
# GWS_GROUP_MANAGER

## Summary

| Property                   | Value               |
| -------------------------- | ------------------- |
| **FSProtect ACL Alias**    | `GWS_GROUP_MANAGER` |
| **GWS Alias**              | Group Manager       |
| **Affected Object Types**  | GWS Group           |
| **Exploitation Certainty** | Certain             |

## Description

`GWS_GROUP_MANAGER` is a structural edge representing that an identity is a **manager of a Google Workspace Group**. Group managers occupy the second tier of group authority: they can add and remove members, approve membership requests, and promote existing members to `MANAGER`. A manager cannot assign the `OWNER` role, delete the group, or modify group-level settings.

If the group is bound to GCP IAM roles, a manager can add a controlled identity as a member to immediately inherit those permissions. The full escalation chain requires only a single API call: `GWS_GROUP_MANAGER` → `GWS_ADD_GROUP_MEMBER` → GCP IAM access.

Manager accounts are frequently overlooked during security reviews because alert policies typically focus on ownership changes. A manager foothold also persists through group ownership transfers — existing manager assignments are not automatically revoked when a group's owner is changed or removed. If the target group is bound to organization-level or folder-level GCP IAM roles, a single manager foothold can yield access across every project in the organization.

Group membership changes by a manager are recorded only in Google Workspace audit logs. Member additions via the Groups UI route to the `groups_enterprise` stream; additions via the Admin API route to the `admin` stream. The GCP `setIamPolicy` event is never triggered.

## Identification

### gcloud CLI

```bash
# Find all GCP-bound groups across the organization
gcloud asset search-all-iam-policies \
    --scope='organizations/ORG_ID' \
    --query='memberTypes:group' \
    --format="table(resource, policy.bindings[].role, policy.bindings[].members)"
```

```bash
# List all members with MANAGER role in a group
GROUP_EMAIL="target-group@example.com"
gcloud identity groups memberships list \
  --group-email=$GROUP_EMAIL \
  --format="table(preferredMemberKey.id, roles[0].name)" \
  | grep MANAGER
```

### Google Admin Console

1. Open **Google Admin Console** (`admin.google.com`) → **Directory** → **Groups**.
2. Click on the target group → **Members** tab.
3. Filter by **Role: Manager** to list all group managers.
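
The two `gcloud` listings above answer separate questions (which groups carry IAM bindings, and who manages a given group); the report a reviewer actually wants is the join of the two, ordered by blast radius. The following is an added example, not FSProtect's own code. Its inputs are constructed sample data shaped like the JSON output of `gcloud asset search-all-iam-policies --format=json` and `gcloud identity groups memberships list --format=json` (the field names `resource`, `policy.bindings[].role`, `policy.bindings[].members`, `preferredMemberKey.id` and `roles[].name` are the same ones the page's `--format` strings reference; the emails, resource ids and roles are invented). Organization- and folder-level bindings sort first because a manager foothold there reaches every project beneath the binding.

```python
"""Report MANAGER holders on Google Workspace groups that carry GCP IAM bindings.

Added example for this page, not FSProtect's own code. The inputs below are
constructed sample data shaped like the JSON output of the two gcloud
commands in the Identification section.
"""
from collections import defaultdict

# Constructed sample: results of
# gcloud asset search-all-iam-policies --scope=organizations/ORG_ID --query='memberTypes:group' --format=json
IAM_POLICY_RESULTS = [
    {
        "resource": "//cloudresourcemanager.googleapis.com/organizations/123456789012",
        "policy": {"bindings": [
            {"role": "roles/editor", "members": ["group:platform-admins@example.com"]},
        ]},
    },
    {
        "resource": "//cloudresourcemanager.googleapis.com/folders/222",
        "policy": {"bindings": [
            {"role": "roles/viewer", "members": ["group:auditors@example.com", "user:alice@example.com"]},
        ]},
    },
    {
        "resource": "//cloudresourcemanager.googleapis.com/projects/app-prod",
        "policy": {"bindings": [
            {"role": "roles/storage.admin", "members": ["group:data-eng@example.com"]},
        ]},
    },
]

# Constructed sample: per-group output of
# gcloud identity groups memberships list --group-email=... --format=json
MEMBERSHIPS = {
    "platform-admins@example.com": [
        {"preferredMemberKey": {"id": "ceo@example.com"}, "roles": [{"name": "OWNER"}, {"name": "MEMBER"}]},
        {"preferredMemberKey": {"id": "bob@example.com"}, "roles": [{"name": "MANAGER"}, {"name": "MEMBER"}]},
    ],
    "auditors@example.com": [
        {"preferredMemberKey": {"id": "carol@example.com"}, "roles": [{"name": "MANAGER"}, {"name": "MEMBER"}]},
        {"preferredMemberKey": {"id": "dave@example.com"}, "roles": [{"name": "MEMBER"}]},
    ],
    "data-eng@example.com": [
        {"preferredMemberKey": {"id": "erin@example.com"}, "roles": [{"name": "OWNER"}, {"name": "MEMBER"}]},
    ],
}


def binding_scope(resource: str) -> str:
    """Classify the resource an IAM binding is attached to: organization, folder or project."""
    if "/organizations/" in resource:
        return "organization"
    if "/folders/" in resource:
        return "folder"
    return "project"


def gcp_bound_groups(results):
    """Map group email -> list of (scope, resource, role) for every binding naming the group."""
    bound = defaultdict(list)
    for result in results:
        resource = result["resource"]
        for binding in result["policy"]["bindings"]:
            for member in binding["members"]:
                if member.startswith("group:"):
                    group = member[len("group:"):]
                    bound[group].append((binding_scope(resource), resource, binding["role"]))
    return dict(bound)


def managers_of(memberships):
    """Return the members holding the MANAGER role in one group's membership listing."""
    return sorted(
        m["preferredMemberKey"]["id"]
        for m in memberships
        if any(r["name"] == "MANAGER" for r in m["roles"])
    )


def manager_report(results, memberships_by_group):
    """Rows of (group, manager, widest binding scope, roles) for managers of GCP-bound groups.

    Rows are ordered organization > folder > project, then by group and manager.
    Groups without a MANAGER produce no row.
    """
    rank = {"organization": 0, "folder": 1, "project": 2}
    rows = []
    for group, bindings in gcp_bound_groups(results).items():
        widest = min((scope for scope, _, _ in bindings), key=rank.__getitem__)
        roles = sorted({role for _, _, role in bindings})
        for manager in managers_of(memberships_by_group.get(group, [])):
            rows.append((group, manager, widest, roles))
    return sorted(rows, key=lambda r: (rank[r[2]], r[0], r[1]))


if __name__ == "__main__":
    for group, manager, scope, roles in manager_report(IAM_POLICY_RESULTS, MEMBERSHIPS):
        print(f"{scope:<12} {group:<32} MANAGER={manager:<24} {','.join(roles)}")
```

Against the sample data the report lists `bob@example.com` (organization-level `roles/editor` via `platform-admins`) ahead of `carol@example.com` (folder-level `roles/viewer` via `auditors`); `data-eng` has an owner but no manager and is omitted. Feeding real `--format=json` output into the two structures gives the same ordering for a live organization.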

## Exploitation

```bash
# As a group manager, add attacker-controlled identity as member to inherit GCP IAM
GROUP_EMAIL="privileged-group@example.com"
gcloud identity groups memberships add \
  --group-email=$GROUP_EMAIL \
  --member-email=attacker@example.com \
  --roles=MEMBER

# Wait 1-5 minutes for GCP IAM propagation
gcloud projects list
gcloud compute instances list --project=TARGET_PROJECT
```

## Mitigation

1. **Convert GCP-bound groups to security groups** — restricts all membership management to Super Admins only:

   ```bash
   gcloud identity groups update GROUP_EMAIL \
     --labels=cloudidentity.googleapis.com/groups.security=''
   ```
2. **Minimize managers** — assign the MANAGER role only when membership delegation is genuinely required. Audit and revoke unnecessary manager assignments regularly.
3. **Audit manager assignments on GCP-bound groups:**

   ```bash
   gcloud identity groups memberships list \
     --group-email=SENSITIVE_GROUP_EMAIL \
     --format="table(preferredMemberKey.id, roles[0].name)" | grep MANAGER
   ```
4. **Alert on manager-driven member additions** on GCP-bound groups — specifically when the actor holds MANAGER (not OWNER or Admin), which is the operational signature of foothold exploitation.
5. **Enable GWS audit log export to Cloud Logging** — without this, `groups_enterprise` additions (via Groups UI) are invisible to GCP-based monitoring.

## Detection

Monitor group membership changes in **Google Workspace Audit Logs**. Pay attention to member additions performed by accounts that hold `MANAGER` rather than `OWNER` — these are the signature of manager foothold exploitation.

### Google Admin Console

1. Open **Google Admin Console** (`admin.google.com`) → **Reporting** → **Audit and investigation** → **Groups Enterprise log events**.
2. Filter by **Event Name: Add member** or **Update member** (role change to MANAGER).
3. Check the **Actor** field — if the actor holds MANAGER (not OWNER or Admin), the foothold is actively being exploited.

### Cloud Logging (GCP)

```bash
# Monitor all group member additions and MANAGER role assignments
gcloud logging read \
  'logName="organizations/ORG_ID/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.serviceName="admin.googleapis.com" AND protoPayload.methodName="google.admin.AdminService.addGroupMember"' \
  --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.request.groupKey, protoPayload.request.memberKey)"
```
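
The detection rule above has two parts that the log query alone cannot express: the actor's role in the group at the time of the change (a MANAGER, not an OWNER or Workspace admin) and whether the group carries GCP IAM bindings at all. Both streams also need to be read, since Groups UI additions land in `groups_enterprise` and Admin API additions in `admin`. The following is an added example, not FSProtect's detection logic. The `admin`-stream records are constructed in the Cloud Logging shape the `gcloud logging read` query references (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.request.groupKey`/`memberKey`); the `groups_enterprise` records are a simplified stand-in whose field names (`actor`, `event`, `group`, `member`, `new_role`) are an assumption, not the Reports API schema. The roster, admin list and bound-group set are constructed as well.

```python
"""Flag manager-driven membership changes on GCP-bound Google Workspace groups.

Added example for this page, not FSProtect's own detection logic. All inputs
are constructed sample data; the groups_enterprise record shape is a
simplified assumption, not the real Reports API schema.
"""

# Constructed: groups that carry GCP IAM bindings (result of the identification step).
GCP_BOUND_GROUPS = {"platform-admins@example.com", "auditors@example.com"}

# Constructed: Workspace admins whose membership changes are expected and not flagged.
WORKSPACE_ADMINS = {"admin@example.com"}

# Constructed roster: group -> member -> highest role held before the events below.
ROSTER = {
    "platform-admins@example.com": {"ceo@example.com": "OWNER", "bob@example.com": "MANAGER"},
    "auditors@example.com": {"carol@example.com": "MANAGER", "dave@example.com": "MEMBER"},
    "lunch-club@example.com": {"frank@example.com": "MANAGER"},
}

# Constructed `admin` stream events, shaped like the Cloud Logging query's fields.
ADMIN_STREAM = [
    {"timestamp": "2024-05-01T10:00:00Z",
     "protoPayload": {"methodName": "google.admin.AdminService.addGroupMember",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "request": {"groupKey": "platform-admins@example.com", "memberKey": "new-svc@example.com"}}},
    {"timestamp": "2024-05-01T10:05:00Z",
     "protoPayload": {"methodName": "google.admin.AdminService.addGroupMember",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "request": {"groupKey": "auditors@example.com", "memberKey": "grace@example.com"}}},
]

# Constructed `groups_enterprise` stream events (Groups UI); simplified shape, an assumption.
GROUPS_ENTERPRISE_STREAM = [
    {"time": "2024-05-01T11:00:00Z", "actor": "carol@example.com", "event": "add_member",
     "group": "auditors@example.com", "member": "mallory@example.com"},
    {"time": "2024-05-01T11:10:00Z", "actor": "ceo@example.com", "event": "update_member",
     "group": "platform-admins@example.com", "member": "heidi@example.com", "new_role": "MANAGER"},
    {"time": "2024-05-01T11:20:00Z", "actor": "frank@example.com", "event": "add_member",
     "group": "lunch-club@example.com", "member": "ivan@example.com"},
]


def normalize(admin_stream, groups_enterprise_stream):
    """Reduce both streams to one record shape, sorted by time."""
    out = []
    for e in admin_stream:
        p = e["protoPayload"]
        if p["methodName"].endswith(".addGroupMember"):
            out.append({"time": e["timestamp"], "stream": "admin",
                        "actor": p["authenticationInfo"]["principalEmail"], "event": "add_member",
                        "group": p["request"]["groupKey"], "member": p["request"]["memberKey"],
                        "new_role": None})
    for e in groups_enterprise_stream:
        out.append({"time": e["time"], "stream": "groups_enterprise", "actor": e["actor"],
                    "event": e["event"], "group": e["group"], "member": e["member"],
                    "new_role": e.get("new_role")})
    return sorted(out, key=lambda r: r["time"])


def classify(record, roster, gcp_bound, admins):
    """Return a severity label for one normalized record, or None if it is not interesting.

    HIGH:   a MANAGER (not OWNER, not a Workspace admin) adds a member to a GCP-bound group.
    MEDIUM: a member is promoted to MANAGER on a GCP-bound group (a new foothold).
    Changes on groups without IAM bindings are ignored.
    """
    if record["group"] not in gcp_bound:
        return None
    actor_role = roster.get(record["group"], {}).get(record["actor"])
    if record["event"] == "add_member" and actor_role == "MANAGER" and record["actor"] not in admins:
        return "HIGH: manager-driven addition to GCP-bound group"
    if record["event"] == "update_member" and record.get("new_role") == "MANAGER":
        return "MEDIUM: new MANAGER assigned on GCP-bound group"
    return None


def findings(admin_stream, groups_enterprise_stream, roster, gcp_bound, admins):
    """Run classify over both streams; return (time, stream, label, actor, group, member) tuples."""
    results = []
    for r in normalize(admin_stream, groups_enterprise_stream):
        label = classify(r, roster, gcp_bound, admins)
        if label:
            results.append((r["time"], r["stream"], label, r["actor"], r["group"], r["member"]))
    return results


if __name__ == "__main__":
    for f in findings(ADMIN_STREAM, GROUPS_ENTERPRISE_STREAM, ROSTER, GCP_BOUND_GROUPS, WORKSPACE_ADMINS):
        print(" | ".join(f))
```

On the sample data the admin's own addition and the change on the unbound `lunch-club` group are dropped, while the two manager-driven additions (one from each stream) come out as HIGH and the promotion of `heidi@example.com` to MANAGER as MEDIUM. The roster lookup is what distinguishes a manager from an owner acting on the same group; it has to be a snapshot from before the event, since a manager can promote another manager in the same session.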

## References

* <https://www.netspi.com/blog/technical-blog/cloud-pentesting/escalating-privileges-in-google-cloud-via-open-groups/>
* <https://cloud.google.com/iam/docs/groups-in-cloud-console>
* <https://developers.google.com/admin-sdk/directory/reference/rest/v1/members>
* <https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships>
* <https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview>
* <https://developers.google.com/workspace/admin/reports/v1/appendix/activity/groups-enterprise>
* <https://support.google.com/a/answer/167430>

