catalog logoThe IAM Privilege Catalog

services / Workspace / Groups

Privileges for viewing and managing users.

Users are accounts with static usernames, passwords, and email addresses. Typically used for human accounts.

USERS_​RETRIEVE

Gives access to the account's user name, email address, and profile fields. Many profile fields are personally identifying or otherwise sensitive, including addresses, telephone numbers, and gender.

Risks

  1. Data exfiltration (CRITICAL)
  2. Account discovery (LOW)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​developers.​google.​com/​admin-​sdk/​directory/​reference/​rest/​v1/​users#​User

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog