Predefined role descriptions for AOs

An Application Operator (AO) is a member of the development team within the Platform Administrator (PA) organization. AOs interact with project-level resources. You can assign the following predefined roles to team members:

  • Project IAM Admin: Manages the IAM allow policies of projects.
  • Vertex AI Optical Character Recognition (OCR) Developer: Accesses the OCR service.
  • Vertex AI Speech-to-Text Developer: Accesses the Speech-to-Text service.
  • Vertex AI Translation Developer: Accesses the Translation service.
  • K8s Network Policy Admin: Manages network policies in user clusters.
  • KMS Admin: Manages KMS keys in a project, including the AEADKey and SigningKey keys. This role can also import and export keys.
  • KMS Creator: Has create and read access on KMS keys in a project.
  • KMS Developer: Has access to perform crypto operations using keys in projects.
  • KMS Key Export Admin: Has access to export KMS keys as wrapped keys from the KMS.
  • KMS Key Import Admin: Has access to import KMS keys as wrapped keys to the KMS.
  • KMS Viewer: Has read-only access to KMS keys in their project, and can view key import and export.
  • Marketplace Editor: Has create, update, and delete access on service instances in a project.
  • MonitoringRule Editor: Has read and write access to MonitoringRule resources.
  • MonitoringRule Viewer: Has read-only access to MonitoringRule custom resources.
  • MonitoringTarget Editor: Has read and write access to MonitoringTarget custom resources.
  • MonitoringTarget Viewer: Has read-only access to MonitoringTarget custom resources.
  • Namespace Admin: Manages all resources within the project namespace.
  • ObservabilityPipeline Editor: Has read and write access on ObservabilityPipeine custom resources.
  • ObservabilityPipeline Viewer: Has read-only access on ObservabilityPipeline custom resources.
  • Project Bucket Admin: Manages the storage buckets and objects within buckets.
  • Project Bucket Object Admin: Has read-only access on buckets within a project, and read-write access on the objects in those buckets.
  • Project Bucket Object Viewer: Has read-only access on buckets within a project and the objects in those buckets.
  • Project Network Policy Admin: Manages the project network policies in the project namespace.
  • Project DB Admin: Administers Database Service for a project.
  • Project DB Editor: Has read-write access to Database Service for a project.
  • Project DB Viewer: Has read-only access to Database Service for a project.
  • Project Viewer: Has read-only access to all resources within project namespaces.
  • Project VirtualMachine Admin: Manages VMs in the project namespace.
  • Project VirtualMachine Image Admin: Manages VM images in the project namespace.
  • Secret Admin: Manages Kubernetes secrets in projects.
  • Secret Viewer: Views Kubernetes secrets in projects.
  • Service Configuration Admin: Has read and write access to service configurations within a project namespace.
  • Service Configuration Viewer: Has read access to service configurations within a project namespace.
  • Workbench Notebooks Admin: Has read-write access to all notebook resources within a project namespace.
  • Workbench Notebooks Viewer: Has read-only access to all notebook resources within a project namespace.

Common roles

The following predefined common roles apply to all authenticated users:

  • AI Platform Viewer: Grants permissions to view pre-trained services.
  • DB Options Viewer: Views all configuration options that can be used in Database Service.
  • DB UI Viewer: Grants permissions to authenticated users to view the Database Service UI.
  • DNS Suffix Viewer: Accesses the domain name service (DNS) suffix config map.
  • Marketplace Service Viewer: Has read access for all authenticated users to Marketplace services in the system namespace.
  • Marketplace Viewer: Has read only access on service versions and service instances.
  • Pricing Calculator User: Has read only access to stock keeping unit (SKU) descriptions.
  • Project Discovery Viewer: Has read access for all authenticated users to the project view.
  • Public Image Viewer: Has read access for all authenticated users on the public VM images in the namespace vm-images.
  • Virtual Machine Type Viewer: Has read access to cluster-scoped virtual machine types.
  • VM Type Viewer: Has read access to the predefined virtual machine types.