Google Distributed Cloud (GDC) air-gapped appliance has the following predefined roles that you can assign to team members:
IO roles
IOs have permissions to manage the cluster and the organization's lifecycle. These are the predefined roles that you can assign to team members:
- Security Admin: Creates, updates, and deletes any permissions and policies within the org infrastructure cluster. This role does not have access to organization and project resources.
- APPLSTOR debugger: Access to debug appliance storage.
- APPLSTOR monitor: Access to monitor appliance storage.
- APPLSTOR secret rotator: Access to rotate appliance storage secrets.
- AuditLoggingTarget Creator: Create
AuditLoggingTarget
custom resources in the org infrastructure cluster. - AuditLoggingTarget Editor: Edit
AuditLoggingTarget
custom resources in the org infrastructure cluster. - AuditLoggingTarget Viewer: View
AuditLoggingTarget
custom resources in the org infrastructure cluster. - AuditLoggingTarget IO Creator: Create
AuditLoggingTarget
custom resources in the project namespace. - AuditLoggingTarget IO Editor: Edit
AuditLoggingTarget
custom resources in the project namespace. - AuditLoggingTarget IO Viewer: View
AuditLoggingTarget
custom resources in the project namespace. - Audit Logs Backup Restore Creator: Create a backup transfer job configuration and restore audit logs.
- Audit Logs Backup Restore Editor: Edit the backup transfer job configuration and restore audit logs.
- Audit Logs Infra Bucket Viewer: View backup buckets of infrastructure audit logs.
- AIS Admin: Has read and write access to GKE Identity Service (AIS) pods and deployments.
- AIS Debugger: Has read and write access to AIS resources for mitigation.
- AIS Monitor: Has read access to AIS resources in the
iam-system
namespace. - AuthzPDP Debugger: Has read and write access on authorization policy decision point (PDP) resources for mitigation and debugging.
- Cert Manager System Cluster Debugger: Manages cert-manager related resources.
- Dashboard Creator: Create
Dashboard
custom resources in the org infrastructure cluster. - Dashboard Editor: Edit
Dashboard
custom resources in the org infrastructure cluster. - Dashboard Viewer: View
Dashboard
custom resources in the org infrastructure cluster. - Dashboard IO Creator: Create
Dashboard
custom resources in the project namespace. - Dashboard IO Editor: Edit
Dashboard
custom resources in the project namespace. - Dashboard IO Viewer: View
Dashboard
custom resources in the project namespace. - Debugging AuditLoggingTarget custom resource: Monitor in the
obs-system
namespace. - DNS Admin: Updates DNS files.
- DNS Debugger: Has read and write permissions on all DNS resources.
- DNS Monitor: Has read permissions on all DNS resources.
- DNS Suffix Viewer: Views the DNS suffix configmap.
- Emergency SSH Creds Admin: Has emergency access permissions and uses the SSH node in the org infrastructure cluster.
- FluentBit Creator: Create
FluentBit
custom resources in the org infrastructure cluster. - FluentBit Editor: Edit
FluentBit
custom resources in the org infrastructure cluster. - FluentBit Viewer: View
FluentBit
custom resources in the org infrastructure cluster. - FluentBit IO Creator: Create
FluentBit
custom resources in the project namespace. - FluentBit IO Editor: Edit
FluentBit
custom resources in the project namespace. - FluentBit IO Viewer: View
FluentBit
custom resources in the project namespace. - Gatekeeper Admin: Has access to restart deployments and patch secrets.
- Grafana Debugger: Grants admin access to Grafana resources in the
obs-system
namespace. - Grafana Viewer: Grants permissions to access the Grafana instance in the system namespace of the org infrastructure cluster.
- Hardware Admin: Has full access to hardware resources such as switches, racks, and servers.
- HDWR Admin: Has full access to hardware-related resources.
- HWDR Viewer: Has read-only access to hardware-related resources.
- Infra PKI Debugger: Has access to configure an infra PKI certificate issuer and certificate authority.
- Interconnect Admin: Has admin access to interconnect resources.
