See the supported connectors for Application Integration.

Predefined Application Integration IAM roles

Predefined roles give granular access to specific Google Cloud resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.

The following table lists all the predefined IAM roles for Application Integration:

Permissions

(roles/advisorynotifications.admin)

Grants write access to settings in Advisory Notifications

advisorynotifications.*

resourcemanager.organizations.get

resourcemanager.projects.get

(roles/advisorynotifications.viewer)

Grants view access in Advisory Notifications

advisorynotifications.notifications.*

advisorynotifications.settings.get

resourcemanager.organizations.get

resourcemanager.projects.get

(roles/apihub.admin)

Full access to all API hub resources.

apihub.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apihub.attributeAdmin)

Full access to all Cloud API hub attribute's resources.

apihub.attributes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apihub.editor)

Edit access to most of Cloud API Hub resources.

apihub.apiHubInstances.get

apihub.apiHubInstances.list

apihub.apiOperations.*

apihub.apis.*

apihub.attributes.get

apihub.attributes.list

apihub.definitions.*

apihub.dependencies.*

apihub.deployments.*

apihub.externalApis.*

apihub.hostProjectRegistrations.get

apihub.hostProjectRegistrations.list

apihub.llmEnablements.*

apihub.locations.searchResources

apihub.operations.get

apihub.operations.list

apihub.plugins.get

apihub.plugins.list

apihub.runTimeProjectAttachments.get

apihub.runTimeProjectAttachments.list

apihub.specs.*

apihub.styleGuides.get

apihub.versions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apihub.pluginAdmin)

Full access to all Cloud API hub plugin's resources.

apihub.plugins.*

apihub.specs.lint

apihub.styleGuides.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apihub.provisioningAdmin)

Full access to Cloud API hub provisioning related resources.

apihub.apiHubInstances.*

apihub.hostProjectRegistrations.*

apihub.operations.*

apihub.runTimeProjectAttachments.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apihub.viewer)

View access to all Cloud API hub resources.

apihub.apiHubInstances.get

apihub.apiHubInstances.list

apihub.apiOperations.get

apihub.apiOperations.list

apihub.apis.get

apihub.apis.list

apihub.attributes.get

apihub.attributes.list

apihub.definitions.get

apihub.definitions.list

apihub.dependencies.get

apihub.dependencies.list

apihub.deployments.get

apihub.deployments.list

apihub.externalApis.get

apihub.externalApis.list

apihub.hostProjectRegistrations.get

apihub.hostProjectRegistrations.list

apihub.llmEnablements.get

apihub.llmEnablements.list

apihub.locations.searchResources

apihub.operations.get

apihub.operations.list

apihub.plugins.get

apihub.plugins.list

apihub.runTimeProjectAttachments.get

apihub.runTimeProjectAttachments.list

apihub.specs.get

apihub.specs.list

apihub.styleGuides.get

apihub.versions.get

apihub.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apim.admin)

Full access to API Management resources.

apim.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apim.viewer)

Readonly access to API Management resources.

apim.apiObservations.get

apim.apiObservations.list

apim.apiOperations.*

apim.locations.*

apim.observationJobs.get

apim.observationJobs.list

apim.observationSources.get

apim.observationSources.list

apim.operations.get

apim.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apphub.admin)

Full access to App Hub resources.

apphub.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apphub.editor)

Edit access to App Hub resources.

apphub.applications.create

apphub.applications.delete

apphub.applications.get

apphub.applications.list

apphub.applications.update

apphub.discoveredServices.*

apphub.discoveredWorkloads.*

apphub.locations.*

apphub.operations.*

apphub.serviceProjectAttachments.lookup

apphub.services.*

apphub.workloads.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apphub.viewer)

View access to App Hub resources.

apphub.applications.get

apphub.applications.list

apphub.discoveredServices.get

apphub.discoveredServices.list

apphub.discoveredWorkloads.get

apphub.discoveredWorkloads.list

apphub.locations.*

apphub.operations.get

apphub.operations.list

apphub.serviceProjectAttachments.lookup

apphub.services.get

apphub.services.list

apphub.workloads.get

apphub.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/applianceactivation.approver)

Grants access to approve commands to run on appliances

applianceactivation.rttCommands.approve

applianceactivation.rttCommands.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/applianceactivation.client)

Grants access to read commands for an appliance and send its result.

applianceactivation.rttCommands.get

applianceactivation.rttCommands.sendResult

(roles/applianceactivation.troubleshooter)

Grants access to send new commands to run on appliances and view the outputs

applianceactivation.rttCommands.create

applianceactivation.rttCommands.get

applianceactivation.rttCommands.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/assuredoss.admin)

Access to use Assured OSS and manage configuration.

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.*

iam.serviceAccountKeys.create

iam.serviceAccounts.create

iam.serviceAccounts.get

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.create

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.get

pubsub.topics.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/assuredoss.projectAdmin)

Access to use Assured OSS and manage configuration.

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.*

iam.serviceAccounts.create

iam.serviceAccounts.get

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/assuredoss.reader)

Access to use Assured OSS and view Assured OSS configuration.

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

assuredoss.metadata.*

assuredoss.operations.get

assuredoss.operations.list

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/assuredoss.user)

Access to use Assured OSS.

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.locations.*

assuredoss.metadata.*

assuredoss.operations.get

assuredoss.operations.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/auditmanager.admin)

Full access to Audit Manager resources.

auditmanager.*

cloudasset.assets.searchAllResources

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/auditmanager.auditor)

Allows creating and viewing an audit report.

auditmanager.auditReports.*

auditmanager.auditScopeReports.generate

auditmanager.billingSettings.get

auditmanager.controlReports.*

auditmanager.controls.list

auditmanager.findings.*

auditmanager.locations.get

auditmanager.locations.list

auditmanager.operations.*

auditmanager.resourceEnrollmentStatuses.*

cloudasset.assets.searchAllResources

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/autoscaling.metricsWriter)

Access to write metrics for autoscaling site

autoscaling.sites.writeMetrics

(roles/autoscaling.recommendationsReader)

Access to read recommendations from autoscaling site

autoscaling.sites.readRecommendations

(roles/autoscaling.sitesAdmin)

Full access to all autoscaling site features

autoscaling.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/autoscaling.stateWriter)

Access to write state for autoscaling site

autoscaling.sites.writeState

(roles/batch.admin)

Administrator of Batch resources

batch.jobs.*

batch.locations.*

batch.operations.*

batch.resourceAllowances.*

batch.tasks.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/batch.agentReporter)

Reporter of Batch agent states.

batch.states.report

(roles/batch.jobsEditor)

Editor of Batch Jobs

batch.jobs.*

batch.locations.*

batch.operations.*

batch.tasks.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/batch.jobsViewer)

Viewer of Batch Jobs, Task Groups and Tasks

batch.jobs.get

batch.jobs.list

batch.locations.*

batch.operations.*

batch.tasks.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/batch.resourceAllowancesEditor)

Editor of Batch ResourceAllowances

batch.locations.*

batch.operations.*

batch.resourceAllowances.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/batch.resourceAllowancesViewer)

Viewer of Batch ResourceAllowances

batch.locations.*

batch.operations.*

batch.resourceAllowances.get

batch.resourceAllowances.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/biglake.admin)

Provides full access to all BigLake resources.

biglake.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/biglake.viewer)

Provides read-only access to all BigLake resources.

biglake.catalogs.get

biglake.catalogs.list

biglake.databases.get

biglake.databases.list

biglake.locks.list

biglake.tables.get

biglake.tables.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquerymigration.editor)

Editor of EDW migration workflows.

bigquerymigration.locations.*

bigquerymigration.subtasks.get

bigquerymigration.subtasks.list

bigquerymigration.workflows.create

bigquerymigration.workflows.delete

bigquerymigration.workflows.get

bigquerymigration.workflows.list

bigquerymigration.workflows.update

(roles/bigquerymigration.orchestrator)

Orchestrator of EDW migration tasks.

bigquerymigration.subtasks.create

bigquerymigration.taskTypes.*

bigquerymigration.workflows.orchestrateTask

storage.objects.list

(roles/bigquerymigration.translationUser)

User of EDW migration interactive SQL translation service.

bigquerymigration.translation.translate

(roles/bigquerymigration.viewer)

Viewer of EDW migration MigrationWorkflow.

bigquerymigration.locations.*

bigquerymigration.subtasks.get

bigquerymigration.subtasks.list

bigquerymigration.workflows.get

bigquerymigration.workflows.list

(roles/bigquerymigration.worker)

Worker that executes EDW migration subtasks.

bigquerymigration.subtaskTypes.executeTask

bigquerymigration.subtasks.executeTask

storage.objects.create

storage.objects.get

storage.objects.list

(roles/billing.carbonViewer)

