Role definitions for projects

The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:

• Name: The name of a role displayed in the user interface (UI).
• Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
• Level: The specification of whether this role is scoped by the organization or a project.
• Type: The type of this role. For example, some possible values are Role, ProjectRole, ClusterRole, or ProjectClusterRole.
• Binding type: The type of binding that you must apply to this role.
• Management API server or Kubernetes cluster permissions: The permissions that this role has for the Management API server or the Kubernetes cluster. For example, some possible values are read, write, read and write, or not applicable (N/A).
• Escalates to: The specification of whether this role escalates to other roles or not.

AO persona, predefined identity and access roles

AO persona
Name	Kubernetes resource name	Initial admin	Level	Type
Project IAM Admin	project-iam-admin	True	Project	Role
AI OCR Developer	ai-ocr-developer	False	Project	Role
AI Platform Viewer	ai-platform-viewer	False	Project	Role
AI Speech Developer	ai-speech-developer	False	Project	Role
AI Translation Developer	ai-translation-developer	False	Project	Role
Artifact Management Admin	artifact-management-admin	False	Project	Role
Artifact Management Editor	artifact-management-editor	False	Project	Role
Certificate Authority Service Admin	certificate-authority-service-admin	False	Project	Role
Certificate Service Admin	certificate-service-admin	False	Project	Role
Dashboard Editor	dashboard-editor	False	Project	Role
Dashboard Viewer	dashboard-viewer	False	Project	Role
Harbor Instance Admin	harbor-instance-admin	False	Project	Role
Harbor Instance Viewer	harbor-instance-viewer	False	Project	Role
Harbor Project Creator	harbor-project-creator	False	Project	Role
K8s Network Policy Admin	k8s-networkpolicy-admin	False	Project	ProjectRole
Load Balancer Admin	load-balancer-admin	False	Project	ProjectRole
LoggingRule Creator	loggingrule-creator	False	Project	Role
LoggingRule Editor	loggingrule-editor	False	Project	Role
LoggingRule Viewer	loggingrule-viewer	False	Project	Role
LoggingTarget Creator	loggingtarget-creator	False	Project	Role
LoggingTarget Editor	loggingtarget-editor	False	Project	Role
LoggingTarget Viewer	loggingtarget-viewer	False	Project	Role
MonitoringRule Editor	monitoringrule-editor	False	Project	Role
MonitoringRule Viewer	monitoringrule-viewer	False	Project	Role
MonitoringTarget Editor	monitoringtarget-editor	False	Project	Role
MonitoringTarget Viewer	monitoringtarget-viewer	False	Project	Role
Namespace Admin	namespace-admin	False	Project	ProjectRole
NAT Viewer	nat-viewer	False	Project	ProjectRole
ObservabilityPipeline Editor	observabilitypipeline-editor	False	Project	Role
ObservabilityPipeline Viewer	observabilitypipeline-viewer	False	Project	Role
Project Bucket Admin	project-bucket-admin	False	Project	Role
Project Bucket Object Admin	project-bucket-object-admin	False	Project	Role
Project Bucket Object Viewer	project-bucket-object-viewer	False	Project	Role
Project Cortex Alertmanager Editor	project-cortex-alertmanager-editor	False	Project	Role
Project Cortex Alertmanager Viewer	project-cortex-alertmanager-viewer	False	Project	Role
Project Cortex Prometheus Viewer	project-cortex-prometheus-viewer	False	Project	Role
Project Grafana Viewer	project-grafana-viewer	False	Project	Role
Project NetworkPolicy Admin	project-networkpolicy-admin	False	Project	Role
Project Viewer	project-viewer	False	Project	Role
Project VirtualMachine Admin	project-vm-admin	False	Project	Role
Project VirtualMachine Image Admin	project-vm-image-admin	False	Project	Role
Secret Admin	secret-admin	False	Project	Role
Secret Viewer	secret-viewer	False	Project	Role
Service Configuration Admin	service-configuration-admin	False	Project	Role
Service Configuration Viewer	service-configuration-viewer	False	Project	Role
Workbench Notebooks Admin	workbench-notebooks-admin	False	Project	Role
Volume Replication Admin	app-volume-replication-admin	False	Cluster	Role
Workbench Notebooks Viewer	workbench-notebooks-viewer	False	Project	Role
Workload Viewer	workload-viewer	False	Project	Role