- Kiali Admin: Grants permissions to access the Kiali dashboard to debug Istio service mesh.
- KUB IPAM Debugger: Has read and write access for
CIDRClaim
custom resources. - KUB Monitor: Has read-only permissions for all resources in KUB.
- LogCollector Creator: Create
LogCollector
custom resources in the org infrastructure cluster. - LogCollector Editor: Edit
LogCollector
custom resources in the org infrastructure cluster. - LogCollector Viewer: View
LogCollector
custom resources in the org infrastructure cluster. - LogCollector IO Creator: Create
LogCollector
custom resources in the project namespace. - LogCollector IO Editor: Edit
LogCollector
custom resources in the project namespace. - LogCollector IO Viewer: View
LogCollector
custom resources in the project namespace. - LoggingRule Creator: Create
LoggingRule
custom resources in the org infrastructure cluster. - LoggingRule Editor: Edit
LoggingRule
custom resources in the org infrastructure cluster. - LoggingRule Viewer: View
LoggingRule
custom resources in the org infrastructure cluster. - LoggingRule IO Creator: Create
LoggingRule
custom resources in the project namespace. - LoggingRule IO Editor: Edit
LoggingRule
custom resources in the project namespace. - LoggingRule IO Viewer: View
LoggingRule
custom resources in the project namespace. - LoggingTarget IO Creator: Create
LoggingTarget
custom resources in the project namespace. - LoggingTarget IO Editor: Edit
LoggingTarget
custom resources in the project namespace. - LoggingTarget IO Viewer: View
LoggingTarget
custom resources in the project namespace. - Log Query API Querier: Access the Log Query API to query logs.
- MonitoringRule Creator: Create
MonitoringRule
custom resources in the org infrastructure cluster. - MonitoringRule Editor: Edit
MonitoringRule
custom resources in the org infrastructure cluster. - MonitoringRule Viewer: View
MonitoringRule
custom resources in the org infrastructure cluster. - MonitoringRule IO Creator: Create
MonitoringRule
custom resources in the project namespace. - MonitoringRule IO Editor: Edit
MonitoringRule
custom resources in the project namespace. - MonitoringRule IO Viewer: View
MonitoringRule
custom resources in the project namespace. - MonitoringTarget Creator: Create
MonitoringTarget
custom resources in the org infrastructure cluster. - MonitoringTarget Editor: Edit
MonitoringTarget
custom resources in the org infrastructure cluster. - MonitoringTarget Viewer: View
MonitoringTarget
custom resources in the org infrastructure cluster. - MonitoringTarget IO Creator: Create
MonitoringTarget
custom resources in the project namespace. - MonitoringTarget IO Editor: Edit
MonitoringTarget
custom resources in the project namespace. - MonitoringTarget IO Viewer: View
MonitoringTarget
custom resources in the project namespace. - Observability Admin: Has read-write access to objects in the
obs-system
namespace. - Observability Admin Debugger: Has cluster-specific administrator
access to observability resources in the
obs-system
namespace. This role grants granular control over access within the org infrastructure cluster. - Observability Debugger: Has full access to Observability resources
in the
obs-system
namespace. - ObservabilityPipeline Creator: Create
ObservabilityPipeline
custom resources in the org infrastructure cluster. - ObservabilityPipeline Editor: Edit
ObservabilityPipeline
custom resources in the org infrastructure cluster. - ObservabilityPipeline Viewer: View
ObservabilityPipeline
custom resources in the org infrastructure cluster. - ObservabilityPipeline IO Creator: Create
ObservabilityPipeline
custom resources in the project namespace. - ObservabilityPipeline IO Editor: Edit
ObservabilityPipeline
custom resources in the project namespace. - ObservabilityPipeline IO Viewer: View
ObservabilityPipeline
custom resources in the project namespace. - Observability System Debugger: Has organization-wide administrator
access to observability resources in the
obs-system
namespace. This role grants centralized management of observability administrator access. - Observability Viewer: Has read-only access to view objects in the
obs-system
namespace. - OCLCM Debugger: Has read and write access to debug OCLCM objects.
