Role definitions for projects

The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:

  • Name: The name of a role displayed in the user interface (UI).
  • Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
  • Level: The specification of whether this role is scoped by the organization or a project.
  • Type: The type of this role. For example, some possible values are Role, ProjectRole, ClusterRole, or ProjectClusterRole.
  • Binding type: The type of binding that you must apply to this role.
  • Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
  • Escalates to: The specification of whether this role escalates to other roles or not.

AO persona, predefined identity, and access roles

AO persona
Name Kubernetes resource name Initial admin Level Type
Project IAM Admin project-iam-admin True Project Role
AI OCR Developer ai-ocr-developer False Project Role
AI Platform Viewer ai-platform-viewer False Project Role
AI Speech Developer ai-speech-developer False Project Role
AI Translation Developer ai-translation-developer False Project Role
Artifact Management Admin artifact-management-admin False Project Role
Artifact Management Editor artifact-management-editor False Project Role
Backup Creator backup-creator False Project ProjectRole
KMS Admin kms-admin False Project Role
KMS Creator kms-creator False Project Role
KMS Developer kms-developer False Project Role
KMS Key Export Admin kms-keyexport-admin False Project Role
KMS Key Import Admin kms-keyimport-admin False Project Role
KMS Viewer kms-viewer False Project Role
Kubernetes Network Policy Admin k8s-networkpolicy-admin False Project ProjectRole
Marketplace Editor marketplace-editor False Project Role
Namespace Admin namespace-admin False Project ProjectRole
Project Bucket Admin project-bucket-admin False Project Role
Project Bucket Object Admin project-bucket-object-admin False Project Role
Project Bucket Object Viewer project-bucket-object-viewer False Project Role
Project Network Policy Admin project-networkpolicy-admin False Project Role
Project DB Admin project-db-admin False Project Role
Project DB Editor project-db-editor False Project Role
Project DB Viewer project-db-viewer False Project Role
Project Viewer project-viewer False Project Role
Project VirtualMachine Admin project-vm-admin False Project Role
Project VirtualMachine Image Admin project-vm-image-admin False Project Role
Secret Admin secret-admin False Project Role
Secret Viewer secret-viewer False Project Role
Service Configuration Admin service-configuration-admin False Project Role
Service Configuration Viewer service-configuration-viewer False Project Role
VM Admin vm-admin False Project ProjectRole
Workbench Notebooks Admin workbench-notebooks-admin False Project Role
Workbench Notebooks Viewer workbench-notebooks-viewer False Project Role

