See the supported connectors for Application Integration.

Predefined Application Integration IAM roles

Predefined roles give granular access to specific Google Cloud resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.

The following table lists all the predefined IAM roles for Application Integration:

Role and permissions

(roles/advisorynotifications.admin)

Grants write access to settings in Advisory Notifications

advisorynotifications.*

  • advisorynotifications.notifications.get
  • advisorynotifications.notifications.list
  • advisorynotifications.settings.get
  • advisorynotifications.settings.update

resourcemanager.organizations.get

resourcemanager.projects.get

(roles/advisorynotifications.viewer)

Grants view access in Advisory Notifications

advisorynotifications.notifications.*

  • advisorynotifications.notifications.get
  • advisorynotifications.notifications.list

advisorynotifications.settings.get

resourcemanager.organizations.get

resourcemanager.projects.get

(roles/apphub.admin)

Full access to App Hub resources.

apphub.*

  • apphub.applications.create
  • apphub.applications.delete
  • apphub.applications.get
  • apphub.applications.getIamPolicy
  • apphub.applications.list
  • apphub.applications.setIamPolicy
  • apphub.applications.update
  • apphub.discoveredServices.get
  • apphub.discoveredServices.list
  • apphub.discoveredServices.register
  • apphub.discoveredWorkloads.get
  • apphub.discoveredWorkloads.list
  • apphub.discoveredWorkloads.register
  • apphub.locations.get
  • apphub.locations.list
  • apphub.operations.cancel
  • apphub.operations.delete
  • apphub.operations.get
  • apphub.operations.list
  • apphub.serviceProjectAttachments.attach
  • apphub.serviceProjectAttachments.create
  • apphub.serviceProjectAttachments.delete
  • apphub.serviceProjectAttachments.detach
  • apphub.serviceProjectAttachments.get
  • apphub.serviceProjectAttachments.list
  • apphub.serviceProjectAttachments.lookup
  • apphub.services.create
  • apphub.services.delete
  • apphub.services.get
  • apphub.services.list
  • apphub.services.update
  • apphub.workloads.create
  • apphub.workloads.delete
  • apphub.workloads.get
  • apphub.workloads.list
  • apphub.workloads.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apphub.editor)

Edit access to App Hub resources.

apphub.applications.create

apphub.applications.delete

apphub.applications.get

apphub.applications.list

apphub.applications.update

apphub.discoveredServices.*

  • apphub.discoveredServices.get
  • apphub.discoveredServices.list
  • apphub.discoveredServices.register

apphub.discoveredWorkloads.*

  • apphub.discoveredWorkloads.get
  • apphub.discoveredWorkloads.list
  • apphub.discoveredWorkloads.register

apphub.locations.*

  • apphub.locations.get
  • apphub.locations.list

apphub.operations.*

  • apphub.operations.cancel
  • apphub.operations.delete
  • apphub.operations.get
  • apphub.operations.list

apphub.serviceProjectAttachments.lookup

apphub.services.*

  • apphub.services.create
  • apphub.services.delete
  • apphub.services.get
  • apphub.services.list
  • apphub.services.update

apphub.workloads.*

  • apphub.workloads.create
  • apphub.workloads.delete
  • apphub.workloads.get
  • apphub.workloads.list
  • apphub.workloads.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apphub.viewer)

View access to App Hub resources.

apphub.applications.get

apphub.applications.list

apphub.discoveredServices.get

apphub.discoveredServices.list

apphub.discoveredWorkloads.get

apphub.discoveredWorkloads.list

apphub.locations.*

  • apphub.locations.get
  • apphub.locations.list

apphub.operations.get

apphub.operations.list

apphub.serviceProjectAttachments.lookup

apphub.services.get

apphub.services.list

apphub.workloads.get

apphub.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/applianceactivation.approver)

Grants access to approve commands to run on appliances

applianceactivation.rttCommands.approve

applianceactivation.rttCommands.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/applianceactivation.client)

Grants access to read commands for an appliance and send its result.

applianceactivation.rttCommands.get

applianceactivation.rttCommands.sendResult

(roles/applianceactivation.troubleshooter)

Grants access to send new commands to run on appliances and view the outputs

applianceactivation.rttCommands.create

applianceactivation.rttCommands.get

applianceactivation.rttCommands.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/assuredoss.admin)

Full access to Assured OSS resources.

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.*

  • artifactregistry.files.download
  • artifactregistry.files.get
  • artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.*

  • assuredoss.config.get
  • assuredoss.locations.get
  • assuredoss.locations.list
  • assuredoss.metadata.get
  • assuredoss.metadata.list
  • assuredoss.operations.cancel
  • assuredoss.operations.delete
  • assuredoss.operations.get
  • assuredoss.operations.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/assuredoss.reader)

Read access to all Assured OSS resources.

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.*

  • artifactregistry.files.download
  • artifactregistry.files.get
  • artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

  • assuredoss.locations.get
  • assuredoss.locations.list

assuredoss.metadata.*

  • assuredoss.metadata.get
  • assuredoss.metadata.list

assuredoss.operations.get

assuredoss.operations.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/assuredoss.user)

Read access to Assured OSS packages and metadata.

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.*

  • artifactregistry.files.download
  • artifactregistry.files.get
  • artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.locations.*

  • assuredoss.locations.get
  • assuredoss.locations.list

assuredoss.metadata.*

  • assuredoss.metadata.get
  • assuredoss.metadata.list

assuredoss.operations.get

assuredoss.operations.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/auditmanager.admin)

Full access to Audit Manager resources.

auditmanager.*

  • auditmanager.auditReports.generate
  • auditmanager.auditScopeReports.generate
  • auditmanager.locations.enrollResource
  • auditmanager.locations.get
  • auditmanager.locations.list
  • auditmanager.operations.get
  • auditmanager.operations.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/auditmanager.auditor)

Allows creating and viewing an audit report.

auditmanager.auditReports.generate

auditmanager.auditScopeReports.generate

auditmanager.locations.get

auditmanager.locations.list

auditmanager.operations.*

  • auditmanager.operations.get
  • auditmanager.operations.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/autoscaling.metricsWriter)

Access to write metrics for an autoscaling site

autoscaling.sites.writeMetrics

(roles/autoscaling.recommendationsReader)

Access to read recommendations from an autoscaling site

autoscaling.sites.readRecommendations

(roles/autoscaling.sitesAdmin)

Full access to all autoscaling site features

autoscaling.*

  • autoscaling.sites.getIamPolicy
  • autoscaling.sites.readRecommendations
  • autoscaling.sites.setIamPolicy
  • autoscaling.sites.writeMetrics
  • autoscaling.sites.writeState

resourcemanager.projects.get

resourcemanager.projects.list

(roles/autoscaling.stateWriter)

Access to write state for an autoscaling site

autoscaling.sites.writeState

(roles/batch.agentReporter)

Reporter of batch agent states.

batch.states.report

(roles/batch.jobsEditor)

Editor of batch Jobs

batch.jobs.*

  • batch.jobs.create
  • batch.jobs.delete
  • batch.jobs.get
  • batch.jobs.list

batch.locations.*

  • batch.locations.get
  • batch.locations.list

batch.operations.*

  • batch.operations.get
  • batch.operations.list

batch.tasks.*

  • batch.tasks.get
  • batch.tasks.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/batch.jobsViewer)

Viewer of Batch Jobs, Task Groups and Tasks

batch.jobs.get

batch.jobs.list

batch.locations.*

  • batch.locations.get
  • batch.locations.list

batch.operations.*

  • batch.operations.get
  • batch.operations.list

batch.tasks.*

  • batch.tasks.get
  • batch.tasks.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/biglake.admin)

Provides full access to all BigLake resources.

biglake.*

  • biglake.catalogs.create
  • biglake.catalogs.delete
  • biglake.catalogs.get
  • biglake.catalogs.list
  • biglake.databases.create
  • biglake.databases.delete
  • biglake.databases.get
  • biglake.databases.list
  • biglake.databases.update
  • biglake.locks.check
  • biglake.locks.create
  • biglake.locks.delete
  • biglake.locks.list
  • biglake.tables.create
  • biglake.tables.delete
  • biglake.tables.get
  • biglake.tables.list
  • biglake.tables.lock
  • biglake.tables.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/biglake.viewer)

Provides read-only access to all BigLake resources.

biglake.catalogs.get

biglake.catalogs.list

biglake.databases.get

biglake.databases.list

biglake.locks.list

biglake.tables.get

biglake.tables.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquerymigration.editor)

Editor of EDW migration workflows.

bigquerymigration.locations.*

  • bigquerymigration.locations.get
  • bigquerymigration.locations.list

bigquerymigration.subtasks.get

bigquerymigration.subtasks.list

bigquerymigration.workflows.create

bigquerymigration.workflows.delete

bigquerymigration.workflows.get

bigquerymigration.workflows.list

bigquerymigration.workflows.update

(roles/bigquerymigration.orchestrator)

Orchestrator of EDW migration tasks.

bigquerymigration.subtasks.create

bigquerymigration.taskTypes.orchestrateTask

bigquerymigration.workflows.orchestrateTask

storage.objects.list

(roles/bigquerymigration.translationUser)

User of EDW migration interactive SQL translation service.

bigquerymigration.translation.translate

(roles/bigquerymigration.viewer)

Viewer of EDW migration MigrationWorkflow.

bigquerymigration.locations.*

  • bigquerymigration.locations.get
  • bigquerymigration.locations.list

bigquerymigration.subtasks.get

bigquerymigration.subtasks.list

bigquerymigration.workflows.get

bigquerymigration.workflows.list

(roles/bigquerymigration.worker)

Worker that executes EDW migration subtasks.

bigquerymigration.subtaskTypes.executeTask

bigquerymigration.subtasks.executeTask

storage.objects.create

storage.objects.get

storage.objects.list

(roles/billing.carbonViewer)

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.list

(roles/blockchainnodeengine.admin)

Full access to Blockchain Node Engine resources.

blockchainnodeengine.*

  • blockchainnodeengine.blockchainNodes.create
  • blockchainnodeengine.blockchainNodes.delete
  • blockchainnodeengine.blockchainNodes.get
  • blockchainnodeengine.blockchainNodes.list
  • blockchainnodeengine.blockchainNodes.update
  • blockchainnodeengine.locations.get
  • blockchainnodeengine.locations.list
  • blockchainnodeengine.operations.cancel
  • blockchainnodeengine.operations.delete
  • blockchainnodeengine.operations.get
  • blockchainnodeengine.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/blockchainnodeengine.viewer)

Read-only access to Blockchain Node Engine resources.

blockchainnodeengine.blockchainNodes.get

blockchainnodeengine.blockchainNodes.list

blockchainnodeengine.locations.*

  • blockchainnodeengine.locations.get
  • blockchainnodeengine.locations.list

blockchainnodeengine.operations.get

blockchainnodeengine.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/capacityplanner.viewer)

Read-only access to Capacity Planner usage resources

capacityplanner.*

  • capacityplanner.forecasts.list
  • capacityplanner.usageHistories.list
  • capacityplanner.usageHistories.summarize

cloudquotas.quotas.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

(roles/carestudio.viewer)

This role can view all properties of Patients.

carestudio.*

  • carestudio.patients.get
  • carestudio.patients.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chroniclesm.admin)

Admins can view and modify Chronicle service details.

chroniclesm.*

  • chroniclesm.gcpAssociations.create
  • chroniclesm.gcpAssociations.delete
  • chroniclesm.gcpAssociations.get
  • chroniclesm.gcpSettings.get
  • chroniclesm.gcpSettings.update

