Supporting compliance by restricting customer personnel data access
This page provides information about supporting compliance with customer
personnel restrictions using Identity and Access Management (IAM) in combination with
Assured Workloads.
Overview
Restricting personnel access to data is fundamental to supporting regulatory
compliance of Google Cloud resources. Assured Workloads supports
compliance by controlling access to your resources by Google personnel. You are
still responsible for controlling access to your resources by your
organization's personnel.
Restricting customer personnel access strategies
IAM allows you to create roles and groups that restrict personnel
access to data and Google Cloud resources. It is your responsibility to
determine the eligibility of staff, based on compliance requirements. We
recommend that you determine eligibility before providing access to data. After
you have confirmed adjudication, you can use IAM to create a
group for the personnel who successfully meet the compliance criteria. You use
this group to limit access to Google Cloud resources and data within the
Assured Workloads folder to support compliance.
Remaining compliant requires ongoing management of these IAM
groups to ensure that:
- Personnel continue to meet the requirements of the control package.
- Personnel are properly removed from IAM groups when they don't meet the requirements of the program.
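
One way to check both ongoing-management conditions above, written as an added example that is not part of the original page or Google's own tooling. The policy dictionary follows the JSON shape of an IAM policy (bindings of role to members); the group name, roster, and all addresses are constructed sample data and hypothetical names.

```python
# Constructed sample data: a folder-level IAM policy, the approved group,
# its current members, and the roster of personnel who passed adjudication.
FOLDER_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:aw-cleared@example.com"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["group:aw-cleared@example.com", "user:dana@example.com"]},
        {"role": "roles/viewer",
         "members": ["group:all-staff@example.com",
                     "serviceAccount:etl@sample-project.iam.gserviceaccount.com"]},
    ]
}
APPROVED_GROUP = "group:aw-cleared@example.com"
GROUP_MEMBERS = {"alice@example.com", "Bob@example.com", "carol@example.com"}
ELIGIBLE = {"alice@example.com", "carol@example.com", "erin@example.com"}

# Principal types that can represent people; service accounts are skipped.
PERSONNEL_PREFIXES = ("user:", "group:", "domain:")
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def bindings_bypassing_group(policy, approved_group):
    """Return (role, member) pairs that grant people access outside the group."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            is_person = member.startswith(PERSONNEL_PREFIXES)
            if (is_person or member in PUBLIC_PRINCIPALS) and member != approved_group:
                findings.append((binding["role"], member))
    return sorted(findings)


def membership_drift(group_members, eligible):
    """Compare group membership with the eligibility roster (case-insensitive)."""
    members = {m.lower() for m in group_members}
    roster = {e.lower() for e in eligible}
    return {
        "remove": sorted(members - roster),   # in the group, no longer eligible
        "pending": sorted(roster - members),  # eligible, not yet in the group
    }


if __name__ == "__main__":
    for role, member in bindings_bypassing_group(FOLDER_POLICY, APPROVED_GROUP):
        print(f"outside approved group: {member} has {role}")
    drift = membership_drift(GROUP_MEMBERS, ELIGIBLE)
    print("remove from group:", drift["remove"])
    print("eligible but not in group:", drift["pending"])
```

A folder's own policy does not list bindings inherited from the organization or parent folders, so run the same check on each ancestor's policy as well.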
Note: Assured Workloads only provides support for personnel data access controls for Google Cloud if it is supported by the control package you choose.
What's next
- Learn more about personnel access controls (/assured-workloads/docs/personnel-access-data-controls).
- Learn how to create an IAM group (/iam/docs/groups-in-cloud-console#creating).
- Learn how to restrict resource usage for workloads (/assured-workloads/docs/restrict-resource-usage).
Last updated 2025-08-29 UTC.