Requesting Cloud Access Role Exemptions
There are two ways you can use exemptions with cloud access roles.
- Exempt a cloud access role from a cloud rule. Cloud access roles and cloud rules that are applied to an OU automatically become associated. You can request to exempt the cloud access role from locally defined cloud rules. You can only exempt a cloud access role from a cloud rule on the same OU where the cloud rule is applied, or on a project.
- Exempt a resource from a cloud access role. When a cloud access role is exempted on an OU, it is not inherited by descendant resources. This kind of exemption acts like a roadblock, completely stopping the cloud access role from moving past it.
For more information, see Cloud Access Role Inheritance and Exemption.
Exempting a Cloud Access Role from a Cloud Rule
If you have the Manage Cloud Access Roles permission, you can request a cloud rule exemption for a cloud access role. Once approved, the cloud rule, including any of its IAM policies, will no longer be applied to your cloud access role.
To request to exempt a cloud access role from a cloud rule:
- Navigate to the details page for your project.
- Click on the Cloud Management tab.
- Click on the Cloud Access Roles tab.
- Click on the name of the cloud access role you want exempted from a cloud rule.
- In the Cloud Rules section, click Request Exemption next to the cloud rule.
- (Optional) Enter a comment.
- Click Confirm.
A request is sent to the users with manage permission on the OU or project where the cloud rule is applied. If the same cloud rule is applied in more than one place above your cloud access role, you will need to request an exemption from each one.
Exempting a Resource from a Cloud Access Role
If you have permission to manage an OU or project, you can request to exempt your resource from a cloud access role. When a cloud access role is exempted on an OU, it is not inherited by descendant resources.
To request an exemption from an inherited cloud access role:
- Navigate to the OU or project's details page by clicking on its name on the All OUs or All Projects page.
- Click the Cloud Management tab, then the Cloud Access Roles sub-tab. You will see a list of cloud rules applied to the resource.
- Click the ellipsis menu and select Exempt. If this is not an option, the cloud rule may be applied locally.
- (Optional) Enter a comment for the request.
- Click OK.
Requesting to exempt a resource from a cloud access role requires manage permissions, which are the same permissions needed to approve a request, so the request is automatically approved when you click OK. If the same cloud access role is applied to multiple parent OUs, you must request an exemption from each one.
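The following is a simplified model of the inheritance and exemption behavior described on this page, added here as an example and not the product's own code. The OU and project names, the `auditor` role, and the per-source exemption record are assumptions made for illustration. It can be used when reviewing access to check that a role no longer reaches a resource after exemptions, including the case where the role is applied on more than one OU above it.

```python
# Simplified model (assumption): not the product's implementation or API.
# Constructed hierarchy: child -> parent (None marks the top-level OU).
PARENT = {"root-ou": None, "dev-ou": "root-ou", "team-ou": "dev-ou",
          "project-a": "team-ou", "project-b": "dev-ou"}

# Constructed data: the same role is applied on two OUs in the same branch.
APPLIED = {("root-ou", "auditor"), ("dev-ou", "auditor")}
# An exemption is recorded per (exempted resource, role, OU where role is applied).
ONE_EXEMPTION = {("team-ou", "auditor", "dev-ou")}
BOTH_EXEMPTIONS = ONE_EXEMPTION | {("team-ou", "auditor", "root-ou")}


def path_to_top(resource):
    """Return [resource, parent, ..., top-level OU]."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain


def effective_sources(resource, role, applied, exemptions):
    """Return the OUs or projects from which `role` still reaches `resource`."""
    chain = path_to_top(resource)
    sources = []
    for i, source in enumerate(chain):
        if (source, role) not in applied:
            continue
        # Resources the role must pass through: below the source, down to
        # and including `resource`. A locally applied role (i == 0) passes
        # through nothing, so it cannot be blocked by an exemption.
        passes_through = chain[:i]
        # The exemption is a roadblock: one match anywhere on the way stops it.
        if not any((r, role, source) in exemptions for r in passes_through):
            sources.append(source)
    return sources


if __name__ == "__main__":
    for label, ex in (("one exemption", ONE_EXEMPTION),
                      ("both exemptions", BOTH_EXEMPTIONS)):
        for res in ("team-ou", "project-a", "project-b"):
            print(label, res, effective_sources(res, "auditor", APPLIED, ex))
```

An empty result means the role no longer reaches the resource; any remaining source is an OU that still needs its own exemption.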