Units of identity in GCP

Cloud IAM grants access to resources by binding roles (each a bundle of permissions) to members, also called principals. A member of the organization is one of the following identity types, and each type is written with its own prefix in an IAM policy:

  • Google account: an email address on gmail.com or on any domain managed by G Suite (now Google Workspace). It represents a person, such as a developer or an administrator, who signs in to GCP. In a policy it appears as user:<email>.
  • Service account: much like a Google account, except that it belongs to an application or workload rather than a person, and is identified by an address of the form name@project-id.iam.gserviceaccount.com (policy prefix serviceAccount:). Workloads such as a VM, a function, or one logical component of an application (client, server, and so on) use it to authenticate to GCP APIs. Because it holds credentials rather than a password, treat a service account as both a principal and a resource to protect: whoever can obtain its key or impersonate it receives every role bound to it.
  • Google groups: a collection of Google accounts, which may include service accounts, identified by its own email address (policy prefix group:). Granting a role to a group grants it to every member, so groups are a convenient way to give the same roles to many users instead of binding each account individually. Adding a member gives that member the group's roles; removing the member revokes them. Note that membership is managed in G Suite or Cloud Identity, not in the IAM policy, so the effective set of principals can change without any change to the policy itself, and a group cannot be used to sign in, only to receive roles.
  • G Suite domains: represents every account in the organization's G Suite domain (policy prefix domain:). A domain grant does not name individual users; it gives the role to every account in that domain, including accounts created later, which makes it useful for managing broad permissions but also a very coarse grant.
  • Cloud Identity domain: handled by IAM exactly like a G Suite domain, but its users do not have access to the G Suite applications.
  • Other users: IAM can also grant roles to principals that are none of the above, such as accounts outside the organization that an admin has explicitly granted a role on a project, and the special members allAuthenticatedUsers (any account that can authenticate to Google APIs, including accounts outside your organization) and allUsers (anyone, with or without authentication). A grant to either special member makes the resource public.
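The identity types above are what you see as the member strings of an IAM policy. The following script, an added example and not code from the original text, parses a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, sorts every member by identity type, and flags the grants that reach beyond a single named account (groups, whole domains, and the two public identifiers). The policy, project, domain and account names in it are constructed for the example.

```python
"""Classify the members of a GCP IAM policy by identity type and flag
grants whose principal is broader than one named account.

Added example, not code from the original text. SAMPLE_POLICY is a
constructed policy in the JSON shape returned by
`gcloud projects get-iam-policy PROJECT_ID --format=json`; the
project, domain and account names are made up.
"""
import json
from collections import defaultdict

# IAM encodes each identity type as a prefix on the member string.
MEMBER_TYPES = {
    "user:": "Google account",
    "serviceAccount:": "service account",
    "group:": "Google group",
    "domain:": "G Suite / Cloud Identity domain",
    "allAuthenticatedUsers": "any Google-authenticated account",
    "allUsers": "anyone, no authentication",
}

# Constructed sample policy (not real data).
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwWgiZ3XyzA=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "group:gcp-admins@example.com"]},
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:ingest@demo-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["domain:example.com", "allAuthenticatedUsers"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
    ],
})


def member_type(member):
    """Return the identity type of one IAM member string."""
    for prefix, label in MEMBER_TYPES.items():
        if member == prefix or member.startswith(prefix):
            return label
    return "other"  # e.g. deleted:user:... left behind after an account is removed


def members_by_type(policy_json):
    """Group every member in the policy by identity type."""
    grouped = defaultdict(set)
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            grouped[member_type(member)].add(member)
    return {kind: sorted(members) for kind, members in grouped.items()}


def broad_grants(policy_json):
    """Return (role, member, reason) for every grant to a non-individual principal.

    Findings come back in policy order. Groups are flagged because their
    membership is managed outside the policy; a domain grant covers every
    account in the domain; the two all* identifiers make the resource public.
    """
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append((role, member, "public grant"))
            elif member.startswith("domain:"):
                findings.append((role, member, "grants every account in the domain"))
            elif member.startswith("group:"):
                findings.append((role, member, "membership managed outside the IAM policy"))
    return findings


if __name__ == "__main__":
    for kind, members in members_by_type(SAMPLE_POLICY).items():
        print(f"{kind}: {', '.join(members)}")
    for role, member, reason in broad_grants(SAMPLE_POLICY):
        print(f"WARNING {role} -> {member}: {reason}")
```

Run it against a real policy by replacing SAMPLE_POLICY with the output of the gcloud command above; the `broad_grants` findings are the bindings to review first, since each of them hands a role to a set of accounts that is not spelled out in the policy itself.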