"<Product> User" roles (in addition to Viewer & Admin roles)
Right now, there are two levels of pre-defined roles: "Viewer" and "Admin".
However, sometimes you don't need all of the Admin permissions, but you still need to make some changes to the system as part of normal operations.
This has already been done for App Check, but not for the other products.
Cloud Firestore:
Let's take the Firestore roles as an example:
- Cloud Datastore Viewer (A generic Firestore viewer permission)
- Cloud Datastore User (A service account for manipulating data in the Firestore databases)
- Cloud Datastore Owner (A generic Firestore owner permission)
And then there are specialized roles that grant viewer- or admin-level access to specific Firestore features:
- Cloud Datastore Restore Admin
- Cloud Datastore Key Visualizer Viewer
- Cloud Datastore Index Admin
- Cloud Datastore Import Export Admin
- Cloud Datastore Backups Viewer
- Cloud Datastore Backups Admin
- Cloud Datastore Backup Schedules Viewer
- Cloud Datastore Backup Schedules Admin
Firebase Authentication:
Something similar would also be helpful for the other products; take Firebase Auth / Identity Platform as an example.
Here we have "Firebase Authentication Viewer" (which allows getting the auth config AND listing users) and "Firebase Authentication Admin" (which allows changing the config, changing users, AND retrieving critical data such as user hashes, salts, secrets, etc.).
There should be more granularity, e.g. a role like "Firebase Authentication User" which allows the following:
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseauth.configs.get
firebaseauth.users.create
firebaseauth.users.createSession
firebaseauth.users.delete
firebaseauth.users.get
firebaseauth.users.sendEmail
firebaseauth.users.update
resourcemanager.projects.get
resourcemanager.projects.list
Basically, everything from Viewer plus the "firebaseauth.users.*" permissions.
One could also consider a "Firebase Authentication Configuration Admin" role which would allow changing the configuration BUT NOT accessing any user data.
Meaning only these permissions:
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.getHashConfig
firebaseauth.configs.getSecret
firebaseauth.configs.update
resourcemanager.projects.get
resourcemanager.projects.list
It includes no "firebaseauth.users.*" permissions, which lets a service account configure Firebase Auth without getting access to any PII.
App Distribution:
Here a logical role would be App Distribution User (or Releaser?), with:
firebaseappdistro.releases.update
plus, possibly, the viewer permissions:
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Hosting:
A Firebase Hosting User (or Deployer?) role, with:
firebasehosting.sites.update
plus, possibly, the viewer permissions:
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasehosting.sites.get
firebasehosting.sites.list
resourcemanager.projects.get
resourcemanager.projects.list
The suggestions are non-exhaustive and I may have missed some.
These are just the ones that would be most important for us.
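Until such roles are predefined, the same separation can be built as custom IAM roles. The script below is an added example (not part of the original request and not Firebase's own tooling): it assembles the proposed Auth, App Distribution and Hosting roles from the permission lists above, checks each one against the permissions it must NOT contain (the Configuration Admin role must carry no "firebaseauth.users.*" permission, the User role no hash/secret access), and writes each role as a YAML file in the format accepted by `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=ROLE.yaml`. The custom role IDs (`firebaseAuthUser`, etc.), titles and descriptions are my own assumptions; the permission strings are the ones listed in the proposal.

```python
"""Build the custom IAM roles proposed above and verify their least-privilege
invariants before they are created with gcloud. Role IDs and descriptions are
assumed; the permission names come from the proposal."""
import fnmatch
import pathlib

# Project-level viewer permissions that every proposed role includes.
PROJECT_VIEWER = [
    "firebase.clients.get",
    "firebase.clients.list",
    "firebase.projects.get",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
]

# Assumed role id -> title, description, permissions, and globs that must NOT appear.
PROPOSED_ROLES = {
    "firebaseAuthUser": {
        "title": "Firebase Authentication User",
        "description": "Viewer plus user management, no hash or secret access",
        "includedPermissions": PROJECT_VIEWER + [
            "firebaseauth.configs.get",
            "firebaseauth.users.create",
            "firebaseauth.users.createSession",
            "firebaseauth.users.delete",
            "firebaseauth.users.get",
            "firebaseauth.users.sendEmail",
            "firebaseauth.users.update",
        ],
        # Admin-only material: password hash config, signing secrets, config changes.
        "mustNotInclude": [
            "firebaseauth.configs.getHashConfig",
            "firebaseauth.configs.getSecret",
            "firebaseauth.configs.update",
        ],
    },
    "firebaseAuthConfigAdmin": {
        "title": "Firebase Authentication Configuration Admin",
        "description": "Configure Firebase Auth without access to any user data",
        "includedPermissions": PROJECT_VIEWER + [
            "firebaseauth.configs.create",
            "firebaseauth.configs.get",
            "firebaseauth.configs.getHashConfig",
            "firebaseauth.configs.getSecret",
            "firebaseauth.configs.update",
        ],
        # Separation of duties: no PII through the users API.
        "mustNotInclude": ["firebaseauth.users.*"],
    },
    "firebaseAppDistroReleaser": {
        "title": "App Distribution User",
        "description": "List and update releases",
        "includedPermissions": PROJECT_VIEWER + [
            "firebaseappdistro.groups.list",
            "firebaseappdistro.releases.list",
            "firebaseappdistro.releases.update",
            "firebaseappdistro.testers.list",
        ],
        # A release-only identity must not bleed into other products.
        "mustNotInclude": ["firebaseauth.*", "firebasehosting.*"],
    },
    "firebaseHostingDeployer": {
        "title": "Firebase Hosting User",
        "description": "Deploy to Hosting sites",
        "includedPermissions": PROJECT_VIEWER + [
            "firebasehosting.sites.get",
            "firebasehosting.sites.list",
            "firebasehosting.sites.update",
        ],
        "mustNotInclude": ["firebaseauth.*", "firebaseappdistro.*"],
    },
}


def forbidden_matches(permissions, patterns):
    """Permissions matching any forbidden glob; an empty list means the role is clean."""
    return sorted(p for p in permissions
                  if any(fnmatch.fnmatchcase(p, g) for g in patterns))


def check_role(role_id):
    spec = PROPOSED_ROLES[role_id]
    return forbidden_matches(spec["includedPermissions"], spec["mustNotInclude"])


def check_all():
    """Map every proposed role to its violations; all empty means safe to create."""
    return {rid: check_role(rid) for rid in PROPOSED_ROLES}


def role_to_yaml(role_id):
    """Render the role in the YAML shape `gcloud iam roles create --file` accepts.
    Refuses to render a role that violates its own mustNotInclude rules."""
    bad = check_role(role_id)
    if bad:
        raise ValueError(f"{role_id} includes forbidden permissions: {bad}")
    spec = PROPOSED_ROLES[role_id]
    lines = [f"title: {spec['title']}", f"description: {spec['description']}",
             "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(set(spec["includedPermissions"]))]
    return "\n".join(lines) + "\n"


def write_role_files(out_dir="."):
    """Write one YAML file per role and return the paths."""
    paths = []
    for rid in PROPOSED_ROLES:
        path = pathlib.Path(out_dir) / f"{rid}.yaml"
        path.write_text(role_to_yaml(rid))
        paths.append(path)
    return paths


if __name__ == "__main__":
    for rid, bad in check_all().items():
        print(f"{rid}: {'OK' if not bad else 'FORBIDDEN ' + ', '.join(bad)}")
    for path in write_role_files():
        print(f"wrote {path}; create with: gcloud iam roles create {path.stem} "
              f"--project=PROJECT_ID --file={path}")
```

The YAML writer is deliberately minimal (plain scalars only), so keep titles and descriptions free of YAML-special characters such as colons; for anything more elaborate use the `yaml` package. The `mustNotInclude` check is the point of the script: it turns the "no PII for the configuration role" requirement into an assertion that fails before any role reaches the project, so a later edit that quietly adds a `firebaseauth.users.*` permission to the Configuration Admin role is caught at generation time.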