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.list

(roles/blockchainnodeengine.admin)

Full access to Blockchain Node Engine resources.

blockchainnodeengine.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/blockchainnodeengine.viewer)

Read-only access to Blockchain Node Engine resources.

blockchainnodeengine.blockchainNodes.get

blockchainnodeengine.blockchainNodes.list

blockchainnodeengine.locations.*

blockchainnodeengine.operations.get

blockchainnodeengine.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/blockchainvalidatormanager.admin)

Full access to Blockchain Validator Manager resources.

blockchainvalidatormanager.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/blockchainvalidatormanager.viewer)

Readonly access to Blockchain Validator Manager resources.

blockchainvalidatormanager.blockchainValidatorConfigs.get

blockchainvalidatormanager.blockchainValidatorConfigs.list

blockchainvalidatormanager.locations.*

blockchainvalidatormanager.operations.get

blockchainvalidatormanager.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/capacityplanner.viewer)

Read-only access to Capacity Planner usage resources

capacityplanner.*

cloudquotas.quotas.get

compute.futureReservations.get

compute.futureReservations.list

compute.reservations.get

compute.reservations.list

monitoring.timeSeries.list

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

(roles/carestudio.viewer)

This role can view all properties of Patients.

carestudio.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chroniclesm.admin)

Admins can view and modify Chronicle service details.

chroniclesm.*

(roles/chroniclesm.viewer)

Viewers can see Chronicle service details but not change them.

chroniclesm.gcpAssociations.get

chroniclesm.gcpAssociations.list

chroniclesm.gcpLogFlowFilters.get

chroniclesm.gcpSettings.get

(roles/cloud.locationReader)

Read and enumerate locations available for resource creation.

cloud.*

(roles/cloudaicompanion.codeRepositoryIndexesAdmin)

Grants full access to Code Repository Indexes resources.

cloudaicompanion.codeRepositoryIndexes.*

cloudaicompanion.operations.*

cloudaicompanion.repositoryGroups.create

cloudaicompanion.repositoryGroups.delete

cloudaicompanion.repositoryGroups.get

cloudaicompanion.repositoryGroups.getIamPolicy

cloudaicompanion.repositoryGroups.list

cloudaicompanion.repositoryGroups.setIamPolicy

cloudaicompanion.repositoryGroups.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudaicompanion.codeRepositoryIndexesViewer)

Grants readonly access to Code Repository Indexes resources.

cloudaicompanion.codeRepositoryIndexes.get

cloudaicompanion.codeRepositoryIndexes.list

cloudaicompanion.operations.get

cloudaicompanion.operations.list

cloudaicompanion.repositoryGroups.get

cloudaicompanion.repositoryGroups.getIamPolicy

cloudaicompanion.repositoryGroups.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudaicompanion.repositoryGroupsUser)

Grants Read/Use access to the Code Repository Indexes Repository Group.

cloudaicompanion.codeRepositoryIndexes.get

cloudaicompanion.repositoryGroups.get

cloudaicompanion.repositoryGroups.getIamPolicy

cloudaicompanion.repositoryGroups.use

(roles/cloudaicompanion.user)

A user who can use Gemini for Google Cloud

cloudaicompanion.companions.*

cloudaicompanion.entitlements.get

cloudaicompanion.instances.*

cloudaicompanion.licenses.selfAssign

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudcontrolspartner.admin)

Full access to Cloud Controls Partner resources.

cloudcontrolspartner.accessapprovalrequests.list

cloudcontrolspartner.customers.*

cloudcontrolspartner.ekmconnections.get

cloudcontrolspartner.inspectabilityevents.get

cloudcontrolspartner.partnerpermissions.get

cloudcontrolspartner.partners.get

cloudcontrolspartner.platformcontrols.get

cloudcontrolspartner.violations.list

cloudcontrolspartner.workloads.list

(roles/cloudcontrolspartner.editor)

Editor access to Cloud Controls Partner resources.

cloudcontrolspartner.*

(roles/cloudcontrolspartner.inspectabilityReader)

Readonly access to Cloud Controls Partner inspectability resources.

cloudcontrolspartner.customers.get

cloudcontrolspartner.customers.list

cloudcontrolspartner.inspectabilityevents.get

cloudcontrolspartner.platformcontrols.get

(roles/cloudcontrolspartner.monitoringReader)

Read-only access to Cloud Controls Partner monitoring resources.

cloudcontrolspartner.customers.get

cloudcontrolspartner.customers.list

cloudcontrolspartner.violations.*

cloudcontrolspartner.workloads.*

(roles/cloudcontrolspartner.reader)

Read-only access to Cloud Controls Partner resources.

cloudcontrolspartner.accessapprovalrequests.list

cloudcontrolspartner.customers.get

cloudcontrolspartner.customers.list

cloudcontrolspartner.ekmconnections.get

cloudcontrolspartner.inspectabilityevents.get

cloudcontrolspartner.partnerpermissions.get

cloudcontrolspartner.partners.get

cloudcontrolspartner.platformcontrols.get

cloudcontrolspartner.violations.*

cloudcontrolspartner.workloads.*

(roles/cloudoptimization.admin)

Administrator of Cloud Optimization AI resources

cloudoptimization.*

(roles/cloudoptimization.editor)

Editor of Cloud Optimization AI resources

cloudoptimization.*

(roles/cloudoptimization.viewer)

Viewer of Cloud Optimization AI resources

cloudoptimization.operations.get

(roles/cloudquotas.admin)

Full access to Cloud Quotas resources.

cloudquotas.*

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudquotas.viewer)

Readonly access to Cloud Quotas resources.

cloudquotas.quotas.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceagreementpublishing.admin)

Admin of Commerce Agreement Publishing service

commerceagreementpublishing.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceagreementpublishing.viewer)

Viewer of Commerce Agreement Publishing service

commerceagreementpublishing.agreements.get

commerceagreementpublishing.agreements.list

commerceagreementpublishing.documents.get

commerceagreementpublishing.documents.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/confidentialcomputing.workloadUser)

Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.

confidentialcomputing.*

logging.logEntries.create

(roles/configdelivery.configDeliveryAdmin)

Grants full access to all Config Delivery resources. Lets users create, remove and manage fleet packages and resource bundles.

configdelivery.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/configdelivery.configDeliveryViewer)

Grants read access to all Config Delivery resources. Lets users view existing fleet packages and resource bundles, but they will not be able to make any changes.

configdelivery.fleetPackages.get

configdelivery.fleetPackages.list

configdelivery.locations.*

configdelivery.operations.get

configdelivery.operations.list

configdelivery.releases.get

configdelivery.releases.list

configdelivery.resourceBundles.get

configdelivery.resourceBundles.list

configdelivery.rollouts.get

configdelivery.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/configdelivery.resourceBundlePublisher)

Grants read and write permissions to Config Delivery ResourceBundles and Releases.

configdelivery.locations.*

configdelivery.operations.get

configdelivery.operations.list

configdelivery.releases.create

configdelivery.releases.get

configdelivery.releases.list

configdelivery.releases.update

configdelivery.resourceBundles.create

configdelivery.resourceBundles.get

configdelivery.resourceBundles.list

configdelivery.resourceBundles.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contactcenteraiplatform.admin)

Full access to Contact Center AI Platform resources.

contactcenteraiplatform.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contactcenteraiplatform.viewer)

Read-only access to Contact Center AI Platform resources.

contactcenteraiplatform.contactCenters.get

contactcenteraiplatform.contactCenters.list

contactcenteraiplatform.locations.*

contactcenteraiplatform.operations.get

contactcenteraiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contactcenterinsights.editor)

Grants read and write access to all Contact Center AI Insights resources.

contactcenterinsights.*

(roles/contactcenterinsights.viewer)

Grants read access to all Contact Center AI Insights resources.

contactcenterinsights.analyses.get

contactcenterinsights.analyses.list

contactcenterinsights.analysisRules.get

contactcenterinsights.analysisRules.list

contactcenterinsights.conversations.get

contactcenterinsights.conversations.list

contactcenterinsights.faqEntries.get

contactcenterinsights.faqEntries.list

contactcenterinsights.faqModels.get

contactcenterinsights.faqModels.list

contactcenterinsights.feedbackLabels.get

contactcenterinsights.feedbackLabels.list

contactcenterinsights.issueModels.get

contactcenterinsights.issueModels.list

contactcenterinsights.issues.get

contactcenterinsights.issues.list

contactcenterinsights.operations.get

contactcenterinsights.operations.list

contactcenterinsights.phraseMatchers.get

contactcenterinsights.phraseMatchers.list

contactcenterinsights.qaQuestions.get

contactcenterinsights.qaQuestions.list

contactcenterinsights.qaScorecardRevisions.get

contactcenterinsights.qaScorecardRevisions.list

contactcenterinsights.qaScorecards.get

contactcenterinsights.qaScorecards.list

contactcenterinsights.settings.get

contactcenterinsights.views.get

contactcenterinsights.views.list

(roles/containersecurity.viewer)

