Google Cloud IAM Role Best Practices

Google Cloud has its own method of permission inheritance that operates separately from Kion: IAM role bindings set on an organization or folder are inherited by every project beneath it. This can result in discrepancies between the permissions Kion shows as applied and the permissions that are actually in effect. For example, if a user is granted limited permissions to a project in Kion but has inherited the Owner role from the organization or a folder in the Google Cloud console, they hold ownership permissions that a Kion admin wouldn't be aware of.

To avoid permission discrepancies, we recommend managing all of your user permissions through Kion. In practice, this means removing all permission assignments made directly in Google Cloud at the organization and folder levels and relying on Kion to assign permissions during federation.
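The following script is an added example, not part of this article or of Kion's product, that shows how to find the inherited bindings the article warns about. It folds IAM policy bindings down the resource hierarchy (organization, then folder, then project) and reports every role a principal holds on the project that is not bound on the project itself, which is exactly the set a project-level view such as Kion's would not show. The organization, folder, project and member identifiers are constructed sample values; the policy shape mirrors the JSON that `gcloud ... get-iam-policy --format=json` returns, but only the `bindings` key is used.

```python
"""Flag IAM roles on a project that are inherited from the organization or a folder.

Assumptions (constructed for this example, not from the original article):
  * Bindings are unconditional; bindings carrying a "condition" are ignored.
  * Group membership is not expanded, so a group principal is reported as-is.
  * IAM deny policies are out of scope; inheritance is treated as purely additive.
"""
from typing import Dict, List

# Constructed sample policies: the ancestor chain from organization to project.
# Identifiers and e-mail addresses are placeholders, not real resources.
HIERARCHY = [
    {"resource": "organizations/000000000000", "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["group:auditors@example.com"]},
    ]},
    {"resource": "folders/111111111111", "bindings": [
        {"role": "roles/editor", "members": ["user:bob@example.com"]},
    ]},
    {"resource": "projects/example-project", "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ]},
]

# Basic roles that grant broad control; worth calling out when inherited.
BASIC_ROLES = {"roles/owner", "roles/editor"}


def effective_roles(hierarchy: List[dict], member: str) -> Dict[str, List[str]]:
    """Return {role: [resources granting it]} for `member` on the leaf resource.

    Google Cloud IAM is additive down the hierarchy, so a binding at any
    ancestor level grants the role on every descendant project.
    """
    roles: Dict[str, List[str]] = {}
    for level in hierarchy:
        for binding in level["bindings"]:
            if "condition" in binding:  # conditional bindings are not modelled here
                continue
            if member in binding["members"]:
                roles.setdefault(binding["role"], []).append(level["resource"])
    return roles


def inherited_roles(hierarchy: List[dict], member: str) -> Dict[str, List[str]]:
    """Roles `member` holds on the project that come only from ancestor bindings."""
    leaf = hierarchy[-1]["resource"]
    return {
        role: sources
        for role, sources in effective_roles(hierarchy, member).items()
        if leaf not in sources
    }


def report(hierarchy: List[dict]) -> List[str]:
    """One line per (member, inherited role); basic roles are marked HIGH."""
    members = sorted({m for lvl in hierarchy for b in lvl["bindings"] for m in b["members"]})
    lines = []
    for member in members:
        for role, sources in sorted(inherited_roles(hierarchy, member).items()):
            severity = "HIGH" if role in BASIC_ROLES else "INFO"
            lines.append(f"[{severity}] {member}: {role} inherited from "
                         f"{', '.join(sources)} (not bound on {hierarchy[-1]['resource']})")
    return lines


if __name__ == "__main__":
    for line in report(HIERARCHY):
        print(line)
```

To run this against real data, pull the three policies with `gcloud organizations get-iam-policy ORG_ID --format=json`, `gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json` (the ancestor chain for a project is listed by `gcloud projects get-ancestors PROJECT_ID`), and load them into `HIERARCHY` in organization-to-project order. Any HIGH line is a binding that should be removed from the organization or folder and re-created through Kion if it is still needed.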

For information about managing Google Cloud IAM roles and permissions through Kion, see What is a Google Cloud IAM Role?

For information about modifying/removing permissions in the Google Cloud Console, see Google's article Manage access to projects, folders, and organizations.