
I have a G Suite account, say example.com, and I add a new user called [email protected]. Now this user logs into the GCP (Google Cloud Platform) console and he has access to all resources under the example.com organization. No roles have been assigned to this user using Cloud IAM and no specific policies are defined.

It is expected that [email protected] by default doesn't have any access to resources under GCP until some role is assigned.

Comments:

Do you have groups with roles assigned? – night-gold

I have groups with roles assigned, but this user is not part of any group. – prasanna h

When you create a new user in G Suite (new email address) they have ZERO permissions in GCP until you add that user to GCP IAM. Double-check the IAM member listing for this user and see what permissions they have. You can also look in the Stackdriver Audit logs to see when/how permissions were granted. – John Hanley

That's exactly what I was expecting. But that user can log into the GCP console and access resources. I don't see anything under IAM for this user. However, there is a user of type "Domain" called <example.com> under IAM who has 'owner' permission on that domain. – prasanna h

Google Cloud IAM supports the member type domain. All email addresses in that domain inherit the permissions of the domain member. The domain member is similar to a group member. – John Hanley

1 Answer


In this question, the problem is caused by having the Cloud IAM member type "domain:" added as a member assigned the Project Owner role. Everyone in the same domain inherits the permissions assigned to the domain member.

For clarity, you have the domain name example.com. If you add the IAM member domain:example.com to Cloud IAM, everyone that has an email address in that domain, e.g. [email protected], will inherit the permissions assigned to domain:example.com automatically.

The domain member requires that the email addresses are managed by either G Suite or Cloud Identity.

G Suite Domain
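To make the inheritance described in the answer concrete, here is an added example (my own code, not from the question, the answer or Google) that evaluates a project IAM policy the way the `domain:` member type does. It takes a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, works out which roles a given address holds and through which member (direct `user:`, a `group:` the caller says the address belongs to, or a whole `domain:`), and flags any domain-wide binding on Owner or Editor. The policy, the addresses and the group membership are constructed sample data; the script looks at a single project policy only, so roles inherited from a folder or organization policy, and IAM conditions on bindings, are out of scope.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
# The domain:example.com entry under roles/owner is the misconfiguration from the
# question: every address at example.com becomes a Project Owner through it.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com", "domain:example.com"]},
    {"role": "roles/viewer",
     "members": ["group:viewers@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:app@constructed-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 1
}
"""

# Roles broad enough that granting them to a whole domain deserves a review.
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}


def load_sample_policy():
    """Parse the constructed policy above (stands in for the gcloud output)."""
    return json.loads(SAMPLE_POLICY_JSON)


def member_matches(member, email, groups):
    """True if the IAM member string `member` covers the address `email`.

    user:   exact address match
    group:  address is in that group (membership is supplied by the caller,
            since the policy itself does not list group members)
    domain: every address in that G Suite / Cloud Identity domain matches
    Other kinds (serviceAccount, allUsers, ...) never stand for a human user here.
    """
    kind, _, value = member.partition(":")
    email = email.lower()
    value = value.lower()
    if kind == "user":
        return value == email
    if kind == "group":
        return value in {g.lower() for g in groups}
    if kind == "domain":
        return email.endswith("@" + value)
    return False


def effective_roles(policy, email, groups=()):
    """Map each role `email` holds to the list of members that grant it."""
    result = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member_matches(member, email, groups):
                result.setdefault(binding["role"], []).append(member)
    return result


def domain_wide_bindings(policy, privileged=PRIVILEGED_ROLES):
    """(role, member) pairs where an entire domain holds a privileged role."""
    hits = []
    for binding in policy.get("bindings", []):
        if binding["role"] in privileged:
            for member in binding.get("members", []):
                if member.startswith("domain:"):
                    hits.append((binding["role"], member))
    return hits


def without_member(policy, role, member):
    """Return a copy of the policy with `member` dropped from `role`'s binding.

    Mirrors what `gcloud projects remove-iam-policy-binding` does to the policy.
    """
    fixed = json.loads(json.dumps(policy))  # deep copy, original left untouched
    for binding in fixed.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
    fixed["bindings"] = [b for b in fixed["bindings"] if b["members"]]
    return fixed


if __name__ == "__main__":
    policy = load_sample_policy()
    # A freshly created G Suite user with no direct IAM entry, as in the question.
    print(effective_roles(policy, "newuser@example.com"))
    print(domain_wide_bindings(policy))
    fixed = without_member(policy, "roles/owner", "domain:example.com")
    print(effective_roles(fixed, "newuser@example.com"))
```

Run against the real policy by replacing `SAMPLE_POLICY_JSON` with the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`; a non-empty result from `domain_wide_bindings` is the situation the answer describes. The remediation the answer implies is the same as `without_member`: remove the `domain:` member from the Owner binding (`gcloud projects remove-iam-policy-binding PROJECT_ID --member=domain:example.com --role=roles/owner`) and grant roles to specific users or groups instead, then confirm in the Audit logs who held Owner through the domain binding in the meantime.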