Read-only access to GKE Security Posture resources.

container.clusters.list

containersecurity.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.admin)

Grants full access to all the resources in Content Warehouse

contentwarehouse.corpora.*

contentwarehouse.dataExportJobs.*

contentwarehouse.documentSchemas.*

contentwarehouse.documents.*

contentwarehouse.locations.*

contentwarehouse.operations.get

contentwarehouse.rawDocuments.*

contentwarehouse.ruleSets.*

contentwarehouse.synonymSets.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentAdmin)

Grants full access to the document resource in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.create

contentwarehouse.documents.delete

contentwarehouse.documents.get

contentwarehouse.documents.getIamPolicy

contentwarehouse.documents.setIamPolicy

contentwarehouse.documents.update

contentwarehouse.links.*

contentwarehouse.locations.getStatus

contentwarehouse.rawDocuments.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentCreator)

Grants access to create document in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documentSchemas.list

contentwarehouse.documents.create

contentwarehouse.locations.getStatus

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentEditor)

Grants access to update document resource in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.get

contentwarehouse.documents.getIamPolicy

contentwarehouse.documents.update

contentwarehouse.links.*

contentwarehouse.locations.getStatus

contentwarehouse.rawDocuments.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentSchemaViewer)

Grants access to view the document schemas in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documentSchemas.list

contentwarehouse.locations.getStatus

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentViewer)

Grants access to view all the resources in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.get

contentwarehouse.documents.getIamPolicy

contentwarehouse.links.get

contentwarehouse.locations.getStatus

contentwarehouse.rawDocuments.download

resourcemanager.projects.get

resourcemanager.projects.list

(roles/databasecenter.viewer)

Viewer role for Database Center resource data

cloudaicompanion.entitlements.get

databasecenter.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/databaseinsights.eventsViewer)

Viewer role for Events Service data

databaseinsights.aggregatedEvents.query

databaseinsights.clusterEvents.query

databaseinsights.instanceEvents.query

(roles/databaseinsights.monitoringViewer)

Viewer role for Database Insights monitoring data

databaseinsights.activeQueries.fetch

databaseinsights.activitySummary.fetch

databaseinsights.aggregatedStats.query

databaseinsights.locations.*

databaseinsights.timeSeries.query

databaseinsights.workloadRecommendations.fetch

resourcemanager.projects.get

resourcemanager.projects.list

(roles/databaseinsights.operationsAdmin)

Admin role for performing Database Insights operations

databaseinsights.activeQuery.terminate

(roles/databaseinsights.recommendationViewer)

Viewer role for Database Insights recommendation data

databaseinsights.locations.*

databaseinsights.recommendations.query

databaseinsights.resourceRecommendations.query

databaseinsights.workloadRecommendations.fetch

resourcemanager.projects.get

resourcemanager.projects.list

(roles/databaseinsights.viewer)

Viewer role for Database Insights data

databaseinsights.activeQueries.fetch

databaseinsights.activitySummary.fetch

databaseinsights.aggregatedStats.query

databaseinsights.locations.*

databaseinsights.recommendations.query

databaseinsights.resourceRecommendations.query

databaseinsights.timeSeries.query

databaseinsights.workloadRecommendations.fetch

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.admin)

Grants full access to all resources in Data Lineage API

datalineage.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.editor)

Grants edit access to all resources in Data Lineage API

datalineage.events.*

datalineage.locations.searchLinks

datalineage.operations.get

datalineage.processes.create

datalineage.processes.get

datalineage.processes.list

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.list

datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.producer)

Grants access to creating all resources in Data Lineage API

datalineage.events.create

datalineage.processes.create

datalineage.processes.get

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.viewer)

Grants read access to all resources in Data Lineage API

datalineage.events.get

datalineage.events.list

datalineage.locations.searchLinks

datalineage.processes.get

datalineage.processes.list

datalineage.runs.get

datalineage.runs.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataprocessing.admin)

Data processing controls admin who can fully manage data processing controls settings and view all datasource data.

billing.accounts.get

billing.accounts.list

dataprocessing.*

(roles/dataprocessing.dataSourceManager)

Data processing controls data source manager who can get, list, and update the underlying data.

dataprocessing.datasources.list

dataprocessing.datasources.update

(roles/dataprocrm.admin)

Grants full access to all Dataproc Resource Manager resources. Intended for users that need to create and delete any Dataproc Resource Manager resources.

dataprocrm.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataprocrm.viewer)

Grants read access to all Dataproc Resource Manager resources. Intended for users that need read-only access to Dataproc Resource Manager resources.

dataprocrm.locations.*

dataprocrm.nodePools.get

dataprocrm.nodePools.list

dataprocrm.nodes.get

dataprocrm.nodes.list

dataprocrm.nodes.mintOAuthToken

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.get

dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/developerconnect.admin)

Full access to Developer Connect resources.

developerconnect.connections.*

developerconnect.gitRepositoryLinks.create

developerconnect.gitRepositoryLinks.delete

developerconnect.gitRepositoryLinks.fetchGitRefs

developerconnect.gitRepositoryLinks.get

developerconnect.gitRepositoryLinks.list

developerconnect.locations.*

developerconnect.operations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/developerconnect.readTokenAccessor)

Grants access to Read-Only tokens (both PAT and short-lived). Also grants access to view the git repository link.

developerconnect.connections.get

developerconnect.gitRepositoryLinks.fetchReadToken

developerconnect.gitRepositoryLinks.get

(roles/developerconnect.tokenAccessor)

Grants access to Read/Write and Read-Only tokens (both PAT and short-lived). Also grants access to view the git repository link.

developerconnect.connections.get

developerconnect.gitRepositoryLinks.fetchReadToken

developerconnect.gitRepositoryLinks.fetchReadWriteToken

developerconnect.gitRepositoryLinks.get

(roles/developerconnect.user)

Grants access to view the connection and to the features that interact with the actual repository such as reading content from the repository

developerconnect.connections.fetchGitHubInstallations

developerconnect.connections.fetchLinkableGitRepositories

developerconnect.connections.get

developerconnect.connections.list

developerconnect.gitRepositoryLinks.fetchGitRefs

developerconnect.gitRepositoryLinks.get

developerconnect.gitRepositoryLinks.list

developerconnect.locations.*

developerconnect.operations.get

developerconnect.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/developerconnect.viewer)

Readonly access to Developer Connect resources.

developerconnect.connections.get

developerconnect.connections.list

developerconnect.gitRepositoryLinks.get

developerconnect.gitRepositoryLinks.list

developerconnect.locations.*

developerconnect.operations.get

developerconnect.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/discoveryengine.admin)

Grants full access to all discoveryengine resources.

discoveryengine.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/discoveryengine.editor)

Grants read and write access to all discovery engine resources.

discoveryengine.aclConfigs.get

discoveryengine.analytics.*

discoveryengine.answers.get

discoveryengine.branches.*

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.completeQuery

discoveryengine.completionConfigs.get

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.*

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.batchGetDocumentsMetadata

discoveryengine.documents.create

discoveryengine.documents.delete

discoveryengine.documents.get

discoveryengine.documents.import

discoveryengine.documents.list

discoveryengine.documents.update

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.engines.pause

discoveryengine.engines.resume

discoveryengine.engines.tune

discoveryengine.evaluations.get

discoveryengine.evaluations.list

discoveryengine.groundingConfigs.check

discoveryengine.models.*

discoveryengine.operations.*

discoveryengine.projects.get

discoveryengine.rankingConfigs.rank

discoveryengine.sampleQueries.*

discoveryengine.sampleQuerySets.*

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.schemas.preview

discoveryengine.schemas.validate

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.sessions.*

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.create

discoveryengine.userEvents.fetchStats

discoveryengine.userEvents.import

discoveryengine.widgetConfigs.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/discoveryengine.user)

Grants user-level access to Discovery Engine resources.

discoveryengine.answers.get

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.search

discoveryengine.sessions.get

(roles/discoveryengine.viewer)

Grants read access to all discovery engine resources.

