Closed charlie-costanzo closed 1 month ago
Hi @charlie-costanzo is it possible to add domain:ministryofvelocity.com or group:consultants@ministryofvelocity.com instead?
Hey @ohrite – when creating new groups to allow access to row access policies in GCP, I believe that the domain for a new group's email address is actually automatically assigned the domain of the 'owner' of the GCP organization, and I believe Jarvus is still technically the 'owner' of the Cal-ITP GCP instance. So I wasn't given an option to substitute domains, and I don't think it has much impact other than the settings for the group's access to the tables, but can look into this further if you'd like.
I could also potentially change to a domain-level access to the tables, such as domain:ministryofvelocity.com, if preferred, but that would be a less granular way to control who accesses these (more sensitive) payments tables. Currently the only domain that's given broad domain access is calitp.org, as the group that Jarvus users have been in names users specifically. Let me know if you'd like me to look further into this though, as well.
Compiler owns the existing GCP project, not Jarvus
We don't have access to the "organization" that owns the GCP project—either because none is assigned to the project or because we're not members of it.
Groups can only be created at the organization level so we're creating them under jarvus for now
We're about to rework all this stuff in the transition to Caltrans owning the GCP project so it might be best to just stick with small un-ideal changes for now rather than making the current IAM structure more complex for what will hopefully only be a few weeks
Description
Update payments row access policies in macro create_row_access_policy to include new GCP group: mov-project-team@jarv.us to facilitate querying and contributions to row access policy-protected tables (primarily fct_payments__rides_v2 and fct_elavon__transactions)
Type of change