Role definitions

The tables in this section describe the predefined roles and their permissions. The tables contain the following columns:

  • Name: The name of the role as displayed in the user interface (UI).
  • Kubernetes resource name: The name of the corresponding Kubernetes resource (the name you reference from a binding).
  • Initial admin: Whether the role is an initial admin role (True or False). In the tables that follow this is True only for Security Admin, Organization IAM Admin, and AI Platform Admin.
  • Level: Whether the role is scoped to the organization or to a project.
  • Type: The type of the role: ClusterRole, Role, ProjectRole, or OrganizationRole (see Role types).
  • Binding type: The type of binding that you must apply to grant this role, for example ClusterRoleBinding, RoleBinding, ProjectRoleBinding, or OrganizationRoleBinding.
  • Management API server permissions and Kubernetes cluster permissions: The permissions that the role grants on the Management API server and on the Kubernetes cluster, respectively. Typical values are read, write, read and write, or not applicable (N/A).
  • Escalates to: Whether holding this role also grants other roles, and which ones.

Role types

  • ClusterRole: a Kubernetes RBAC role at cluster scope in the Management API server or a Kubernetes cluster.
  • Role: a Kubernetes RBAC role at namespace scope in the Management API server or a Kubernetes cluster.
  • ProjectRole: a custom resource that defines permissions and is bound to Kubernetes clusters and namespaces through a ProjectRoleBinding. A ProjectRole propagates to Kubernetes clusters as a Role.
  • OrganizationRole: a custom resource that defines permissions and is bound through an OrganizationRoleBinding. An OrganizationRole propagates to Kubernetes clusters as a ClusterRole.
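Because the tables below tell you, for each predefined role, which binding type to apply and which roles it escalates to, they can be turned into an audit of what is actually bound on the Management API server. The following script is an added example and is not code from the product or from this page: it reads the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` prints, checks every binding's roleRef against a small subset of the catalog (Kubernetes kind of the role, binding type from the "Binding type" column), and reports every subject that holds an initial-admin role directly or through an "Escalates to" edge. Only the Kubernetes RBAC kinds (ClusterRole/Role and their bindings) are covered; the ProjectRoleBinding and OrganizationRoleBinding custom resources would need their own spec, which this page does not describe. The role names and catalog values come from the tables; the `BINDINGS` document is constructed for the example.

```python
"""Audit Kubernetes RBAC bindings against the predefined-role catalog.

Added example; not code from the product or this page. Input is the JSON that
`kubectl get clusterrolebindings,rolebindings -A -o json` prints against the
Management API server. CATALOG values and role names are from the tables on
this page; BINDINGS is a constructed sample in the shape of that output.
"""
from typing import Dict, List, NamedTuple, Set


class CatalogEntry(NamedTuple):
    kind: str                  # Kubernetes kind of the role object (Type column)
    binding: str               # binding type the catalog says to apply
    escalates_to: tuple = ()   # resource names reached through "Escalates to"


# Subset of the tables on this page (Kubernetes resource name -> entry).
# Security Admin escalates to "Org IAM Admin and all other IO roles"; only the
# explicitly named edge is modelled here.
CATALOG: Dict[str, CatalogEntry] = {
    "security-admin":         CatalogEntry("ClusterRole", "ClusterRoleBinding", ("organization-iam-admin",)),
    "organization-iam-admin": CatalogEntry("ClusterRole", "ClusterRoleBinding"),
    "organization-admin":     CatalogEntry("ClusterRole", "ClusterRoleBinding"),
    "security-viewer":        CatalogEntry("ClusterRole", "ClusterRoleBinding"),
    "dns-monitor":            CatalogEntry("ClusterRole", "ClusterRoleBinding"),
    "ais-admin":              CatalogEntry("Role",        "RoleBinding"),
}

# Roles whose holders get reported: initial-admin roles and roles that escalate.
PRIVILEGED: Set[str] = {"security-admin", "organization-iam-admin", "organization-admin"}

# Constructed sample in the shape of `kubectl ... -o json` output (a v1 List).
BINDINGS = {"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "bootstrap-security-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "security-admin"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dns-oncall", "namespace": "dns-system"},
     "roleRef": {"kind": "ClusterRole", "name": "dns-monitor"},
     "subjects": [{"kind": "Group", "name": "dns-oncall"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ais-admins", "namespace": "iam-system"},
     "roleRef": {"kind": "Role", "name": "ais-admin"},
     "subjects": [{"kind": "User", "name": "bob@example.com"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "legacy-superuser"},
     "roleRef": {"kind": "ClusterRole", "name": "org-superuser"},
     "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "default"}]},
]}


def effective_roles(role: str, catalog: Dict[str, CatalogEntry]) -> Set[str]:
    """Transitive closure of one role over the catalog's 'Escalates to' edges."""
    seen: Set[str] = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        if r in catalog:
            stack.extend(catalog[r].escalates_to)
    return seen


def audit(doc: dict, catalog: Dict[str, CatalogEntry]) -> List[dict]:
    """One finding per problem: binding type or roleRef kind that differs from
    the catalog, a roleRef the catalog does not list, or a subject that holds a
    privileged role directly or through escalation."""
    findings: List[dict] = []
    for item in doc["items"]:
        kind, ref = item["kind"], item["roleRef"]
        ns = item["metadata"].get("namespace")
        where = f"{kind}/{item['metadata']['name']}" + (f" in {ns}" if ns else "")
        entry = catalog.get(ref["name"])
        if entry is None:
            findings.append({"binding": where, "role": ref["name"], "issue": "role not in catalog"})
            continue
        if kind != entry.binding:
            # A ClusterRole granted through a RoleBinding is scoped to that one
            # namespace, which is not how the catalog says to bind this role.
            findings.append({"binding": where, "role": ref["name"],
                             "issue": f"bound with {kind}, catalog says {entry.binding}"})
        if ref["kind"] != entry.kind:
            findings.append({"binding": where, "role": ref["name"],
                             "issue": f"roleRef kind {ref['kind']}, catalog says {entry.kind}"})
        reach = effective_roles(ref["name"], catalog) & PRIVILEGED
        for subj in item.get("subjects", []):
            for priv in sorted(reach):
                via = "" if priv == ref["name"] else f" via {ref['name']}"
                findings.append({"binding": where, "role": ref["name"],
                                 "subject": f"{subj['kind']}:{subj['name']}",
                                 "issue": f"holds privileged role {priv}{via}"})
    return findings


if __name__ == "__main__":
    for finding in audit(BINDINGS, CATALOG):
        print(finding)
```

To run it against a real server, dump the bindings with `kubectl get clusterrolebindings,rolebindings -A -o json > bindings.json` and pass `json.load(open("bindings.json"))` to `audit` in place of `BINDINGS`; extend `CATALOG` from the tables below as needed. The escalation closure is the part worth keeping even if you drop the rest: a subject that appears only under security-admin in the binding dump is also an Org IAM Admin by this page's own "Escalates to" column, and a review of who can administer IAM has to count them.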

Predefined identity and access roles tables

The following tables provide details about the permissions assigned to each predefined role. There are separate tables for each persona:

IO Persona, predefined identity and access roles

IO persona

Name | Kubernetes resource name | Initial admin | Level | Type
Security Admin | security-admin | True | Organization | ClusterRole
APPLSTOR debugger | applstor-debugger | False | Organization | ClusterRole
APPLSTOR monitor | applstor-monitor | False | Organization | ClusterRole
APPLSTOR secret rotator | applstor-secret-rotator | False | Organization | Role
AuditLoggingTarget IO Creator | auditloggingtarget-io-creator | False | Organization | ClusterRole
AuditLoggingTarget IO Viewer | auditloggingtarget-io-viewer | False | Organization | ClusterRole
AuditLoggingTarget IO Editor | auditloggingtarget-io-editor | False | Organization | ClusterRole
Audit Logs Backup Restore Editor | audit-logs-backup-restore-editor | False | Organization | ClusterRole
Audit Logs Infra Bucket Viewer | audit-logs-infra-bucket-viewer | False | Organization | ClusterRole
AIS Admin | ais-admin | False | Organization | Role
AIS Debugger | ais-debugger | False | Organization | Role
AIS Monitor | ais-monitor | False | Organization | Role
AuthzPDP Debugger | authzpdp-debugger | False | Organization | Role
Cert Manager System Cluster Debugger | platauth-cert-manager-system-debugger | False | Organization | OrganizationRole
Dashboard Creator | dashboard-creator | False | Organization | ClusterRole
Dashboard IO Creator | dashboard-io-creator | False | Organization | ClusterRole
Dashboard IO Editor | dashboard-io-editor | False | Organization | ClusterRole
Dashboard IO Viewer | dashboard-io-viewer | False | Organization | ClusterRole
Debugging AuditLoggingTarget custom resource | auditloggingtarget-monitor | False | Project | Role
DNS Admin | dns-admin | False | Organization | ClusterRole
DNS Debugger | dns-debugger-root | False | Organization | ClusterRole
DNS Monitor | dns-monitor | False | Organization | ClusterRole
DNS Suffix Viewer | dnssuffix-viewer | False | Organization | ClusterRole
Emergency SSH Creds Admin | emergencysshcreds-admin | False | Organization | Role
FluentBit IO Creator | fluentbit-io-creator | False | Organization | ClusterRole
FluentBit IO Viewer | fluentbit-io-viewer | False | Organization | ClusterRole
FluentBit IO Editor | fluentbit-io-editor | False | Organization | ClusterRole
Gatekeeper Admin | gatekeeper-admin | False | Organization | Role
Grafana Viewer | grafana-viewer | False | Organization | ClusterRole
Grafana Debugger | grafana-debugger | False | Project | ProjectRole
Hardware Admin | hardware-admin | False | Organization | ClusterRole
HWDR Admin | hardware-dr-admin | False | Organization | ClusterRole
HWDR Viewer | hwdr-viewer | False | Organization | ClusterRole
Infra PKI Debugger | platauth-infra-pki-debugger | False | Project | Role
Interconnect Admin | interconnect-admin-cp | False | Organization | ClusterRole
Kiali Admin | kiali-admin | False | Organization | ClusterRole
KUB IPAM Debugger | kub-ipam-debugger | False | Organization | ClusterRole
KUB Monitor | kub-monitor | False | Organization | ClusterRole
LogCollector IO Creator | logcollector-io-creator | False | Organization | ClusterRole
LogCollector IO Viewer | logcollector-io-viewer | False | Organization | ClusterRole
LogCollector IO Editor | logcollector-io-editor | False | Organization | ClusterRole
LoggingRule IO Creator | loggingrule-io-creator | False | Organization | ClusterRole
LoggingRule IO Viewer | loggingrule-io-viewer | False | Organization | ClusterRole
LoggingRule IO Editor | loggingrule-io-editor | False | Organization | ClusterRole
LoggingTarget IO Creator | loggingtarget-io-creator | False | Organization | ClusterRole
LoggingTarget IO Viewer | loggingtarget-io-viewer | False | Organization | ClusterRole
LoggingTarget IO Editor | loggingtarget-io-editor | False | Organization | ClusterRole
Log Query API Querier | log-query-api-querier | False | Project | Role
MonitoringRule IO Creator | monitoringrule-io-creator | False | Organization | ClusterRole
MonitoringRule IO Viewer | monitoringrule-io-viewer | False | Organization | ClusterRole
MonitoringRule IO Editor | monitoringrule-io-editor | False | Organization | ClusterRole
MonitoringTarget Creator | monitoringtarget-creator | False | Organization | ClusterRole
MonitoringTarget IO Creator | monitoringtarget-io-creator | False | Organization | ClusterRole
MonitoringTarget IO Viewer | monitoringtarget-io-viewer | False | Organization | ClusterRole
MonitoringTarget IO Editor | monitoringtarget-io-editor | False | Organization | ClusterRole
ObservabilityPipeline IO Creator | observabilitypipeline-io-creator | False | Organization | ClusterRole
ObservabilityPipeline IO Viewer | observabilitypipeline-io-viewer | False | Organization | ClusterRole
ObservabilityPipeline IO Editor | observabilitypipeline-io-editor | False | Organization | ClusterRole
Observability Admin | observability-admin | False | Organization | Role
Observability Debugger | observability-debugger | False | Organization | OrganizationRole
Observability System Debugger | observability-system-debugger | False | Organization | OrganizationRole
Observability Viewer | observability-viewer | False | Organization | Role
OCLCM Debugger | oclcm-debugger-root | False | Organization | ClusterRole
OCLCM Viewer | oclcm-viewer-root | False | Organization | ClusterRole
Organization Admin | organization-admin | False | Organization | ClusterRole
Organization System Artifact Management Admin | organization-system-artifact-management-admin | False | Organization | Role
Organization System Artifact Management Debugger | organization-system-artifact-management-debugger | False | Organization | ClusterRole
PERF Admin Monitor | perf-admin-monitor | False | Organization | Role
PERF Admin Resource Maintainer | perf-admin-resource-maintainer | False | Project | Role
PERF Debugger | perf-debugger | False | Project | ProjectRole
PERF System Monitor | perf-system-monitor | False | Project | ProjectRole
PERF System Resource Maintainer | perf-system-resource-maintainer | False | Project | ProjectRole
PNET Debugger | pnet-debugger | False | Organization | ClusterRole
PNET Monitor | pnet-monitor | False | Organization | ClusterRole
PNET Secret Debugger | pnet-secret-debugger | False | Organization | Role
PSPF Debugger | pspf-debugger | False | Organization | Role
PSPF Monitor | pspf-monitor | False | Organization | Role
Policy Admin | policy-admin | False | Organization | ClusterRole
Remote Logger Admin | remote-logger-admin | False | Organization | Role
Remote Logger Viewer | remote-logger-viewer | False | Organization | Role
Root Cortex Alertmanager Editor | root-cortex-alertmanager-editor | False | Organization | Role
Root Cortex Alertmanager Viewer | root-cortex-alertmanager-viewer | False | Organization | Role
Root Cortex Prometheus Viewer | root-cortex-prometheus-viewer | False | Organization | Role
Root Session Admin | root-session-admin | False | Organization | Role
Security Viewer | security-viewer | False | Organization | ClusterRole
Service Now Admin | service-now-admin | False | Project | Role
Service Now Admin | service-now-admin | False | Project | ProjectRole
SSH Infra Debugger | platauth-ssh-infra-debugger | False | Project | ProjectRole
System Artifact Management Admin | system-artifact-management-admin | False | Organization | Role
System Artifact Management Secrets Admin | system-artifact-management-secrets-admin | False | Organization | Role
System Artifact Registry Harbor Admin | sar-harbor-admin | False | Organization | Role
System Artifact Registry Harbor Read | sar-harbor-read | False | Organization | Role
System Artifact Registry Harbor ReadWrite | sar-harbor-readwrite | False | Organization | Role
System Artifact Registry Debugger | sar-debugger-root | False | Organization | ClusterRole
System Artifact Registry Monitor | sar-monitor (org infra cluster); sar-monitor-root (root admin cluster) | False | Organization | ClusterRole
System Cluster Admin | system-cluster-admin | False | Organization | OrganizationRole
System Cluster DNS Debugger | system-cluster-dns-debugger | False | Organization | OrganizationRole
System Cluster UNET Debugger | system-cluster-unet-debugger | False | Organization | OrganizationRole
System Cluster UNET Monitor | system-cluster-unet-monitor | False | Organization | OrganizationRole
System Cluster Viewer | system-cluster-viewer | False | Organization | OrganizationRole
System Project VirtualMachine Admin | system-project-vm-admin | False | Role | Role
Tenable Nessus Admin | tenable-nessus-admin | False | Project | Role
Tenable Nessus Admin | tenable-nessus-system-admin | False | Project | ProjectRole
Transfer Appliance Request Admin | transfer-appliance-request-admin | False | Organization | ClusterRole
Trust Bundle Root Monitor | transfer-appliance-request-admin | False | Organization | Role
UI Debugger | ui-debugger | False | Organization | ClusterRole
UNET CLI Org Admin Monitor | unet-cli-org-admin-monitor | False | Organization | ClusterRole
UNET CLI Root Admin Monitor | unet-cli-root-admin-monitor | False | Organization | ClusterRole
UNET CLI System Monitor | unet-cli-system-monitor | False | Organization | OrganizationRole
UNET CLI User Monitor | unet-cli-user-monitor | False | Organization | OrganizationRole
Upgrade Appliance Admin | upgrade-admin-te | False | Organization | ClusterRole
Upgrade Debugger | upgrade-debugger | False | Organization | OrganizationRole
User Cluster DNS Debugger | user-cluster-dns-debugger | False | Organization | OrganizationRole
User Cluster Debugger | user-cluster-debugger | False | Organization | OrganizationRole
User Cluster UNET Debugger | user-cluster-unet-debugger | False | Organization | OrganizationRole
User Cluster UNET Monitor | user-cluster-unet-monitor | False | Organization | OrganizationRole
VAISEARCH Secret Rotator | vaisearch-secret-rotator | False | Project | ProjectRole
VPN Debugger For Management Plane API server | vpn-debugger | False | Project | Role
Web TLS Certificate Debugger | platauth-web-tls-cert-debugger | False | Project | Role

IO persona, predefined identity and access roles

IO persona

Name | Binding type | Management API server permissions | Kubernetes cluster permissions | Escalates to
Security Admin | ClusterRoleBinding | RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, OrganizationClusterRole, ProjectRoleBinding, and OrganizationRoleBinding: Create, read, update, and delete; GKE Identity Service custom resources (CR): Read and write | N/A | Org IAM Admin and all other IO roles
AIS Admin | RoleBinding | GKE Identity Service pods and deployments: Read and write; AIS encryption secret: Delete | N/A | N/A
AIS Debugger | RoleBinding | AIS resources: Create, read, update, delete, and patch | N/A | N/A
AIS Monitor | RoleBinding | AIS resources in the iam-system namespace: Read and write | N/A | N/A
APPLSTOR debugger | ClusterRoleBinding | Namespaces, secrets, service accounts: Get, list; Buckets, bucket groups: Read and write; External HSM: Read and write | N/A | N/A
APPLSTOR monitor | ClusterRoleBinding | asmconfigs: Get, list | N/A | N/A
APPLSTOR secret rotator | RoleBinding | Object storage secrets: Get, patch | N/A | N/A
AuditLoggingTarget IO Creator | ClusterRoleBinding | AuditLoggingTarget custom resources: Read and write | N/A | N/A
AuditLoggingTarget IO Editor | ClusterRoleBinding | AuditLoggingTarget custom resources: Read and write | N/A | N/A
AuditLoggingTarget IO Viewer | ClusterRoleBinding | AuditLoggingTarget custom resources: Read | N/A | N/A
Audit Logs Backup Restore Editor | ClusterRoleBinding | Backup buckets: Read and write | N/A | N/A
Audit Logs Infra Bucket Viewer | ClusterRoleBinding | Backup buckets: Read | N/A | N/A
Dashboard Creator | ClusterRoleBinding | Dashboard custom resources: Get, list, watch, create | N/A | N/A
Dashboard IO Creator | ClusterRoleBinding | Dashboard custom resources: Read and write | N/A | N/A
AuthzPDP Debugger | RoleBinding | AuthzPDP service: Read and update; DNS deployments: Read, patch, and update | N/A | N/A
Cert Manager System Cluster Debugger | OrganizationRoleBinding | Certificates, certificate requests, issuers, cluster issuers, challenges, orders: Get, list, watch, update, patch, delete, and create | N/A | N/A
Dashboard IO Editor | ClusterRoleBinding | Dashboard custom resources: Read and write | N/A | N/A
Dashboard IO Viewer | ClusterRoleBinding | Dashboard custom resources: Read | N/A | N/A
Debugging AuditLoggingTarget custom resource | RoleBinding | DNS registrations: Get, list; Audit logging targets: Get, list, update, delete, patch | N/A | N/A
DNS Admin | ClusterRoleBinding | DNS files and security keys: Create, read, update, and delete; DNSRegistration custom resources (CR): Create, read, and update; DNS services and resolver: Read and update | N/A | N/A
DNS Debugger | ClusterRoleBinding | Configmaps and secrets: Create, read, and delete; DNS registrations: Create and read; Services: Read and update; Deployments and deployment logs: Read, patch, and update; Pods: Create and read; Pod logs: Read | N/A | N/A
DNS Monitor | ClusterRoleBinding | N/A | Configmaps, secrets, DNS Registration API, DNS services, DNS deployments: Read | N/A
DNS Suffix Viewer | ClusterRoleBinding | N/A | DNS suffix configmap: Read | N/A
Emergency SSH Creds Admin | RoleBinding | N/A | EmergencySshCredentials: Create, read, and patch | N/A
FluentBit IO Creator | ClusterRoleBinding | FluentBit custom resources: Read and write | N/A | N/A
FluentBit IO Editor | ClusterRoleBinding | FluentBit custom resources: Read and write | N/A | N/A
FluentBit IO Viewer | ClusterRoleBinding | FluentBit custom resources: Read | N/A | N/A
Gatekeeper Admin | RoleBinding | Deployments: Read and patch; Secrets: Read, patch, and update | N/A | N/A
Grafana Debugger | ProjectRoleBinding | Apps, deployments, stateful sets, and pods: Read, update, delete, and patch | Apps, deployments, stateful sets, and pods: Read, update, delete, and patch | N/A
Grafana Viewer | RoleBinding | GrafanaSystem and Grafana: Read and write | N/A | N/A
Hardware Admin | ClusterRoleBinding | Hardware-related CRD: Read and write | N/A | N/A
HWDR Admin | ClusterRoleBinding | HWDR devices: Read and delete; Backup plans, pods, logs: Read | N/A | N/A
HWDR Viewer | ClusterRoleBinding | N/A | Backup plans: Read | N/A
Infra PKI Debugger | RoleBinding | N/A | PKI certificate issuers and certificate authorities: Get, list, watch, create, update, delete, patch; PKI secrets: Get, list | N/A
Interconnect Admin | ClusterRoleBinding | N/A | Interconnect attachments and attachment groups: Get, list, watch, create, update, delete, patch | N/A
Kiali Admin | RoleBinding | N/A | Istio authorization: Read and write | N/A
KUB IPAM Debugger | ClusterRoleBinding | IPAM resources: Read and write | N/A | N/A
KUB Monitor | ClusterRoleBinding | KUB resources: Read | N/A | N/A
LogCollector IO Creator | ClusterRoleBinding | LogCollector custom resources: Read and write | N/A | N/A
LogCollector IO Editor | ClusterRoleBinding | LogCollector custom resources: Read and write | N/A | N/A
LogCollector IO Viewer | ClusterRoleBinding | LogCollector custom resources: Read | N/A | N/A
LoggingRule IO Creator | ClusterRoleBinding | LoggingRule custom resources: Read and write | N/A | N/A
LoggingRule IO Editor | ClusterRoleBinding | LoggingRule custom resources: Read and write | N/A | N/A
LoggingRule IO Viewer | ClusterRoleBinding | LoggingRule custom resources: Read | N/A | N/A
LoggingTarget IO Creator | ClusterRoleBinding | LoggingTarget custom resources: Read and write | N/A | N/A
LoggingTarget IO Editor | ClusterRoleBinding | LoggingTarget custom resources: Read and write | N/A | N/A
LoggingTarget IO Viewer | ClusterRoleBinding | LoggingTarget custom resources: Read | N/A | N/A
Log Query API Querier | ClusterRoleBinding | Log Query API project logs: Read | N/A | N/A
MonitoringRule IO Creator | ClusterRoleBinding | MonitoringRule custom resources: Read and write | N/A | N/A
MonitoringRule IO Editor | ClusterRoleBinding | MonitoringRule custom resources: Read and write | N/A | N/A
MonitoringRule IO Viewer | ClusterRoleBinding | MonitoringRule custom resources: Read | N/A | N/A
MonitoringTarget Creator | ClusterRoleBinding | MonitoringTarget custom resources: Get, list, watch, create | N/A | N/A
MonitoringTarget IO Creator | ClusterRoleBinding | MonitoringTarget custom resources: Read and write | N/A | N/A
MonitoringTarget IO Editor | ClusterRoleBinding | MonitoringTarget custom resources: Read and write | N/A | N/A
MonitoringTarget IO Viewer | ClusterRoleBinding | MonitoringTarget custom resources: Read | N/A | N/A
ObservabilityPipeline IO Creator | ClusterRoleBinding | ObservabilityPipeline custom resources: Read and write | N/A | N/A
ObservabilityPipeline IO Editor | ClusterRoleBinding | ObservabilityPipeline custom resources: Read and write | N/A | N/A
ObservabilityPipeline IO Viewer | ClusterRoleBinding | ObservabilityPipeline custom resources: Read | N/A | N/A
Observability Admin | RoleBinding | obs-system namespace: Read; Anthos audit logs forwarder and Anthos log forwarder: Update, patch, and delete | obs-system namespace: Read; audit-logs-loki, loki, cortex, anthos-audit-logs-forwarder, anthos-log-forwarder: Update, patch, and delete | N/A
Observability Debugger | OrganizationRoleBinding | Deployments, stateful sets, daemon sets, secrets, configmaps: Read, create, delete, patch, and update; Certificates: Read | N/A | N/A
Observability System Debugger | OrganizationRoleBinding | Deployments, stateful sets, daemon sets, secrets, configmaps: Read, create, delete, patch, and update; Certificates: Read | N/A | N/A
Observability Viewer | RoleBinding | obs-system namespace: Read | obs-system namespace: Read | N/A
OCLCM Debugger | ClusterRoleBinding | oclcm-debugger: Components: Create and read; Component rollouts and subcomponents: Read, patch, and update; Subcomponent overrides: Create, read, update, and patch | oclcm-debugger-root: Components: Create and read; Component rollouts and subcomponents: Read, patch, and update; Subcomponent overrides: Create, read, update, and patch | N/A
OCLCM Viewer | ClusterRoleBinding | oclcm-viewer: Components, component rollouts, subcomponents, and subcomponent overrides: Read | oclcm-viewer-root: Components, component rollouts, subcomponents, and subcomponent overrides: Read | N/A
Organization Admin | ClusterRoleBinding | Organization custom resources (CR): Read and write; Organization upgrade and release metadata: Read | N/A | N/A
Organization System Artifact Management Admin | RoleBinding | Harbor projects: Admin, read, write, view, create, and delete; Harbor user credentials: Read, create, and delete | N/A | N/A
PERF Admin Monitor | RoleBinding | PERF buckets, service accounts, and secrets: Read | N/A | N/A
PERF Admin Resource Maintainer | RoleBinding | Virtual machine resources, buckets, roles, rolebindings, project service accounts, and KMS keys: Read and delete; Service accounts and secrets: Read | N/A | N/A
PERF Debugger | ProjectRoleBinding | Jobs: Create, read, and delete; CronJobs and ConfigMap: Create, read, patch, and delete | N/A | N/A
PERF System Monitor | ProjectRoleBinding | Pods, configmaps, cron jobs: Read | N/A | N/A
PERF System Resource Maintainer | ProjectRoleBinding | Services and service accounts: Read and delete; Jobs and cron jobs: Read | N/A | N/A
PNET Debugger | ClusterRoleBinding | N/A | PNET deployments and deployment logs: Read, patch, and update; Pods, pod logs, subnet claims, and switches: Read | N/A
PNET Monitor | ClusterRoleBinding | N/A | PNET deployments, deployment logs, pods, pod logs, subnet claims, and switches: Read | N/A
PNET Secret Debugger | RoleBinding | N/A | PNET secrets: Get, list, watch, create, update, patch, delete | N/A
PSPF Debugger | RoleBinding | N/A | PSPF deployments: Get, list, watch, create, update, patch, delete; PSPF deployment logs, pods, pod logs: Get, list, watch | N/A
PSPF Monitor | RoleBinding | N/A | PSPF deployment logs, pods, pod logs: Get, list, watch | N/A
Policy Admin | ClusterRoleBinding | Constraints: Create, edit, and delete | N/A | N/A
Remote Logger Admin | RoleBinding | Deployments: Read, update, patch, and delete | Deployments: Read, update, patch, and delete | N/A
Remote Logger Viewer | RoleBinding | Deployments: Read | Deployments: Read | N/A
Root Cortex Alertmanager Editor | RoleBinding | N/A | Cortex Alertmanager, logging rules, and monitoring rules custom resources: Create, delete, read, patch, and update | N/A
Root Cortex Alertmanager Viewer | RoleBinding | N/A | Cortex Alertmanager, logging rules, and monitoring rules custom resources: Read | N/A
Root Cortex Prometheus Viewer | RoleBinding | N/A | Cortex system and Cortex Prometheus: Read | N/A
Root Session Admin | RoleBinding | N/A | Istio resource manager: Create, read, update, delete, and patch | N/A
Security Viewer | ClusterRoleBinding | RoleBinding and ClusterRoleBinding: Read; Role and ClusterRole: Read; GKE Identity Service custom resources (CR): Read | N/A | N/A
Service Now Admin | RoleBinding | Dnsregistrations, Projectnetworkpolicies, Virtualservices, Envoyfilters, Destinationrules, Monitoringtargets, Monitoringrules, and Dashboards: Read and write | N/A | N/A
Service Now Admin | ProjectRoleBinding | N/A | Services, configmaps, pod logs, and secrets: Read and write | N/A
SSH Infra Debugger | ProjectRoleBinding | N/A | SSH secrets: Get, list, watch, patch, update, create, delete | N/A
System Artifact Management Admin | RoleBinding | HarborProjects: Admin, create, read, write, delete, and view | Harbor projects and user credentials: Create, delete, and read; HarborProjects: Admin, read, write; Distribute artifacts: Create, delete, update, and read; image-label-map configmap: Create, delete, update, and read; Servers, trust store configmaps: Read | N/A
System Artifact Management Secrets Admin | RoleBinding | N/A | In-cluster registry: Read; Upgrade registry mirror: Create, read, update, and delete | N/A
System Artifact Registry Harbor Admin | RoleBinding | Harbor projects: Create, read, update, patch, and delete | Harbor projects: Create, read, update, patch, and delete | N/A
System Artifact Registry Harbor Read | RoleBinding | N/A | Harbor projects: Read | N/A
System Artifact Registry Harbor ReadWrite | RoleBinding | N/A | Harbor projects: Create, read, and write | N/A
System Artifact Registry Debugger | ClusterRoleBinding | N/A | Harbor clusters, secrets, distribution policies, manual distribution, and configmaps: Create, read, update, patch, and delete; PVCs, pods, and Harbor robot accounts: Create, read, and delete; Release metadata, organizations, database clusters, Harbor projects, certificates, servers, and clusters: Read; Database and CRDs: Read and delete; Deployments: Read, update, patch, and delete; Persistent volumes: Read, update, and patch | N/A
System Artifact Registry Monitor | ClusterRoleBinding | N/A | Harbor clusters, secrets, and CRDs: Read | N/A
System Cluster Admin | OrganizationRoleBinding | N/A | System cluster: Create, delete, update, and read | N/A
System Cluster DNS Debugger | OrganizationRoleBinding | N/A | Deployments and deployment logs: Read; Pods: Create and read | N/A
System Cluster UNET Debugger | OrganizationRoleBinding | Configmaps: Get, create, and update; Deployments, deployment logs, daemon sets, and daemon set logs: Get, patch, and update; Pods and pod logs: Get, read, create, and delete; Services, network policies, and Cilium: Get, read, create, update, and delete; Flow logs and flow logs status: Get, read, create, patch, update, and delete | N/A | N/A
System Cluster UNET Monitor | OrganizationRoleBinding | Projects, project network policies, configmaps, secrets, certificates, bundles, deployments, daemon sets, stateful sets, pods, pod logs, services, endpoints, endpoint slices, network policies, network loggings, networks, network interfaces, networking, virtual machines, virtual machine instances, cluster CIDR configs, flow logs, flow logs status, BGP peers, BGP advertised routes, BGP received routes, BGP sessions, BGP load balancers, egress NAT policies, network gateway groups, network gateway nodes, flat IP modes, multi-cluster connectivity configs, VPN tunnels, traffic steerings, configmap forwarders, secret forwarders, health checks, node pool claims, node pools, and AddOn configurations: Get and read | N/A | N/A
System Cluster Viewer | OrganizationRoleBinding | N/A | System cluster: Read and write | N/A
Tenable Nessus Admin | RoleBinding | Networking components for managing Nessus: Read and write | N/A | N/A
Tenable Nessus Admin | ProjectRoleBinding | Networking components for managing Nessus: Read and write | N/A | N/A
Transfer Appliance Request Admin | ClusterRoleBinding | Transferappliancerequests: Read and write | N/A | N/A
Trust Bundle Root Monitor | RoleBinding | Config maps: Get, list, watch | N/A | N/A
UI Debugger | ClusterRoleBinding | Backend UI server: Read, patch, update | N/A | N/A
UNET CLI Org Admin Monitor | ClusterRoleBinding | Networking resources, secrets, configmaps, Cilium endpoints, VMs, VM runtimes, clusters, and namespaces: Read; Pods: Read and create | N/A | N/A
UNET CLI Root Admin Monitor | ClusterRoleBinding | N/A | Networking resources, secrets, configmaps, Cilium endpoints, and namespaces: Read; Pods: Read and create | N/A
UNET CLI System Monitor | OrganizationRoleBinding | N/A | Networking resources, secrets, configmaps, Cilium endpoints, VMs, VM runtimes, deployments, clusters, namespaces, CRDs: Read; Pods: Read and create | N/A
UNET CLI User Monitor | OrganizationRoleBinding | N/A | Networking resources, secrets, configmaps, Cilium endpoints, virtual machines (VM), VM runtimes, deployments, clusters, namespaces, CRDs: Read; Pods: Read and create | N/A
Upgrade Appliance Admin | ClusterRoleBinding | SubcomponentOverrides: Get, list, create, update, and patch | Organization: Get, list, update, patch, and watch; OrganizationUpgrade: Get | N/A
Upgrade Debugger | OrganizationRoleBinding | N/A | Upgrade resources: Create, read, update, delete, and patch; Harbor projects: Harbor-admin | N/A
User Cluster DNS Debugger | OrganizationRoleBinding | N/A | Deployments, deployment logs, pods, pod logs: Read; Pods: Create | N/A
User Cluster Debugger | OrganizationRoleBinding | N/A | User clusters: Get, read, create, update, patch, and delete | N/A
User Cluster UNET Debugger | OrganizationRoleBinding | N/A | Configmaps: Get, update, and read; Deployments, deployment logs, daemon sets, and daemon set logs: Get, read, patch, and update; Pods and pod logs: Get, read, create, and delete; Services, Cilium, and network policies: Get, read, create, update, and delete; Flow logs and flow logs status: Get, read, create, patch, update, and delete | N/A
User Cluster UNET Monitor | OrganizationRoleBinding | N/A | Projects, project network policies, configmaps, secrets, certificates, certificate issuers, bundles, deployments, daemon sets, stateful sets, pods, pod logs, services, endpoints, endpoint slices, network policies, network loggings, Cilium, networks, network interfaces, virtual machines, virtual machine instances, networking, cluster CIDR configs, flat IP modes, configmap forwarders, secret forwarders, health checks, node pool claims, node pools, AddOn configurations, flow logs, flow logs status, BGP peers, BGP advertised routes, BGP received routes, BGP sessions, BGP load balancers, egress NAT policies, network gateway groups, network gateway nodes, multi-cluster connectivity configs, VPN tunnels, and traffic steerings: Get and read | N/A
VAISEARCH Secret Rotator | ProjectRoleBinding | N/A | Vertex AI Search secrets: Get, list, watch, delete | N/A
VPN Debugger For Management Plane API server | RoleBinding | N/A | VPNGateway, PeerGateway, VPNBGPPeer, VPNTunnel: Create, read, write | N/A
VPN Debugger For Perimeter Cluster | RoleBinding | N/A | NetworkGatewayNodes, NetworkGatewayGroups, BGPAdvertisedRoutes, BGPReceivedRoutes, BGPPeers, BGPSessions, VPNTunnels, TrafficSteering: Create, read, write | N/A
Web TLS Certificate Debugger | RoleBinding | N/A | Secrets and PKI certificates: Get, list, watch, update, patch, create, delete | N/A

PA Persona, predefined identity and access roles

PA persona

Name | Kubernetes resource name | Initial admin | Level | Type
Organization IAM Admin | organization-iam-admin | True | Organization | ClusterRole
AI Platform Admin | ai-platform-admin | True | Organization | ClusterRole
Audit Logs Platform Restore Bucket Creator | audit-logs-platform-restore-bucket-creator | False | Organization | Role
Audit Logs Platform Bucket Viewer | audit-logs-platform-bucket-viewer | False | Organization | Role
Bucket Admin | bucket-admin | False | Organization | ClusterRole
Bucket Object Admin | bucket-object-admin | False | Organization | ClusterRole
Bucket Object Viewer | bucket-object-viewer | False | Organization | ClusterRole
Bucket Admin | global-bucket-admin | False | Organization | ClusterRole
Bucket Object Admin | global-bucket-object-admin | False | Organization | ClusterRole
Bucket Object Viewer | global-bucket-object-viewer | False | Organization | ClusterRole
Dashboard PA Creator | dashboard-pa-creator | False | Organization | ClusterRole
Dashboard PA Editor | dashboard-pa-editor | False | Organization | ClusterRole
Dashboard PA Viewer | dashboard-pa-viewer | False | Organization | ClusterRole
Flow Log Admin | flowlog-admin | False | Organization | ClusterRole
Flow Log Viewer | flowlog-viewer | False | Organization | ClusterRole
GDCH Restrict By Attributes Policy Admin | gdchrestrictbyattributes-policy-admin | False | Organization | ClusterRole
GDCH Restricted Service Policy Admin | gdchrestrictedservice-policy-admin | False | Organization | ClusterRole
IdP Federation Admin | idp-federation-admin | False | Organization | Role
Infra PKI Admin | infra-pki-admin | False | Project | Role
Interconnect Admin | interconnect-admin-mp | False | Organization | ClusterRole
Log Query API Querier | log-query-api-querier | False | Project | Role
LoggingRule PA Creator | loggingrule-pa-creator | False | Organization | ClusterRole
LoggingRule PA Viewer | loggingrule-pa-viewer | False | Organization | ClusterRole
LoggingRule PA Editor | loggingrule-pa-editor | False | Organization | ClusterRole
LoggingTarget PA Creator | loggingtarget-pa-creator | False | Organization | ClusterRole
LoggingTarget PA Viewer | loggingtarget-pa-viewer | False | Organization | ClusterRole
LoggingTarget PA Editor | loggingtarget-pa-editor | False | Organization | ClusterRole
MonitoringRule PA Creator | monitoringrule-pa-creator | False | Organization | ClusterRole
MonitoringRule PA Viewer | monitoringrule-pa-viewer | False | Organization | ClusterRole
MonitoringRule PA Editor | monitoringrule-pa-editor | False | Organization | ClusterRole
MonitoringTarget PA Creator | monitoringtarget-pa-creator | False | Organization | ClusterRole
MonitoringTarget PA Viewer | monitoringtarget-pa-viewer | False | Organization | ClusterRole
MonitoringTarget PA Editor | monitoringtarget-pa-editor | False | Organization | ClusterRole
MP OCLCM Debugger | mp-oclcm-debugger | False | Organization | ClusterRole
MP OCLCM Viewer | mp-oclcm-viewer | False | Organization | ClusterRole
ObservabilityPipeline PA Creator | observabilitypipeline-pa-creator | False | Organization | ClusterRole
ObservabilityPipeline PA Viewer | observabilitypipeline-pa-viewer | False | Organization | ClusterRole
ObservabilityPipeline PA Editor | observabilitypipeline-pa-editor | False | Organization | ClusterRole
Org Network Policy Admin | org-network-policy-admin | False | Organization | Role
Org Session Admin | org-session-admin | False | Organization | Role
Organization Grafana Viewer | organization-grafana-viewer | False | Organization | ClusterRole
Organization IAM Viewer | organization-iam-viewer | False | Organization | ClusterRole
Organization Upgrade Admin | organization-upgrade-admin | False | Organization | ClusterRole
Organization Upgrade Viewer | organization-upgrade-viewer | False | Organization | ClusterRole
Project Bucket Admin | global-project-bucket-admin | False | Organization | Project
Project Bucket Object Admin | project-bucket-object-admin | False | Organization | Project
Project Bucket Object Viewer | global-project-bucket-object-viewer | False | Organization | Project
Project Creator | project-creator | False | Organization | ClusterRole
Project Editor | project-editor | False | Organization | ClusterRole
SIEM Export Org Creator | siemexport-org-creator | False | Project | Role
SIEM Export Org Editor | siemexport-org-editor | False | Project | Role
SIEM Export Org Viewer | siemexport-org-viewer | False | Project | Role
Transfer Appliance Request Creator | transfer-appliance-request-creator | False | Organization | ClusterRole
User Cluster Admin | user-cluster-admin | False | Organization | ClusterRole
    User Cluster CRD Viewer user-cluster-crd-viewer False Organization OrganizationRole
    User Cluster Developer user-cluster-developer False Organization OrganizationRole
    User Node Viewer user-cluster-node-viewer False Organization OrganizationRole
    VPN Admin vpn-admin False Project Role
    VPN Viewer vpn-viewer False Project Role

    PA persona, predefined identity and access roles

    PA persona
    Name Binding type Management API server permissions Kubernetes cluster permissions Escalates to
    Organization IAM Admin ClusterRoleBinding
    • RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, OrganizationClusterRole, ProjectRoleBinding, and OrganizationClusterRoleBinding: Create, read, update, and delete
    • List project namespace
    N/A Project IAM Admin and all other PA roles
    AI Platform Admin ClusterRoleBinding
    • Pre-trained services: Create, read, update, and delete
    N/A N/A
    Audit Logs Platform Restore Bucket Creator ClusterRoleBinding Backup buckets: Read and write N/A N/A
    Audit Logs Platform Bucket Viewer ClusterRoleBinding Backup buckets: Read N/A N/A
    Bucket Admin ClusterRoleBinding Bucket and objects: Read and write N/A N/A
    Bucket Object Admin ClusterRoleBinding
    • Bucket: Read
    • Objects: Read and write
    N/A N/A
    Bucket Object Viewer ClusterRoleBinding Bucket and objects: Read N/A N/A
    Dashboard PA Creator ClusterRoleBinding Dashboard custom resources: Read and write N/A N/A
    Dashboard PA Editor ClusterRoleBinding Dashboard custom resources: Read and write N/A N/A
    Dashboard PA Viewer ClusterRoleBinding Dashboard custom resources: Read N/A N/A
    Flow Log Admin ClusterRoleBinding Flow log resources: Read and write N/A N/A
    Flow Log Viewer ClusterRoleBinding Flow log resources: Read N/A N/A
    GDCH Restrict By Attributes Policy Admin ClusterRoleBinding GDCH restricted attributes policies: Create, edit, and delete N/A N/A
    GDCH Restricted Service Policy Manager ClusterRoleBinding GDCH restricted service policies: Create, edit, and delete N/A N/A
    IdP Federation Admin RoleBinding Identity provider configs and secrets: Create, read, update, patch, and delete N/A N/A
    Infra PKI Admin RoleBinding N/A
    • PKI certificate issuers and certificate authorities: Get, list, watch, create, update, delete, patch
    • PKI secrets: Get, list
    N/A
    Interconnect Admin ClusterRoleBinding N/A Interconnect attachments and attachment groups: Get, list, watch, create, update, delete, patch N/A
    Log Query API Querier RoleBinding Log Query API project logs: Read N/A N/A
    LoggingRule PA Creator ClusterRoleBinding LoggingRule custom resources: Read and write N/A N/A
    LoggingRule PA Editor ClusterRoleBinding LoggingRule custom resources: Read and write N/A N/A
    LoggingRule PA Viewer ClusterRoleBinding LoggingRule custom resources: Read N/A N/A
    LoggingTarget PA Creator ClusterRoleBinding LoggingTarget custom resources: Read and write N/A N/A
    LoggingTarget PA Editor ClusterRoleBinding LoggingTarget custom resources: Read and write N/A N/A
    LoggingTarget PA Viewer ClusterRoleBinding LoggingTarget custom resources: Read N/A N/A
    MonitoringRule PA Creator ClusterRoleBinding MonitoringRule custom resources: Read and write N/A N/A
    MonitoringRule PA Editor ClusterRoleBinding MonitoringRule custom resources: Read and write N/A N/A
    MonitoringRule PA Viewer ClusterRoleBinding MonitoringRule custom resources: Read N/A N/A
    MonitoringTarget PA Creator ClusterRoleBinding MonitoringTarget custom resources: Read and write N/A N/A
    MonitoringTarget PA Editor ClusterRoleBinding MonitoringTarget custom resources: Read and write N/A N/A
    MonitoringTarget PA Viewer ClusterRoleBinding MonitoringTarget custom resources: Read N/A N/A
    MP OCLCM Debugger ClusterRoleBinding
    • Components: Get, list, create
    • ComponentOverrides, SubcomponentOverrides: Get, list, create, update, patch
    • ComponentRollouts, Subcomponents: Get, list, update, patch
    N/A N/A
    MP OCLCM Viewer ClusterRoleBinding Components, ComponentOverrides, SubcomponentOverrides, ComponentRollouts, Subcomponents: Get, list N/A N/A
    ObservabilityPipeline PA Creator ClusterRoleBinding ObservabilityPipeline custom resources: Read and write N/A N/A
    ObservabilityPipeline PA Editor ClusterRoleBinding ObservabilityPipeline custom resources: Read and write N/A N/A
    ObservabilityPipeline PA Viewer ClusterRoleBinding ObservabilityPipeline custom resources: Read N/A N/A
    Org Network Policy Admin RoleBinding OrganizationNetworkPolicy in platform namespace: Create, read, update, and delete N/A N/A
    Org Session Admin RoleBinding Istio authorization resource: Create, read, update, and delete N/A N/A
    Organization Grafana Viewer RoleBinding GrafanaSystem and Grafana: Read and write N/A N/A
    Organization IAM Viewer ClusterRoleBinding
    • Role-based access control (RBAC) objects: Read
    • OrganizationClusterRole and OrganizationClusterRoleBinding: Read
    N/A N/A
    Organization Upgrade Admin ClusterRoleBinding Maintenance windows: Get, list, watch, update, and patch N/A N/A
    Organization Upgrade Viewer ClusterRoleBinding Maintenance windows: Get, list, and watch N/A N/A
    Project Creator ClusterRoleBinding
    • Project custom resources (CR): Read and create
    • Fleet CR: Read and create
    • Clusters: Read
    N/A N/A
    Project Editor ClusterRoleBinding
    • Project custom resources (CR): Read, delete, patch, update, and view
    • Fleet CR: Read and delete
    • Cluster CR: Read
    N/A N/A
    SIEM Export Org Creator RoleBinding SIEMOrgForwarder custom resources and secrets: Get, create, and read N/A N/A
    SIEM Export Org Editor RoleBinding SIEMOrgForwarder custom resources and secrets: Get, read, update, delete, and patch N/A N/A
    SIEM Export Org Viewer RoleBinding SIEMOrgForwarder custom resources and secrets: Read N/A N/A
    Transfer Appliance Request Creator ClusterRoleBinding TransferApplianceRequest custom resource (CR): Read and create N/A N/A
    User Cluster Admin ClusterRoleBinding
    • AddressPoolClaims: Create, read, update, and delete
    • UserClusterUpgrade: Read and write
    • UserClusterMetadata, ClusterBgpRouters, InventoryMachines, and project custom resources (CR): Read
    • CidrClaims: Create, read, update, and delete
    • Namespace: Create and delete
    • ClusterCidrConfigs and clusters: Create, read, update, patch, and delete
    • NodeUpgrades: Read, create, patch, and update
    • HarborClusters, Projects, UserClusterUpgradeRequests: Read
    • Clusters and NodePoolClaims: Read and write
    • NodePools, MachineClasses, VirtualMachineTypes, and ClusterInfos: Read
    N/A
    User Cluster CRD Viewer OrganizationRoleBinding N/A CustomResourceDefinitions: Read N/A
    User Cluster Developer OrganizationRoleBinding N/A Clusters: Read and write N/A
    User Cluster Node Viewer OrganizationRoleBinding N/A Clusters: Read N/A
    VPN Admin RoleBinding N/A
    • VPNGateway: Create, read, write
    • PeerGateway: Create, read, write
    • VPNBGPPeer: Create, read, write
    • VPNTunnel: Create, read, write
    N/A
    VPN Viewer RoleBinding N/A
    • VPNGateway: Read
    • PeerGateway: Read
    • VPNBGPPeer: Read
    • VPNTunnel: Read
    N/A

    AO Persona, predefined identity and access roles

    AO persona
    Name Kubernetes resource name Initial admin Level Type
    Project IAM Admin project-iam-admin True Project Role
    AI OCR Developer ai-ocr-developer False Project Role
    AI Platform Viewer ai-platform-viewer False Project Role
    AI Speech Developer ai-speech-developer False Project Role
    AI Translation Developer ai-translation-developer False Project Role
    Artifact Management Admin artifact-management-admin False Project Role
    Artifact Management Editor artifact-management-editor False Project Role
    Certificate Authority Service Admin certificate-authority-service-admin False Project Role
    Certificate Service Admin certificate-service-admin False Project Role
    Dashboard Editor dashboard-editor False Project Role
    Dashboard Viewer dashboard-viewer False Project Role
    Harbor Instance Admin harbor-instance-admin False Project Role
    Harbor Instance Viewer harbor-instance-viewer False Project Role
    Harbor Project Creator harbor-project-creator False Project Role
    K8s Network Policy Admin k8s-networkpolicy-admin False Project ProjectRole
    Load Balancer Admin load-balancer-admin False Project ProjectRole
    LoggingRule Creator loggingrule-creator False Project Role
    LoggingRule Editor loggingrule-editor False Project Role
    LoggingRule Viewer loggingrule-viewer False Project Role
    LoggingTarget Creator loggingtarget-creator False Project Role
    LoggingTarget Editor loggingtarget-editor False Project Role
    LoggingTarget Viewer loggingtarget-viewer False Project Role
    MonitoringRule Editor monitoringrule-editor False Project Role
    MonitoringRule Viewer monitoringrule-viewer False Project Role
    MonitoringTarget Editor monitoringtarget-editor False Project Role
    MonitoringTarget Viewer monitoringtarget-viewer False Project Role
    Namespace Admin namespace-admin False Project ProjectRole
    NAT Viewer nat-viewer False Project ProjectRole
    ObservabilityPipeline Editor observabilitypipeline-editor False Project Role
    ObservabilityPipeline Viewer observabilitypipeline-viewer False Project Role
    Project Bucket Admin project-bucket-admin False Project Role
    Project Bucket Object Admin project-bucket-object-admin False Project Role
    Project Bucket Object Viewer project-bucket-object-viewer False Project Role
    Project Cortex Alertmanager Editor project-cortex-alertmanager-editor False Project Role
    Project Cortex Alertmanager Viewer project-cortex-alertmanager-viewer False Project Role
    Project Cortex Prometheus Viewer project-cortex-prometheus-viewer False Project Role
    Project Grafana Viewer project-grafana-viewer False Project Role
    Project NetworkPolicy Admin project-networkpolicy-admin False Project Role
    Project Viewer project-viewer False Project Role
    Project VirtualMachine Admin project-vm-admin False Project Role
    Project VirtualMachine Image Admin project-vm-image-admin False Project Role
    Secret Admin secret-admin False Project Role
    Secret Viewer secret-viewer False Project Role
    Service Configuration Admin service-configuration-admin False Project Role
    Service Configuration Viewer service-configuration-viewer False Project Role
    Volume Replication Admin app-volume-replication-admin False Cluster Role
    Workbench Notebooks Admin workbench-notebooks-admin False Project Role
    Workbench Notebooks Viewer workbench-notebooks-viewer False Project Role
    Workload Viewer workload-viewer False Project Role

    AO persona, predefined identity and access roles

    AO persona
    Name Binding type Management API server permissions Kubernetes cluster permissions Escalates to
    Project IAM Admin RoleBinding
    • RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, ProjectClusterRole, ProjectRoleBinding, and ProjectClusterRoleBinding: Create, read, update, delete, and bind
    • ProjectServiceAccount: Create, read, update, and delete
    • List project namespace
    N/A All other AO roles
    AI OCR Developer RoleBinding OCR resources: Read and write N/A N/A
    AI Speech Developer RoleBinding Speech resources: Read and write N/A N/A
    AI Translation Developer RoleBinding Translation resources: Read and write N/A N/A
    Artifact Management Admin RoleBinding HarborProjects: Admin, create, read, write, delete, and view N/A N/A
    Artifact Management Editor RoleBinding HarborProjects: Read, write, and view N/A N/A
    Certificate Authority Service Admin RoleBinding Certificate authorities and certificate requests: Get, list, watch, update, create, delete, and patch N/A N/A
    Certificate Service Admin RoleBinding Certificates and certificate issuers: Get, list, watch, update, create, delete, and patch N/A N/A
    Dashboard Editor RoleBinding Dashboard custom resources: Get, read, create, update, delete, and patch N/A N/A
    Dashboard Viewer RoleBinding Dashboard: Get and read N/A N/A
    Harbor Instance Admin RoleBinding Harbor instances: Create, read, update, delete, and patch N/A N/A
    Harbor Instance Viewer RoleBinding Harbor instances: Read N/A N/A
    Harbor Project Creator RoleBinding Harbor instance projects: Create, get, and watch N/A N/A
    K8s NetworkPolicy Admin ProjectRoleBinding N/A NetworkPolicy resources: Create, read, get, update, delete, and patch N/A
    Load Balancer Admin RoleBinding N/A
    • Backend: Get, watch, list, create, patch, update, and delete
    • HealthCheck: Get, watch, list, create, patch, update, and delete
    • BackendService: Get, watch, list, create, patch, update, and delete
    • ForwardingRuleExternal: Get, watch, list, create, patch, update, and delete
    • ForwardingRuleInternal: Get, watch, list, create, patch, update, and delete
    N/A
    LoggingRule Creator RoleBinding LoggingRule custom resources: Create, read, update, delete, and patch N/A N/A
    LoggingRule Editor RoleBinding LoggingRule custom resources: Create, read, update, delete, and patch N/A N/A
    LoggingRule Viewer RoleBinding LoggingRule custom resources: Read N/A N/A
    LoggingTarget Creator RoleBinding LoggingTarget custom resources: Create, read, update, delete, and patch N/A N/A
    LoggingTarget Editor RoleBinding LoggingTarget custom resources: Create, read, update, delete, and patch N/A N/A
    LoggingTarget Viewer RoleBinding LoggingTarget custom resources: Read N/A N/A
    MonitoringRule Editor RoleBinding MonitoringRule custom resources: Create, read, update, delete, and patch N/A N/A
    MonitoringRule Viewer RoleBinding MonitoringRule custom resources: Read N/A N/A
    MonitoringTarget Editor RoleBinding MonitoringTarget custom resources: Create, read, update, delete, and patch N/A N/A
    MonitoringTarget Viewer RoleBinding MonitoringTarget custom resources: Read N/A N/A
    Namespace Admin ProjectRoleBinding N/A All resources: Read and write access in the project namespace N/A
    NAT Viewer ProjectRoleBinding N/A Deployments: Get and read N/A
    ObservabilityPipeline Editor RoleBinding ObservabilityPipeline resources: Get, read, create, update, delete, and patch N/A N/A
    ObservabilityPipeline Viewer RoleBinding ObservabilityPipeline resources: Get and read N/A N/A
    Project Bucket Admin RoleBinding Bucket: Read and write in the project namespace N/A N/A
    Project Bucket Object Admin RoleBinding
    • Bucket: Read
    • Objects: Read and write
    N/A N/A
    Project Bucket Object Viewer RoleBinding Bucket and objects: Read N/A N/A
    Project Cortex Alertmanager Editor RoleBinding Cortex system and Cortex Alertmanager: Read and write N/A N/A
    Project Cortex Alertmanager Viewer RoleBinding Cortex system and Cortex Alertmanager: Read N/A N/A
    Project Cortex Prometheus Viewer RoleBinding Cortex system and Cortex Prometheus: Read N/A N/A
    Project Grafana Viewer RoleBinding Grafana system and Grafana: Read and write N/A N/A
    Project NetworkPolicy Admin RoleBinding Project network policies: Read and write in the project namespace N/A N/A
    Project Viewer RoleBinding All resources in the project namespace: Read N/A N/A
    Project VirtualMachine Admin RoleBinding
    • Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete
    • Virtual machine restart: Put
    • Virtual machine images, backup plans, and backup plan templates: Read
    N/A N/A
    Project VirtualMachine Image Admin RoleBinding
    • VM images: Read
    • VM image imports: Read and write
    N/A N/A
    Secret Admin RoleBinding Kubernetes secrets: Read, create, update, delete, and patch N/A N/A
    Secret Viewer RoleBinding Kubernetes secrets: Read N/A N/A
    Service Configuration Admin RoleBinding ServiceConfigurations: Read and write N/A N/A
    Service Configuration Viewer RoleBinding ServiceConfigurations: Read N/A N/A
    Volume Replication Admin ClusterRoleBinding Volume failovers, volume relationship replicas: Create, get, list, watch, delete N/A N/A
    Workbench Notebooks Admin RoleBinding N/A
    • Notebook custom resources (CR) in the project namespace: Create, read, update, and delete
    • ClusterInfo objects: Read
    N/A
    Workbench Notebooks Viewer RoleBinding N/A
    • Notebook custom resources (CR) in the project namespace: Read
    N/A
    Workload Viewer ProjectRoleBinding N/A
    • Pod custom resources in the project namespace: Read
    • Deployment custom resources in the project namespace: Read
    N/A

    Common predefined identity and access roles

    Common roles
    Name Kubernetes resource name Initial admin Level Type
    AI Platform Viewer ai-platform-viewer False Project Role
    DNS Suffix Viewer dnssuffix-viewer False Organization Role
    Flow Log Admin flowlog-admin False Organization ClusterRole
    Flow Log Viewer flowlog-viewer False Project ClusterRole
    Project Discovery Viewer projectdiscovery-viewer False Project ClusterRole
    Public Image Viewer public-image-viewer False Organization Role
    System Artifact Registry anthos-creds secret Monitor sar-anthos-creds-secret-monitor False Organization Role
    System Artifact Registry gpc-system secret Monitor sar-gpc-system-secret-monitor False Organization Role
    System Artifact Registry harbor-system secret Monitor sar-harbor-system-secret-monitor False Organization Role
    Virtual Machine Type Viewer virtualmachinetype-viewer False Organization OrganizationRole
    VM Type Viewer vmtype-viewer False Organization Role

    Common predefined identity and access roles

    Common roles
    Name Binding type Management API server permissions Kubernetes cluster permissions Escalates to
    AI Platform Viewer RoleBinding Pre-trained services: Read N/A N/A
    DNS Suffix Viewer ClusterRoleBinding DNS suffix config maps: Read N/A N/A
    Flow Log Admin ClusterRoleBinding Flow log resources: Get and read Flow log resources: Get and read N/A
    Flow Log Viewer ClusterRoleBinding Flow log resources: Create, get, read, patch, update, and delete Flow log resources: Create, get, read, patch, update, and delete N/A
    Project Discovery Viewer ClusterRoleBinding Projects: Read N/A N/A
    Public Image Viewer RoleBinding VM images: Read N/A N/A
    System Artifact Registry anthos-creds secret Monitor RoleBinding anthos-creds secrets: Get and read anthos-creds secrets: Get and read N/A
    System Artifact Registry gpc-system secret Monitor RoleBinding gpc-system secrets: Get and read gpc-system secrets: Get and read N/A
    System Artifact Registry harbor-system secret Monitor RoleBinding harbor-system secrets: Get and read harbor-system secrets: Get and read N/A
    Virtual Machine Type Viewer OrganizationRoleBinding N/A VM types: Read N/A
    VM Type Viewer ClusterRoleBinding VM types: Read N/A N/A