AO persona, predefined identity, and access roles

AO persona
Name	Binding type	Management API server permissions	Kubernetes cluster permissions	Escalates to
Project IAM Admin	RoleBinding	RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, ProjectClusterRole, ProjectRoleBinding, and ProjectClusterRoleBinding: Create, read, update, delete, and bind ProjectServiceAccount: Create, read, update, and delete List project namespace	N/A	All other AO roles
AI OCR Developer	RoleBinding	OCR resources: Read and write	N/A	N/A
AI Speech Developer	RoleBinding	Speech resources: Read and write	N/A	N/A
AI Translation Developer	RoleBinding	Translation resources: Read and write	N/A	N/A
Artifact Management Admin	RoleBinding	HarborProjects: Admin, create, read, write, delete, and view	N/A	N/A
Artifact Management Editor	RoleBinding	HarborProjects: Read, write, and view	N/A	N/A
Certificate Authority Service Admin	RoleBinding	Certificate authorities and certificate requests: Get, list, watch, update, create, delete, and patch	N/A	N/A
Certificate Service Admin	RoleBinding	Certificates and certificate issuers: Get, list, watch, update, create, delete, and patch	N/A	N/A
Dashboard Editor	RoleBinding	Dashboard custom resources: Get, read, create, update, delete, and patch	N/A	N/A
Dashboard Viewer	RoleBinding	Dashboard: Get and read	N/A	N/A
Harbor Instance Admin	RoleBinding	Harbor instances: Create, read, update, delete, and patch	N/A	N/A
Harbor Instance Viewer	RoleBinding	Harbor instances: Read	N/A	N/A
Harbor Project Creator	RoleBinding	Harbor instance projects: Create, get, and watch	N/A	N/A
K8s NetworkPolicy Admin	ProjectRoleBinding	N/A	NetworkPolicy resources: Create, read, get, update, delete, and patch	N/A
Load Balancer Admin	RoleBinding	N/A	Backend: Get, watch, list, create, patch, update, and delete HealthCheck: Get, watch, list, create, patch, update, and delete BackendService: Get, watch, list, create, patch, update, and delete ForwardingRuleExternal: Get, watch, list, create, patch, update, and delete ForwardingRuleInternal: Get, watch, list, create, patch, update, and delete	N/A
LoggingRule Creator	RoleBinding	LoggingRule custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingRule Editor	RoleBinding	LoggingRule custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingRule Viewer	RoleBinding	LoggingRule custom resources: Read	N/A	N/A
LoggingTarget Creator	RoleBinding	LoggingTarget custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingTarget Editor	RoleBinding	LoggingTarget custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingTarget Viewer	RoleBinding	LoggingTarget custom resources: Read	N/A	N/A
MonitoringRule Editor	RoleBinding	MonitoringRule custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringRule Viewer	RoleBinding	MonitoringRule custom resources: Read	N/A	N/A
MonitoringTarget Editor	RoleBinding	MonitoringTarget custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringTarget Viewer	RoleBinding	MonitoringTarget custom resources: Read	N/A	N/A
Namespace Admin	ProjectRoleBinding	N/A	All resources: Read and write access in the project namespace	N/A
NAT Viewer	ProjectRoleBinding	N/A	Deployments: Get and read	N/A
ObservabilityPipeline Editor	RoleBinding	ObservabilityPipeline resources: Get, read, create, update, delete, and patch	N/A	N/A
ObservabilityPipeline Viewer	RoleBinding	ObservabilityPipeline resources: Get and read	N/A	N/A
Project Bucket Admin	RoleBinding	Bucket: Read and write in the project namespace	N/A	N/A
Project Bucket Object Admin	RoleBinding	Bucket: Read Objects: Read and write	N/A	N/A
Project Bucket Object Viewer	RoleBinding	Bucket and objects: Read	N/A	N/A
Project Cortex Alertmanager Editor	RoleBinding	Cortex system and Cortex Alertmanager: Read and write	N/A	N/A
Project Cortex Alertmanager Viewer	RoleBinding	Cortex system and Cortex Alertmanager: Read	N/A	N/A
Project Cortex Prometheus Viewer	RoleBinding	Cortex system and Cortex Prometheus: Read	N/A	N/A
Project Grafana Viewer	RoleBinding	Grafana system and Grafana: Read and write	N/A	N/A
Project NetworkPolicy Admin	RoleBinding	Project network policies: Read and write in the project namespace	N/A	N/A
Project Viewer	RoleBinding	All resources in the project namespace: Read	N/A	N/A
Project VirtualMachine Admin	RoleBinding	Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete Virtual machine restart: Put Virtual machine images, backup plans, and backup plan templates: Read	N/A	N/A
Project VirtualMachine Image Admin	RoleBinding	VM images: Read VM image imports: Read and write Buckets: Create "vm-images-bucket" Bucket: Read and write	N/A	N/A
Secret Admin	RoleBinding	Kubernetes secrets: Read, create, update, delete, and patch	N/A	N/A
Secret Viewer	RoleBinding	Kubernetes secrets: Read	N/A	N/A
Service Configuration Admin	RoleBinding	ServiceConfigurations: Read and write	N/A	N/A
Service Configuration Viewer	RoleBinding	ServiceConfigurations: Read	N/A	N/A
Volume Replication Admin	ClusterRoleBinding	Volume failovers, volume relationship replicas: Create, get, list, watch, delete	N/A	N/A
Workbench Notebooks Admin	RoleBinding	N/A	Notebook custom resources (CR) in the project namespace: Create, read, update, and delete ClusterInfo objects: Read	N/A
Workbench Notebooks Viewer	RoleBinding	N/A	Notebook custom resources (CR) in the project namespace: Read	N/A
Workload Viewer	ProjectRoleBinding	N/A	Pod custom resources in the project namespace: Read Deployment custom resources in the project namespace: Read	N/A