(roles/chroniclesm.viewer)

Viewers can see Chronicle service details but not change them.

chroniclesm.gcpAssociations.get

chroniclesm.gcpSettings.get

(roles/cloud.locationReader)

Read and enumerate locations available for resource creation.

cloud.*

  • cloud.locations.get
  • cloud.locations.list

(roles/cloudaicompanion.user)

A user who can receive assistance from Cloud AI Companion

cloudaicompanion.*

  • cloudaicompanion.companions.generateChat
  • cloudaicompanion.companions.generateCode
  • cloudaicompanion.entitlements.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudcontrolspartner.admin)

Full access to Cloud Controls Partner resources.

cloudcontrolspartner.customers.list

cloudcontrolspartner.ekmconnections.get

cloudcontrolspartner.inspectabilityevents.get

cloudcontrolspartner.partners.get

cloudcontrolspartner.platformcontrols.get

cloudcontrolspartner.violations.list

cloudcontrolspartner.workloads.list

(roles/cloudcontrolspartner.editor)

Editor access to Cloud Controls Partner resources.

cloudcontrolspartner.*

  • cloudcontrolspartner.customers.get
  • cloudcontrolspartner.customers.list
  • cloudcontrolspartner.ekmconnections.get
  • cloudcontrolspartner.inspectabilityevents.get
  • cloudcontrolspartner.partners.get
  • cloudcontrolspartner.platformcontrols.get
  • cloudcontrolspartner.violations.get
  • cloudcontrolspartner.violations.list
  • cloudcontrolspartner.workloads.get
  • cloudcontrolspartner.workloads.list

(roles/cloudcontrolspartner.inspectabilityReader)

Read-only access to Cloud Controls Partner inspectability resources.

cloudcontrolspartner.customers.*

  • cloudcontrolspartner.customers.get
  • cloudcontrolspartner.customers.list

cloudcontrolspartner.inspectabilityevents.get

cloudcontrolspartner.platformcontrols.get

(roles/cloudcontrolspartner.monitoringReader)

Read-only access to Cloud Controls Partner monitoring resources.

cloudcontrolspartner.customers.*

  • cloudcontrolspartner.customers.get
  • cloudcontrolspartner.customers.list

cloudcontrolspartner.violations.*

  • cloudcontrolspartner.violations.get
  • cloudcontrolspartner.violations.list

cloudcontrolspartner.workloads.*

  • cloudcontrolspartner.workloads.get
  • cloudcontrolspartner.workloads.list

(roles/cloudcontrolspartner.reader)

Read-only access to Cloud Controls Partner resources.

cloudcontrolspartner.*

  • cloudcontrolspartner.customers.get
  • cloudcontrolspartner.customers.list
  • cloudcontrolspartner.ekmconnections.get
  • cloudcontrolspartner.inspectabilityevents.get
  • cloudcontrolspartner.partners.get
  • cloudcontrolspartner.platformcontrols.get
  • cloudcontrolspartner.violations.get
  • cloudcontrolspartner.violations.list
  • cloudcontrolspartner.workloads.get
  • cloudcontrolspartner.workloads.list

(roles/cloudoptimization.admin)

Administrator of Cloud Optimization AI resources

cloudoptimization.*

  • cloudoptimization.operations.create
  • cloudoptimization.operations.get

(roles/cloudoptimization.editor)

Editor of Cloud Optimization AI resources

cloudoptimization.*

  • cloudoptimization.operations.create
  • cloudoptimization.operations.get

(roles/cloudoptimization.viewer)

Viewer of Cloud Optimization AI resources

cloudoptimization.operations.get

(roles/cloudquotas.admin)

Full access to Cloud Quotas resources.

cloudquotas.*

  • cloudquotas.quotas.get
  • cloudquotas.quotas.update

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudquotas.viewer)

Read-only access to Cloud Quotas resources.

cloudquotas.quotas.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceagreementpublishing.admin)

Admin of Commerce Agreement Publishing service

commerceagreementpublishing.*

  • commerceagreementpublishing.agreements.create
  • commerceagreementpublishing.agreements.delete
  • commerceagreementpublishing.agreements.get
  • commerceagreementpublishing.agreements.list
  • commerceagreementpublishing.agreements.update
  • commerceagreementpublishing.documents.create
  • commerceagreementpublishing.documents.delete
  • commerceagreementpublishing.documents.get
  • commerceagreementpublishing.documents.list
  • commerceagreementpublishing.documents.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceagreementpublishing.viewer)

Viewer of Commerce Agreement Publishing service

commerceagreementpublishing.agreements.get

commerceagreementpublishing.agreements.list

commerceagreementpublishing.documents.get

commerceagreementpublishing.documents.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/confidentialcomputing.workloadUser)

Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.

confidentialcomputing.*

  • confidentialcomputing.challenges.create
  • confidentialcomputing.challenges.verify
  • confidentialcomputing.locations.get
  • confidentialcomputing.locations.list

logging.logEntries.create

(roles/contactcenteraiplatform.admin)

Full access to Contact Center AI Platform resources.

contactcenteraiplatform.*

  • contactcenteraiplatform.contactCenters.create
  • contactcenteraiplatform.contactCenters.delete
  • contactcenteraiplatform.contactCenters.get
  • contactcenteraiplatform.contactCenters.list
  • contactcenteraiplatform.contactCenters.program
  • contactcenteraiplatform.contactCenters.queryQuota
  • contactcenteraiplatform.contactCenters.update
  • contactcenteraiplatform.locations.get
  • contactcenteraiplatform.locations.list
  • contactcenteraiplatform.operations.cancel
  • contactcenteraiplatform.operations.delete
  • contactcenteraiplatform.operations.get
  • contactcenteraiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contactcenteraiplatform.viewer)

Read-only access to Contact Center AI Platform resources.

contactcenteraiplatform.contactCenters.get

contactcenteraiplatform.contactCenters.list

contactcenteraiplatform.locations.*

  • contactcenteraiplatform.locations.get
  • contactcenteraiplatform.locations.list

contactcenteraiplatform.operations.get

contactcenteraiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contactcenterinsights.editor)

Grants read and write access to all Contact Center AI Insights resources.

contactcenterinsights.*

  • contactcenterinsights.analyses.create
  • contactcenterinsights.analyses.delete
  • contactcenterinsights.analyses.get
  • contactcenterinsights.analyses.list
  • contactcenterinsights.conversations.create
  • contactcenterinsights.conversations.delete
  • contactcenterinsights.conversations.export
  • contactcenterinsights.conversations.get
  • contactcenterinsights.conversations.list
  • contactcenterinsights.conversations.update
  • contactcenterinsights.conversations.upload
  • contactcenterinsights.faqEntries.delete
  • contactcenterinsights.faqEntries.get
  • contactcenterinsights.faqEntries.list
  • contactcenterinsights.faqEntries.update
  • contactcenterinsights.faqModels.create
  • contactcenterinsights.faqModels.delete
  • contactcenterinsights.faqModels.get
  • contactcenterinsights.faqModels.list
  • contactcenterinsights.faqModels.update
  • contactcenterinsights.issueModels.create
  • contactcenterinsights.issueModels.delete
  • contactcenterinsights.issueModels.deploy
  • contactcenterinsights.issueModels.export
  • contactcenterinsights.issueModels.get
  • contactcenterinsights.issueModels.import
  • contactcenterinsights.issueModels.list
  • contactcenterinsights.issueModels.undeploy
  • contactcenterinsights.issueModels.update
  • contactcenterinsights.issues.create
  • contactcenterinsights.issues.delete
  • contactcenterinsights.issues.get
  • contactcenterinsights.issues.list
  • contactcenterinsights.issues.update
  • contactcenterinsights.operations.get
  • contactcenterinsights.operations.list
  • contactcenterinsights.phraseMatchers.create
  • contactcenterinsights.phraseMatchers.delete
  • contactcenterinsights.phraseMatchers.get
  • contactcenterinsights.phraseMatchers.list
  • contactcenterinsights.phraseMatchers.update
  • contactcenterinsights.settings.get
  • contactcenterinsights.settings.update
  • contactcenterinsights.views.create
  • contactcenterinsights.views.delete
  • contactcenterinsights.views.get
  • contactcenterinsights.views.list
  • contactcenterinsights.views.update

(roles/contactcenterinsights.viewer)

Grants read access to all Contact Center AI Insights resources.

contactcenterinsights.analyses.get

contactcenterinsights.analyses.list

contactcenterinsights.conversations.get

contactcenterinsights.conversations.list

contactcenterinsights.faqEntries.get

contactcenterinsights.faqEntries.list

contactcenterinsights.faqModels.get

contactcenterinsights.faqModels.list

contactcenterinsights.issueModels.get

contactcenterinsights.issueModels.list

contactcenterinsights.issues.get

contactcenterinsights.issues.list

contactcenterinsights.operations.*

  • contactcenterinsights.operations.get
  • contactcenterinsights.operations.list

contactcenterinsights.phraseMatchers.get

contactcenterinsights.phraseMatchers.list

contactcenterinsights.settings.get

contactcenterinsights.views.get

contactcenterinsights.views.list

(roles/containersecurity.viewer)

Read-only access to GKE Security Posture resources.

containersecurity.*

  • containersecurity.clusterSummaries.list
  • containersecurity.findings.list
  • containersecurity.locations.get
  • containersecurity.locations.list
  • containersecurity.workloadConfigAudits.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.admin)

Grants full access to all the resources in Content Warehouse

contentwarehouse.corpora.*

  • contentwarehouse.corpora.create
  • contentwarehouse.corpora.delete
  • contentwarehouse.corpora.get
  • contentwarehouse.corpora.list
  • contentwarehouse.corpora.update

contentwarehouse.dataExportJobs.*

  • contentwarehouse.dataExportJobs.create
  • contentwarehouse.dataExportJobs.update

contentwarehouse.documentSchemas.*

  • contentwarehouse.documentSchemas.create
  • contentwarehouse.documentSchemas.delete
  • contentwarehouse.documentSchemas.get
  • contentwarehouse.documentSchemas.list
  • contentwarehouse.documentSchemas.update

contentwarehouse.documents.*

  • contentwarehouse.documents.create
  • contentwarehouse.documents.delete
  • contentwarehouse.documents.get
  • contentwarehouse.documents.getIamPolicy
  • contentwarehouse.documents.list
  • contentwarehouse.documents.setIamPolicy
  • contentwarehouse.documents.update

contentwarehouse.locations.*

  • contentwarehouse.locations.getStatus
  • contentwarehouse.locations.initialize

contentwarehouse.operations.get

contentwarehouse.rawDocuments.*

  • contentwarehouse.rawDocuments.download
  • contentwarehouse.rawDocuments.upload

contentwarehouse.ruleSets.*

  • contentwarehouse.ruleSets.create
  • contentwarehouse.ruleSets.delete
  • contentwarehouse.ruleSets.get
  • contentwarehouse.ruleSets.list
  • contentwarehouse.ruleSets.update

contentwarehouse.synonymSets.*

  • contentwarehouse.synonymSets.create
  • contentwarehouse.synonymSets.delete
  • contentwarehouse.synonymSets.get
  • contentwarehouse.synonymSets.list
  • contentwarehouse.synonymSets.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentAdmin)

