GWS_GROUP_MANAGER

Summary

FSProtect ACL Alias

GWS_GROUP_MANAGER

GWS Alias

Group Manager

Affected Object Types

GWS Group

Exploitation Certainty

Certain

Description

GWS_GROUP_MANAGER is a structural edge representing that an identity is a manager of a Google Workspace Group. Group managers occupy the second tier of group authority: they can add and remove members, approve membership requests, and promote existing members to MANAGER. A manager cannot assign the OWNER role, delete the group, or modify group-level settings.

If the group is bound to GCP IAM roles, a manager can add a controlled identity as a member to immediately inherit those permissions. The full escalation chain requires only a single API call: GWS_GROUP_MANAGER → GWS_ADD_GROUP_MEMBER → GCP IAM access.

Manager accounts are frequently overlooked during security reviews because alert policies typically focus on ownership changes. A manager foothold also persists through group ownership transfers — existing manager assignments are not automatically revoked when a group's owner is changed or removed. If the target group is bound to organization-level or folder-level GCP IAM roles, a single manager foothold can yield access across every project in the organization.

Group membership changes by a manager are recorded only in Google Workspace audit logs. Member additions via the Groups UI route to the groups_enterprise stream; additions via the Admin API route to the admin stream. The GCP setIamPolicy event is never triggered.

Identification

gcloud CLI

# Find all GCP-bound groups across the organization
gcloud asset search-all-iam-policies \
    --scope='organizations/ORG_ID' \
    --query='memberTypes:group' \
    --format="table(resource, policy.bindings[].role, policy.bindings[].members)"

Google Admin Console

  1. Open Google Admin Console (admin.google.com) → Directory → Groups.

  2. Click on the target group → Members tab.

  3. Filter by Role: Manager to list all group managers.

Exploitation

Mitigation

  1. Convert GCP-bound groups to security groups — restricts all membership management to Super Admins only:

  2. Minimize managers — assign the MANAGER role only when membership delegation is genuinely required. Audit and revoke unnecessary manager assignments regularly.

  3. Audit manager assignments on GCP-bound groups:

  4. Alert on manager-driven member additions on GCP-bound groups — specifically when the actor holds MANAGER (not OWNER or Admin), which is the operational signature of foothold exploitation.

  5. Enable GWS audit log export to Cloud Logging — without this, groups_enterprise additions (via Groups UI) are invisible to GCP-based monitoring.

Detection

Monitor group membership changes in Google Workspace Audit Logs. Pay attention to member additions performed by accounts that hold MANAGER rather than OWNER — these are the signature of manager foothold exploitation.
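The correlation described above as an added example (not part of the original page or the tool it documents): groups carrying GCP IAM bindings are taken from the documented output shape of gcloud asset search-all-iam-policies --format=json, and Workspace audit events are constructed and pre-normalised; the event field names (event, actor_role, group, member) are an assumption, not the Reports API schema. Alerts are raised only for MANAGER-driven additions to GCP-bound groups, with severity following the widest IAM scope the group inherits.

```python
# Added example, not the page's own code. ASSET_POLICIES follows the documented
# shape of `gcloud asset search-all-iam-policies --format=json`; AUDIT_EVENTS is a
# constructed, pre-normalised sample (field names are an assumption, not the API schema).

ASSET_POLICIES = [  # constructed: one organization-level and one project-level binding
    {"resource": "//cloudresourcemanager.googleapis.com/organizations/ORG_ID",
     "policy": {"bindings": [{"role": "roles/editor", "members": ["group:platform-ops@example.com"]}]}},
    {"resource": "//cloudresourcemanager.googleapis.com/projects/app-prod",
     "policy": {"bindings": [{"role": "roles/viewer", "members": ["group:app-readers@example.com"]}]}},
]

AUDIT_EVENTS = [  # constructed: actor_role is the role the actor holds in the target group
    {"event": "ADD_MEMBER", "actor": "bob@example.com", "actor_role": "MANAGER",
     "group": "platform-ops@example.com", "member": "svc-ci@example.com"},
    {"event": "ADD_MEMBER", "actor": "admin@example.com", "actor_role": "OWNER",
     "group": "app-readers@example.com", "member": "carol@example.com"},
    {"event": "ADD_MEMBER", "actor": "bob@example.com", "actor_role": "MANAGER",
     "group": "social-club@example.com", "member": "dave@example.com"},
]

SCOPE_RANK = {"organizations": 3, "folders": 2, "projects": 1}
SEVERITY = {3: "critical", 2: "high", 1: "medium"}


def gcp_bound_groups(policies):
    """Map group email -> widest binding scope (3=org, 2=folder, 1=project or resource)."""
    bound = {}
    for entry in policies:
        scope = entry["resource"].split("/")[-2]      # e.g. 'organizations', 'projects'
        rank = SCOPE_RANK.get(scope, 1)               # bindings on other resources count as project-like
        for binding in entry["policy"]["bindings"]:
            for member in binding["members"]:
                if member.startswith("group:"):
                    email = member.split(":", 1)[1]
                    bound[email] = max(rank, bound.get(email, 0))
    return bound


def manager_foothold_alerts(events, bound):
    """Flag ADD_MEMBER events by a MANAGER (not OWNER/admin) on a GCP-bound group."""
    alerts = []
    for ev in events:
        if ev["event"] != "ADD_MEMBER" or ev["actor_role"] != "MANAGER":
            continue
        rank = bound.get(ev["group"])
        if rank is None:
            continue  # no IAM binding: the membership change has no GCP consequence
        alerts.append({"severity": SEVERITY[rank], "actor": ev["actor"],
                       "group": ev["group"], "member": ev["member"]})
    return alerts


if __name__ == "__main__":
    for alert in manager_foothold_alerts(AUDIT_EVENTS, gcp_bound_groups(ASSET_POLICIES)):
        print(alert)
```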

Google Admin Console

  1. Open Google Admin Console (admin.google.com) → Reporting → Audit and investigation → Groups Enterprise log events.

  2. Filter by Event Name: Add member or Update member (role change to MANAGER).

  3. Check the Actor field — if the actor holds MANAGER (not OWNER or Admin), the foothold is actively being exploited.

Cloud Logging (GCP)