- OCLCM Viewer: Has read-only access to view OCLCM objects.
- Organization Admin: Creates and deletes organizations and manages the organization's lifecycle.
- Organization System Artifact Management Admin: Has admin access to resources in all Harbor projects in the system namespace.
- PERF Admin Monitor: Has read permission on PERF buckets, service accounts, and secrets.
- PERF Admin Resource Maintainer: Has read and write access on all virtual machines (VM), VM disks, VM external accesses, VM requests, buckets, project service accounts, AEAD keys, Signing keys, and PERF service accounts.
- PERF Debugger: Has read and write access for jobs in the project namespace.
- PERF System Monitor: Has read-only access for all pods and PERF configmaps and cron jobs in the project namespace.
- PERF System Resource Maintainer: Has read and write access to all services in the project namespace.
- PNET Debugger: Has read and write permissions on all PNET resources.
- PNET Monitor: Has read-only permissions on all PNET resources.
- PNET Secret Debugger: Has access to network switch credentials.
- PSPF Debugger: Has read and write permissions for Jobs in the project namespace.
- PSPF Monitor: Monitors PSPF resources.
- Policy Admin: Manages policy templates for the organization and has full access to constraints.
- Project Cortex Alertmanager Editor: Edit the Cortex Alertmanager instance in the project namespace.
- Project Cortex Alertmanager Viewer: View the Cortex Alertmanager instance in the project namespace.
- Project Cortex Prometheus Viewer: View the Cortex Prometheus instance in the project namespace.
- Project Grafana Viewer: View the Grafana instance in the project namespace.
- Remote Logger Admin: Has full access to
remote-logger
resources. - Remote Logger Viewer: Has read-only access to
remote-logger
resources. - Root Cortex Alertmanager Editor: Grants permissions to edit the Cortex Alertmanager instance on the org infrastructure cluster.
- Root Cortex Alertmanager Viewer: Grants permissions to access the Cortex Alertmanager instance on the org infrastructure cluster.
- Root Cortex Prometheus Viewer: Grants permissions to access the Cortex Prometheus instance on the org infrastructure cluster.
- Root Session Admin: Grants access to perform revocation operations in the org infrastructure cluster.
- Security Viewer: Has read-only access to all resources to which the Security Admin has access.
- SSH Infra Debugger: Has read and write access to SSH infra secrets.
- System Artifact Management Admin: Has admin access to resources in all Harbor projects in the system namespace.
- System Artifact Management Secrets Admin: Has admin access to secret resources to manage registry mirror configurations.
- System Artifact Registry Harbor Admin: Has admin access to Harbor projects.
- System Artifact Registry Harbor Read: Has read-only access to Harbor projects.
- System Artifact Registry Harbor ReadWrite: Has read and write access to Harbor projects.
- System Artifact Registry Debugger: Has read and write access to all Harbor resources.
- System Artifact Registry Monitor: Has read and write access to Harbor resources in the org infrastructure cluster.
- System Cluster Admin: Has read and write access to any permissions and policies within the org infrastructure cluster. This role has access at the organization level.
- System Cluster DNS Debugger: Has create and read access to any permissions within the org infrastructure cluster.
- System Cluster Vertex AI Debugger: Has full access to the Vertex AI platform.
- System Cluster Viewer: Has read-write access to any permissions and policies within the org infrastructure cluster.
- System Project VirtualMachine Admin: Has access to manage VMs in system projects.
- Tenable Nessus Admin: Has read and write access to networking components that manage the Tenable.sc and Nessus applications.
- Transfer Appliance Request Admin: Manages transfer appliance requests created by a Platform Administrator (PA). A transfer appliance allows you to quickly and securely transfer large amounts of data to GDC air-gapped appliance using a high-capacity storage server.
- Trust Bundle Root Monitor: Has read access to trust bundles.
