Predefined role descriptions

Google Distributed Cloud (GDC) air-gapped appliance has the following predefined roles that you can assign to team members:

IO roles

IOs have permissions to manage the admin cluster and the organization's lifecycle. These are the predefined roles that you can assign to team members:

  • Security Admin: Creates, updates, and deletes any permissions and policies within the root admin cluster. This role does not have access to organization and project resources.
  • AIS Admin: Has read and write access to GKE Identity Service (AIS) pods and deployments.
  • AIS Debugger: Has read and write access to AIS resources for mitigation.
  • AIS Monitor: Has read access to AIS resources in the iam-system namespace.
  • DNS Admin: Updates DNS files.
  • DNS Debugger: Has read and write permissions on all DNS resources.
  • DNS Monitor: Has read permissions on all DNS resources.
  • DNS Suffix Viewer: Views the DNS suffix configmap.
  • Emergency SSH Creds Admin: Has emergency access permissions and uses the SSH node in the admin cluster.
  • Grafana Debugger: Grants admin access to Grafana resources in the obs-system namespace.
  • Grafana Viewer: Grants permissions to access the Grafana instance in the system namespace of the admin cluster.
  • Hardware Admin: Has full access to hardware resources such as switches, racks, and servers.
  • Kiali Admin: Grants permissions to access the Kiali dashboard to debug Istio service mesh.
  • KUB Monitor: Has read-only permissions for all resources in KUB.
  • Observability Admin: Has read-write access to objects in the obs-system namespace.
  • Observability Admin Debugger: Has admin access to Observability resources in the obs-system namespace.
  • Observability Viewer: Has read-only view access to objects in the obs-system namespace.
  • Observability Debugger: Has full access to Observability resources in the obs-system namespace.
  • Observability System Debugger: Has admin access to Observability resources in the obs-system namespace.
  • Observability Viewer: Has read-only access to view objects in the obs-system namespace.
  • OCLCM Debugger: Has read and write access to debug OCLCM objects.
  • OCLCM Viewer: Has read-only access to view OCLCM objects.
  • Organization Admin: Creates and deletes organizations and manages the organization's lifecycle.
  • Organization System Artifact Management Admin: Has admin access to resources in all Harbor projects in the system namespace.
  • PNET Debugger: Has read and write permissions on all PNET resources.
  • PNET Monitor: Has read-only permissions on all PNET resources.
  • Policy Admin: Manages policy templates for the organization and has full access to constraints.
  • Remote Logger Admin: Has full access to remote-logger resources.
  • Remote Logger Viewer: Has read-only access to remote-logger resources.
  • Root Cortex Alertmanager Editor: Grants permissions to edit the Cortex Alertmanager instance on the root admin cluster.
  • Root Cortex Alertmanager Viewer: Grants permissions to access the Cortex Alertmanager instance on the root admin cluster.
  • Root Cortex Prometheus Viewer: Grants permissions to access the Cortex Prometheus instance on the root admin cluster.
  • Root Session Admin: Grants access to perform revocation operations in the root admin cluster.
  • Security Viewer: Has read-only access to all resources to which the Security Admin has access.
  • Service Now Admin (admin cluster): Has read-write access to networking components in the admin cluster needed to manage the ServiceNow application.
  • Service Now Admin (user cluster): Has read-write access to system components in the system cluster needed to manage the ServiceNow application.
  • System Artifact Management Admin: Has admin access to resources in all Harbor projects in the system namespace.
  • System Artifact Management Secrets Admin: Has admin access to secret resources to manage registry mirror configurations.
  • System Artifact Management Secrets Admin: Has admin access to secret resources to manage registry mirror configurations.
  • System Artifact Registry Harbor Admin: Has admin access to Harbor projects.
  • System Artifact Registry Harbor Read: Has read-only access to Harbor projects.
  • System Artifact Registry Harbor ReadWrite: Has read and write access to Harbor projects.
  • System Artifact Registry Debugger: Has read and write access to all Harbor resources.
  • System Artifact Registry Monitor: Has read and write access to Harbor resources in the root admin cluster.
  • System Cluster Admin: Has read and write access to any permissions and policies within the system cluster. This role has access at the organization level.
  • System Cluster DNS Debugger: Has create and read access to any permissions within the system cluster.
  • System Cluster Vertex AI Debugger: Has full access to the Vertex AI platform.
  • System Cluster Viewer: Has read-write access to any permissions and policies within the system cluster.
  • System Project VirtualMachine Admin: Has access to manage VMs in system projects.
  • Transfer Appliance Request Admin: Manages transfer appliance requests created by a Platform Administrator (PA). A transfer appliance allows you to quickly and securely transfer large amounts of data to GDC air-gapped appliance using a high-capacity storage server.
  • UNET CLI Org Admin Monitor: Has create and read permissions on UNET resources to run gdcloud system network commands in the org admin cluster.
  • UNET CLI Root Admin Monitor: Has create and read permissions on UNET resources to run gdcloud system network commands in the root admin cluster.
  • UNET CLI System Monitor: Has create and read permissions on UNET resources to run gdcloud system network commands on system clusters.
  • UNET CLI User Monitor: Has permissions on UNET resources to run gdcloud system network commands on user clusters.
  • Upgrade Admin: Grants permission to load new artifacts into the cluster's Harbor registry.
  • Upgrade Debugger: Has read-write permissions on upgrade resources in the system cluster.
  • User Cluster DNS Debugger: Has create and read permissions in user clusters.