discoveryengine.aclConfigs.get

discoveryengine.analytics.*

discoveryengine.answers.get

discoveryengine.branches.*

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.completeQuery

discoveryengine.completionConfigs.get

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.converse

discoveryengine.conversations.get

discoveryengine.conversations.list

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.batchGetDocumentsMetadata

discoveryengine.documents.get

discoveryengine.documents.list

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.evaluations.get

discoveryengine.evaluations.list

discoveryengine.groundingConfigs.check

discoveryengine.models.get

discoveryengine.models.list

discoveryengine.operations.*

discoveryengine.projects.get

discoveryengine.rankingConfigs.rank

discoveryengine.sampleQueries.get

discoveryengine.sampleQueries.list

discoveryengine.sampleQuerySets.get

discoveryengine.sampleQuerySets.list

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.schemas.preview

discoveryengine.schemas.validate

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.sessions.get

discoveryengine.sessions.list

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.fetchStats

discoveryengine.widgetConfigs.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/enterprisepurchasing.admin)

Full access to Enterprise Purchasing resources.

enterprisepurchasing.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/enterprisepurchasing.editor)

Edit access to Enterprise Purchasing resources.

enterprisepurchasing.gcveCuds.get

enterprisepurchasing.gcveCuds.list

enterprisepurchasing.gcveNodePricingInfo.list

enterprisepurchasing.locations.*

enterprisepurchasing.operations.get

enterprisepurchasing.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/enterprisepurchasing.viewer)

Readonly access to Enterprise Purchasing resources.

enterprisepurchasing.gcveCuds.get

enterprisepurchasing.gcveCuds.list

enterprisepurchasing.gcveNodePricingInfo.list

enterprisepurchasing.locations.*

enterprisepurchasing.operations.get

enterprisepurchasing.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/essentialcontacts.admin)

Full access to all essential contacts

essentialcontacts.*

(roles/essentialcontacts.viewer)

Viewer for all essential contacts

essentialcontacts.contacts.get

essentialcontacts.contacts.list

(roles/firebasecloudmessaging.admin)

Full read/write access to Firebase Cloud Messaging API resources.

cloudmessaging.messages.create

fcmdata.deliverydata.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasecrash.symbolMappingsAdmin)

Full read/write access to symbol mapping file resources for Firebase Crash Reporting.

firebase.clients.get

firebase.clients.list

resourcemanager.projects.get

(roles/firebasedataconnect.admin)

Full access to Firebase Data Connect API resources, including data.

firebasedataconnect.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasedataconnect.dataAdmin)

Full access to data sources.

firebasedataconnect.services.executeGraphql

firebasedataconnect.services.executeGraphqlRead

(roles/firebasedataconnect.dataViewer)

Readonly access to data sources.

firebasedataconnect.services.executeGraphqlRead

(roles/firebasedataconnect.viewer)

Readonly access to Firebase Data Connect API resources. Role does not grant access to data.

firebasedataconnect.connectorRevisions.get

firebasedataconnect.connectorRevisions.list

firebasedataconnect.connectors.get

firebasedataconnect.connectors.list

firebasedataconnect.locations.*

firebasedataconnect.operations.get

firebasedataconnect.operations.list

firebasedataconnect.schemaRevisions.get

firebasedataconnect.schemaRevisions.list

firebasedataconnect.schemas.get

firebasedataconnect.schemas.list

firebasedataconnect.services.get

firebasedataconnect.services.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gdchardwaremanagement.admin)

Full access to GDC Hardware Management resources.

gdchardwaremanagement.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gdchardwaremanagement.operator)

Create, read, and update access to GDC Hardware Management resources that support those operations. Also grants delete access to HardwareGroup resource.

gdchardwaremanagement.changeLogEntries.*

gdchardwaremanagement.comments.*

gdchardwaremanagement.hardware.*

gdchardwaremanagement.hardwareGroups.*

gdchardwaremanagement.locations.*

gdchardwaremanagement.operations.get

gdchardwaremanagement.operations.list

gdchardwaremanagement.orders.create

gdchardwaremanagement.orders.get

gdchardwaremanagement.orders.list

gdchardwaremanagement.orders.update

gdchardwaremanagement.sites.*

gdchardwaremanagement.skus.*

gdchardwaremanagement.zones.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gdchardwaremanagement.reader)

Readonly access to GDC Hardware Management resources.

gdchardwaremanagement.changeLogEntries.*

gdchardwaremanagement.comments.get

gdchardwaremanagement.comments.list

gdchardwaremanagement.hardware.get

gdchardwaremanagement.hardware.list

gdchardwaremanagement.hardwareGroups.get

gdchardwaremanagement.hardwareGroups.list

gdchardwaremanagement.locations.*

gdchardwaremanagement.operations.get

gdchardwaremanagement.operations.list

gdchardwaremanagement.orders.get

gdchardwaremanagement.orders.list

gdchardwaremanagement.sites.get

gdchardwaremanagement.sites.list

gdchardwaremanagement.skus.*

gdchardwaremanagement.zones.get

gdchardwaremanagement.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/identityplatform.admin)

Full access to Identity Platform resources.

firebaseauth.*

identitytoolkit.*

(roles/identityplatform.viewer)

Read access to Identity Platform resources.

firebaseauth.configs.get

firebaseauth.users.get

identitytoolkit.tenants.get

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

(roles/identitytoolkit.admin)

Full access to Identity Toolkit resources.

firebaseauth.*

identitytoolkit.*

(roles/identitytoolkit.viewer)

Read access to Identity Toolkit resources.

firebaseauth.configs.get

firebaseauth.users.get

identitytoolkit.tenants.get

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

(roles/integrations.apigeeIntegrationAdminRole)

A user that has full access to all Apigee integrations.

connectors.actions.*

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entityTypes.list

integrations.apigeeAuthConfigs.*

integrations.apigeeCertificates.*

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrations.*

integrations.apigeeSfdcChannels.*

integrations.apigeeSfdcInstances.*

integrations.apigeeSuspensions.*

integrations.authConfigs.*

integrations.certificates.*

integrations.executions.get

integrations.executions.list

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.create

integrations.integrations.delete

integrations.integrations.deploy

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

integrations.integrations.update

integrations.sfdcChannels.*

integrations.sfdcInstances.*

integrations.suspensions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationDeployerRole)

A developer that can deploy/undeploy Apigee integrations to the integration runtime.

integrations.apigeeIntegrationVers.deploy

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.deploy

integrations.integrations.get

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationEditorRole)

A developer that can list, create and update Apigee integrations.

connectors.actions.*

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entityTypes.list

integrations.apigeeAuthConfigs.create

integrations.apigeeAuthConfigs.get

integrations.apigeeAuthConfigs.list

integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.create

integrations.apigeeCertificates.get

integrations.apigeeCertificates.list

integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrations.*

integrations.apigeeSfdcChannels.create

integrations.apigeeSfdcChannels.get

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.create

integrations.apigeeSfdcInstances.get

integrations.apigeeSfdcInstances.list

integrations.apigeeSfdcInstances.update

integrations.authConfigs.create

integrations.authConfigs.get

integrations.authConfigs.list

integrations.authConfigs.update

integrations.certificates.get

integrations.executions.get

integrations.executions.list

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.create

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

integrations.integrations.update

integrations.sfdcChannels.*

integrations.sfdcInstances.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationInvokerRole)

A role that can invoke Apigee integrations.

connectors.actions.*

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entityTypes.list

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.*

integrations.executions.get

integrations.executions.list

integrations.integrationVersions.get

integrations.integrationVersions.invoke

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationsViewer)

A developer that can list and view Apigee integrations.

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.authConfigs.get

integrations.authConfigs.list

integrations.certificates.get

integrations.certificates.list

integrations.executions.get

integrations.executions.list

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeSuspensionResolver)

A role that can approve / reject Apigee integrations that contain a suspension/wait task.

integrations.apigeeSuspensions.*

integrations.suspensions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.certificateViewer)

A developer that can list and view Certificates.

integrations.certificates.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationAdmin)

A user that has full access (CRUD) to all integrations.

integrations.apigeeAuthConfigs.*

integrations.apigeeCertificates.*

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrations.*

integrations.apigeeSfdcChannels.*

integrations.apigeeSfdcInstances.*

integrations.apigeeSuspensions.*

integrations.authConfigs.*

integrations.certificates.*

integrations.executions.*

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.*

integrations.sfdcChannels.*

integrations.sfdcInstances.*

integrations.suspensions.*

integrations.testCases.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationDeployer)

A developer that can deploy/undeploy integrations to the integration runtime.

integrations.apigeeIntegrationVers.deploy

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.deploy

integrations.integrations.get

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationEditor)

A developer that can list, create and update integrations.

integrations.apigeeAuthConfigs.create

integrations.apigeeAuthConfigs.get

integrations.apigeeAuthConfigs.list

integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.create

integrations.apigeeCertificates.get

integrations.apigeeCertificates.list

integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrations.*

integrations.apigeeSfdcChannels.create

integrations.apigeeSfdcChannels.get

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.create

integrations.apigeeSfdcInstances.get

integrations.apigeeSfdcInstances.list

integrations.apigeeSfdcInstances.update

integrations.authConfigs.create

integrations.authConfigs.get

integrations.authConfigs.list

integrations.authConfigs.update

integrations.certificates.get

integrations.executions.*

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.create

integrations.integrations.generateOpenApiSpec

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

integrations.integrations.update

integrations.sfdcChannels.*

integrations.sfdcInstances.*

integrations.testCases.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationInvoker)

A role that can invoke integrations.

