Currently, when a collaborator uploads data, we generate a service-account on a per-dataset level, which makes it hard to track through system logs which collaborator uploads data (and harder to revoke).
We should instead use one account for a collaborator, and add them to managed groups - even if this means we need to add more managed groups with varied permissions. It's fine for this collaborator's SA to be manually created.
A secondary task should involve generating a new service-account JSON for each collaborator, revoking all existing service-account JSONs, and then removing accounts like the -shared-SA and main-upload accounts.