services / Google Cloud / Firebase security rules publishing

Manage security rules sources. By themselves, these don't do anything, but when they are referenced by the current release, they are the active rules.

firebaserules.​rulesets.​create

While creating a ruleset by itself doesn't do anything, when combined with access to update security rules releases, an attacker can hijack your security rules.

Risks

1. Data escalation (CRITICAL)
2. Policy destruction (CRITICAL)
3. Denial-of-access (EVASION)

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.