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.*

integrations.executions.*

integrations.integrationVersions.get

integrations.integrationVersions.invoke

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

integrations.testCases.get

integrations.testCases.invoke

integrations.testCases.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationViewer)

A developer that can list and view integrations.

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.authConfigs.get

integrations.authConfigs.list

integrations.certificates.get

integrations.certificates.list

integrations.executions.get

integrations.executions.list

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.generateOpenApiSpec

integrations.integrations.get

integrations.integrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

integrations.testCases.get

integrations.testCases.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.securityIntegrationAdmin)

A user that has full access to all Security integrations.

integrations.securityAuthConfigs.*

integrations.securityExecutions.*

integrations.securityIntegTempVers.*

integrations.securityIntegrationVers.*

integrations.securityIntegrations.*

(roles/integrations.sfdcInstanceAdmin)

A user that has full access (CRUD) to all SFDC instances.

integrations.sfdcChannels.*

integrations.sfdcInstances.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.sfdcInstanceEditor)

A developer that can list, create and update integrations.

integrations.sfdcChannels.create

integrations.sfdcChannels.get

integrations.sfdcChannels.list

integrations.sfdcChannels.update

integrations.sfdcInstances.create

integrations.sfdcInstances.get

integrations.sfdcInstances.list

integrations.sfdcInstances.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.sfdcInstanceViewer)

A developer that can list and view SFDC instances.

integrations.sfdcChannels.get

integrations.sfdcChannels.list

integrations.sfdcInstances.get

integrations.sfdcInstances.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.suspensionResolver)

A role that can resolve suspended integrations.

integrations.apigeeSuspensions.*

integrations.suspensions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.accountManagerAdmin)

This role can perform all account manager related operations

issuerswitch.accountManagerTransactions.*

issuerswitch.managedAccounts.*

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.accountManagerTransactionsAdmin)

This role can perform all account manager transactions related operations

issuerswitch.accountManagerTransactions.*

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.accountManagerTransactionsViewer)

This role can view all account manager transactions

issuerswitch.accountManagerTransactions.list

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.admin)

Access to all issuer switch roles

issuerswitch.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.issuerParticipantsAdmin)

Full access to issuer switch participants

issuerswitch.issuerParticipants.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.resolutionsAdmin)

Full access to issuer switch resolutions

issuerswitch.complaintTransactions.list

issuerswitch.complaints.*

issuerswitch.disputes.*

issuerswitch.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.rulesAdmin)

Full access to issuer switch rules

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.*

issuerswitch.rules.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.rulesViewer)

This role can view rules and related metadata.

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.list

issuerswitch.rules.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.transactionsViewer)

This role can view all transactions

issuerswitch.complaintTransactions.list

issuerswitch.financialTransactions.list

issuerswitch.mandateTransactions.list

issuerswitch.metadataTransactions.list

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/kubernetesmetadata.publisher)

Publisher of Kubernetes clusters metadata

kubernetesmetadata.*

(roles/licensemanager.admin)

Full access to Cloud License Manager resources.

licensemanager.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/licensemanager.viewer)

Readonly access to Cloud License Manager resources.

licensemanager.configurations.get

licensemanager.configurations.list

licensemanager.instances.*

licensemanager.locations.*

licensemanager.operations.get

licensemanager.operations.list

licensemanager.products.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedflink.admin)

Full access to Managed Flink resources.

managedflink.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedflink.developer)

Full access to Managed Flink Jobs and Sessions and read access to Deployments.

managedflink.deployments.get

managedflink.deployments.list

managedflink.jobs.*

managedflink.locations.*

managedflink.operations.get

managedflink.operations.list

managedflink.sessions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedflink.viewer)

Readonly access to Managed Flink resources.

managedflink.deployments.get

managedflink.deployments.list

managedflink.jobs.get

managedflink.jobs.list

managedflink.locations.*

managedflink.operations.get

managedflink.operations.list

managedflink.sessions.get

managedflink.sessions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedkafka.admin)

Full access to Managed Kafka resources.

managedkafka.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/managedkafka.client)

Provides access to connect to the Kafka servers in a cluster, i.e. provides Kafka data plane access. Intended for, e.g., producers and consumers.

managedkafka.clusters.connect

managedkafka.clusters.get

managedkafka.clusters.list

managedkafka.consumerGroups.*

managedkafka.locations.*

managedkafka.operations.get

managedkafka.operations.list

managedkafka.topics.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/managedkafka.clusterEditor)

Provides read and write access to Kafka clusters. Intended for, e.g., IT Departments that provision Kafka clusters, but need not be able to read or modify topics or consumer groups.

managedkafka.clusters.create

managedkafka.clusters.delete

managedkafka.clusters.get

managedkafka.clusters.list

managedkafka.clusters.update

managedkafka.consumerGroups.get

managedkafka.consumerGroups.list

managedkafka.locations.*

managedkafka.operations.get

managedkafka.operations.list

managedkafka.topics.get

managedkafka.topics.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/managedkafka.consumerGroupEditor)

Provides read and write access to consumer group metadata. Intended for, e.g., developers who configure consumer groups.

managedkafka.clusters.get

managedkafka.clusters.list

managedkafka.consumerGroups.*

managedkafka.locations.*

managedkafka.operations.get

managedkafka.operations.list

managedkafka.topics.get

managedkafka.topics.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/managedkafka.topicEditor)

Provides read and write access to topic metadata. Intended for, e.g., developers who configure topics.

managedkafka.clusters.get

managedkafka.clusters.list

managedkafka.consumerGroups.get

managedkafka.consumerGroups.list

managedkafka.locations.*

managedkafka.operations.get

managedkafka.operations.list

managedkafka.topics.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/managedkafka.viewer)

Readonly access to Managed Kafka resources.

managedkafka.clusters.get

managedkafka.clusters.list

managedkafka.consumerGroups.get

managedkafka.consumerGroups.list

managedkafka.locations.*

managedkafka.operations.get

managedkafka.operations.list

managedkafka.topics.get

managedkafka.topics.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/mandiant.attackSurfaceManagementEditor)

Access to write Attack Surface Management

mandiant.genericAttackSurfaceManagements.create

mandiant.genericAttackSurfaceManagements.delete

mandiant.genericAttackSurfaceManagements.update

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.attackSurfaceManagementViewer)

Access to read Attack Surface Management

mandiant.genericAttackSurfaceManagements.get

mandiant.genericPlatforms.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.digitalThreatMonitoringEditor)

Access to write Digital Threat Monitoring

mandiant.genericDigitalThreatMonitorings.create

mandiant.genericDigitalThreatMonitorings.update

mandiant.genericPlatforms.create

mandiant.genericPlatforms.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.digitalThreatMonitoringViewer)

Access to read Digital Threat Monitoring

mandiant.genericDigitalThreatMonitorings.get

mandiant.genericPlatforms.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.expertiseOnDemandEditor)

Access to write Expertise On Demand

mandiant.genericExpertiseOnDemands.create

mandiant.genericExpertiseOnDemands.delete

mandiant.genericExpertiseOnDemands.update

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.expertiseOnDemandViewer)

Access to read Expertise On Demand

mandiant.genericExpertiseOnDemands.get

mandiant.genericPlatforms.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.threatIntelEditor)

Access to write Threat Intel

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

mandiant.genericThreatIntels.create

mandiant.genericThreatIntels.delete

mandiant.genericThreatIntels.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.threatIntelViewer)

Access to read Threat Intel

mandiant.genericPlatforms.get

mandiant.genericThreatIntels.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.validationEditor)

Access to write Validation

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

mandiant.genericValidations.create

mandiant.genericValidations.delete

mandiant.genericValidations.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.validationViewer)

Access to read Validation

mandiant.genericPlatforms.get

mandiant.genericValidations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mapsanalytics.mobilitySolutionsOverageViewer)

Grants read-only access to Mobility Solutions Overages metric data.

mapsanalytics.metricData.queryMobilitySolutionsOverageData

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.list

(roles/mapsanalytics.viewer)

Grants read-only access to all of the Maps Analytics resources.

