turbot/googledirectory
steampipe plugin install googledirectory

Table: googledirectory_privilege - Query Google Directory Privileges using SQL

Google Directory Privileges is a resource within Google Workspace Admin SDK that manages and provides information about the various rights granted to administrative roles. It allows administrators to create, update, and delete roles that contain one or more privileges. It is a key component in managing access control within Google Workspace.

Table Usage Guide

The googledirectory_privilege table provides insights into the privileges within Google Workspace Admin SDK. As an administrator, explore privilege-specific details through this table, including service IDs, privilege names, and associated metadata. Utilize it to uncover information about privileges, such as those associated with specific roles, and manage access control effectively within your Google Workspace environment.

Examples

Basic info

Explore which privileges within the Google Directory service are applicable to Organizational Units. This can aid in understanding the scope of access control and managing permissions effectively.

select
privilege_name,
service_name,
service_id,
is_ou_scopable
from
googledirectory_privilege;
select
privilege_name,
service_name,
service_id,
is_ou_scopable
from
googledirectory_privilege;

List privileges by service

Explore the distribution of privileges across different services. This can help in assessing the security posture by identifying services with a high count of privileges.

select
service_name,
count(*)
from
googledirectory_privilege
group by
service_name
order by
count desc;
select
service_name,
count(*)
from
googledirectory_privilege
group by
service_name
order by
count(*) desc;

List privileges for each role

This example allows you to examine the specific permissions associated with each role within your Google Directory. It's useful for ensuring that roles are correctly configured and that each role has the appropriate level of access, enhancing your overall security posture.

select
r.role_name as role_name,
p.service_name as service_name,
p.privilege_name as privilege_name
from
googledirectory_role as r,
jsonb_array_elements(r.role_privileges) as rp,
googledirectory_privilege as p
where
rp ->> 'serviceId' = p.service_id
and rp ->> 'privilegeName' = p.privilege_name
order by
role_name,
service_name,
privilege_name;
select
r.role_name as role_name,
p.service_name as service_name,
p.privilege_name as privilege_name
from
googledirectory_role as r,
json_each(r.role_privileges) as rp,
googledirectory_privilege as p
where
json_extract(rp.value, '$.serviceId') = p.service_id
and json_extract(rp.value, '$.privilegeName') = p.privilege_name
order by
role_name,
service_name,
privilege_name;

Schema for googledirectory_privilege

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
child_privilegesjsonbA list of child privileges. Privileges for a service form a tree. Each privilege can have a list of child privileges; this list is empty for a leaf privilege.
customer_idtext=The customer ID to retrieve all privileges for a customer.
etagtextA hash of the metadata, used to ensure there were no concurrent modifications to the resource when attempting an update.
is_ou_scopablebooleanIndicates if the privilege can be restricted to an organization unit.
kindtextThe type of the API resource.
privilege_nametextThe name of the privilege.
service_idtextThe obfuscated ID of the service this privilege is for.
service_nametextThe name of the service this privilege is for.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- googledirectory

You can pass the configuration to the command with the --config argument:

steampipe_export_googledirectory --config '<your_config>' googledirectory_privilege