External MSP users must be able to list Security Command Center (SCC) findings, with minimal involvement from your team in the external user lifecycle. What is the recommended approach?

Prepare for the Google SecOps Professional Engineer Test with our interactive quiz. Utilize flashcards and multiple-choice questions with hints and explanations to boost your readiness and confidence.


Explanation:
Using a workforce identity pool to federate the MSP’s identity provider lets external users authenticate with their own credentials and be granted access to your Google Cloud resources without provisioning separate accounts for them. By federating at the organization level, you can assign an appropriate IAM role to MSP users that applies across the entire org, giving them the necessary access to Security Command Center findings while keeping control centralized. Access can be revoked in the IdP or through org IAM policies. Credentials are short-lived and managed by Google’s identity federation, which reduces administrative overhead and external lifecycle work for your team. This approach directly supports minimal involvement in the external user lifecycle while still providing the required access. The other options involve creating external accounts in Cloud Identity or using service accounts with impersonation, which are less scalable and not ideal for human MSP users.