- UNET CLI Org Admin Monitor: Has create and read permissions on UNET
resources to run
gdcloud system network
commands in the org infrastructure cluster. - UNET CLI Root Admin Monitor: Has create and read permissions on UNET
resources to run
gdcloud system network
commands in the org infrastructure cluster. - UNET CLI System Monitor: Has create and read permissions on UNET
resources to run
gdcloud system network
commands on org infrastructure clusters. - UNET CLI User Monitor: Has permissions on UNET resources to run
gdcloud system network
commands on user clusters. - Upgrade Appliance Admin: Has read-write permissions on performing upgrades on appliances,
access to Organization and read-only access to
OrganizationUpgrade
. - Upgrade Debugger: Has read-write permissions on upgrade resources in the org infrastructure cluster.
- User Cluster Debugger: Has full access to debug and mitigate issues in user clusters.
- User Cluster DNS Debugger: Has create and read permissions in user clusters.
- UI Debugger: Has permissions to restart UI deployments.
- VAISEARCH Secret Rotator: Has permissions to rotate secrets for Vertex AI Search.
- VPN Debugger For Management Plane API server: Has read and write permissions on all resources related to the VPN in the Management API server.
- VPN Debugger For Org Perimeter Cluster: Has read and write permissions on all resources related to the VPN in the Perimeter Cluster.
- Web TLS Certificate Debugger: Has read and write access to the Istio web-tls certificate and secret.
PA roles
Platform Administrators (PA) manage organization level resources and project lifecycle management. You can assign the following predefined roles to team members:
- Organization IAM Admin: Creates, updates, and deletes any permissions and allow policies within the organization.
- AI Platform Admin: Grant permissions to manage pre-trained services.
- Audit Logs Platform Restore Bucket Creator: Create backup buckets to restore the platform audit logs.
- Audit Logs Platform Bucket Viewer: View backup buckets of platform audit logs.
- Bucket Admin: Manages storage buckets within organizations and projects and the objects in those buckets.
- Bucket Admin (global): Manages single zone buckets within the organization and projects, as well as the objects in those buckets.
- Bucket Object Admin: Has read-only access on buckets within an organization, and read-write access on the objects in those buckets.
- Bucket Object Admin (global) Has read-only on dual-zone buckets within the organization and its projects, as well as read-write on the objects in those buckets.
- Bucket Object Viewer: Has read-only access on buckets within a organization and the objects in those buckets.
- Bucket Object Viewer (global) Has read-only on dual-zone buckets within the organization and its projects, as well as read-only on the objects in those buckets.
- Dashboard PA Creator: Creates
Dashboard
custom resources for the entire organization. - Dashboard PA Editor: Has read and write access on
Dashboard
custom resources for the entire organization. - Dashboard PA Viewer: Has read-only access on
Dashboard
custom resources for the entire organization. - Flow Log Admin: Manages flow log resources for logging network traffic metadata.
- Flow Log Viewer: Provides read-only access to flow log configurations.
- GDCH Restrict By Attributes Policy Admin: Has full access to the
GDCHRestrictByAttributes
constraint. - GDCH Restricted Service Policy Admin: Manages policy templates for the organization and has full access to constraints. Applies or rolls back policies for an organization or project.
- IdP Federation Admin: Has full access to configure identity providers.
- Infra PKI Admin: Has access to configure an infra PKI certificate issuer and certificate authority.
- Interconnect Admin: Has admin access to interconnect resources.
- Log Query API Querier: Has read-only access to reach the audit log or operational log endpoint from the Log Query API to view logs for a project.
- LoggingRule PA Creator: Creates
LoggingRule
custom resources for the entire organization. - LoggingRule PA Editor: Edits
LoggingRule
custom resources for the entire organization. - LoggingRule PA Viewer: Views
LoggingRule
custom resources for the entire organization. - LoggingTarget PA Creator: Creates
LoggingTarget
custom resources for the entire organization. - LoggingTarget PA Editor: Edits
LoggingTarget
custom resources for the entire organization. - LoggingTarget PA Viewer: Views
LoggingTarget
custom resources for the entire organization. - MonitoringRule PA Creator: Creates
MonitoringRule
custom resources for the entire organization. - MonitoringRule PA Editor: Has read and write access to
MonitoringRule
resources for the entire organization. - MonitoringRule PA Viewer: Has read-only access to
MonitoringRule
custom resources for the entire organization. - MonitoringTarget PA Creator: Creates
MonitoringTarget
custom resources for the entire organization. - MonitoringTarget PA Editor: Has read and write access to
MonitoringTarget
custom resources for the entire organization. - MonitoringTarget PA Viewer: Has read-only access to
MonitoringTarget
custom resources for the entire organization. - MP OCLCM Debugger: Debugs OCLCM related objects.