Grants full access to the document resource in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.create

contentwarehouse.documents.delete

contentwarehouse.documents.get

contentwarehouse.documents.getIamPolicy

contentwarehouse.documents.setIamPolicy

contentwarehouse.documents.update

contentwarehouse.links.*

  • contentwarehouse.links.create
  • contentwarehouse.links.delete
  • contentwarehouse.links.get
  • contentwarehouse.links.update

contentwarehouse.locations.getStatus

contentwarehouse.rawDocuments.*

  • contentwarehouse.rawDocuments.download
  • contentwarehouse.rawDocuments.upload

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentCreator)

Grants access to create documents in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documentSchemas.list

contentwarehouse.documents.create

contentwarehouse.locations.getStatus

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentEditor)

Grants access to update the document resource in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.get

contentwarehouse.documents.getIamPolicy

contentwarehouse.documents.update

contentwarehouse.links.*

  • contentwarehouse.links.create
  • contentwarehouse.links.delete
  • contentwarehouse.links.get
  • contentwarehouse.links.update

contentwarehouse.locations.getStatus

contentwarehouse.rawDocuments.*

  • contentwarehouse.rawDocuments.download
  • contentwarehouse.rawDocuments.upload

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentSchemaViewer)

Grants access to view the document schemas in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documentSchemas.list

contentwarehouse.locations.getStatus

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentViewer)

Grants access to view all the resources in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.get

contentwarehouse.documents.getIamPolicy

contentwarehouse.links.get

contentwarehouse.locations.getStatus

contentwarehouse.rawDocuments.download

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.admin)

Grants full access to all resources in Data Lineage API

datalineage.*

  • datalineage.events.create
  • datalineage.events.delete
  • datalineage.events.get
  • datalineage.events.list
  • datalineage.locations.searchLinks
  • datalineage.operations.get
  • datalineage.processes.create
  • datalineage.processes.delete
  • datalineage.processes.get
  • datalineage.processes.list
  • datalineage.processes.update
  • datalineage.runs.create
  • datalineage.runs.delete
  • datalineage.runs.get
  • datalineage.runs.list
  • datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.editor)

Grants edit access to all resources in Data Lineage API

datalineage.events.*

  • datalineage.events.create
  • datalineage.events.delete
  • datalineage.events.get
  • datalineage.events.list

datalineage.locations.searchLinks

datalineage.operations.get

datalineage.processes.create

datalineage.processes.get

datalineage.processes.list

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.list

datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.producer)

Grants access to create all resources in the Data Lineage API

datalineage.events.create

datalineage.processes.create

datalineage.processes.get

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.viewer)

Grants read access to all resources in Data Lineage API

datalineage.events.get

datalineage.events.list

datalineage.locations.searchLinks

datalineage.processes.get

datalineage.processes.list

datalineage.runs.get

datalineage.runs.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataprocessing.admin)

Data processing controls admin who can fully manage data processing controls settings and view all datasource data.

billing.accounts.get

billing.accounts.list

dataprocessing.*

  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.datasources.update
  • dataprocessing.featurecontrols.list
  • dataprocessing.featurecontrols.update
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • dataprocessing.groupcontrols.update

(roles/dataprocessing.dataSourceManager)

Data processing controls data source manager who can get, list, and update the underlying data.

dataprocessing.datasources.list

dataprocessing.datasources.update

(roles/discoveryengine.admin)

Grants full access to all discoveryengine resources.

discoveryengine.*

  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens
  • discoveryengine.branches.get
  • discoveryengine.branches.list
  • discoveryengine.cmekConfigs.get
  • discoveryengine.cmekConfigs.list
  • discoveryengine.cmekConfigs.update
  • discoveryengine.collections.delete
  • discoveryengine.collections.get
  • discoveryengine.collections.list
  • discoveryengine.completionConfigs.get
  • discoveryengine.completionConfigs.update
  • discoveryengine.controls.create
  • discoveryengine.controls.delete
  • discoveryengine.controls.get
  • discoveryengine.controls.list
  • discoveryengine.controls.update
  • discoveryengine.conversations.converse
  • discoveryengine.conversations.create
  • discoveryengine.conversations.delete
  • discoveryengine.conversations.get
  • discoveryengine.conversations.list
  • discoveryengine.conversations.update
  • discoveryengine.dataStores.completeQuery
  • discoveryengine.dataStores.create
  • discoveryengine.dataStores.delete
  • discoveryengine.dataStores.enrollSolutions
  • discoveryengine.dataStores.get
  • discoveryengine.dataStores.list
  • discoveryengine.dataStores.trainCustomModel
  • discoveryengine.dataStores.update
  • discoveryengine.documentProcessingConfigs.get
  • discoveryengine.documentProcessingConfigs.update
  • discoveryengine.documents.create
  • discoveryengine.documents.delete
  • discoveryengine.documents.get
  • discoveryengine.documents.import
  • discoveryengine.documents.list
  • discoveryengine.documents.purge
  • discoveryengine.documents.update
  • discoveryengine.engines.create
  • discoveryengine.engines.delete
  • discoveryengine.engines.get
  • discoveryengine.engines.list
  • discoveryengine.engines.pause
  • discoveryengine.engines.resume
  • discoveryengine.engines.tune
  • discoveryengine.engines.update
  • discoveryengine.locations.estimateDataSize
  • discoveryengine.models.create
  • discoveryengine.models.delete
  • discoveryengine.models.get
  • discoveryengine.models.list
  • discoveryengine.models.pause
  • discoveryengine.models.resume
  • discoveryengine.models.tune
  • discoveryengine.models.update
  • discoveryengine.operations.get
  • discoveryengine.operations.list
  • discoveryengine.projects.get
  • discoveryengine.projects.provision
  • discoveryengine.projects.reportConsentChange
  • discoveryengine.schemas.create
  • discoveryengine.schemas.delete
  • discoveryengine.schemas.get
  • discoveryengine.schemas.list
  • discoveryengine.schemas.update
  • discoveryengine.servingConfigs.create
  • discoveryengine.servingConfigs.delete
  • discoveryengine.servingConfigs.get
  • discoveryengine.servingConfigs.list
  • discoveryengine.servingConfigs.recommend
  • discoveryengine.servingConfigs.search
  • discoveryengine.servingConfigs.update
  • discoveryengine.siteSearchEngines.batchVerifyTargetSites
  • discoveryengine.siteSearchEngines.disableAdvancedSiteSearch
  • discoveryengine.siteSearchEngines.enableAdvancedSiteSearch
  • discoveryengine.siteSearchEngines.fetchDomainVerificationStatus
  • discoveryengine.siteSearchEngines.get
  • discoveryengine.siteSearchEngines.recrawlUris
  • discoveryengine.suggestionDenyListEntries.import
  • discoveryengine.suggestionDenyListEntries.purge
  • discoveryengine.targetSites.batchCreate
  • discoveryengine.targetSites.create
  • discoveryengine.targetSites.delete
  • discoveryengine.targetSites.get
  • discoveryengine.targetSites.list
  • discoveryengine.targetSites.update
  • discoveryengine.userEvents.create
  • discoveryengine.userEvents.fetchStats
  • discoveryengine.userEvents.import
  • discoveryengine.userEvents.purge
  • discoveryengine.widgetConfigs.get
  • discoveryengine.widgetConfigs.update

(roles/discoveryengine.editor)

Grants read and write access to all discovery engine resources.

discoveryengine.analytics.*

  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens

discoveryengine.branches.*

  • discoveryengine.branches.get
  • discoveryengine.branches.list

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.get

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.*

  • discoveryengine.conversations.converse
  • discoveryengine.conversations.create
  • discoveryengine.conversations.delete
  • discoveryengine.conversations.get
  • discoveryengine.conversations.list
  • discoveryengine.conversations.update

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.create

discoveryengine.documents.delete

discoveryengine.documents.get

discoveryengine.documents.import

discoveryengine.documents.list

discoveryengine.documents.update

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.engines.pause

discoveryengine.engines.resume

discoveryengine.engines.tune

discoveryengine.models.*

  • discoveryengine.models.create
  • discoveryengine.models.delete
  • discoveryengine.models.get
  • discoveryengine.models.list
  • discoveryengine.models.pause
  • discoveryengine.models.resume
  • discoveryengine.models.tune
  • discoveryengine.models.update

discoveryengine.operations.*

  • discoveryengine.operations.get
  • discoveryengine.operations.list

discoveryengine.projects.get

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.create

discoveryengine.userEvents.fetchStats

discoveryengine.userEvents.import

discoveryengine.widgetConfigs.*

  • discoveryengine.widgetConfigs.get
  • discoveryengine.widgetConfigs.update

(roles/discoveryengine.viewer)

Grants read access to all discovery engine resources.

discoveryengine.analytics.*

  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens

discoveryengine.branches.*

  • discoveryengine.branches.get
  • discoveryengine.branches.list

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.get

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.converse

discoveryengine.conversations.get

discoveryengine.conversations.list

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.get

discoveryengine.documents.list

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.models.get

discoveryengine.models.list

discoveryengine.operations.*

  • discoveryengine.operations.get
  • discoveryengine.operations.list

discoveryengine.projects.get

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.fetchStats

discoveryengine.widgetConfigs.get

(roles/enterprisepurchasing.admin)

Full access to Enterprise Purchasing resources.

enterprisepurchasing.*

  • enterprisepurchasing.gcveCuds.create
  • enterprisepurchasing.gcveCuds.get
  • enterprisepurchasing.gcveCuds.list
  • enterprisepurchasing.gcveNodePricingInfo.list
  • enterprisepurchasing.locations.get
  • enterprisepurchasing.locations.list
  • enterprisepurchasing.operations.cancel
  • enterprisepurchasing.operations.delete
  • enterprisepurchasing.operations.get
  • enterprisepurchasing.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/enterprisepurchasing.editor)

Edit access to Enterprise Purchasing resources.

enterprisepurchasing.gcveCuds.get

enterprisepurchasing.gcveCuds.list

enterprisepurchasing.gcveNodePricingInfo.list

enterprisepurchasing.locations.*

  • enterprisepurchasing.locations.get
  • enterprisepurchasing.locations.list

enterprisepurchasing.operations.get

enterprisepurchasing.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/enterprisepurchasing.viewer)

Read-only access to Enterprise Purchasing resources.

enterprisepurchasing.gcveCuds.get

enterprisepurchasing.gcveCuds.list

enterprisepurchasing.gcveNodePricingInfo.list

enterprisepurchasing.locations.*

  • enterprisepurchasing.locations.get
  • enterprisepurchasing.locations.list

enterprisepurchasing.operations.get

enterprisepurchasing.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/essentialcontacts.admin)

Full access to all essential contacts

essentialcontacts.*

  • essentialcontacts.contacts.create
  • essentialcontacts.contacts.delete
  • essentialcontacts.contacts.get
  • essentialcontacts.contacts.list
  • essentialcontacts.contacts.send
  • essentialcontacts.contacts.update

(roles/essentialcontacts.viewer)

Viewer for all essential contacts

essentialcontacts.contacts.get

essentialcontacts.contacts.list

(roles/firebasecloudmessaging.admin)

Full read/write access to Firebase Cloud Messaging API resources.

cloudmessaging.messages.create

fcmdata.deliverydata.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasecrash.symbolMappingsAdmin)

Full read/write access to symbol mapping file resources for Firebase Crash Reporting.

firebase.clients.get

firebase.clients.list

resourcemanager.projects.get

(roles/gdchardwaremanagement.admin)

Full access to GDC Hardware Management resources.

