GWS_ADD_GROUP_MANAGER

Summary

FSProtect ACL Alias

GWS Alias

Add Group Manager

Affected Object Types

GWS Group

Exploitation Certainty

Certain

Granting Roles / Positions

Google Workspace Super Admin, Groups Admin (directory role), existing Group Owner

Description

GWS_ADD_GROUP_MANAGER represents the ability to add new managers to a Google Workspace Group. Granting the MANAGER role to an identity delegates partial administrative authority: a manager can add and remove group members, approve membership requests, and promote existing members to MANAGER. A manager cannot assign the OWNER role, delete the group, or modify group-level settings.

The security significance of this edge is the two-step escalation chain it enables: GWS_ADD_GROUP_MANAGER → GWS_GROUP_MANAGER → GWS_ADD_GROUP_MEMBER → GCP IAM access. After a controlled identity is promoted to manager, it independently gains the ability to add members to the group without requiring any further owner action. The entire chain from promotion to GCP IAM inheritance can complete in minutes with two API calls.

Manager accounts are frequently overlooked during security reviews because alert policies tend to focus on ownership changes. A manager foothold also persists through group ownership transfers — if the group's owner is rotated or remediated, existing manager assignments are not automatically revoked.

Identification

gcloud CLI

# Find all GCP-bound groups across the organization (primary target list)
gcloud asset search-all-iam-policies \
    --scope='organizations/ORG_ID' \
    --query='memberTypes:group' \
    --format="table(resource, policy.bindings[].role, policy.bindings[].members)"

# List current owners who can assign the MANAGER role
GROUP_EMAIL="[email protected]"
gcloud identity groups memberships list \
  --group-email=$GROUP_EMAIL \
  --format="table(preferredMemberKey.id, roles[0].name)" | grep -E "OWNER|MANAGER"

Google Admin Console

Open Google Admin Console (admin.google.com) → Directory → Groups.
Click the target group → Members.
Filter by Role: Owner — these identities can assign the MANAGER role.
Check Admin roles → Groups Admin for directory-level admin identities.

Exploitation

# Step 1: Promote controlled identity to MANAGER
GROUP_EMAIL="[email protected]"
gcloud identity groups memberships add \
  --group-email=$GROUP_EMAIL \
  [email protected] \
  --roles=MANAGER

# Step 2: As the new manager, add a second controlled identity as MEMBER to inherit GCP IAM
gcloud identity groups memberships add \
  --group-email=$GROUP_EMAIL \
  [email protected] \
  --roles=MEMBER

# Wait 1-5 minutes for IAM propagation
gcloud projects list

Mitigation

Convert GCP-bound groups to security groups — restricts all membership and role changes to Super Admins only:
```
gcloud identity groups update GROUP_EMAIL \
  --labels=cloudidentity.googleapis.com/groups.security=''
```
Minimize manager assignments — assign the MANAGER role only when membership delegation is genuinely required. Audit and revoke unnecessary managers regularly.
Restrict manager assignment to Super Admins only via Google Admin Console → group settings → disable owner-delegated manager assignment.
Alert on MANAGER role assignments for groups with GCP IAM bindings, not just OWNER changes.

Detection

Monitor group role changes in Google Workspace Audit Logs. The two-step chain (manager promotion → member addition) requires correlating two separate audit events, potentially across the admin and groups_enterprise streams.

Google Admin Console

Open Google Admin Console (admin.google.com) → Reporting → Audit and investigation → Groups Enterprise log events.
Filter by Event Name: Add member or Update member where role = MANAGER.
For the same group, look for a subsequent Add member with role = MEMBER performed by the same identity (the exploitation chain indicator).

Cloud Logging (GCP)

# Monitor MANAGER role assignments and all subsequent member additions
gcloud logging read \
  'logName="organizations/ORG_ID/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.serviceName="admin.googleapis.com" AND (protoPayload.methodName="google.admin.AdminService.addGroupMember" OR protoPayload.methodName="google.admin.AdminService.updateGroupMember")' \
  --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.request.groupKey, protoPayload.request.memberKey, protoPayload.request.role)"

References

https://www.netspi.com/blog/technical-blog/cloud-pentesting/escalating-privileges-in-google-cloud-via-open-groups/
https://cloud.google.com/iam/docs/groups-in-cloud-console
https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/insert
https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships
https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview
https://support.google.com/a/answer/167430

PreviousGCP_ROLE_SCOPED_TO NextGWS_ADD_GROUP_MEMBER

Last updated 6 days ago

Was this helpful?