mapsanalytics.metricData.query

mapsanalytics.metricMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.list

(roles/mapsplatformdatasets.admin)

Grants read and write access to all the Maps Platform Datasets API resources

mapsadmin.clientStyles.*

mapsplatformdatasets.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mapsplatformdatasets.viewer)

Grants read-only access to all the Maps Platform Datasets API resources

mapsadmin.clientStyles.get

mapsadmin.clientStyles.list

mapsplatformdatasets.datasets.export

mapsplatformdatasets.datasets.get

mapsplatformdatasets.datasets.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/marketplacesolutions.admin)

Full access to Marketplace Solutions resources.

marketplacesolutions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/marketplacesolutions.editor)

Edit access to Marketplace Solutions resources.

marketplacesolutions.locations.*

marketplacesolutions.operations.get

marketplacesolutions.operations.list

marketplacesolutions.powerImages.*

marketplacesolutions.powerInstances.get

marketplacesolutions.powerInstances.list

marketplacesolutions.powerInstances.update

marketplacesolutions.powerNetworks.*

marketplacesolutions.powerSshKeys.*

marketplacesolutions.powerVolumes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/marketplacesolutions.viewer)

Readonly access to Marketplace Solutions resources.

marketplacesolutions.locations.*

marketplacesolutions.operations.get

marketplacesolutions.operations.list

marketplacesolutions.powerImages.*

marketplacesolutions.powerInstances.get

marketplacesolutions.powerInstances.list

marketplacesolutions.powerNetworks.*

marketplacesolutions.powerSshKeys.*

marketplacesolutions.powerVolumes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/memorystore.admin)

Full access to Memorystore resources.

memorystore.instances.create

memorystore.instances.delete

memorystore.instances.get

memorystore.instances.list

memorystore.instances.update

memorystore.locations.*

memorystore.operations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/memorystore.dbConnectionUser)

Access to connecting to Memorystore Server db.

memorystore.instances.connect

(roles/memorystore.viewer)

Readonly access to Memorystore resources.

memorystore.instances.get

memorystore.instances.list

memorystore.locations.*

memorystore.operations.get

memorystore.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/nestconsole.homeDeveloperAdmin)

Admin access to Google Home Developer Console resources

nestconsole.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/nestconsole.homeDeveloperEditor)

Read-Write access to Google Home Developer Console resources

nestconsole.smarthomePreviews.update

nestconsole.smarthomeProjects.get

nestconsole.smarthomeProjects.update

nestconsole.smarthomeVersions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/nestconsole.homeDeveloperViewer)

Read-only access to Google Home Developer Console resources

nestconsole.smarthomeProjects.get

nestconsole.smarthomeVersions.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/netapp.admin)

Full access to Google Cloud NetApp Volumes resources.

netapp.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/netapp.viewer)

Readonly access to Google Cloud NetApp Volumes resources.

netapp.activeDirectories.get

netapp.activeDirectories.list

netapp.backupPolicies.get

netapp.backupPolicies.list

netapp.backupVaults.get

netapp.backupVaults.list

netapp.backups.get

netapp.backups.list

netapp.kmsConfigs.get

netapp.kmsConfigs.list

netapp.locations.*

netapp.operations.get

netapp.operations.list

netapp.replications.get

netapp.replications.list

netapp.snapshots.get

netapp.snapshots.list

netapp.storagePools.get

netapp.storagePools.list

netapp.volumes.get

netapp.volumes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oauthconfig.editor)

Read/write access to OAuth config resources

clientauthconfig.*

oauthconfig.*

(roles/oauthconfig.viewer)

Read-only access to OAuth config resources

clientauthconfig.brands.get

clientauthconfig.brands.list

clientauthconfig.clients.get

clientauthconfig.clients.list

oauthconfig.clientpolicy.get

oauthconfig.testusers.get

oauthconfig.verification.get

(roles/oracledatabase.admin)

Grants full access to manage all Oracle Database resources.

oracledatabase.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.autonomousDatabaseAdmin)

Grants full access to manage all Autonomous Database resources.

oracledatabase.autonomousDatabaseBackups.*

oracledatabase.autonomousDatabaseCharacterSets.list

oracledatabase.autonomousDatabases.*

oracledatabase.autonomousDbVersions.list

oracledatabase.entitlements.list

oracledatabase.locations.*

oracledatabase.operations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.autonomousDatabaseViewer)

Grants read access to see all Autonomous Database resources.

oracledatabase.autonomousDatabaseBackups.get

oracledatabase.autonomousDatabaseBackups.list

oracledatabase.autonomousDatabaseCharacterSets.list

oracledatabase.autonomousDatabases.generateWallet

oracledatabase.autonomousDatabases.get

oracledatabase.autonomousDatabases.list

oracledatabase.autonomousDbVersions.list

oracledatabase.entitlements.list

oracledatabase.locations.*

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.cloudExadataInfrastructureAdmin)

Grants full access to manage all Exadata Infrastructure resources.

oracledatabase.cloudExadataInfrastructures.create

oracledatabase.cloudExadataInfrastructures.delete

oracledatabase.cloudExadataInfrastructures.get

oracledatabase.cloudExadataInfrastructures.list

oracledatabase.cloudExadataInfrastructures.update

oracledatabase.dbServers.list

oracledatabase.dbSystemShapes.list

oracledatabase.entitlements.list

oracledatabase.giVersions.list

oracledatabase.locations.*

oracledatabase.operations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.cloudExadataInfrastructureViewer)

Grants read access to see all Exadata Infrastructure resources.

oracledatabase.cloudExadataInfrastructures.get

oracledatabase.cloudExadataInfrastructures.list

oracledatabase.dbServers.list

oracledatabase.dbSystemShapes.list

oracledatabase.entitlements.list

oracledatabase.giVersions.list

oracledatabase.locations.*

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.cloudVmClusterAdmin)

Grants full access to manage all VM Cluster resources.

oracledatabase.cloudExadataInfrastructures.list

oracledatabase.cloudExadataInfrastructures.use

oracledatabase.cloudVmClusters.*

oracledatabase.dbNodes.list

oracledatabase.dbServers.list

oracledatabase.entitlements.list

oracledatabase.giVersions.list

oracledatabase.locations.*

oracledatabase.operations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.cloudVmClusterViewer)

Grants read access to see all VM Cluster resources.

oracledatabase.cloudVmClusters.get

oracledatabase.cloudVmClusters.list

oracledatabase.dbNodes.list

oracledatabase.entitlements.list

oracledatabase.locations.*

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.viewer)

Grants view access to all Oracle Database resources.

oracledatabase.autonomousDatabaseBackups.get

oracledatabase.autonomousDatabaseBackups.list

oracledatabase.autonomousDatabaseCharacterSets.list

oracledatabase.autonomousDatabases.generateWallet

oracledatabase.autonomousDatabases.get

oracledatabase.autonomousDatabases.list

oracledatabase.autonomousDbVersions.list

oracledatabase.cloudExadataInfrastructures.get

oracledatabase.cloudExadataInfrastructures.list

oracledatabase.cloudVmClusters.get

oracledatabase.cloudVmClusters.list

oracledatabase.dbNodes.list

oracledatabase.dbServers.list

oracledatabase.dbSystemShapes.list

oracledatabase.entitlements.list

oracledatabase.giVersions.list

oracledatabase.locations.*

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/parallelstore.admin)

Full access to Parallelstore resources.

parallelstore.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/parallelstore.viewer)

Readonly access to Parallelstore resources.

parallelstore.instances.get

parallelstore.instances.list

parallelstore.locations.*

parallelstore.operations.get

parallelstore.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.partnerAdmin)

Full access to all Payments Reseller resources, including subscriptions, products and promotions

paymentsresellersubscription.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.partnerViewer)

Read access to all Payments Reseller resources, including subscriptions, products and promotions

paymentsresellersubscription.products.list

paymentsresellersubscription.promotions.list

paymentsresellersubscription.subscriptions.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.productViewer)

Read access to Payments Reseller Product resource

paymentsresellersubscription.products.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.promotionViewer)

Read access to Payments Reseller Promotion resource

paymentsresellersubscription.promotions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.subscriptionEditor)

Write access to Payments Reseller Subscription resource

paymentsresellersubscription.subscriptions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.subscriptionViewer)

Read access to Payments Reseller Subscription resource

paymentsresellersubscription.subscriptions.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.userSessionEditor)

Editor of UserSessions for a Payments Partner

paymentsresellersubscription.userSessions.generate

(roles/policyanalyzer.activityAnalysisViewer)

Viewer user that can read all activity analysis.

policyanalyzer.*

(roles/policyremediatormanager.policyRemediatorAdmin)