gdchardwaremanagement.*

  • gdchardwaremanagement.changeLogEntries.get
  • gdchardwaremanagement.changeLogEntries.list
  • gdchardwaremanagement.comments.create
  • gdchardwaremanagement.comments.get
  • gdchardwaremanagement.comments.list
  • gdchardwaremanagement.hardware.get
  • gdchardwaremanagement.hardware.list
  • gdchardwaremanagement.hardware.update
  • gdchardwaremanagement.hardwareGroups.create
  • gdchardwaremanagement.hardwareGroups.delete
  • gdchardwaremanagement.hardwareGroups.get
  • gdchardwaremanagement.hardwareGroups.list
  • gdchardwaremanagement.hardwareGroups.update
  • gdchardwaremanagement.locations.get
  • gdchardwaremanagement.locations.list
  • gdchardwaremanagement.operations.cancel
  • gdchardwaremanagement.operations.delete
  • gdchardwaremanagement.operations.get
  • gdchardwaremanagement.operations.list
  • gdchardwaremanagement.orders.create
  • gdchardwaremanagement.orders.delete
  • gdchardwaremanagement.orders.get
  • gdchardwaremanagement.orders.list
  • gdchardwaremanagement.orders.submit
  • gdchardwaremanagement.orders.update
  • gdchardwaremanagement.sites.create
  • gdchardwaremanagement.sites.get
  • gdchardwaremanagement.sites.list
  • gdchardwaremanagement.sites.update
  • gdchardwaremanagement.skus.get
  • gdchardwaremanagement.skus.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gdchardwaremanagement.operator)

Create, read, and update access to GDC Hardware Management resources that support those operations. Also grants delete access to the HardwareGroup resource.

gdchardwaremanagement.changeLogEntries.*

  • gdchardwaremanagement.changeLogEntries.get
  • gdchardwaremanagement.changeLogEntries.list

gdchardwaremanagement.comments.*

  • gdchardwaremanagement.comments.create
  • gdchardwaremanagement.comments.get
  • gdchardwaremanagement.comments.list

gdchardwaremanagement.hardware.*

  • gdchardwaremanagement.hardware.get
  • gdchardwaremanagement.hardware.list
  • gdchardwaremanagement.hardware.update

gdchardwaremanagement.hardwareGroups.*

  • gdchardwaremanagement.hardwareGroups.create
  • gdchardwaremanagement.hardwareGroups.delete
  • gdchardwaremanagement.hardwareGroups.get
  • gdchardwaremanagement.hardwareGroups.list
  • gdchardwaremanagement.hardwareGroups.update

gdchardwaremanagement.locations.*

  • gdchardwaremanagement.locations.get
  • gdchardwaremanagement.locations.list

gdchardwaremanagement.operations.get

gdchardwaremanagement.operations.list

gdchardwaremanagement.orders.create

gdchardwaremanagement.orders.get

gdchardwaremanagement.orders.list

gdchardwaremanagement.orders.update

gdchardwaremanagement.sites.*

  • gdchardwaremanagement.sites.create
  • gdchardwaremanagement.sites.get
  • gdchardwaremanagement.sites.list
  • gdchardwaremanagement.sites.update

gdchardwaremanagement.skus.*

  • gdchardwaremanagement.skus.get
  • gdchardwaremanagement.skus.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gdchardwaremanagement.reader)

Read-only access to GDC Hardware Management resources.

gdchardwaremanagement.changeLogEntries.*

  • gdchardwaremanagement.changeLogEntries.get
  • gdchardwaremanagement.changeLogEntries.list

gdchardwaremanagement.comments.get

gdchardwaremanagement.comments.list

gdchardwaremanagement.hardware.get

gdchardwaremanagement.hardware.list

gdchardwaremanagement.hardwareGroups.get

gdchardwaremanagement.hardwareGroups.list

gdchardwaremanagement.locations.*

  • gdchardwaremanagement.locations.get
  • gdchardwaremanagement.locations.list

gdchardwaremanagement.operations.get

gdchardwaremanagement.operations.list

gdchardwaremanagement.orders.get

gdchardwaremanagement.orders.list

gdchardwaremanagement.sites.get

gdchardwaremanagement.sites.list

gdchardwaremanagement.skus.*

  • gdchardwaremanagement.skus.get
  • gdchardwaremanagement.skus.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/identityplatform.admin)

Full access to Identity Platform resources.

firebaseauth.*

  • firebaseauth.configs.create
  • firebaseauth.configs.get
  • firebaseauth.configs.getHashConfig
  • firebaseauth.configs.getSecret
  • firebaseauth.configs.update
  • firebaseauth.users.create
  • firebaseauth.users.createSession
  • firebaseauth.users.delete
  • firebaseauth.users.get
  • firebaseauth.users.sendEmail
  • firebaseauth.users.update

identitytoolkit.*

  • identitytoolkit.tenants.create
  • identitytoolkit.tenants.delete
  • identitytoolkit.tenants.get
  • identitytoolkit.tenants.getIamPolicy
  • identitytoolkit.tenants.list
  • identitytoolkit.tenants.setIamPolicy
  • identitytoolkit.tenants.update

(roles/identityplatform.viewer)

Read access to Identity Platform resources.

firebaseauth.configs.get

firebaseauth.users.get

identitytoolkit.tenants.get

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

(roles/identitytoolkit.admin)

Full access to Identity Toolkit resources.

firebaseauth.*

  • firebaseauth.configs.create
  • firebaseauth.configs.get
  • firebaseauth.configs.getHashConfig
  • firebaseauth.configs.getSecret
  • firebaseauth.configs.update
  • firebaseauth.users.create
  • firebaseauth.users.createSession
  • firebaseauth.users.delete
  • firebaseauth.users.get
  • firebaseauth.users.sendEmail
  • firebaseauth.users.update

identitytoolkit.*

  • identitytoolkit.tenants.create
  • identitytoolkit.tenants.delete
  • identitytoolkit.tenants.get
  • identitytoolkit.tenants.getIamPolicy
  • identitytoolkit.tenants.list
  • identitytoolkit.tenants.setIamPolicy
  • identitytoolkit.tenants.update

(roles/identitytoolkit.viewer)

Read access to Identity Toolkit resources.

firebaseauth.configs.get

firebaseauth.users.get

identitytoolkit.tenants.get

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

(roles/integrations.apigeeIntegrationAdminRole)

A user that has full access to all Apigee integrations.

connectors.actions.*

  • connectors.actions.execute
  • connectors.actions.list

connectors.connections.executeSqlQuery

connectors.entities.*

  • connectors.entities.create
  • connectors.entities.delete
  • connectors.entities.deleteEntitiesWithConditions
  • connectors.entities.get
  • connectors.entities.list
  • connectors.entities.update
  • connectors.entities.updateEntitiesWithConditions

connectors.entityTypes.list

integrations.apigeeAuthConfigs.*

  • integrations.apigeeAuthConfigs.create
  • integrations.apigeeAuthConfigs.delete
  • integrations.apigeeAuthConfigs.get
  • integrations.apigeeAuthConfigs.list
  • integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.*

  • integrations.apigeeCertificates.create
  • integrations.apigeeCertificates.delete
  • integrations.apigeeCertificates.get
  • integrations.apigeeCertificates.list
  • integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

  • integrations.apigeeIntegrationVers.create
  • integrations.apigeeIntegrationVers.delete
  • integrations.apigeeIntegrationVers.deploy
  • integrations.apigeeIntegrationVers.get
  • integrations.apigeeIntegrationVers.list
  • integrations.apigeeIntegrationVers.update

integrations.apigeeIntegrations.*

  • integrations.apigeeIntegrations.invoke
  • integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.*

  • integrations.apigeeSfdcChannels.create
  • integrations.apigeeSfdcChannels.delete
  • integrations.apigeeSfdcChannels.get
  • integrations.apigeeSfdcChannels.list
  • integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.*

  • integrations.apigeeSfdcInstances.create
  • integrations.apigeeSfdcInstances.delete
  • integrations.apigeeSfdcInstances.get
  • integrations.apigeeSfdcInstances.list
  • integrations.apigeeSfdcInstances.update

integrations.apigeeSuspensions.*

  • integrations.apigeeSuspensions.lift
  • integrations.apigeeSuspensions.list
  • integrations.apigeeSuspensions.resolve

integrations.authConfigs.*

  • integrations.authConfigs.create
  • integrations.authConfigs.delete
  • integrations.authConfigs.get
  • integrations.authConfigs.list
  • integrations.authConfigs.update

integrations.certificates.*

  • integrations.certificates.create
  • integrations.certificates.delete
  • integrations.certificates.get
  • integrations.certificates.list
  • integrations.certificates.update

integrations.executions.*

  • integrations.executions.get
  • integrations.executions.list

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.*

  • integrations.integrations.create
  • integrations.integrations.delete
  • integrations.integrations.deploy
  • integrations.integrations.get
  • integrations.integrations.invoke
  • integrations.integrations.list
  • integrations.integrations.update

integrations.sfdcChannels.*

  • integrations.sfdcChannels.create
  • integrations.sfdcChannels.delete
  • integrations.sfdcChannels.get
  • integrations.sfdcChannels.list
  • integrations.sfdcChannels.update

integrations.sfdcInstances.*

  • integrations.sfdcInstances.create
  • integrations.sfdcInstances.delete
  • integrations.sfdcInstances.get
  • integrations.sfdcInstances.list
  • integrations.sfdcInstances.update

integrations.suspensions.*

  • integrations.suspensions.lift
  • integrations.suspensions.list
  • integrations.suspensions.resolve

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationDeployerRole)

A developer that can deploy/undeploy Apigee integrations to the integration runtime.

integrations.apigeeIntegrationVers.deploy

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.deploy

integrations.integrations.get

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationEditorRole)

A developer that can list, create and update Apigee integrations.

connectors.actions.*

  • connectors.actions.execute
  • connectors.actions.list

connectors.connections.executeSqlQuery

connectors.entities.*

  • connectors.entities.create
  • connectors.entities.delete
  • connectors.entities.deleteEntitiesWithConditions
  • connectors.entities.get
  • connectors.entities.list
  • connectors.entities.update
  • connectors.entities.updateEntitiesWithConditions

connectors.entityTypes.list

integrations.apigeeAuthConfigs.create

integrations.apigeeAuthConfigs.get

integrations.apigeeAuthConfigs.list

integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.create

integrations.apigeeCertificates.get

integrations.apigeeCertificates.list

integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

  • integrations.apigeeIntegrationVers.create
  • integrations.apigeeIntegrationVers.delete
  • integrations.apigeeIntegrationVers.deploy
  • integrations.apigeeIntegrationVers.get
  • integrations.apigeeIntegrationVers.list
  • integrations.apigeeIntegrationVers.update

integrations.apigeeIntegrations.*

  • integrations.apigeeIntegrations.invoke
  • integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.create

integrations.apigeeSfdcChannels.get

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.create

integrations.apigeeSfdcInstances.get

integrations.apigeeSfdcInstances.list

integrations.apigeeSfdcInstances.update

integrations.authConfigs.create

integrations.authConfigs.get

integrations.authConfigs.list

integrations.authConfigs.update

integrations.certificates.get

integrations.executions.*

  • integrations.executions.get
  • integrations.executions.list

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.create

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

integrations.integrations.update

integrations.sfdcChannels.*

  • integrations.sfdcChannels.create
  • integrations.sfdcChannels.delete
  • integrations.sfdcChannels.get
  • integrations.sfdcChannels.list
  • integrations.sfdcChannels.update

integrations.sfdcInstances.*

  • integrations.sfdcInstances.create
  • integrations.sfdcInstances.delete
  • integrations.sfdcInstances.get
  • integrations.sfdcInstances.list
  • integrations.sfdcInstances.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationInvokerRole)

A role that can invoke Apigee integrations.

connectors.actions.*

  • connectors.actions.execute
  • connectors.actions.list

connectors.connections.executeSqlQuery

connectors.entities.*

  • connectors.entities.create
  • connectors.entities.delete
  • connectors.entities.deleteEntitiesWithConditions
  • connectors.entities.get
  • connectors.entities.list
  • connectors.entities.update
  • connectors.entities.updateEntitiesWithConditions

connectors.entityTypes.list

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.*

  • integrations.apigeeIntegrations.invoke
  • integrations.apigeeIntegrations.list

integrations.executions.*

  • integrations.executions.get
  • integrations.executions.list

integrations.integrationVersions.get

integrations.integrationVersions.invoke

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationsViewer)

A developer that can list and view Apigee integrations.