- MP OCLCM Viewer: Views OCLCM related objects.
- ObservabilityPipeline PA Creator: Creates
ObservabilityPipeine
custom resources for the entire organization. - ObservabilityPipeline PA Editor: Has read and write access on
ObservabilityPipeine
custom resources for the entire organization. - ObservabilityPipeline PA Viewer: Has read-only access on
ObservabilityPipeline
custom resources for the entire organization. - Org Session Admin: Has access to the revocation command. Users bound
to this
Role
are added to the ACLs for authentication and authorization. - Organization Grafana Viewer: Visualize organization-related observability data on dashboards of the Grafana monitoring instance.
- Organization IAM Viewer: Has read-only access to all resources that the Organization IAM Administrator has access to.
- Organization Upgrade Admin: Modifies maintenance windows for an organization. Maintenance windows are created automatically during organization creation.
- Organization Upgrade Viewer: Views maintenance windows.
- Project Bucket Admin: Manages the dual-zone buckets of a project, as well as the objects in those buckets.
- Project Bucket Object Admin: Has read-only on dual-zone buckets within a project, as well as read-write on the objects in those buckets.
- Project Bucket Object Viewer: Has read-only on dual-zone buckets within a project, as well as read-only on the objects in those buckets.
- Project Creator: Creates new projects.
- Project Editor: Deletes projects.
- SIEM Export Org Creator: Creates
SIEMOrgForwarder
custom resources. - SIEM Export Org Editor: Has read and write access on
SIEMOrgForwarder
custom resources. - SIEM Export Org Viewer Has read-only access to view
SIEMOrgForwarder
custom resources. - Transfer Appliance Request Creator: Can read and create transfer appliance requests, which allow you to quickly and securely transfer large amounts of data to GDC air-gapped appliance using a high capacity storage server.
- User Cluster Admin: Creates, updates, and deletes the user cluster, and manages the user cluster's lifecycle.
- User Cluster CRD Viewer: Read-only access to Custom Resource Definitions (CRDs) within a user cluster.
- User Cluster Developer: Has cluster admin permissions in user clusters.
- User Cluster Node Viewer: Has read-only cluster admin permissions in user clusters.
- VPN Admin: Has read and write permissions on all VPN-related resources.
- VPN Viewer: Has read permissions on all VPN-related resources.
AO roles
An Application Operator (AO) is a member of the development team within the Platform Administrator (PA) organization. AOs interact with project-level resources. You can assign the following predefined roles to team members:
- Project IAM Admin: Manages the IAM allow policies of projects.
- AI OCR Developer: Access the Optical Character Recognition service to detect text in images.
- AI Speech Developer: Access the Speech-to-Text service to recognize speech and transcribe audio.
- AI Translation Developer: Access the Vertex AI Translation service to translate text.
- Artifact Management Admin: Has admin access to resources in all Harbor projects in the project namespace.
- Artifact Management Editor: Has read and write access to resources in all Harbor projects in the project namespace.
- Certificate Authority Service Admin: Has access to manage certificate authorities and certificate requests in their project.
- Certificate Service Admin: Has access to manage certificates and certificate issuers in their project.
- Dashboard Editor: Has read and write access on
Dashboard
custom resources. - Dashboard Viewer: Has read-only access on
Dashboard
custom resources. - Harbor Instance Admin: Has full access to manage Harbor instances in a project.
- Harbor Instance Viewer: Has read-only access to view Harbor instances in a project.
- Harbor Project Creator: Has access to manage Harbor instance projects.
