0
votes

In a Google document about the IAM policy hierarchy (see the image below), it is written that:

  • A less restrictive parent policy overrides a more restrictive resource policy

This means to me that if the parent allows editing of the resources below it, but a single resource policy does not allow editing, the resulting policy is the union, which means that the less restrictive policy (allow to edit) will be the resulting one.

In the same document they provide an example:

  • The policies implemented at a higher level in this hierarchy can’t take away access that’s granted at lower level. For example, suppose that a policy applied on the “bookshelf” project gives user Pat the right to modify a Cloud Storage bucket. But a policy at the organization level says that Pat can only view Cloud Storage buckets, not change them. The more generous policy takes effect.

This means to me that if the parent does not allow editing, but the single resource policy below allows editing, the parent is still able to remove the edit permission on the resource. Which to me sounds like the less generous policy is taking effect, as an intersection, not a union. How do you interpret "more generous"? To me, the more generous policy is the one allowing you to do more things, which, in this example, is the one granting editing permission, which is the contrary of what is written.

Does this mean that the less restrictive policy always "wins", since the result would be the UNION of the policies?

In other words:

  • A less restrictive parent policy overrides a more restrictive resource policy
  • A more restrictive parent policy does not override a less restrictive resource policy

Does it make sense to you? Thanks

google cloud platform IAM

1 Answer

0
votes

It only means that all policies are strictly structured top-down; while the more restrictive ones are not necessarily inherited, the rest are (the exception is when there are further policies on lower levels, which may then define what more and less restrictive even mean). Otherwise this wouldn't allow lower levels in the hierarchy to have custom policies.
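To make the "union" semantics from the question and answer concrete, here is a small constructed model of how an effective GCP IAM allow policy is computed. It is an added example, not code from the question, the answer or Google's documentation, and the hierarchy, principal `user:pat@example.com` and the cut-down role-to-permission table are all assumptions for illustration (real predefined roles carry many more permissions). The one fact it encodes is that the effective allow policy on a resource is the union of the bindings on that resource and on every ancestor, so a binding anywhere in the chain can only add access; the only GCP mechanism that actually subtracts access is the separate IAM deny policy, which is not modeled here.

```python
"""Toy model of GCP IAM allow-policy inheritance (constructed example, not GCP code).

Effective allow policy on a resource = union of the bindings on that resource and
on every ancestor (project, folder, organization).  Bindings only add access, so
neither a "restrictive" parent nor a "restrictive" child can remove a grant made
at another level.
"""
from typing import Dict, List, Set, Tuple

# Constructed hierarchy: child resource -> parent resource (assumed names).
PARENT: Dict[str, str] = {
    "folders/eng": "organizations/123",
    "projects/bookshelf": "folders/eng",
    "projects/other": "folders/eng",
    "buckets/bookshelf-data": "projects/bookshelf",
}

# Deliberately simplified role -> permission table; real roles carry many more.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete",
    },
}

# An allow policy is a list of (role, members) bindings attached to one resource.
Binding = Tuple[str, Set[str]]
Policies = Dict[str, List[Binding]]


def ancestry(resource: str) -> List[str]:
    """The resource followed by its ancestors up to the organization."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def effective_bindings(policies: Policies, resource: str) -> List[Binding]:
    """Union of the bindings set on the resource and on each of its ancestors."""
    bindings: List[Binding] = []
    for node in ancestry(resource):
        bindings.extend(policies.get(node, []))
    return bindings


def granted_permissions(policies: Policies, resource: str, member: str) -> Set[str]:
    """Every permission the member holds on the resource through any inherited binding."""
    perms: Set[str] = set()
    for role, members in effective_bindings(policies, resource):
        if member in members:
            perms |= ROLE_PERMISSIONS[role]
    return perms


def has_permission(policies: Policies, resource: str, member: str, permission: str) -> bool:
    return permission in granted_permissions(policies, resource, member)


PAT = "user:pat@example.com"  # constructed principal

# Scenario from the question: the org only lets Pat view, project "bookshelf" lets Pat modify.
ORG_VIEW_PROJECT_ADMIN: Policies = {
    "organizations/123": [("roles/storage.objectViewer", {PAT})],
    "projects/bookshelf": [("roles/storage.objectAdmin", {PAT})],
}

# Reverse: the org grants modify and the project tries to "restrict" Pat to viewer.
# Because the effective policy is a union, the project-level binding restricts nothing.
ORG_ADMIN_PROJECT_VIEW: Policies = {
    "organizations/123": [("roles/storage.objectAdmin", {PAT})],
    "projects/bookshelf": [("roles/storage.objectViewer", {PAT})],
}

if __name__ == "__main__":
    bucket = "buckets/bookshelf-data"
    for label, pol in (("org=view, project=admin", ORG_VIEW_PROJECT_ADMIN),
                       ("org=admin, project=view", ORG_ADMIN_PROJECT_VIEW)):
        print(f"{label}: {sorted(granted_permissions(pol, bucket, PAT))}")
    # A sibling project outside bookshelf's subtree only sees the org-level grant.
    print("projects/other:", sorted(granted_permissions(ORG_VIEW_PROJECT_ADMIN, "projects/other", PAT)))
```

Running it shows Pat can delete objects in `buckets/bookshelf-data` in both scenarios; the only place the project-level binding changes anything is inside the project's own subtree, and it can only ever widen what the organization already granted.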