AO persona, predefined identity, and access roles

AO persona
Name Binding type Org admin cluster permissions User cluster permissions Escalates to
Project IAM Admin RoleBinding
  • RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, ProjectClusterRole, ProjectRoleBinding, and ProjectClusterRoleBinding: Create, read, update, delete, and bind
  • ProjectServiceAccount: Create, read, update, and delete
  • List project namespace
N/A All other AO roles
AI OCR Developer RoleBinding OCR resources: Read and write N/A N/A
AI Speech Developer RoleBinding Speech resources: Read and write N/A N/A
AI Translation Developer RoleBinding Translation resources: Read and write N/A N/A
Backup Creator ProjectRoleBinding N/A
  • Manual backups and restores: Create, read, and delete
  • Backups, restores, backup plans, and restore plans, volume backups, volume restores, delete backup requests: Read
N/A
KMS Admin RoleBinding
  • AEADKey: Create, read, update, delete, patch, encrypt, and decrypt
  • SigningKey: Create, read, update, delete, patch, and sign
  • KeyImport and KeyExport: Read
N/A N/A
KMS Creator RoleBinding AEADKey and SigningKey: Create and read N/A N/A
KMS Developer RoleBinding
  • AEADKey in the project namespace: Read, encrypt, and decrypt
  • SigningKey in the project namespace: Read and sign
N/A N/A
KMS Key Export Admin RoleBinding KeyExport resource: Create, read, update, patch, and delete N/A N/A
KMS Key Import Admin RoleBinding KeyImport resource: Create, read, update, patch, and delete N/A N/A
KMS Viewer RoleBinding AEADKey, SigningKey, KeyImport, KeyExport: Read N/A N/A
Kubernetes Network Policy Admin ProjectRoleBinding N/A Kubernetes network policies: Read and write in the user cluster N/A
Marketplace Editor RoleBinding N/A Service instances: Create, update, and delete N/A
Namespace Admin ProjectRoleBinding N/A All resources: Read and write access in the project namespace, excluding the system cluster N/A
Project Bucket Admin RoleBinding Bucket: Read and write in the project namespace N/A N/A
Project Bucket Object Admin RoleBinding
  • Bucket: Read
  • Objects: Read and write
N/A N/A
Project Bucket Object Viewer RoleBinding Bucket and objects: Read N/A N/A
Project Network Policy Admin RoleBinding Project network policies: Read and write in the project namespace N/A N/A
Project DB Admin RoleBinding
  • Database versions, flags, maintenance policies, software libraries, and database project properties: Read
  • Backup plans and database clusters: Create, read, update, and delete
  • Imports, exports, and restores: Create, read, and delete
  • Secrets: Create, delete, and update
  • Migrations and external servers: Create, read, update, delete, and patch
N/A N/A
Project DB Editor RoleBinding
  • Database versions, flags, maintenance policies, software libraries, backup plans, and restores: Read
  • Imports: Create, read, and delete
  • Database clusters: Read and update
  • Secrets: Create and delete
N/A N/A
Project DB Viewer RoleBinding Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read N/A N/A
Project Viewer RoleBinding All resources in the project namespace: Read N/A N/A
Project VirtualMachine Admin RoleBinding
  • Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, and restores: Read, create, update, and delete
  • Virtual machine restart: Put
  • Virtual machine images, backup plans, and backup plan templates: Read
N/A N/A
Project VirtualMachine Image Admin RoleBinding
  • VM images: Read
  • VM image imports: Read and write
N/A N/A
Secret Admin RoleBinding Kubernetes secrets: Read, create, update, delete, and patch N/A N/A
Secret Viewer RoleBinding Kubernetes secrets: Read N/A N/A
Service Configuration Admin RoleBinding ServiceConfigurations: Read and write N/A N/A
Service Configuration Viewer RoleBinding ServiceConfigurations: Read N/A N/A
VM Admin ProjectRoleBinding N/A
  • VMs and disks, VM backups and requests, and VM restores and requests: Read and write
  • VM backup plans and templates: Read
  • Services: Read and write
  • ClusterInfo objects: Read
N/A
Workbench Notebooks Admin RoleBinding N/A
  • Notebook custom resources (CR) in the project namespace: Create, read, update, and delete
  • ClusterInfo objects: Read
N/A
Workbench Notebooks Viewer RoleBinding N/A
  • Notebook custom resources (CR) in the project namespace: Read
N/A

Common predefined identity and access roles

Common roles
Name Kubernetes resource name Initial admin Level Type
AI Platform Viewer ai-platform-viewer False Project Role
DB UI Viewer db-ui-viewer False Project ClusterRole
DB Options Viewer db-options-viewer False Project ClusterRole
DNS Suffix Viewer dnssuffix-viewer False Organization Role
Marketplace Service Viewer marketplace-service-viewer False Project ClusterRole
Marketplace Viewer marketplace-viewer False Project ClusterRole
Pricing Calculator User pricingcalculator-user False Project ClusterRole
Project Discovery Viewer projectdiscovery-viewer False Project ClusterRole
Public Image Viewer public-image-viewer False Organization Role
Virtual Machine Type Viewer virtualmachinetype-viewer True Organization OrganizationRole
VM Type Viewer vmtype-viewer False Organization Role

Common predefined identity and access roles

Common roles
Name Binding type Admin cluster permissions User cluster permissions Escalates to
AI Platform Viewer RoleBinding Pre-trained services: Read N/A N/A
DB Options Viewer ClusterRoleBinding DBS configurations: Read N/A N/A
DB UI Viewer ClusterRoleBinding DBS UI configurations: Read N/A N/A
DNS Suffix Viewer RoleBinding DNS suffix config maps: Read N/A N/A
Marketplace Service Viewer ClusterRoleBinding Marketplace services: Read N/A N/A
Marketplace Viewer ClusterRoleBinding Service versions and service instances: Read N/A N/A
Pricing Calculator User ClusterRoleBinding N/A SkuDescriptions: Read N/A
Project Discovery Viewer ClusterRoleBinding Projects: Read N/A N/A
Public Image Viewer RoleBinding VM images: Read N/A N/A
VM Type Viewer ClusterRoleBinding VM types: Read N/A N/A