Thanks for reading my question.
I'm working with Cloud IAP (Identity-Aware Proxy) to set up an SSH tunnel to my GCE instance.
To secure access by restricting IP addresses, I did the following:
It works fine when I grant a specific user (A) access to IAP (with the role [IAP-secured Tunnel User] and a condition on the IP set).
Because the role has a condition with an IP restriction, the source IP is checked when the user uses IAP to connect to GCE.
But when user (B) has the [Editor] role at project level, because the [Editor] role contains the [IAP-secured Tunnel User] role,
user (B) can use IAP without the IP restriction.
Even if I grant user (B) access to the specific IAP tunnel with the IP restriction, the connection from user (B) will ignore it because the [Editor] role contains the [IAP-secured Tunnel User] role.
My question is: when a user has high permissions in the project, how can I restrict access to IAP to a specific set of IPs?
I want to apply this rule (IP restriction when using IAP) to all users in the project.
I think the Editor role does not contain the IAP-Secured Tunnel User role.
Verify with the link below, replacing <your-project-id> with your project id.
Check - https://console.cloud.google.com/iam-admin/roles/details/roles%3Ceditor?project=<your-project-id>
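The behaviour the question describes (a conditional binding on the tunnel role does not restrict a second, unconditional binding that grants the same permission, because IAM grants are a union across bindings) and the answer's advice to check which permissions a role actually contains can be illustrated with a small policy evaluator. This is an added example, not code from the original thread or from Google; the policy, principals, CIDR and the role-to-permission map are constructed, and `roles/broadRole` is a hypothetical stand-in, not a claim about what `roles/editor` contains.

```python
import ipaddress

# Permission that IAP TCP forwarding checks; carried by the IAP-secured Tunnel User role.
TUNNEL_PERM = "iap.tunnelInstances.accessViaIAP"

# Constructed role -> permission map (assumption for illustration only).
ROLE_PERMISSIONS = {
    "roles/iap.tunnelResourceAccessor": {TUNNEL_PERM},
    "roles/broadRole": {TUNNEL_PERM, "compute.instances.get"},  # hypothetical broad role
}

# Constructed project policy: user A gets the tunnel role only from 203.0.113.0/24,
# user B gets a broad role with no condition.
POLICY = {
    "bindings": [
        {
            "role": "roles/iap.tunnelResourceAccessor",
            "members": ["user:a@example.com"],
            "condition": {"expression": "inIpRange(origin.ip, ['203.0.113.0/24'])"},
        },
        {"role": "roles/broadRole", "members": ["user:b@example.com"]},
    ]
}


def condition_holds(condition, origin_ip):
    """Evaluate the one CEL form used here: inIpRange(origin.ip, [cidr, ...])."""
    if condition is None:          # unconditional binding always applies
        return True
    expr = condition["expression"]
    cidrs = [c.strip().strip("'\"")
             for c in expr[expr.index("[") + 1:expr.index("]")].split(",")]
    ip = ipaddress.ip_address(origin_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def has_permission(policy, member, permission, origin_ip):
    """IAM is a union of grants: any binding that includes the member, whose role
    carries the permission, and whose condition holds (or is absent) is enough."""
    for binding in policy["bindings"]:
        if member not in binding["members"]:
            continue
        if permission not in ROLE_PERMISSIONS.get(binding["role"], set()):
            continue
        if condition_holds(binding.get("condition"), origin_ip):
            return True
    return False


if __name__ == "__main__":
    for member, ip in [("user:a@example.com", "203.0.113.10"),
                       ("user:a@example.com", "198.51.100.7"),
                       ("user:b@example.com", "198.51.100.7")]:
        print(member, ip, has_permission(POLICY, member, TUNNEL_PERM, ip))
```

The evaluator shows why the fix is to make sure no other binding grants the tunnel permission unconditionally, rather than to add more conditional bindings.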