Grants the ability to enable and disable the usage of the policy remediator for the organization

policyremediatormanager.*

(roles/policyremediatormanager.policyRemediatorReader)

Grants the ability to read/view the state of the policy remediator for the organization

policyremediatormanager.locations.*

policyremediatormanager.operations.get

policyremediatormanager.operations.list

policyremediatormanager.remediatorServices.get

(roles/policysimulator.admin)

Admin user that can run and access replays.

policysimulator.accessPolicySimulationResults.list

policysimulator.accessPolicySimulations.*

policysimulator.replayResults.list

policysimulator.replays.*

(roles/policysimulator.orgPolicyAdmin)

OrgPolicy Admin that can run and access simulations.

cloudasset.assets.analyzeOrgPolicy

cloudasset.assets.exportResource

cloudasset.assets.listResource

cloudasset.assets.searchAllResources

orgpolicy.customConstraints.get

orgpolicy.customConstraints.list

orgpolicy.policies.list

orgpolicy.policy.get

policysimulator.orgPolicyViolations.list

policysimulator.orgPolicyViolationsPreviews.*

resourcemanager.organizations.get

(roles/publicca.externalAccountKeyCreator)

This role can create a new externalAccountKey resource.

publicca.externalAccountKeys.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/readerrevenuesubscriptionlinking.admin)

Full access to publication reader resources

readerrevenuesubscriptionlinking.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/readerrevenuesubscriptionlinking.entitlementsViewer)

This role can view all publication reader entitlements

readerrevenuesubscriptionlinking.readerEntitlements.get

(roles/readerrevenuesubscriptionlinking.viewer)

This role can view all publication reader resources

readerrevenuesubscriptionlinking.readerEntitlements.get

readerrevenuesubscriptionlinking.readers.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.exporter)

Exporter of Recommendations

recommender.resources.export

(roles/remotebuildexecution.actionCacheWriter)

Remote Build Execution Action Cache Writer

remotebuildexecution.actions.set

remotebuildexecution.blobs.create

(roles/remotebuildexecution.artifactAdmin)

Remote Build Execution Artifact Admin

remotebuildexecution.actions.create

remotebuildexecution.actions.delete

remotebuildexecution.actions.get

remotebuildexecution.blobs.*

remotebuildexecution.logstreams.*

(roles/remotebuildexecution.artifactCreator)

Remote Build Execution Artifact Creator

remotebuildexecution.actions.create

remotebuildexecution.actions.get

remotebuildexecution.blobs.*

remotebuildexecution.logstreams.*

(roles/remotebuildexecution.artifactViewer)

Remote Build Execution Artifact Viewer

remotebuildexecution.actions.get

remotebuildexecution.blobs.get

remotebuildexecution.logstreams.get

(roles/remotebuildexecution.configurationAdmin)

Remote Build Execution Configuration Admin

remotebuildexecution.instances.*

remotebuildexecution.workerpools.*

(roles/remotebuildexecution.configurationViewer)

Remote Build Execution Configuration Viewer

remotebuildexecution.instances.get

remotebuildexecution.instances.list

remotebuildexecution.workerpools.get

remotebuildexecution.workerpools.list

(roles/remotebuildexecution.logstreamWriter)

Remote Build Execution Logstream Writer

remotebuildexecution.logstreams.create

remotebuildexecution.logstreams.update

(roles/remotebuildexecution.reservationAdmin)

Remote Build Execution Reservation Admin

remotebuildexecution.actions.create

remotebuildexecution.actions.delete

remotebuildexecution.actions.get

(roles/remotebuildexecution.worker)

Remote Build Execution Worker

remotebuildexecution.actions.update

remotebuildexecution.blobs.*

remotebuildexecution.botsessions.*

remotebuildexecution.logstreams.create

remotebuildexecution.logstreams.update

(roles/retail.admin)

Full access to Retail api resources.

automlrecommendations.apiKeys.create

automlrecommendations.apiKeys.delete

automlrecommendations.catalogItems.*

automlrecommendations.catalogs.*

automlrecommendations.eventStores.getStats

automlrecommendations.events.create

automlrecommendations.events.list

automlrecommendations.events.purge

automlrecommendations.events.rejoin

automlrecommendations.placements.*

automlrecommendations.recommendations.*

retail.*

(roles/retail.editor)

Full access to Retail api resources except purge, rejoin, and setSponsorship.

automlrecommendations.apiKeys.create

automlrecommendations.apiKeys.delete

automlrecommendations.catalogItems.*

automlrecommendations.catalogs.*

automlrecommendations.eventStores.getStats

automlrecommendations.events.create

automlrecommendations.events.list

automlrecommendations.placements.*

automlrecommendations.recommendations.*

retail.alertConfigs.*

retail.attributesConfigs.addCatalogAttribute

retail.attributesConfigs.exportCatalogAttributes

retail.attributesConfigs.get

retail.attributesConfigs.importCatalogAttributes

retail.attributesConfigs.replaceCatalogAttribute

retail.attributesConfigs.update

retail.branches.*

retail.catalogs.*

retail.controls.*

retail.experiments.*

retail.models.*

retail.operations.*

retail.placements.*

retail.products.create

retail.products.delete

retail.products.export

retail.products.get

retail.products.import

retail.products.list

retail.products.update

retail.retailProjects.get

retail.servingConfigs.*

retail.userEvents.create

retail.userEvents.import

(roles/retail.viewer)

Grants access to read all resources in Retail.

automlrecommendations.catalogItems.get

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.getStats

automlrecommendations.catalogs.list

automlrecommendations.eventStores.getStats

automlrecommendations.events.list

automlrecommendations.placements.getStats

automlrecommendations.placements.list

automlrecommendations.recommendations.list

retail.alertConfigs.get

retail.attributesConfigs.exportCatalogAttributes

retail.attributesConfigs.get

retail.branches.*

retail.catalogs.completeQuery

retail.catalogs.exportAnalyticsMetrics

retail.catalogs.list

retail.controls.export

retail.controls.get

retail.controls.list

retail.experiments.get

retail.experiments.list

retail.experiments.loadExperimentLookerDashboard

retail.experiments.queryTrafficMetrics

retail.models.get

retail.models.list

retail.operations.*

retail.placements.*

retail.products.export

retail.products.get

retail.products.list

retail.retailProjects.get

retail.servingConfigs.get

retail.servingConfigs.list

retail.servingConfigs.predict

retail.servingConfigs.search

(roles/riscconfigs.admin)

Read/write access to RISC config resources.

clientauthconfig.clients.list

riscconfigurationservice.*

(roles/riscconfigs.viewer)

Read-only access to RISC config resources.

clientauthconfig.clients.list

riscconfigurationservice.riscconfigs.get

(roles/routeoptimization.editor)

This role can create long-running operations via BatchOptimizeTours.

resourcemanager.projects.get

resourcemanager.projects.list

routeoptimization.*

(roles/routeoptimization.viewer)

This role can view any long-running Operations.

resourcemanager.projects.get

resourcemanager.projects.list

routeoptimization.operations.get

(roles/runapps.developer)

Access to create and change Serverless Integrations and their configuration.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.*

runapps.deployments.get

runapps.deployments.list

runapps.locations.*

runapps.operations.*

(roles/runapps.operator)

Access to deploy Serverless Integrations.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.get

runapps.applications.getStatus

runapps.applications.list

runapps.deployments.*

runapps.locations.*

runapps.operations.*

(roles/runapps.viewer)

Read-only access to Serverless Integrations resources.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.get

runapps.applications.getStatus

runapps.applications.list

runapps.deployments.get

runapps.deployments.list

runapps.locations.*

runapps.operations.get

runapps.operations.list

(roles/runtimeconfig.admin)

Full access to RuntimeConfig resources.

runtimeconfig.*

(roles/securedlandingzone.bqdwOrgRemediator)

Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

accesscontextmanager.servicePerimeters.update

(roles/securedlandingzone.bqdwProjectRemediator)

Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.setIamPolicy

bigquery.datasets.update

cloudkms.cryptoKeys.get

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.list

cloudkms.cryptoKeys.setIamPolicy

cloudkms.cryptoKeys.update

cloudkms.keyRings.getIamPolicy

cloudkms.keyRings.setIamPolicy

pubsub.topics.get

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsub.topics.setIamPolicy

pubsub.topics.update

resourcemanager.projects.update

serviceusage.services.use

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

storage.buckets.setIamPolicy

storage.buckets.update

(roles/securedlandingzone.overwatchActivator)

This role can activate or suspend Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.overwatches.activate

securedlandingzone.overwatches.suspend

(roles/securedlandingzone.overwatchAdmin)

Full access to Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.*

(roles/securedlandingzone.overwatchViewer)