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.authConfigs.get

integrations.authConfigs.list

integrations.certificates.get

integrations.certificates.list

integrations.executions.*

  • integrations.executions.get
  • integrations.executions.list

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeSuspensionResolver)

A role that can approve or reject Apigee integrations that contain a suspension/wait task.

integrations.apigeeSuspensions.*

  • integrations.apigeeSuspensions.lift
  • integrations.apigeeSuspensions.list
  • integrations.apigeeSuspensions.resolve

integrations.suspensions.*

  • integrations.suspensions.lift
  • integrations.suspensions.list
  • integrations.suspensions.resolve

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.certificateViewer)

A developer that can list and view Certificates.

integrations.certificates.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationAdmin)

A user that has full access (CRUD) to all integrations.

integrations.apigeeAuthConfigs.*

  • integrations.apigeeAuthConfigs.create
  • integrations.apigeeAuthConfigs.delete
  • integrations.apigeeAuthConfigs.get
  • integrations.apigeeAuthConfigs.list
  • integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.*

  • integrations.apigeeCertificates.create
  • integrations.apigeeCertificates.delete
  • integrations.apigeeCertificates.get
  • integrations.apigeeCertificates.list
  • integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

  • integrations.apigeeIntegrationVers.create
  • integrations.apigeeIntegrationVers.delete
  • integrations.apigeeIntegrationVers.deploy
  • integrations.apigeeIntegrationVers.get
  • integrations.apigeeIntegrationVers.list
  • integrations.apigeeIntegrationVers.update

integrations.apigeeIntegrations.*

  • integrations.apigeeIntegrations.invoke
  • integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.*

  • integrations.apigeeSfdcChannels.create
  • integrations.apigeeSfdcChannels.delete
  • integrations.apigeeSfdcChannels.get
  • integrations.apigeeSfdcChannels.list
  • integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.*

  • integrations.apigeeSfdcInstances.create
  • integrations.apigeeSfdcInstances.delete
  • integrations.apigeeSfdcInstances.get
  • integrations.apigeeSfdcInstances.list
  • integrations.apigeeSfdcInstances.update

integrations.apigeeSuspensions.*

  • integrations.apigeeSuspensions.lift
  • integrations.apigeeSuspensions.list
  • integrations.apigeeSuspensions.resolve

integrations.authConfigs.*

  • integrations.authConfigs.create
  • integrations.authConfigs.delete
  • integrations.authConfigs.get
  • integrations.authConfigs.list
  • integrations.authConfigs.update

integrations.certificates.*

  • integrations.certificates.create
  • integrations.certificates.delete
  • integrations.certificates.get
  • integrations.certificates.list
  • integrations.certificates.update

integrations.executions.*

  • integrations.executions.get
  • integrations.executions.list

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.*

  • integrations.integrations.create
  • integrations.integrations.delete
  • integrations.integrations.deploy
  • integrations.integrations.get
  • integrations.integrations.invoke
  • integrations.integrations.list
  • integrations.integrations.update

integrations.sfdcChannels.*

  • integrations.sfdcChannels.create
  • integrations.sfdcChannels.delete
  • integrations.sfdcChannels.get
  • integrations.sfdcChannels.list
  • integrations.sfdcChannels.update

integrations.sfdcInstances.*

  • integrations.sfdcInstances.create
  • integrations.sfdcInstances.delete
  • integrations.sfdcInstances.get
  • integrations.sfdcInstances.list
  • integrations.sfdcInstances.update

integrations.suspensions.*

  • integrations.suspensions.lift
  • integrations.suspensions.list
  • integrations.suspensions.resolve

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationDeployer)

A developer that can deploy/undeploy integrations to the integration runtime.

integrations.apigeeIntegrationVers.deploy

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.deploy

integrations.integrations.get

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationEditor)

A developer that can list, create and update integrations.

integrations.apigeeAuthConfigs.create

integrations.apigeeAuthConfigs.get

integrations.apigeeAuthConfigs.list

integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.create

integrations.apigeeCertificates.get

integrations.apigeeCertificates.list

integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

  • integrations.apigeeIntegrationVers.create
  • integrations.apigeeIntegrationVers.delete
  • integrations.apigeeIntegrationVers.deploy
  • integrations.apigeeIntegrationVers.get
  • integrations.apigeeIntegrationVers.list
  • integrations.apigeeIntegrationVers.update

integrations.apigeeIntegrations.*

  • integrations.apigeeIntegrations.invoke
  • integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.create

integrations.apigeeSfdcChannels.get

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.create

integrations.apigeeSfdcInstances.get

integrations.apigeeSfdcInstances.list

integrations.apigeeSfdcInstances.update

integrations.authConfigs.create

integrations.authConfigs.get

integrations.authConfigs.list

integrations.authConfigs.update

integrations.certificates.get

integrations.executions.*

  • integrations.executions.get
  • integrations.executions.list

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.create

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

integrations.integrations.update

integrations.sfdcChannels.*

  • integrations.sfdcChannels.create
  • integrations.sfdcChannels.delete
  • integrations.sfdcChannels.get
  • integrations.sfdcChannels.list
  • integrations.sfdcChannels.update

integrations.sfdcInstances.*

  • integrations.sfdcInstances.create
  • integrations.sfdcInstances.delete
  • integrations.sfdcInstances.get
  • integrations.sfdcInstances.list
  • integrations.sfdcInstances.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationInvoker)

A role that can invoke integrations.

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.*

  • integrations.apigeeIntegrations.invoke
  • integrations.apigeeIntegrations.list

integrations.executions.*

  • integrations.executions.get
  • integrations.executions.list

integrations.integrationVersions.get

integrations.integrationVersions.invoke

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationViewer)

A developer that can list and view integrations.

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.authConfigs.get

integrations.authConfigs.list

integrations.certificates.get

integrations.certificates.list

integrations.executions.*

  • integrations.executions.get
  • integrations.executions.list

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.securityIntegrationAdmin)

A user that has full access to all Security integrations.

integrations.securityAuthConfigs.*

  • integrations.securityAuthConfigs.create
  • integrations.securityAuthConfigs.delete
  • integrations.securityAuthConfigs.get
  • integrations.securityAuthConfigs.list
  • integrations.securityAuthConfigs.update

integrations.securityExecutions.*

  • integrations.securityExecutions.cancel
  • integrations.securityExecutions.get
  • integrations.securityExecutions.list

integrations.securityIntegTempVers.*

  • integrations.securityIntegTempVers.create
  • integrations.securityIntegTempVers.get
  • integrations.securityIntegTempVers.list

integrations.securityIntegrationVers.*

  • integrations.securityIntegrationVers.create
  • integrations.securityIntegrationVers.delete
  • integrations.securityIntegrationVers.deploy
  • integrations.securityIntegrationVers.get
  • integrations.securityIntegrationVers.list
  • integrations.securityIntegrationVers.update

integrations.securityIntegrations.*

  • integrations.securityIntegrations.invoke
  • integrations.securityIntegrations.list

(roles/integrations.sfdcInstanceAdmin)

A user that has full access (CRUD) to all SFDC instances.

integrations.sfdcChannels.*

  • integrations.sfdcChannels.create
  • integrations.sfdcChannels.delete
  • integrations.sfdcChannels.get
  • integrations.sfdcChannels.list
  • integrations.sfdcChannels.update

integrations.sfdcInstances.*

  • integrations.sfdcInstances.create
  • integrations.sfdcInstances.delete
  • integrations.sfdcInstances.get
  • integrations.sfdcInstances.list
  • integrations.sfdcInstances.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.sfdcInstanceEditor)

A developer that can list, create and update integrations.

integrations.sfdcChannels.create

integrations.sfdcChannels.get

integrations.sfdcChannels.list

integrations.sfdcChannels.update

integrations.sfdcInstances.create

integrations.sfdcInstances.get

integrations.sfdcInstances.list

integrations.sfdcInstances.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.sfdcInstanceViewer)

A developer that can list and view SFDC instances.

integrations.sfdcChannels.get

integrations.sfdcChannels.list

integrations.sfdcInstances.get

integrations.sfdcInstances.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.suspensionResolver)

A role that can resolve suspended integrations.

integrations.apigeeSuspensions.*

  • integrations.apigeeSuspensions.lift
  • integrations.apigeeSuspensions.list
  • integrations.apigeeSuspensions.resolve

integrations.suspensions.*

  • integrations.suspensions.lift
  • integrations.suspensions.list
  • integrations.suspensions.resolve

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.accountManagerAdmin)

This role can perform all account manager related operations

issuerswitch.accountManagerTransactions.*

  • issuerswitch.accountManagerTransactions.list
  • issuerswitch.accountManagerTransactions.update

issuerswitch.managedAccounts.*

  • issuerswitch.managedAccounts.get
  • issuerswitch.managedAccounts.update

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.accountManagerTransactionsAdmin)

This role can perform all account manager transactions related operations

issuerswitch.accountManagerTransactions.*

  • issuerswitch.accountManagerTransactions.list
  • issuerswitch.accountManagerTransactions.update

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.accountManagerTransactionsViewer)

This role can view all account manager transactions

issuerswitch.accountManagerTransactions.list

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.admin)

Access to all issuer switch roles

issuerswitch.*

  • issuerswitch.accountManagerTransactions.list
  • issuerswitch.accountManagerTransactions.update
  • issuerswitch.complaintTransactions.list
  • issuerswitch.complaints.create
  • issuerswitch.complaints.resolve
  • issuerswitch.disputes.create
  • issuerswitch.disputes.resolve
  • issuerswitch.financialTransactions.list
  • issuerswitch.issuerParticipants.get
  • issuerswitch.issuerParticipants.update
  • issuerswitch.managedAccounts.get
  • issuerswitch.managedAccounts.update
  • issuerswitch.mandateTransactions.list
  • issuerswitch.metadataTransactions.list
  • issuerswitch.operations.cancel
  • issuerswitch.operations.delete
  • issuerswitch.operations.get
  • issuerswitch.operations.list
  • issuerswitch.operations.wait
  • issuerswitch.ruleMetadata.list
  • issuerswitch.ruleMetadataValues.create
  • issuerswitch.ruleMetadataValues.delete
  • issuerswitch.ruleMetadataValues.list
  • issuerswitch.rules.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.issuerParticipantsAdmin)

Full access to issuer switch participants

issuerswitch.issuerParticipants.*

  • issuerswitch.issuerParticipants.get
  • issuerswitch.issuerParticipants.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.resolutionsAdmin)

Full access to issuer switch resolutions

issuerswitch.complaintTransactions.list

issuerswitch.complaints.*

  • issuerswitch.complaints.create
  • issuerswitch.complaints.resolve

issuerswitch.disputes.*

  • issuerswitch.disputes.create
  • issuerswitch.disputes.resolve

issuerswitch.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.rulesAdmin)

Full access to issuer switch rules

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.*

  • issuerswitch.ruleMetadataValues.create
  • issuerswitch.ruleMetadataValues.delete
  • issuerswitch.ruleMetadataValues.list

issuerswitch.rules.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.rulesViewer)

This role can view rules and related metadata.