- K8s Network Policy Admin: Manages network policies in Kubernetes clusters.
- LoggingRule Creator: Creates
LoggingRule
custom resources in the project namespace. - LoggingRule Editor: Edits
LoggingRule
custom resources in the project namespace. - LoggingRule Viewer: Views
LoggingRule
custom resources in the project namespace. - LoggingTarget Creator: Creates
LoggingTarget
custom resources in the project namespace. - LoggingTarget Editor: Edits
LoggingTarget
custom resources in the project namespace. - LoggingTarget Viewer: Views
LoggingTarget
custom resources in the project namespace. - Load Balancer Admin: has read and write permissions on all load balancer resources in project namespace.
- MonitoringRule Editor: Has read and write access to
MonitoringRule
resources. - MonitoringRule Viewer: Has read-only access to
MonitoringRule
custom resources. - MonitoringTarget Editor: Has read and write access to
MonitoringTarget
custom resources. - MonitoringTarget Viewer: Has read-only access to
MonitoringTarget
custom resources. - NAT Viewer: Has read-only access to deployments in Kubernetes clusters.
- Namespace Admin: Manages all resources within the project namespace.
- ObservabilityPipeline Editor: Has read and write access on
ObservabilityPipeine
custom resources. - ObservabilityPipeline Viewer: Has read-only access on
ObservabilityPipeline
custom resources. - Project Bucket Admin: Manages the storage buckets and objects within buckets.
- Project Bucket Object Admin: Has read-only access on buckets within a project, and read-write access on the objects in those buckets.
- Project Bucket Object Viewer: Has read-only access on buckets within a project and the objects in those buckets.
- Project Cortex Alertmanager Editor: Grants permissions to edit the Cortex Alertmanager instance in the project namespace.
- Project Cortex Alertmanager Viewer: Grants permissions to access the Cortex Alertmanager instance in the project namespace.
- Project Cortex Prometheus Viewer: Grants permissions to access the Cortex Prometheus instance in the project namespace.
- Project Grafana Viewer: Accesses the Grafana instance in the project namespace of the fleet admin cluster.
- Project NetworkPolicy Admin: Manages the project network policies in the project namespace.
- Project Viewer: Has read-only access to all resources within project namespaces.
- Project VirtualMachine Admin: Manages VMs in the project namespace.
- Project VirtualMachine Image Admin: Manages VM images in the project namespace.
- Secret Admin: Manages Kubernetes secrets in projects.
- Secret Viewer: Views Kubernetes secrets in projects.
- Service Configuration Admin: Has read and write access to service configurations within a project namespace.
- Service Configuration Viewer: Has read access to service configurations within a project namespace.
- Volume Replication Admin: Manages volume replication resources.
- Workbench Notebooks Admin: Get read and write access to all notebook resources within a project namespace.
- Workbench Notebooks Viewer: Get read-only access to all notebook resources within a project namespace and view the Vertex AI Workbench user interface.
- Workload Viewer: Has read access to workloads in a project.
Common roles
The following predefined common roles apply to all authenticated users:
- AI Platform Viewer: Grants permissions to view pre-trained services.
- DNS Suffix Viewer: Accesses the domain name service (DNS) suffix config map.
- Flow Log Admin: Has read and write access to all Flow Log resources.
- Flow Log Viewer: Has read-only access to all Flow Log resources.
- Project Discovery Viewer: Has read access for all authenticated users to the project view.
- Public Image Viewer: Has read access for all authenticated users on the
public VM images in the namespace
vm-images
. - System Artifact Registry anthos-creds secret Monitor: Has read-only
access to secrets in the
anthos-creds
namespace. - System Artifact Registry gpc-system secret Monitor: Has read-only
access to secrets in the
gpc-system
namespace. - System Artifact Registry harbor-system secret Monitor: Has read-only
access to secrets in the
harbor-system
namespace. - Virtual Machine Type Viewer: Has read access to cluster-scoped virtual machine types.
- VM Type Viewer: Has read access to the predefined virtual machine types on the admin clusters.