I created the user, a non-admin account, and created a project (My User Project ) as well. when I switched to the admin account, I can see the My User Project in My trial billing account. as per the tutorial I should not see the project at all, was there any change in this behavior?
2 Answers
It seems to me that google upgraded this behaviour but noticed that admin still can’t change billing for ‘My user project’. However he/she can disable billing for ‘My user project’ which makes sense because Admin is the owner of the billing account.
From what I can see currently, the Admin can see all the projects from the graphs located at the page of a specific billing account, as it’s possible to check what projects are spending more money along with their existence. But, when the admin list the "My Projects" tab by the side of the "My Billing Accounts", it sees only its own projects, not lower privileged users projects.
Summarising, projects names appears linked to billing accounts owned by the admin. That’s because when we created the lecture’s user, it was created with the Billing Account User role, meaning the user can link projects to billing accounts. As the new user created through a new project, its role on the project when he created it is owner for the project is created.
Good readings:
https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#projects
-Bianchi
Did you create the user from "IAM & Admin"? Or did you create a new Google gmail account?
Not sure if the user account should have default Project creation access in first place or isn’t violating the security principle that default permission should be none. Also the user account isn’t mine and that user can create hasn’t setup credit card setup etc. any thoughts?
Do you create the user account in IAM first and if so, when role should they be assigned?