Can IAM policies that are implemented higher in the resource hierarchy take away access that is granted by lower-level policies?
If I understood your question, the scenario you describe is not possible because GCP resources inherit the Cloud IAM policies of their parent node, so you can't have a child resource with higher/exclusive permission than the one assigned to the parent resource. That is my understanding, at least.
Ansh is correct: that is not possible. In particular, access that is granted at one level (any level) cannot be revoked at any other level (neither higher nor lower). A slide from the IAM Breakdown – Policies lecture notes:
Always additive ("Allow") and never subtractive (no "Deny")
It’s good to check that you understand things like this correctly. 👍
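To make the inheritance rule concrete, here is a small simulation of the allow-only model the thread describes (an added example, not code from the course or from Google). It models an organization > folder > project > bucket chain with a hypothetical, trimmed role-to-permission map; effective access on a node is the union of the bindings on the node and on every ancestor, so removing a binding at a lower level never takes away what an ancestor grants, and a grant at a lower level is visible only at that node and below. The resource names, members, and the permission lists are constructed for the example. (Google Cloud has since added IAM Deny policies; they are out of scope for this allow-only model.)

```python
"""Simulate Cloud IAM policy inheritance in the allow-only model.

Each node in the resource hierarchy carries a policy: a mapping of
role -> set of members. Effective access at a node is the union of
the node's own bindings and every ancestor's bindings.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set

# Hypothetical, trimmed role -> permission map (constructed for the example;
# real predefined roles carry many more permissions).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/viewer": {"storage.objects.get", "storage.objects.list"},
    "roles/editor": {"storage.objects.get", "storage.objects.list",
                     "storage.objects.create", "storage.objects.delete"},
}


@dataclass
class Node:
    """One resource in the hierarchy with its own IAM policy bindings."""
    name: str
    parent: Optional["Node"] = None
    bindings: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, role: str, member: str) -> None:
        """Add an Allow binding on this node (the only kind in this model)."""
        self.bindings.setdefault(role, set()).add(member)

    def revoke(self, role: str, member: str) -> None:
        """Remove a binding from this node only; ancestors are untouched."""
        members = self.bindings.get(role)
        if members:
            members.discard(member)

    def ancestry(self) -> Iterator["Node"]:
        """Yield this node, then its parent, up to the root."""
        node: Optional[Node] = self
        while node is not None:
            yield node
            node = node.parent


def effective_roles(node: Node, member: str) -> Set[str]:
    """Roles the member holds at `node`: union over the node and its ancestors."""
    roles: Set[str] = set()
    for n in node.ancestry():
        for role, members in n.bindings.items():
            if member in members:
                roles.add(role)
    return roles


def effective_permissions(node: Node, member: str) -> Set[str]:
    """Permissions implied by the member's effective roles at `node`."""
    perms: Set[str] = set()
    for role in effective_roles(node, member):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def has_permission(node: Node, member: str, permission: str) -> bool:
    """Allow-only check: granted if any ancestor-or-self binding grants it."""
    return permission in effective_permissions(node, member)


def build_demo_hierarchy():
    """Constructed org > folder > project > bucket chain for the example."""
    org = Node("organizations/123456789")
    folder = Node("folders/987654321", parent=org)
    project = Node("projects/demo-project", parent=folder)
    bucket = Node("buckets/demo-bucket", parent=project)
    org.grant("roles/editor", "user:alice@example.com")      # broad grant high up
    project.grant("roles/viewer", "user:alice@example.com")  # narrower grant below
    return org, folder, project, bucket


if __name__ == "__main__":
    org, folder, project, bucket = build_demo_hierarchy()
    alice = "user:alice@example.com"
    print("alice at bucket:", sorted(effective_roles(bucket, alice)))
    # The project-level viewer binding does not narrow the org-level editor grant.
    print("can delete:", has_permission(bucket, alice, "storage.objects.delete"))
    # Revoking viewer at the project changes nothing inherited from the org.
    project.revoke("roles/viewer", alice)
    print("can still delete:", has_permission(bucket, alice, "storage.objects.delete"))
```

The check worth remembering when auditing: walk the ancestry of the resource, not just its own policy, because a binding on the organization or folder is what usually explains access that a project-level `get-iam-policy` does not show.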