Grant users instance access

This page describes how to grant your users access to your Secure Source Manager instance using Identity and Access Management (IAM). For more details on access control in Secure Source Manager, see Access control with IAM.

Required roles

To get the permissions that you need to grant users instance access, ask your administrator to grant you the Secure Source Manager Instance Owner (roles/securesourcemanager.instanceOwner) IAM role on the Secure Source Manager instance. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

For information on granting Secure Source Manager roles, see Access control with IAM.

Grant users access

  1. Create a Google group of all the users who need to access your instance. The group can be a domain-specific group.

    We recommend creating a broad group that includes all potential users, for instance all developers and anyone in your company who may file issues. Users must be in this group to access or create resources in a Secure Source Manager instance, including repositories and issues.

    Making this a broad group lets team leads manage instance-level and repository-level user roles without also having to manage the membership of the group.

  2. To read the current allow policy and save it to /tmp/instance.json, run the following command:

      gcloud beta source-manager instances get-iam-policy INSTANCE_ID \
          --project=PROJECT_ID \
          --region=REGION \
          --format=json > /tmp/instance.json
    

    Replace the following:

    • INSTANCE_ID with the instance ID.
    • PROJECT_ID with the project ID or project number of the instance.
    • REGION with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.

    The output includes any existing bindings, or, if none exist, only an etag value similar to the following:

    {
        "etag": "BwUjHYKJUiQ="
    }
    
  3. Edit the JSON file /tmp/instance.json to grant your group(s) the following roles:

    • Instance Accessor role (roles/securesourcemanager.instanceAccessor) for users who need to view the instance but will not create or modify repositories.
    • Instance Repository Creator role (roles/securesourcemanager.instanceRepositoryCreator) for users who need to create and modify repositories.
    • Instance Owner role (roles/securesourcemanager.instanceOwner) for users who will manage your instance.

    The following example policy grants the roles/securesourcemanager.instanceRepositoryCreator role to the group your-group@gmail.com, and grants the users trusted-user1@gmail.com and trusted-user2@gmail.com the roles/securesourcemanager.instanceOwner role.

    {
      "etag": "ETAG",
      "bindings": [
        {
          "role": "roles/securesourcemanager.instanceRepositoryCreator",
          "members": [
            "group:your-group@gmail.com"
          ]
        },
        {
          "role": "roles/securesourcemanager.instanceOwner",
          "members": [
            "user:trusted-user1@gmail.com",
            "user:trusted-user2@gmail.com"
          ]
        }
      ]
    }
    

    Replace the following:

    • ETAG with the etag value from the get-iam-policy response; in this example it is BwUjHYKJUiQ=. Keep the etag unchanged so that the update is rejected if someone else modified the policy after you read it.
    • your-group@gmail.com with the email address of your Google group.
    • trusted-user1@gmail.com and trusted-user2@gmail.com with the email addresses of users you want to grant the Instance Owner role.
  4. Save the edited /tmp/instance.json file.

  5. After you have modified the saved allow policy to grant or revoke the desired roles, update your instance allow policy by running the following command:

    gcloud beta source-manager instances set-iam-policy INSTANCE_ID \
        --project=PROJECT_ID \
        --region=REGION \
        /tmp/instance.json
    
    

    Replace the following:

    • INSTANCE_ID with the instance ID.
    • PROJECT_ID with the project ID or project number of the instance.
    • REGION with the region the instance is located in. See the locations documentation for available Secure Source Manager regions.
  6. After your group is created and roles are assigned, email the group URL to your Google contact to have your users added to the preview release.
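
Hand-editing the policy file in steps 2 to 5 has two easy-to-miss failure modes: dropping an existing binding while adding a new one, and losing or altering the etag, which is what lets set-iam-policy detect that the policy changed between your read and your write. The following script is an added example, not part of this page or of the gcloud tooling. It reads the JSON that get-iam-policy prints, merges the requested members into the requested role binding, keeps every other binding and the etag, refuses public principals, and prints a summary of what changed so you can review it before running set-iam-policy. The member prefixes user:, group: and serviceAccount: are standard IAM principal formats; the script name grant_role.py and the policy shape (etag plus a bindings list of role/members objects, as shown above) are assumptions.

```python
"""Merge a role grant into a Secure Source Manager instance allow policy.

Added example (not from the page or from gcloud). Usage:

  gcloud beta source-manager instances get-iam-policy INSTANCE_ID \
      --project=PROJECT_ID --region=REGION --format=json \
    | python3 grant_role.py ROLE MEMBER [MEMBER ...] > /tmp/instance.json

Then review the "+ role member" lines on stderr and apply the file with
set-iam-policy as in step 5.
"""
import json
import sys

# IAM principal formats accepted here; user: and group: are the ones the
# page uses, serviceAccount: is the standard IAM format for robots.
ALLOWED_PREFIXES = ("user:", "group:", "serviceAccount:")
# Never grant instance roles to these: they make the instance public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def grant_role(policy: dict, role: str, members) -> dict:
    """Return a copy of policy with members added to the binding for role.

    Keeps the etag (optimistic concurrency), leaves all other bindings
    untouched, rejects public principals and unknown member formats, and
    is idempotent: adding an already-present member changes nothing.
    """
    if "etag" not in policy:
        raise ValueError("policy has no etag; re-run get-iam-policy")
    for m in members:
        if m in PUBLIC_PRINCIPALS:
            raise ValueError(f"refusing to grant {role} to public principal {m}")
        if not m.startswith(ALLOWED_PREFIXES):
            raise ValueError(f"unsupported member format: {m}")

    new = json.loads(json.dumps(policy))  # deep copy; caller's dict is untouched
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        # Only merge into an unconditional binding for this role; a
        # conditional binding (if one ever exists) is left alone.
        if binding.get("role") == role and "condition" not in binding:
            target = binding
            break
    else:
        target = {"role": role, "members": []}
        bindings.append(target)

    target["members"] = sorted(set(target.get("members", [])) | set(members))
    return new


def added_grants(old: dict, new: dict):
    """List (role, member) pairs present in new but not in old, for review."""
    def pairs(policy):
        return {(b["role"], m)
                for b in policy.get("bindings", [])
                for m in b.get("members", [])}
    return sorted(pairs(new) - pairs(old))


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: grant_role.py ROLE MEMBER [MEMBER ...] < policy.json")
    current = json.load(sys.stdin)
    updated = grant_role(current, sys.argv[1], sys.argv[2:])
    for role, member in added_grants(current, updated):
        print(f"+ {role} {member}", file=sys.stderr)
    json.dump(updated, sys.stdout, indent=2)
    print()
```

Because the etag is carried through unchanged, a set-iam-policy run with a file produced from a stale read is rejected rather than silently overwriting a grant someone else made in the meantime; re-run get-iam-policy and repeat the merge when that happens. Revocations are deliberately not automated here: removing a member is a change you want to make, and review, by hand.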

What's next