Application Operator roles
An Application Operator (AO) is a member of the development team within the
Platform Administrator (PA) organization. AOs interact with project-level
resources. You can assign the following predefined roles to team members:
Project IAM Admin: Manages the IAM allow
policies of projects.
AI OCR Developer: Access the Optical Character Recognition service to
detect text in images.
AI Speech Developer: Access the Speech-to-Text service to recognize
speech and transcribe audio.
AI Translation Developer: Access the Vertex AI Translation
service to translate text.
Artifact Management Admin: Has admin access to resources in all Harbor
projects in the project namespace.
Artifact Management Editor: Has read and write access to resources in
all Harbor projects in the project namespace.
Certificate Authority Service Admin: Has access to manage
certificate authorities and certificate requests in their project.
Certificate Service Admin: Has access to manage certificates and
certificate issuers in their project.
Dashboard Editor: Has read and write access on Dashboard custom
resources.
Dashboard Viewer: Has read-only access on Dashboard custom resources.
Harbor Instance Admin: Has full access to manage Harbor instances in a
project.
Harbor Instance Viewer: Has read-only access to view Harbor instances in
a project.
Harbor Project Creator: Has access to manage Harbor instance projects.
K8s Network Policy Admin: Manages network policies in Kubernetes clusters.
LoggingRule Creator: Creates LoggingRule custom resources in the
project namespace.
LoggingRule Editor: Edits LoggingRule custom resources in the
project namespace.
LoggingRule Viewer: Views LoggingRule custom resources in the
project namespace.
LoggingTarget Creator: Creates LoggingTarget custom resources in the
project namespace.
LoggingTarget Editor: Edits LoggingTarget custom resources in the
project namespace.
LoggingTarget Viewer: Views LoggingTarget custom resources in the
project namespace.
Load Balancer Admin: Has read and write permissions on all load balancer
resources in the project namespace.
MonitoringRule Editor: Has read and write access to MonitoringRule
resources.
MonitoringRule Viewer: Has read-only access to MonitoringRule
custom resources.
MonitoringTarget Editor: Has read and write access to MonitoringTarget
custom resources.
MonitoringTarget Viewer: Has read-only access to MonitoringTarget
custom resources.
NAT Viewer: Has read-only access to deployments in Kubernetes clusters.
Namespace Admin: Manages all resources within the project namespace.
ObservabilityPipeline Editor: Has read and write access on
ObservabilityPipeline custom resources.
ObservabilityPipeline Viewer: Has read-only access on
ObservabilityPipeline custom resources.
Project Bucket Admin: Manages the storage buckets and objects within
buckets.
Project Bucket Object Admin: Has read-only access on buckets within a
project, and read-write access on the objects in those buckets.
Project Bucket Object Viewer: Has read-only access on buckets within a
project and the objects in those buckets.
Project Cortex Alertmanager Editor: Grants permissions to edit the
Cortex Alertmanager instance in the project namespace.
Project Cortex Alertmanager Viewer: Grants permissions to access the
Cortex Alertmanager instance in the project namespace.
Project Cortex Prometheus Viewer: Grants permissions to access the
Cortex Prometheus instance in the project namespace.
Project Grafana Viewer: Accesses the Grafana instance in the project
namespace of the fleet admin cluster.
Project NetworkPolicy Admin: Manages the project network policies in
the project namespace.
Project Viewer: Has read-only access to all resources within project
namespaces.
Project VirtualMachine Admin: Manages VMs in the project namespace.
Project VirtualMachine Image Admin: Manages VM images in the project
namespace.
Secret Admin: Manages Kubernetes secrets in projects.
Secret Viewer: Views Kubernetes secrets in projects.
Service Configuration Admin: Has read and write access to service
configurations within a project namespace.
Service Configuration Viewer: Has read access to service configurations
within a project namespace.
Volume Replication Admin: Manages volume replication resources.
Workbench Notebooks Admin: Get read and write access to all notebook resources within a project namespace.
Workbench Notebooks Viewer: Get read-only access to all notebook resources within a project namespace and view the Vertex AI Workbench user interface.
Workload Viewer: Has read access to workloads in a project.
Common roles
The following predefined common roles apply to all authenticated users:
AI Platform Viewer: Grants permissions to view pre-trained services.
DNS Suffix Viewer: Accesses the domain name service (DNS) suffix config map.
Flow Log Admin: Has read and write access to all Flow Log resources.
Flow Log Viewer: Has read-only access to all Flow Log resources.
Project Discovery Viewer: Has read access for all authenticated users to the project view.
Public Image Viewer: Has read access for all authenticated users on the public VM images in the namespace vm-images.
System Artifact Registry anthos-creds secret Monitor: Has read-only access to secrets in the anthos-creds namespace.
System Artifact Registry gpc-system secret Monitor: Has read-only access to secrets in the gpc-system namespace.
System Artifact Registry harbor-system secret Monitor: Has read-only access to secrets in the harbor-system namespace.
Virtual Machine Type Viewer: Has read access to cluster-scoped virtual machine types.
VM Type Viewer: Has read access to the predefined virtual machine types on the admin clusters.
Last updated 2025-09-04 UTC.