PA roles

Platform Administrators (PA) manage organization level resources and project lifecycle management. You can assign the following predefined roles to team members:

  • Organization IAM Admin: Creates, updates, and deletes any permissions and allow policies within the org admin cluster.
  • Bucket Admin: Manages storage buckets within organizations and projects and the objects in those buckets.
  • Bucket Object Admin: Has read-only access on buckets within an organization, and read-write access on the objects in those buckets.
  • Bucket Object Viewer: Has read-only access on buckets within a organization and the objects in those buckets.
  • GDCH Restrict By Attributes Policy Admin: Has full access to the GDCHRestrictByAttributes constraint.
  • GDCH Restricted Service Policy Admin: Manages policy templates for the organization and has full access to constraints. Applies or rolls back policies for an organization or project.
  • IdP Federation Admin: Has full access to configure identity providers.
  • Marketplace Service Editor: Updates and deletes marketplace services.
  • Org Session Admin: Has access to the revocation command. Users bound to this Role are added to the Istio ACLs for authentication and authorization.
  • Organization Grafana Viewer: Grants permissions to access the Grafana instance in the system namespace of the org admin cluster. Users bound to this ClusterRole are added to the Istio ACLs for authentication and authorization.
  • Organization IAM Viewer: Has read-only access to all resources that the Organization IAM Administrator has access to.
  • Organization DB Admin: Manages Database Service resources for an organization.
  • Organization Upgrade Admin: Modifies maintenance windows for an organization. Maintenance windows are created automatically during organization creation.
  • Organization Upgrade Viewer: Views maintenance windows.
  • Project Creator: Creates new projects.
  • Project Editor: Deletes projects.
  • Transfer Appliance Request Creator: Can read and create transfer appliance requests, which allow you to quickly and securely transfer large amounts of data to GDC air-gapped appliance using a high capacity storage server.
  • User Cluster Backup Admin: Manages backup resources such as backup and restore plans in user clusters.
  • User Cluster Admin: Creates, updates, and deletes the user cluster, and manages the user cluster's lifecycle.
  • User Cluster Developer: Has cluster admin permissions in user clusters.
  • User Cluster Node Viewer: Has read-only cluster admin permissions in user clusters.

AO roles

An Application Operator (AO) is a member of the development team within the Platform Administrator (PA) organization. AOs interact with project-level resources. You can assign the following predefined roles to team members:

  • Project IAM Admin: Manages the IAM allow policies of projects.
  • Artifact Management Admin: Has admin access to resources in all Harbor projects in the project namespace.
  • Artifact Management Editor: Has read and write access to resources in all Harbor projects in the project namespace.
  • Dashboard Editor: Has read and write access on Dashboard custom resources.
  • Dashboard Viewer: Has read-only access on Dashboard custom resources.
  • Harbor Instance Admin: Has full access to manage Harbor instances in a project.
  • Harbor Instance Viewer: Has read-only access to view Harbor instances in a project.
  • K8s Network Policy Admin: Manages network policies in user clusters.
  • Marketplace Editor: Has create, update, and delete access on service instances in a project.
  • MonitoringRule Editor: Has read and write access to MonitoringRule resources.
  • MonitoringRule Viewer: Has read-only access to MonitoringRule custom resources.
  • MonitoringTarget Editor: Has read and write access to MonitoringTarget custom resources.
  • MonitoringTarget Viewer: Has read-only access to MonitoringTarget custom resources.
  • Namespace Admin: Manages all resources within the project namespace.
  • ObservabilityPipeline Editor: Has read and write access on ObservabilityPipeine custom resources.
  • ObservabilityPipeline Viewer: Has read-only access on ObservabilityPipeline custom resources.
  • Project Bucket Admin: Manages the storage buckets and objects within buckets.
  • Project Bucket Object Admin: Has read-only access on buckets within a project, and read-write access on the objects in those buckets.
  • Project Bucket Object Viewer: Has read-only access on buckets within a project and the objects in those buckets.
  • Project Cortex Alertmanager Viewer: Grants permissions to access the Cortex Alertmanager instance in the project namespace.
  • Project Cortex Prometheus Viewer: Grants permissions to access the Cortex Prometheus instance in the project namespace.
  • Project Grafana Viewer: Accesses the Grafana instance in the project namespace of the fleet admin cluster.
  • Project Network Policy Admin: Manages the project network policies in the project namespace.
  • Project Viewer: Has read-only access to all resources within project namespaces.
  • Project VirtualMachine Admin: Manages VMs in the project namespace.
  • Project VirtualMachine Image Admin: Manages VM images in the project namespace.
  • Secret Admin: Manages Kubernetes secrets in projects.
  • Secret Viewer: Views Kubernetes secrets in projects.

Common roles

The following predefined common roles apply to all authenticated users:

  • AIS Debugger: Has full access to all GKE Identity Service (AIS) resources in the iam-system namespace.
  • AIS Monitor: Has read-only access to all AIS resources in the iam-system namespace.
  • DNS Key Manager: Has read and write permissions on resources DNSSEC key configurations and key material.
  • DNS Suffix Viewer: Accesses the domain name service (DNS) suffix config map.
  • IAM Debugger: Has read and write on all IAM resources for mitigation in the iam-system namespace for the role type Role and ClusterRole.
  • IAM Monitor: Has read-only access to all Identity and Access Management (IAM) resources in the iam-system namespace for the role type Role and ClusterRole.
  • Marketplace Service Viewer: Has read access for all authenticated users to Marketplace services in the system namespace.
  • Marketplace Viewer: Has read-only access on service versions and service instances.
  • Project Discovery Viewer: Has read access for all authenticated users to the project view.
  • Public Image Viewer: Has read access for all authenticated users on the public VM images in the namespace vm-images.
  • Virtual Machine Type Viewer: Has read access to cluster-scoped virtual machine types.
  • VM Type Viewer: Has read access to the predefined virtual machine types on the admin clusters.