This role can view all properties of Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.operations.get

securedlandingzone.overwatches.get

securedlandingzone.overwatches.list

(roles/securityposture.admin)

Full access to Security Posture service APIs.

orgpolicy.*

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.*

(roles/securityposture.postureDeployer)

Mutate and read permissions to the Posture Deployment resource.

orgpolicy.*

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.operations.get

securityposture.postureDeployments.*

(roles/securityposture.postureDeploymentsViewer)

Read only access to the Posture Deployment resource.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postureDeployments.get

securityposture.postureDeployments.list

(roles/securityposture.postureEditor)

Mutate and read permissions to the Posture resource.

securityposture.operations.get

securityposture.postures.*

(roles/securityposture.postureViewer)

Read only access to the Posture resource.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postures.get

securityposture.postures.list

(roles/securityposture.reportCreator)

Create access for Reports, e.g. IaC Validation Report.

securityposture.operations.get

securityposture.reports.*

(roles/securityposture.viewer)

Read only access to all the SecurityPosture Service resources.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postureDeployments.get

securityposture.postureDeployments.list

securityposture.postureTemplates.*

securityposture.postures.get

securityposture.postures.list

(roles/servicehealth.viewer)

Readonly access to Personalized Service Health resources.

resourcemanager.projects.get

resourcemanager.projects.list

servicehealth.*

(roles/servicesecurityinsights.securityInsightsViewer)

Read-only access to Security Insights resources

servicesecurityinsights.*

(roles/speakerid.admin)

Grants full access to all Speaker ID resources, including project settings.

speakerid.*

(roles/speakerid.editor)

Grants access to read and write all Speaker ID resources.

speakerid.phrases.*

speakerid.speakers.*

(roles/speakerid.verifier)

Grants read access to all Speaker ID resources, and allows verification.

speakerid.phrases.get

speakerid.phrases.list

speakerid.speakers.get

speakerid.speakers.list

speakerid.speakers.verify

(roles/speakerid.viewer)

Grants read access to all Speaker ID resources.

speakerid.phrases.get

speakerid.phrases.list

speakerid.speakers.get

speakerid.speakers.list

(roles/speech.admin)

Grants full access to all resources in Speech-to-text

speech.*

(roles/speech.client)

Grants access to the recognition APIs.

speech.adaptations.execute

speech.customClasses.get

speech.customClasses.list

speech.locations.*

speech.operations.get

speech.operations.list

speech.operations.wait

speech.phraseSets.get

speech.phraseSets.list

speech.recognizers.get

speech.recognizers.list

speech.recognizers.recognize

(roles/speech.editor)

Grants access to edit resources in Speech-to-text

speech.adaptations.execute

speech.customClasses.*

speech.locations.*

speech.operations.*

speech.phraseSets.*

speech.recognizers.*

(roles/storageinsights.admin)

Full access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.*

(roles/storageinsights.analyst)

Data access to Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.linkDataset

storageinsights.datasetConfigs.list

storageinsights.datasetConfigs.unlinkDataset

storageinsights.locations.*

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

(roles/storageinsights.viewer)

Read-only access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.list

storageinsights.locations.*

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

(roles/subscribewithgoogledeveloper.developer)

Access DevTools for Subscribe with Google

resourcemanager.projects.get

resourcemanager.projects.list

subscribewithgoogledeveloper.tools.get

(roles/telcoautomation.admin)

Full access to Telco Automation resources.

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

monitoring.timeSeries.list

observability.scopes.get

resourcemanager.projects.get

serviceusage.quotas.*

serviceusage.services.*

source.repos.get

source.repos.list

telcoautomation.*

(roles/telcoautomation.blueprintDesigner)

Ability to manage blueprints

telcoautomation.blueprints.create

telcoautomation.blueprints.delete

telcoautomation.blueprints.get

telcoautomation.blueprints.list

telcoautomation.blueprints.propose

telcoautomation.blueprints.update

telcoautomation.deployments.computeStatus

telcoautomation.deployments.get

telcoautomation.deployments.list

telcoautomation.hydratedDeployments.get

telcoautomation.hydratedDeployments.list

telcoautomation.orchestrationClusters.get

telcoautomation.orchestrationClusters.list

telcoautomation.publicBlueprints.*

(roles/telcoautomation.deploymentAdmin)

Ability to manage deployments

telcoautomation.blueprints.get

telcoautomation.blueprints.list

telcoautomation.deployments.*

telcoautomation.hydratedDeployments.*

telcoautomation.orchestrationClusters.get

telcoautomation.orchestrationClusters.list

(roles/telcoautomation.opsAdminTier1)

Ability to get status of deployments

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

observability.scopes.get

resourcemanager.projects.get

telcoautomation.blueprints.get

telcoautomation.blueprints.list

telcoautomation.deployments.computeStatus

telcoautomation.deployments.get

telcoautomation.deployments.list

telcoautomation.hydratedDeployments.get

telcoautomation.hydratedDeployments.list

telcoautomation.orchestrationClusters.get

telcoautomation.orchestrationClusters.list

(roles/telcoautomation.opsAdminTier4)

Ability to manage deployments and their status

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

observability.scopes.get

resourcemanager.projects.get

telcoautomation.blueprints.get

telcoautomation.blueprints.list

telcoautomation.deployments.*

telcoautomation.hydratedDeployments.*

telcoautomation.orchestrationClusters.get

telcoautomation.orchestrationClusters.list

(roles/telcoautomation.serviceOrchestrator)

Ability to manage deployments

telcoautomation.blueprints.get

telcoautomation.blueprints.list

telcoautomation.deployments.*

telcoautomation.hydratedDeployments.*

telcoautomation.orchestrationClusters.get

telcoautomation.orchestrationClusters.list

(roles/timeseriesinsights.datasetsEditor)

Edit access to DataSets.

timeseriesinsights.*

(roles/timeseriesinsights.datasetsOwner)

Full access to DataSets.

timeseriesinsights.*

(roles/timeseriesinsights.datasetsViewer)

Read-only access (List and Query) to DataSets.

timeseriesinsights.datasets.evaluate

timeseriesinsights.datasets.list

timeseriesinsights.datasets.query

timeseriesinsights.locations.*

(roles/trafficdirector.client)

Fetch service configurations and report metrics.

trafficdirector.*

(roles/translationhub.admin)

Admin of Translation Hub

automl.models.get

automl.models.list

automl.models.predict

cloudtranslate.customModels.get

cloudtranslate.customModels.list

cloudtranslate.customModels.predict

cloudtranslate.glossaries.create

cloudtranslate.glossaries.delete

cloudtranslate.glossaries.get

cloudtranslate.glossaries.list

cloudtranslate.glossaries.predict

resourcemanager.projects.get

resourcemanager.projects.list

translationhub.*

(roles/translationhub.portalUser)

Portal user of Translation Hub

automl.models.get

automl.models.list

automl.models.predict

cloudtranslate.customModels.get

cloudtranslate.customModels.list

cloudtranslate.customModels.predict

cloudtranslate.glossaries.get

cloudtranslate.glossaries.list

cloudtranslate.glossaries.predict

resourcemanager.projects.get

resourcemanager.projects.list

translationhub.portals.get

translationhub.portals.list

(roles/visualinspection.editor)

Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics

visualinspection.annotationSets.*

visualinspection.annotationSpecs.*

visualinspection.annotations.*

visualinspection.datasets.*

visualinspection.images.*

visualinspection.locations.get

visualinspection.locations.list

visualinspection.modelEvaluations.*

visualinspection.models.*

visualinspection.modules.*

visualinspection.operations.*

visualinspection.solutionArtifacts.*

visualinspection.solutions.*

(roles/visualinspection.usageMetricsReporter)

ReportUsageMetric access to Visual Inspection AI Service

visualinspection.locations.reportUsageMetrics

(roles/visualinspection.viewer)

Read access to Visual Inspection AI resources

visualinspection.annotationSets.get

visualinspection.annotationSets.list

visualinspection.annotationSpecs.get

visualinspection.annotationSpecs.list

visualinspection.annotations.get

visualinspection.annotations.list

visualinspection.datasets.export

visualinspection.datasets.get

visualinspection.datasets.list

visualinspection.images.get

visualinspection.images.list

visualinspection.locations.get

visualinspection.locations.list

visualinspection.modelEvaluations.*

visualinspection.models.get

visualinspection.models.list

visualinspection.modules.get

visualinspection.modules.list

visualinspection.operations.*

visualinspection.solutionArtifacts.get

visualinspection.solutionArtifacts.list

visualinspection.solutionArtifacts.predict

visualinspection.solutions.get

visualinspection.solutions.list

For more information about predefined roles, see Roles and permissions. For help choosing the most appropriate predefined roles, see Choose predefined roles.