GCP: Node & Edge Schema

The GCP connection transforms Google Cloud IAM identities, resources, and permissions into a connected graph structure within the SlashID platform. It supports both principal identities (human or service accounts) and policy-based access definitions.

---

Node Types

Node Type	Description
GCPPrincipal	A GCP identity such as a user, group, or service account
GCPRole	A GCP IAM role (predefined or custom)
GCPServiceAccount	A specific type of principal used for automated services
GCPBucket	A Google Cloud Storage bucket
BigQueryDataset	A dataset resource in BigQuery
BigQueryTable	A table within a BigQuery dataset
GCPCloudRunService	A deployed service in Cloud Run
GCPComputeInstance	A Compute Engine VM instance
GCPPolicyBinding	A policy binding (role-principal pair) used in IAM
GCPPolicyDenyRule	An explicit deny rule defined within a policy
IAMPolicy	Aggregated IAM policy used across resources

---

Edge Relationships

Edge Type	From Node	To Node	Description
CAN_ACCESS	GCPPrincipal	GCPBucket, BigQueryDataset, GCPCloudRunService	Grants access from a principal to a resource
HAS_PERMISSION	GCPPrincipal	GCPRole	Indicates which role a principal is granted
IS_ASSIGNED	GCPRole	GCPPolicyBinding	Indicates that a role is assigned via a binding
IS_CREDENTIAL_OF	GCPServiceAccount	GCPPrincipal	Maps credentials to their identity owner
CONTAINS	BigQueryDataset	BigQueryTable	Dataset-to-table structural relationship
IS_CONTAINED_BY	BigQueryTable	BigQueryDataset	Reverse of CONTAINS
CONTAINS	IAMPolicy	GCPPolicyDenyRule	Policy includes one or more deny rules

These relationships reflect both logical structure (e.g., dataset → table) and policy grouping (policy → rules).

---

Examples

(GCPPrincipal)-[:CAN_ACCESS]->(GCPBucket)
(GCPPrincipal)-[:HAS_PERMISSION]->(GCPRole)
(GCPRole)-[:IS_ASSIGNED]->(GCPPolicyBinding)
(BigQueryDataset)-[:CONTAINS]->(BigQueryTable)
(IAMPolicy)-[:CONTAINS]->(GCPPolicyDenyRule)