Common predefined identity and access roles

Common roles
Name	Kubernetes resource name	Initial admin	Level	Type
AI Platform Viewer	ai-platform-viewer	False	Project	Role
DNS Suffix Viewer	dnssuffix-viewer	False	Organization	Role
Flow Log Admin	flowlog-admin	False	Organization	ClusterRole
Flow Log Viewer	flowlog-viewer	False	Project	ClusterRole
Project Discovery Viewer	projectdiscovery-viewer	False	Project	ClusterRole
Public Image Viewer	public-image-viewer	False	Organization	Role
System Artifact Registry anthos-creds secret Monitor	sar-anthos-creds-secret-monitor	False	Organization	Role
System Artifact Registry gpc-system secret Monitor	sar-gpc-system-secret-monitor	False	Organization	Role
System Artifact Registry harbor-system secret Monitor	sar-harbor-system-secret-monitor	False	Organization	Role
Virtual Machine Type Viewer	virtualmachinetype-viewer	False	Organization	OrganizationRole
VM Type Viewer	vmtype-viewer	False	Organization	Role

Common predefined identity and access roles

Common roles
Name	Binding type	Admin cluster permissions	Kubernetes cluster permissions	Escalates to
AI Platform Viewer	RoleBinding	Pre-trained services: Read	N/A	N/A
DNS Suffix Viewer	ClusterRoleBinding	DNS suffix config maps: Read	N/A	N/A
Flow Log Admin	ClusterRoleBinding	Flow log resources: Get and read	Flow log resources: Get and read	N/A
Flow Log Viewer	ClusterRoleBinding	Flow log resources: Create, get, read, patch, update, and delete	Flow log resources: Create, get, read, patch, update, and delete	N/A
Project Discovery Viewer	ClusterRoleBinding	Projects: Read	N/A	N/A
Public Image Viewer	RoleBinding	VM images: Read	N/A	N/A
System Artifact Registry anthos-creds secret Monitor	RoleBinding	anthos-creds secrets: Get and read	anthos-creds secrets: Get and read	N/A
System Artifact Registry gpc-system secret Monitor	RoleBinding	gpc-system secrets: Get and read	gpc-system secrets: Get and read	N/A
System Artifact Registry harbor-system secret Monitor	RoleBinding	harbor-system secrets: Get and read	harbor-system secrets: Get and read	N/A
Virtual Machine Type Viewer	OrganizationRoleBinding	N/A	VM types: Read	N/A
VM Type Viewer	ClusterRoleBinding	VM types: Read	N/A	N/A