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.list

issuerswitch.rules.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.transactionsViewer)

This role can view all transactions

issuerswitch.complaintTransactions.list

issuerswitch.financialTransactions.list

issuerswitch.mandateTransactions.list

issuerswitch.metadataTransactions.list

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/kubernetesmetadata.publisher)

Publisher of Kubernetes clusters metadata

kubernetesmetadata.*

  • kubernetesmetadata.metadata.config
  • kubernetesmetadata.metadata.publish
  • kubernetesmetadata.metadata.snapshot

(roles/mandiant.attackSurfaceManagementEditor)

Access to write Attack Surface Management

mandiant.genericAttackSurfaceManagements.create

mandiant.genericAttackSurfaceManagements.delete

mandiant.genericAttackSurfaceManagements.update

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.attackSurfaceManagementViewer)

Access to read Attack Surface Management

mandiant.genericAttackSurfaceManagements.get

mandiant.genericPlatforms.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.digitalThreatMonitoringEditor)

Access to write Digital Threat Monitoring

mandiant.genericDigitalThreatMonitorings.create

mandiant.genericDigitalThreatMonitorings.update

mandiant.genericPlatforms.create

mandiant.genericPlatforms.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.digitalThreatMonitoringViewer)

Access to read Digital Threat Monitoring

mandiant.genericDigitalThreatMonitorings.get

mandiant.genericPlatforms.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.expertiseOnDemandEditor)

Access to write Expertise On Demand

mandiant.genericExpertiseOnDemands.create

mandiant.genericExpertiseOnDemands.delete

mandiant.genericExpertiseOnDemands.update

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.expertiseOnDemandViewer)

Access to read Expertise On Demand

mandiant.genericExpertiseOnDemands.get

mandiant.genericPlatforms.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.threatIntelEditor)

Access to write Threat Intel

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

mandiant.genericThreatIntels.create

mandiant.genericThreatIntels.delete

mandiant.genericThreatIntels.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.threatIntelViewer)

Access to read Threat Intel

mandiant.genericPlatforms.get

mandiant.genericThreatIntels.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.validationEditor)

Access to write Validation

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

mandiant.genericValidations.create

mandiant.genericValidations.delete

mandiant.genericValidations.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.validationViewer)

Access to read Validation

mandiant.genericPlatforms.get

mandiant.genericValidations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mapsanalytics.viewer)

Grants read-only access to all of the Maps Analytics resources.

mapsanalytics.*

  • mapsanalytics.metricData.query
  • mapsanalytics.metricMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.list

(roles/mapsplatformdatasets.admin)

Grants read and write access to all the Maps Platform Datasets API resources

mapsadmin.clientStyles.*

  • mapsadmin.clientStyles.create
  • mapsadmin.clientStyles.delete
  • mapsadmin.clientStyles.get
  • mapsadmin.clientStyles.list
  • mapsadmin.clientStyles.update

mapsplatformdatasets.*

  • mapsplatformdatasets.datasets.create
  • mapsplatformdatasets.datasets.delete
  • mapsplatformdatasets.datasets.export
  • mapsplatformdatasets.datasets.get
  • mapsplatformdatasets.datasets.import
  • mapsplatformdatasets.datasets.list
  • mapsplatformdatasets.datasets.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mapsplatformdatasets.viewer)

Grants read-only access to all the Maps Platform Datasets API resources

mapsadmin.clientStyles.get

mapsadmin.clientStyles.list

mapsplatformdatasets.datasets.export

mapsplatformdatasets.datasets.get

mapsplatformdatasets.datasets.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/marketplacesolutions.admin)

Full access to Marketplace Solutions resources.

marketplacesolutions.*

  • marketplacesolutions.locations.get
  • marketplacesolutions.locations.list
  • marketplacesolutions.operations.cancel
  • marketplacesolutions.operations.delete
  • marketplacesolutions.operations.get
  • marketplacesolutions.operations.list
  • marketplacesolutions.powerImages.get
  • marketplacesolutions.powerImages.list
  • marketplacesolutions.powerInstances.applyPowerAction
  • marketplacesolutions.powerInstances.create
  • marketplacesolutions.powerInstances.delete
  • marketplacesolutions.powerInstances.get
  • marketplacesolutions.powerInstances.list
  • marketplacesolutions.powerInstances.reset
  • marketplacesolutions.powerInstances.update
  • marketplacesolutions.powerNetworks.get
  • marketplacesolutions.powerNetworks.list
  • marketplacesolutions.powerSshKeys.get
  • marketplacesolutions.powerSshKeys.list
  • marketplacesolutions.powerVolumes.get
  • marketplacesolutions.powerVolumes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/marketplacesolutions.editor)

Edit access to Marketplace Solutions resources.

marketplacesolutions.locations.*

  • marketplacesolutions.locations.get
  • marketplacesolutions.locations.list

marketplacesolutions.operations.get

marketplacesolutions.operations.list

marketplacesolutions.powerImages.*

  • marketplacesolutions.powerImages.get
  • marketplacesolutions.powerImages.list

marketplacesolutions.powerInstances.get

marketplacesolutions.powerInstances.list

marketplacesolutions.powerInstances.update

marketplacesolutions.powerNetworks.*

  • marketplacesolutions.powerNetworks.get
  • marketplacesolutions.powerNetworks.list

marketplacesolutions.powerSshKeys.*

  • marketplacesolutions.powerSshKeys.get
  • marketplacesolutions.powerSshKeys.list

marketplacesolutions.powerVolumes.*

  • marketplacesolutions.powerVolumes.get
  • marketplacesolutions.powerVolumes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/marketplacesolutions.viewer)

Read-only access to Marketplace Solutions resources.

marketplacesolutions.locations.*

  • marketplacesolutions.locations.get
  • marketplacesolutions.locations.list

marketplacesolutions.operations.get

marketplacesolutions.operations.list

marketplacesolutions.powerImages.*

  • marketplacesolutions.powerImages.get
  • marketplacesolutions.powerImages.list

marketplacesolutions.powerInstances.get

marketplacesolutions.powerInstances.list

marketplacesolutions.powerNetworks.*

  • marketplacesolutions.powerNetworks.get
  • marketplacesolutions.powerNetworks.list

marketplacesolutions.powerSshKeys.*

  • marketplacesolutions.powerSshKeys.get
  • marketplacesolutions.powerSshKeys.list

marketplacesolutions.powerVolumes.*

  • marketplacesolutions.powerVolumes.get
  • marketplacesolutions.powerVolumes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/nestconsole.homeDeveloperAdmin)

Admin access to Google Home Developer Console resources

nestconsole.*

  • nestconsole.smarthomePreviews.update
  • nestconsole.smarthomeProjects.create
  • nestconsole.smarthomeProjects.delete
  • nestconsole.smarthomeProjects.get
  • nestconsole.smarthomeProjects.update
  • nestconsole.smarthomeVersions.create
  • nestconsole.smarthomeVersions.get
  • nestconsole.smarthomeVersions.submit

resourcemanager.projects.get

resourcemanager.projects.list

(roles/nestconsole.homeDeveloperEditor)

Read-Write access to Google Home Developer Console resources

nestconsole.smarthomePreviews.update

nestconsole.smarthomeProjects.get

nestconsole.smarthomeProjects.update

nestconsole.smarthomeVersions.*

  • nestconsole.smarthomeVersions.create
  • nestconsole.smarthomeVersions.get
  • nestconsole.smarthomeVersions.submit

resourcemanager.projects.get

resourcemanager.projects.list

(roles/nestconsole.homeDeveloperViewer)

Read-only access to Google Home Developer Console resources

nestconsole.smarthomeProjects.get

nestconsole.smarthomeVersions.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/netapp.admin)

Full access to Google Cloud NetApp Volumes resources.

netapp.*

  • netapp.activeDirectories.create
  • netapp.activeDirectories.delete
  • netapp.activeDirectories.get
  • netapp.activeDirectories.list
  • netapp.activeDirectories.update
  • netapp.backupPolicies.create
  • netapp.backupPolicies.delete
  • netapp.backupPolicies.get
  • netapp.backupPolicies.list
  • netapp.backupPolicies.update
  • netapp.backupVaults.create
  • netapp.backupVaults.delete
  • netapp.backupVaults.get
  • netapp.backupVaults.list
  • netapp.backupVaults.update
  • netapp.backups.create
  • netapp.backups.delete
  • netapp.backups.get
  • netapp.backups.list
  • netapp.backups.update
  • netapp.kmsConfigs.create
  • netapp.kmsConfigs.delete
  • netapp.kmsConfigs.encrypt
  • netapp.kmsConfigs.get
  • netapp.kmsConfigs.list
  • netapp.kmsConfigs.update
  • netapp.kmsConfigs.verify
  • netapp.replications.create
  • netapp.replications.delete
  • netapp.replications.get
  • netapp.replications.list
  • netapp.replications.resume
  • netapp.replications.reverse
  • netapp.replications.stop
  • netapp.replications.update
  • netapp.snapshots.create
  • netapp.snapshots.delete
  • netapp.snapshots.get
  • netapp.snapshots.list
  • netapp.snapshots.update
  • netapp.storagePools.create
  • netapp.storagePools.delete
  • netapp.storagePools.get
  • netapp.storagePools.list
  • netapp.storagePools.update
  • netapp.volumes.create
  • netapp.volumes.delete
  • netapp.volumes.get
  • netapp.volumes.list
  • netapp.volumes.revert
  • netapp.volumes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/netapp.viewer)

Read-only access to Google Cloud NetApp Volumes resources.

netapp.activeDirectories.get

netapp.activeDirectories.list

netapp.backupPolicies.get

netapp.backupPolicies.list

netapp.backupVaults.get

netapp.backupVaults.list

netapp.backups.get

netapp.backups.list

netapp.kmsConfigs.get

netapp.kmsConfigs.list

netapp.replications.get

netapp.replications.list

netapp.snapshots.get

netapp.snapshots.list

netapp.storagePools.get

netapp.storagePools.list

netapp.volumes.get

netapp.volumes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oauthconfig.editor)

Read/write access to OAuth config resources

clientauthconfig.*

  • clientauthconfig.brands.create
  • clientauthconfig.brands.delete
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.brands.update
  • clientauthconfig.clients.create
  • clientauthconfig.clients.createSecret
  • clientauthconfig.clients.delete
  • clientauthconfig.clients.get
  • clientauthconfig.clients.getWithSecret
  • clientauthconfig.clients.list
  • clientauthconfig.clients.listWithSecrets
  • clientauthconfig.clients.undelete
  • clientauthconfig.clients.update

oauthconfig.*

  • oauthconfig.clientpolicy.get
  • oauthconfig.testusers.get
  • oauthconfig.testusers.update
  • oauthconfig.verification.get
  • oauthconfig.verification.submit
  • oauthconfig.verification.update

