user;
        group;
        k8s [label="Kubernetes resource", URL="https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#kubernetes-resources-iam-policies"];
        PrincipalSet;
        allUsers;
        allAuthenticatedUsers;
      } [dir="back", arrowtail="empty"];
    PrincipalSet [shape="box"];
  }
  subgraph cluster_svc {
    style="dashed";
    label="Service";
    res [label="Resource"];
  }
  subgraph composition {
    edge [dir="back", arrowtail="diamond"];
    ap -> binding -> {
        role;
        // has many
        member;
        /* optional */
        condition;
      };
    role -> perm;
    dp -> dr -> member;
    res -> dp [label="has many"];
    pab -> {
        PrincipalSet;
        rule;
      } [label="containts"];
    PrincipalSet -> member [label="contains"];
  }
  subgraph cluster_resource_manager {
    style="dashed";
    label="Resource Manager";
    URL="https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy";
    parent [shape="box", label="container", URL="https://cloud.google.com/iam/docs/resource-hierarchy-access-control"];
    parent -> {
        subgraph hierarchy {
          org -> folder -> project -> res [dir="back", arrowtail="diamond", label="inherits"];
        }
      } [dir="back", arrowtail="empty"];
  }
  subgraph policy_bindings {
    URL="https://cloud.google.com/iam/docs/manage-access-other-resources";
    URL="https://cloud.google.com/resource-manager/reference/rest/Shared.Types/Binding";
    edge [label="policy binding", dir="both"];
    ap -> {
        parent;
        res;
      };
  }
  perm -> res [label="verb"];
  sa -> res [arrowhead="empty", label="is-a"];
  rule -> res [label="allow effect"];
}

## GCP-IAM.svg

      
Display the source blob

    
Display the rendered blob

    
    Raw
  

              GCP-IAM.svg
            
          
      Loading

      Sorry, something went wrong. Reload?
      Sorry, we cannot display this file.
      Sorry, this file is invalid so it cannot be displayed.
      
          Viewer requires iframe.
	digraph IAM {
	rankdir="LR";
	node [shape="component"];
	subgraph cluster_policy {
	cluster="true";
	style="dashed";
	label="Policy";
	URL="https://cloud.google.com/iam/docs/policy-types";
	role [label="Role"];
	perm [label="Permission"];
	// URL="https://cloud.google.com/resource-manager/reference/rest/Shared.Types/Policy"
	// URL="https://cloud.google.com/iam/docs/reference/rest/v1/Policy"
	ap [label="Allow Policy", URL="https://cloud.google.com/iam/docs/policies"];
	dp [label="Deny Policy", URL="https://cloud.google.com/iam/docs/deny-overview"];
	pab [label="PAB Policy", URL="https://cloud.google.com/iam/docs/principal-access-boundary-policies"];
	binding;
	condition;
	dr [label="DenyRule", URL="https://cloud.google.com/iam/docs/reference/rest/v2/policies#denyrule"];
	rule [label="Rule", URL="https://cloud.google.com/iam/docs/reference/rest/v3beta/organizations.locations.principalAccessBoundaryPolicies#principalaccessboundarypolicyrule"];
	}
	subgraph cluster_members {
	style="dashed";
	label="Principals";
	URL="https://cloud.google.com/iam/docs/principal-identifiers";
	member [shape="box"];
	sa [label="Service Account", URL="https://cloud.google.com/iam/docs/service-account-overview"];
	member -> {
	sa;
	user;
	group;
	k8s [label="Kubernetes resource", URL="https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#kubernetes-resources-iam-policies"];
	PrincipalSet;
	allUsers;
	allAuthenticatedUsers;
	} [dir="back", arrowtail="empty"];
	PrincipalSet [shape="box"];
	}
	subgraph cluster_svc {
	style="dashed";
	label="Service";
	res [label="Resource"];
	}
	subgraph composition {
	edge [dir="back", arrowtail="diamond"];
	ap -> binding -> {
	role;
	// has many
	member;
	/* optional */
	condition;
	};
	role -> perm;
	dp -> dr -> member;
	res -> dp [label="has many"];
	pab -> {
	PrincipalSet;
	rule;
	} [label="containts"];
	PrincipalSet -> member [label="contains"];
	}
	subgraph cluster_resource_manager {
	style="dashed";
	label="Resource Manager";
	URL="https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy";
	parent [shape="box", label="container", URL="https://cloud.google.com/iam/docs/resource-hierarchy-access-control"];
	parent -> {
	subgraph hierarchy {
	org -> folder -> project -> res [dir="back", arrowtail="diamond", label="inherits"];
	}
	} [dir="back", arrowtail="empty"];
	}
	subgraph policy_bindings {
	URL="https://cloud.google.com/iam/docs/manage-access-other-resources";
	URL="https://cloud.google.com/resource-manager/reference/rest/Shared.Types/Binding";
	edge [label="policy binding", dir="both"];
	ap -> {
	parent;
	res;
	};
	}
	perm -> res [label="verb"];
	sa -> res [arrowhead="empty", label="is-a"];
	rule -> res [label="allow effect"];
	}