Starting with version 2.0, Forseti introduces the use of data models.
The data model is an additional pool of relational data that is created from the flat JSON data in Inventory. With the relational data, Forseti can more easily understand the entire relationship, including inheritance between resources. Models allow for easier querying against the entire computed policy.
Scanner and Explain depend on a data model, so you must create a valid data model before you use Scanner or Explain. Note that data models aren’t meant to be persistent, so when you’re finished using a model, you should delete it.
Data models are stored in their own set of tables with a naming convention of <model_handle>_<table_name>, and are tied to each other by specific relationships.
Multiple sets of tables can exist, either created by the cron job, or by other users.
The table sets are listed in the models table.
binding_members table
This table is a join table that connects the members table with the bindings table, so you can know what resources each member can access.

bindings table
This table contains information about what resource and roles are associated for a binding_id. You can combine this with the binding_members table to see who has access to resources, and with which roles.

group_in_group table
This table contains information about how groups are nested in other groups. Each row contains a group and its parent group. If a group isn't nested, it won't be in this table.

group_members table
This table contains information about groups, and the members in the group, including users and other groups.

members table
This table contains information about members, the types of resources they are, and their names.

permissions table
This table is a listing of all the permissions on Google Cloud Platform (GCP).

roles table
This table is a listing of all the roles on GCP, including title, stage, description, and whether it's a custom role.

role_permissions table
This table contains information on the roles and the permissions of that role. You can combine the binding_members, bindings, roles, and role_permissions tables to see who has what permissions on which resources.

resources table
This table contains the details of each resource, like the full_name, its parents, and raw GCP data. This table allows Scanner to perform its auditing.
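As an added example (not taken from the Forseti documentation or code), the following SQL joins the tables described above to answer the audit question the page raises: which members hold which permissions on which resources, and one level of expansion for bindings granted to groups. The model handle m1, the column names, and the group/ member-name prefix are assumptions; check them against the actual tables of your model before relying on the result.

```sql
-- Added example, not Forseti's own code. Assumptions: the model handle is "m1"
-- (constructed), and column names (binding_id, members_name, resource_type_name,
-- role_name, roles_name, permissions_name, group_name, type, name) are assumed;
-- verify them with SHOW COLUMNS FROM m1_bindings and friends.

-- Query 1: who has which permission on which resource.
-- Walks binding_members -> bindings -> roles -> role_permissions, with members
-- joined in only to expose the member type (user, group, serviceAccount, ...).
SELECT
    m.type               AS member_type,
    m.name               AS member_name,
    b.role_name          AS role_name,
    rp.permissions_name  AS permission,
    b.resource_type_name AS resource
FROM m1_binding_members  AS bm
JOIN m1_bindings         AS b  ON b.binding_id  = bm.binding_id
JOIN m1_members          AS m  ON m.name        = bm.members_name
JOIN m1_roles            AS r  ON r.name        = b.role_name
JOIN m1_role_permissions AS rp ON rp.roles_name = r.name
-- Narrow to one permission family to keep the review focused, e.g. object reads.
WHERE rp.permissions_name LIKE 'storage.objects.%'
ORDER BY resource, member_name, permission;

-- Query 2: bindings granted to a group, expanded one level via group_members,
-- so a reviewer sees the direct members that actually inherit the role.
-- Assumes group member names carry a "group/" prefix (assumption).
SELECT
    b.resource_type_name AS resource,
    b.role_name          AS role_name,
    bm.members_name      AS bound_group,
    gm.members_name      AS direct_member
FROM m1_binding_members AS bm
JOIN m1_bindings        AS b  ON b.binding_id = bm.binding_id
JOIN m1_group_members   AS gm ON gm.group_name = bm.members_name
WHERE bm.members_name LIKE 'group/%'
ORDER BY resource, bound_group, direct_member;
```

Query 2 expands only one level; nested groups that appear as direct_member would need the group_in_group table (or a recursive query) to resolve fully.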