(roles/oauthconfig.viewer)

Read-only access to OAuth config resources

clientauthconfig.brands.get

clientauthconfig.brands.list

clientauthconfig.clients.get

clientauthconfig.clients.list

oauthconfig.clientpolicy.get

oauthconfig.testusers.get

oauthconfig.verification.get

(roles/paymentsresellersubscription.partnerAdmin)

Full access to all Payments Reseller resources, including subscriptions, products and promotions

paymentsresellersubscription.*

  • paymentsresellersubscription.products.list
  • paymentsresellersubscription.promotions.list
  • paymentsresellersubscription.subscriptions.cancel
  • paymentsresellersubscription.subscriptions.extend
  • paymentsresellersubscription.subscriptions.get
  • paymentsresellersubscription.subscriptions.provision
  • paymentsresellersubscription.subscriptions.undoCancel

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.partnerViewer)

Read access to all Payments Reseller resources, including subscriptions, products and promotions

paymentsresellersubscription.products.list

paymentsresellersubscription.promotions.list

paymentsresellersubscription.subscriptions.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.productViewer)

Read access to Payments Reseller Product resource

paymentsresellersubscription.products.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.promotionViewer)

Read access to Payments Reseller Promotion resource

paymentsresellersubscription.promotions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.subscriptionEditor)

Write access to Payments Reseller Subscription resource

paymentsresellersubscription.subscriptions.*

  • paymentsresellersubscription.subscriptions.cancel
  • paymentsresellersubscription.subscriptions.extend
  • paymentsresellersubscription.subscriptions.get
  • paymentsresellersubscription.subscriptions.provision
  • paymentsresellersubscription.subscriptions.undoCancel

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.subscriptionViewer)

Read access to Payments Reseller Subscription resource

paymentsresellersubscription.subscriptions.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/policyanalyzer.activityAnalysisViewer)

Viewer user that can read all activity analysis.

policyanalyzer.*

  • policyanalyzer.serviceAccountKeyLastAuthenticationActivities.query
  • policyanalyzer.serviceAccountLastAuthenticationActivities.query

(roles/policyremediatormanager.policyRemediatorAdmin)

Grants the ability to enable and disable the usage of the policy remediator for the organization

policyremediatormanager.*

  • policyremediatormanager.locations.get
  • policyremediatormanager.locations.list
  • policyremediatormanager.operations.cancel
  • policyremediatormanager.operations.delete
  • policyremediatormanager.operations.get
  • policyremediatormanager.operations.list
  • policyremediatormanager.remediatorServices.disable
  • policyremediatormanager.remediatorServices.enable
  • policyremediatormanager.remediatorServices.get

(roles/policyremediatormanager.policyRemediatorReader)

Grants the ability to read/view the state of the policy remediator for the organization

policyremediatormanager.locations.*

  • policyremediatormanager.locations.get
  • policyremediatormanager.locations.list

policyremediatormanager.operations.get

policyremediatormanager.operations.list

policyremediatormanager.remediatorServices.get

(roles/policysimulator.admin)

Admin user that can run and access replays.

policysimulator.replayResults.list

policysimulator.replays.*

  • policysimulator.replays.create
  • policysimulator.replays.get
  • policysimulator.replays.list
  • policysimulator.replays.run

(roles/policysimulator.orgPolicyAdmin)

OrgPolicy Admin that can run and access simulations.

cloudasset.assets.analyzeOrgPolicy

cloudasset.assets.exportResource

cloudasset.assets.listResource

cloudasset.assets.searchAllResources

orgpolicy.customConstraints.get

orgpolicy.customConstraints.list

orgpolicy.policies.list

orgpolicy.policy.get

policysimulator.orgPolicyViolations.list

policysimulator.orgPolicyViolationsPreviews.*

  • policysimulator.orgPolicyViolationsPreviews.create
  • policysimulator.orgPolicyViolationsPreviews.get
  • policysimulator.orgPolicyViolationsPreviews.list

resourcemanager.organizations.get

(roles/publicca.externalAccountKeyCreator)

This role can create a new externalAccountKey resource.

publicca.externalAccountKeys.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/readerrevenuesubscriptionlinking.admin)

Full access to publication reader resources

readerrevenuesubscriptionlinking.*

  • readerrevenuesubscriptionlinking.readerEntitlements.get
  • readerrevenuesubscriptionlinking.readerEntitlements.update
  • readerrevenuesubscriptionlinking.readers.delete
  • readerrevenuesubscriptionlinking.readers.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/readerrevenuesubscriptionlinking.entitlementsViewer)

This role can view all publication reader entitlements

readerrevenuesubscriptionlinking.readerEntitlements.get

(roles/readerrevenuesubscriptionlinking.viewer)

This role can view all publication reader resources

readerrevenuesubscriptionlinking.readerEntitlements.get

readerrevenuesubscriptionlinking.readers.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.exporter)

Exporter of Recommendations

recommender.resources.export

(roles/remotebuildexecution.actionCacheWriter)

Remote Build Execution Action Cache Writer

remotebuildexecution.actions.set

remotebuildexecution.blobs.create

(roles/remotebuildexecution.artifactAdmin)

Remote Build Execution Artifact Admin

remotebuildexecution.actions.create

remotebuildexecution.actions.delete

remotebuildexecution.actions.get

remotebuildexecution.blobs.*

  • remotebuildexecution.blobs.create
  • remotebuildexecution.blobs.get

remotebuildexecution.logstreams.*

  • remotebuildexecution.logstreams.create
  • remotebuildexecution.logstreams.get
  • remotebuildexecution.logstreams.update

(roles/remotebuildexecution.artifactCreator)

Remote Build Execution Artifact Creator

remotebuildexecution.actions.create

remotebuildexecution.actions.get

remotebuildexecution.blobs.*

  • remotebuildexecution.blobs.create
  • remotebuildexecution.blobs.get

remotebuildexecution.logstreams.*

  • remotebuildexecution.logstreams.create
  • remotebuildexecution.logstreams.get
  • remotebuildexecution.logstreams.update

(roles/remotebuildexecution.artifactViewer)

Remote Build Execution Artifact Viewer

remotebuildexecution.actions.get

remotebuildexecution.blobs.get

remotebuildexecution.logstreams.get

(roles/remotebuildexecution.configurationAdmin)

Remote Build Execution Configuration Admin

remotebuildexecution.instances.*

  • remotebuildexecution.instances.create
  • remotebuildexecution.instances.delete
  • remotebuildexecution.instances.get
  • remotebuildexecution.instances.list
  • remotebuildexecution.instances.update

remotebuildexecution.workerpools.*

  • remotebuildexecution.workerpools.create
  • remotebuildexecution.workerpools.delete
  • remotebuildexecution.workerpools.get
  • remotebuildexecution.workerpools.list
  • remotebuildexecution.workerpools.update

(roles/remotebuildexecution.configurationViewer)

Remote Build Execution Configuration Viewer

remotebuildexecution.instances.get

remotebuildexecution.instances.list

remotebuildexecution.workerpools.get

remotebuildexecution.workerpools.list

(roles/remotebuildexecution.logstreamWriter)

Remote Build Execution Logstream Writer

remotebuildexecution.logstreams.create

remotebuildexecution.logstreams.update

(roles/remotebuildexecution.reservationAdmin)

Remote Build Execution Reservation Admin

remotebuildexecution.actions.create

remotebuildexecution.actions.delete

remotebuildexecution.actions.get

(roles/remotebuildexecution.worker)

Remote Build Execution Worker

remotebuildexecution.actions.update

remotebuildexecution.blobs.*

  • remotebuildexecution.blobs.create
  • remotebuildexecution.blobs.get

remotebuildexecution.botsessions.*

  • remotebuildexecution.botsessions.create
  • remotebuildexecution.botsessions.update

remotebuildexecution.logstreams.create

remotebuildexecution.logstreams.update

(roles/retail.admin)

Full access to Retail API resources.

automlrecommendations.apiKeys.create

automlrecommendations.apiKeys.delete

automlrecommendations.catalogItems.*

  • automlrecommendations.catalogItems.create
  • automlrecommendations.catalogItems.delete
  • automlrecommendations.catalogItems.get
  • automlrecommendations.catalogItems.list
  • automlrecommendations.catalogItems.update

automlrecommendations.catalogs.*

  • automlrecommendations.catalogs.getStats
  • automlrecommendations.catalogs.list
  • automlrecommendations.catalogs.update

automlrecommendations.eventStores.getStats

automlrecommendations.events.create

automlrecommendations.events.list

automlrecommendations.events.purge

automlrecommendations.events.rejoin

automlrecommendations.placements.*

  • automlrecommendations.placements.create
  • automlrecommendations.placements.delete
  • automlrecommendations.placements.getStats
  • automlrecommendations.placements.list

automlrecommendations.recommendations.*

  • automlrecommendations.recommendations.create
  • automlrecommendations.recommendations.delete
  • automlrecommendations.recommendations.list
  • automlrecommendations.recommendations.pause
  • automlrecommendations.recommendations.resume
  • automlrecommendations.recommendations.update

retail.*

  • retail.attributesConfigs.addCatalogAttribute
  • retail.attributesConfigs.batchRemoveCatalogAttributes
  • retail.attributesConfigs.exportCatalogAttributes
  • retail.attributesConfigs.get
  • retail.attributesConfigs.importCatalogAttributes
  • retail.attributesConfigs.removeCatalogAttribute
  • retail.attributesConfigs.replaceCatalogAttribute
  • retail.attributesConfigs.update
  • retail.catalogs.completeQuery
  • retail.catalogs.exportAnalyticsMetrics
  • retail.catalogs.import
  • retail.catalogs.list
  • retail.catalogs.update
  • retail.controls.create
  • retail.controls.delete
  • retail.controls.export
  • retail.controls.get
  • retail.controls.import
  • retail.controls.list
  • retail.controls.update
  • retail.experiments.create
  • retail.experiments.delete
  • retail.experiments.get
  • retail.experiments.list
  • retail.experiments.loadExperimentLookerDashboard
  • retail.experiments.queryTrafficMetrics
  • retail.experiments.update
  • retail.models.create
  • retail.models.delete
  • retail.models.get
  • retail.models.list
  • retail.models.pause
  • retail.models.resume
  • retail.models.tune
  • retail.models.update
  • retail.operations.get
  • retail.operations.list
  • retail.placements.predict
  • retail.placements.search
  • retail.products.create
  • retail.products.delete
  • retail.products.export
  • retail.products.get
  • retail.products.import
  • retail.products.list
  • retail.products.purge
  • retail.products.setSponsorship
  • retail.products.update
  • retail.retailProjects.get
  • retail.servingConfigs.create
  • retail.servingConfigs.delete
  • retail.servingConfigs.get
  • retail.servingConfigs.list
  • retail.servingConfigs.predict
  • retail.servingConfigs.search
  • retail.servingConfigs.update
  • retail.userEvents.create
  • retail.userEvents.import
  • retail.userEvents.purge
  • retail.userEvents.rejoin

(roles/retail.editor)

Full access to Retail API resources except purge, rejoin, and setSponsorship.

