Actually, Cloud Identity is the best option. You can use it for free for up to 50 users; basically, you will need to create an organization on GCP in order to do that (you just need a valid domain). If you use another identity provider like AD or Okta, you could just sync it with Google Cloud Identity. Cloud Identity will let you manage the groups too. Just a reminder that Google has a clear separation between authentication and authorization: authentication is handled by Google Cloud Identity and authorization by IAM. So you will probably need to use two packages: cloudidentity and the IAM methods that are present at the resource, project, folder and organization levels. For example:
https://www.pulumi.com/registry/packages/gcp/api-docs/projects/iammember/
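
The split described above, as an added example in Pulumi YAML (not part of the original post): a Cloud Identity group and one membership on the identity side, and a single project-level IAMMember grant to that group on the authorization side. The customer ID, project ID, example.com addresses and resource names are placeholders.

```yaml
name: identity-and-iam-example          # hypothetical project name
runtime: yaml
description: Cloud Identity group (who the users are) plus an IAM grant (what they may do)

config:
  customerId:
    type: string                        # placeholder: your Cloud Identity customer ID
  projectId:
    type: string                        # placeholder: target GCP project ID

resources:
  # Identity side: the group lives in Cloud Identity, not in IAM.
  devGroup:
    type: gcp:cloudidentity:Group
    properties:
      parent: customers/${customerId}
      displayName: developers
      groupKey:
        id: developers@example.com      # constructed address on your verified domain
      labels:
        cloudidentity.googleapis.com/groups.discussion_forum: ""

  # Identity side: membership is managed on the group, never on the IAM policy.
  aliceMembership:
    type: gcp:cloudidentity:GroupMembership
    properties:
      group: ${devGroup.id}
      preferredMemberKey:
        id: alice@example.com           # constructed user
      roles:
        - name: MEMBER

  # Authorization side: grant one role to the group at project level.
  # IAMMember is additive, so it leaves other members of the role untouched.
  devViewer:
    type: gcp:projects:IAMMember
    properties:
      project: ${projectId}
      role: roles/viewer
      member: group:developers@example.com
    options:
      dependsOn:
        - ${devGroup}
```

Granting the role to the group rather than to individual users keeps the IAM policy small and means access is removed by dropping the membership in Cloud Identity.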