Table: googledirectory_privilege - Query Google Directory Privileges using SQL
Google Directory Privileges is a resource within Google Workspace Admin SDK that manages and provides information about the various rights granted to administrative roles. It allows administrators to create, update, and delete roles that contain one or more privileges. It is a key component in managing access control within Google Workspace.
Table Usage Guide
The googledirectory_privilege
table provides insights into the privileges within Google Workspace Admin SDK. As an administrator, explore privilege-specific details through this table, including service IDs, privilege names, and associated metadata. Utilize it to uncover information about privileges, such as those associated with specific roles, and manage access control effectively within your Google Workspace environment.
Examples
Basic info
Explore which privileges within the Google Directory service are applicable to Organizational Units. This can aid in understanding the scope of access control and managing permissions effectively.
select privilege_name, service_name, service_id, is_ou_scopablefrom googledirectory_privilege;
select privilege_name, service_name, service_id, is_ou_scopablefrom googledirectory_privilege;
List privileges by service
Explore the distribution of privileges across different services. This can help in assessing the security posture by identifying services with a high count of privileges.
select service_name, count(*)from googledirectory_privilegegroup by service_nameorder by count desc;
select service_name, count(*)from googledirectory_privilegegroup by service_nameorder by count(*) desc;
List privileges for each role
This example allows you to examine the specific permissions associated with each role within your Google Directory. It's useful for ensuring that roles are correctly configured and that each role has the appropriate level of access, enhancing your overall security posture.
select r.role_name as role_name, p.service_name as service_name, p.privilege_name as privilege_namefrom googledirectory_role as r, jsonb_array_elements(r.role_privileges) as rp, googledirectory_privilege as pwhere rp ->> 'serviceId' = p.service_id and rp ->> 'privilegeName' = p.privilege_nameorder by role_name, service_name, privilege_name;
select r.role_name as role_name, p.service_name as service_name, p.privilege_name as privilege_namefrom googledirectory_role as r, json_each(r.role_privileges) as rp, googledirectory_privilege as pwhere json_extract(rp.value, '$.serviceId') = p.service_id and json_extract(rp.value, '$.privilegeName') = p.privilege_nameorder by role_name, service_name, privilege_name;
Schema for googledirectory_privilege
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
child_privileges | jsonb | A list of child privileges. Privileges for a service form a tree. Each privilege can have a list of child privileges; this list is empty for a leaf privilege. | |
customer_id | text | = | The customer ID to retrieve all privileges for a customer. |
etag | text | A hash of the metadata, used to ensure there were no concurrent modifications to the resource when attempting an update. | |
is_ou_scopable | boolean | Indicates if the privilege can be restricted to an organization unit. | |
kind | text | The type of the API resource. | |
privilege_name | text | The name of the privilege. | |
service_id | text | The obfuscated ID of the service this privilege is for. | |
service_name | text | The name of the service this privilege is for. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- googledirectory
You can pass the configuration to the command with the --config
argument:
steampipe_export_googledirectory --config '<your_config>' googledirectory_privilege