automlrecommendations.apiKeys.create

automlrecommendations.apiKeys.delete

automlrecommendations.catalogItems.*

  • automlrecommendations.catalogItems.create
  • automlrecommendations.catalogItems.delete
  • automlrecommendations.catalogItems.get
  • automlrecommendations.catalogItems.list
  • automlrecommendations.catalogItems.update

automlrecommendations.catalogs.*

  • automlrecommendations.catalogs.getStats
  • automlrecommendations.catalogs.list
  • automlrecommendations.catalogs.update

automlrecommendations.eventStores.getStats

automlrecommendations.events.create

automlrecommendations.events.list

automlrecommendations.placements.*

  • automlrecommendations.placements.create
  • automlrecommendations.placements.delete
  • automlrecommendations.placements.getStats
  • automlrecommendations.placements.list

automlrecommendations.recommendations.*

  • automlrecommendations.recommendations.create
  • automlrecommendations.recommendations.delete
  • automlrecommendations.recommendations.list
  • automlrecommendations.recommendations.pause
  • automlrecommendations.recommendations.resume
  • automlrecommendations.recommendations.update

retail.attributesConfigs.addCatalogAttribute

retail.attributesConfigs.exportCatalogAttributes

retail.attributesConfigs.get

retail.attributesConfigs.importCatalogAttributes

retail.attributesConfigs.replaceCatalogAttribute

retail.attributesConfigs.update

retail.catalogs.*

  • retail.catalogs.completeQuery
  • retail.catalogs.exportAnalyticsMetrics
  • retail.catalogs.import
  • retail.catalogs.list
  • retail.catalogs.update

retail.controls.*

  • retail.controls.create
  • retail.controls.delete
  • retail.controls.export
  • retail.controls.get
  • retail.controls.import
  • retail.controls.list
  • retail.controls.update

retail.experiments.*

  • retail.experiments.create
  • retail.experiments.delete
  • retail.experiments.get
  • retail.experiments.list
  • retail.experiments.loadExperimentLookerDashboard
  • retail.experiments.queryTrafficMetrics
  • retail.experiments.update

retail.models.*

  • retail.models.create
  • retail.models.delete
  • retail.models.get
  • retail.models.list
  • retail.models.pause
  • retail.models.resume
  • retail.models.tune
  • retail.models.update

retail.operations.*

  • retail.operations.get
  • retail.operations.list

retail.placements.*

  • retail.placements.predict
  • retail.placements.search

retail.products.create

retail.products.delete

retail.products.export

retail.products.get

retail.products.import

retail.products.list

retail.products.update

retail.retailProjects.get

retail.servingConfigs.*

  • retail.servingConfigs.create
  • retail.servingConfigs.delete
  • retail.servingConfigs.get
  • retail.servingConfigs.list
  • retail.servingConfigs.predict
  • retail.servingConfigs.search
  • retail.servingConfigs.update

retail.userEvents.create

retail.userEvents.import

(roles/retail.viewer)

Grants access to read all resources in Retail.

automlrecommendations.catalogItems.get

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.getStats

automlrecommendations.catalogs.list

automlrecommendations.eventStores.getStats

automlrecommendations.events.list

automlrecommendations.placements.getStats

automlrecommendations.placements.list

automlrecommendations.recommendations.list

retail.attributesConfigs.exportCatalogAttributes

retail.attributesConfigs.get

retail.catalogs.completeQuery

retail.catalogs.exportAnalyticsMetrics

retail.catalogs.list

retail.controls.export

retail.controls.get

retail.controls.list

retail.experiments.get

retail.experiments.list

retail.experiments.loadExperimentLookerDashboard

retail.experiments.queryTrafficMetrics

retail.models.get

retail.models.list

retail.operations.*

  • retail.operations.get
  • retail.operations.list

retail.placements.*

  • retail.placements.predict
  • retail.placements.search

retail.products.export

retail.products.get

retail.products.list

retail.retailProjects.get

retail.servingConfigs.get

retail.servingConfigs.list

retail.servingConfigs.predict

retail.servingConfigs.search

(roles/riscconfigs.admin)

Read/write access to RISC config resources.

clientauthconfig.clients.list

riscconfigurationservice.*

  • riscconfigurationservice.riscconfigs.createOrUpdate
  • riscconfigurationservice.riscconfigs.delete
  • riscconfigurationservice.riscconfigs.get

(roles/riscconfigs.viewer)

Read-only access to RISC config resources.

clientauthconfig.clients.list

riscconfigurationservice.riscconfigs.get

(roles/runapps.developer)

Access to create and change Serverless Integrations and their configuration.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.*

  • runapps.applications.create
  • runapps.applications.delete
  • runapps.applications.get
  • runapps.applications.getStatus
  • runapps.applications.list
  • runapps.applications.update

runapps.deployments.get

runapps.deployments.list

runapps.locations.*

  • runapps.locations.get
  • runapps.locations.list

runapps.operations.*

  • runapps.operations.cancel
  • runapps.operations.delete
  • runapps.operations.get
  • runapps.operations.list

(roles/runapps.operator)

Access to deploy Serverless Integrations.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.get

runapps.applications.getStatus

runapps.applications.list

runapps.deployments.*

  • runapps.deployments.create
  • runapps.deployments.get
  • runapps.deployments.list

runapps.locations.*

  • runapps.locations.get
  • runapps.locations.list

runapps.operations.*

  • runapps.operations.cancel
  • runapps.operations.delete
  • runapps.operations.get
  • runapps.operations.list

(roles/runapps.viewer)

Read-only access to Serverless Integrations resources.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.get

runapps.applications.getStatus

runapps.applications.list

runapps.deployments.get

runapps.deployments.list

runapps.locations.*

  • runapps.locations.get
  • runapps.locations.list

runapps.operations.get

runapps.operations.list

(roles/runtimeconfig.admin)

Full access to RuntimeConfig resources.

runtimeconfig.*

  • runtimeconfig.configs.create
  • runtimeconfig.configs.delete
  • runtimeconfig.configs.get
  • runtimeconfig.configs.getIamPolicy
  • runtimeconfig.configs.list
  • runtimeconfig.configs.setIamPolicy
  • runtimeconfig.configs.update
  • runtimeconfig.operations.get
  • runtimeconfig.operations.list
  • runtimeconfig.variables.create
  • runtimeconfig.variables.delete
  • runtimeconfig.variables.get
  • runtimeconfig.variables.getIamPolicy
  • runtimeconfig.variables.list
  • runtimeconfig.variables.setIamPolicy
  • runtimeconfig.variables.update
  • runtimeconfig.variables.watch
  • runtimeconfig.waiters.create
  • runtimeconfig.waiters.delete
  • runtimeconfig.waiters.get
  • runtimeconfig.waiters.getIamPolicy
  • runtimeconfig.waiters.list
  • runtimeconfig.waiters.setIamPolicy
  • runtimeconfig.waiters.update

(roles/securedlandingzone.bqdwOrgRemediator)

Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

accesscontextmanager.servicePerimeters.update

(roles/securedlandingzone.bqdwProjectRemediator)

Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.setIamPolicy

bigquery.datasets.update

cloudkms.cryptoKeys.get

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.list

cloudkms.cryptoKeys.setIamPolicy

cloudkms.cryptoKeys.update

cloudkms.keyRings.getIamPolicy

cloudkms.keyRings.setIamPolicy

pubsub.topics.get

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsub.topics.setIamPolicy

pubsub.topics.update

resourcemanager.projects.update

serviceusage.services.use

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

storage.buckets.setIamPolicy

storage.buckets.update

(roles/securedlandingzone.overwatchActivator)

This role can activate or suspend Overwatches.

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.overwatches.activate

securedlandingzone.overwatches.suspend

(roles/securedlandingzone.overwatchAdmin)

Full access to Overwatches.

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.*

  • securedlandingzone.operations.get
  • securedlandingzone.overwatches.activate
  • securedlandingzone.overwatches.create
  • securedlandingzone.overwatches.delete
  • securedlandingzone.overwatches.get
  • securedlandingzone.overwatches.list
  • securedlandingzone.overwatches.suspend
  • securedlandingzone.overwatches.update

(roles/securedlandingzone.overwatchViewer)

This role can view all properties of Overwatches.

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.operations.get

securedlandingzone.overwatches.get

securedlandingzone.overwatches.list

(roles/securitycentermanagement.customModulesEditor)

Full access to manage Cloud Security Command Center custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.customModulesViewer)

Read-only access to Cloud Security Command Center custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycentermanagement.etdCustomModulesEditor)

Full access to manage Cloud Security Command Center ETD custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.*

  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

(roles/securitycentermanagement.etdCustomModulesViewer)

Read-only access to Cloud Security Command Center ETD custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

(roles/securitycentermanagement.shaCustomModulesEditor)

Full access to manage Cloud Security Command Center SHA custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.*

  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.shaCustomModulesViewer)

Read-only access to Cloud Security Command Center SHA custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securityposture.admin)

Full access to Security Posture service APIs.

orgpolicy.*

  • orgpolicy.constraints.list
  • orgpolicy.customConstraints.create
  • orgpolicy.customConstraints.delete
  • orgpolicy.customConstraints.get
  • orgpolicy.customConstraints.list
  • orgpolicy.customConstraints.update
  • orgpolicy.policies.create
  • orgpolicy.policies.delete
  • orgpolicy.policies.list
  • orgpolicy.policies.update
  • orgpolicy.policy.get
  • orgpolicy.policy.set

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.*

  • securityposture.locations.get
  • securityposture.locations.list
  • securityposture.operations.delete
  • securityposture.operations.get
  • securityposture.operations.list
  • securityposture.postureDeployments.create
  • securityposture.postureDeployments.delete
  • securityposture.postureDeployments.get
  • securityposture.postureDeployments.list
  • securityposture.postureDeployments.update
  • securityposture.postureTemplates.get
  • securityposture.postureTemplates.list
  • securityposture.postures.create
  • securityposture.postures.delete
  • securityposture.postures.extract
  • securityposture.postures.get
  • securityposture.postures.list
  • securityposture.postures.update

(roles/securityposture.postureDeployer)

Mutate and read permissions to the Posture Deployment resource.

orgpolicy.*

  • orgpolicy.constraints.list
  • orgpolicy.customConstraints.create
  • orgpolicy.customConstraints.delete
  • orgpolicy.customConstraints.get
  • orgpolicy.customConstraints.list
  • orgpolicy.customConstraints.update
  • orgpolicy.policies.create
  • orgpolicy.policies.delete
  • orgpolicy.policies.list
  • orgpolicy.policies.update
  • orgpolicy.policy.get
  • orgpolicy.policy.set

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.operations.get

securityposture.postureDeployments.*

  • securityposture.postureDeployments.create
  • securityposture.postureDeployments.delete
  • securityposture.postureDeployments.get
  • securityposture.postureDeployments.list
  • securityposture.postureDeployments.update

(roles/securityposture.postureDeploymentsViewer)

Read-only access to the Posture Deployment resource.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postureDeployments.get

securityposture.postureDeployments.list

(roles/securityposture.postureEditor)

Mutate and read permissions to the Posture resource.

securityposture.operations.get

securityposture.postures.*

  • securityposture.postures.create
  • securityposture.postures.delete
  • securityposture.postures.extract
  • securityposture.postures.get
  • securityposture.postures.list
  • securityposture.postures.update

(roles/securityposture.postureViewer)

Read-only access to the Posture resource.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postures.get

securityposture.postures.list

(roles/securityposture.reportCreator)

Create access for Reports, e.g. IaC Validation Report.

securityposture.operations.get

(roles/securityposture.viewer)

Read only access to all the SecurityPosture Service resou