Predefined role descriptions

Google Distributed Cloud (GDC) air-gapped has the following predefined roles that you can assign to team members:

PA roles

Platform Administrators (PA) manage organization level resources and project lifecycle management. You can assign the following predefined roles to team members:

  • Audit Logs Platform Restore Bucket Creator: Create backup buckets to restore the platform audit logs.
  • Audit Logs Platform Bucket Viewer: View backup buckets of platform audit logs.
  • AI Platform Admin: Grants permissions to manage pre-trained services.
  • Backup Repository Admin: Manages backup repositories.
  • Billing Viewer: Has read-only access to SKU descriptions, inventory machines, and fleets on the cost table page.
  • Bucket Admin: Manages storage buckets within organizations and projects and the objects in those buckets.
  • Bucket Admin (global): Manages single zone buckets within the organization and projects, as well as the objects in those buckets.
  • Bucket Object Admin: Has read-only access on buckets within an organization, and read-write access on the objects in those buckets.
  • Bucket Object Admin (global) Has read-only on dual-zone buckets within the organization and its projects, as well as read-write on the objects in those buckets.
  • Bucket Object Viewer: Has read-only access on buckets within a organization and the objects in those buckets.
  • Bucket Object Viewer (global) Bucket Object Viewer has read-only on dual-zone buckets within the organization and its projects, as well as read-only on the objects in those buckets.
  • Custom Role Org Admin: Creates and manages custom roles within an organization or project.
  • Dashboard PA Creator: Creates Dashboard custom resources for the entire organization.
  • Dashboard PA Editor: Has read and write access on Dashboard custom resources for the entire organization.
  • Dashboard PA Viewer: Has read-only access on Dashboard custom resources for the entire organization.
  • DR Backup Admin: Performs disaster recovery backups.
  • DR System Admin: Manages resources in the dr-system namespace for setting up backups on the management cluster.
  • Flow Log Admin: Manages flow log resources for logging network traffic metadata.
  • Flow Log Viewer: Provides read-only access to flow log configurations.
  • GDCH Restrict By Attributes Policy Admin: Has full access to the GDCHRestrictByAttributes constraint.
  • GDCH Restricted Service Policy Admin: Manages policy templates for the organization and has full access to constraints. Applies or rolls back policies for an organization or project.
  • Global PNP Admin: Has write permissions on all multi-zone project network policy (PNP) resources in global project namespace.
  • IdP Federation Admin: Has full access to configure identity providers.
  • Interconnect Admin: Has access to configure interconnect resources.
  • KMS Rotation Job Admin: Has full access to create and manage the RotationJob resource, which rotate key management system (KMS) root keys.
  • Log Query API Querier: Has read-only access to reach the audit log or operational log endpoint from the Log Query API to view logs for a project.
  • LoggingRule PA Creator: Creates LoggingRule custom resources for the entire organization.
  • LoggingRule PA Editor: Edits LoggingRule custom resources for the entire organization.
  • LoggingRule PA Viewer: Views LoggingRule custom resources for the entire organization.
  • LoggingTarget PA Creator: Creates LoggingTarget custom resources for the entire organization.
  • LoggingTarget PA Editor: Edits LoggingTarget custom resources for the entire organization.
  • LoggingTarget PA Viewer: Views LoggingTarget custom resources for the entire organization.
  • MonitoringRule PA Creator: Creates MonitoringRule custom resources for the entire organization.
  • MonitoringRule PA Editor: Has read and write access to MonitoringRule resources for the entire organization.
  • MonitoringRule PA Viewer: Has read-only access to MonitoringRule custom resources for the entire organization.
  • MonitoringTarget PA Creator: Creates MonitoringTarget custom resources for the entire organization.
  • MonitoringTarget PA Editor: Has read and write access to MonitoringTarget custom resources for the entire organization.
  • MonitoringTarget PA Viewer: Has read-only access to MonitoringTarget custom resources for the entire organization.
  • ObservabilityPipeline PA Creator: Creates ObservabilityPipeine custom resources for the entire organization.
  • ObservabilityPipeline PA Editor: Has read and write access on ObservabilityPipeine custom resources for the entire organization.
  • ObservabilityPipeline PA Viewer: Has read-only access on ObservabilityPipeline custom resources for the entire organization.
  • Org Network Policy Admin: Manages organization network policies in the platform namespace.
  • Org Session Admin: Has access to the revocation command. Users bound to this Role are added to the ACLs for authentication and authorization.
  • Organization Backup Admin: Has read and write access to manage backups.
  • Organization Cluster Backup Admin: Has access to manage backups in admin clusters.
  • Organization IAM Viewer: Has read-only access to all resources that the Organization IAM Administrator has access to.
  • Organization DB Admin: Manages Database Service resources for an organization.
  • Organization Grafana Viewer: Visualize organization-related observability data on dashboards of the Grafana monitoring instance.
  • Organization IAM Admin: Creates, updates, and deletes any permissions and allow policies within the Management API server.
  • Organization Upgrade Admin: Modifies maintenance windows for an organization. Maintenance windows are created automatically during organization creation.
  • Organization Upgrade Viewer: Views maintenance windows.
  • Project Bucket Admin: Manages the dual-zone buckets of a project, as well as the objects in those buckets.
  • Project Bucket Object Admin: Has read-only on dual-zone buckets within a project, as well as read-write on the objects in those buckets.
  • Project Bucket Object Viewer: Has read-only on dual-zone buckets within a project, as well as read-only on the objects in those buckets.
  • Project Creator: Creates new projects.
  • Project Editor: Deletes projects.
  • Subnet Organization Admin (global): Manages multiple zone subnets within the organization.
  • Subnet Organization Admin: Manages zonal subnets within the organization.
  • SIEM Export Org Creator: Creates SIEMOrgForwarder custom resources.
  • SIEM Export Org Editor: Has read and write access on SIEMOrgForwarder custom resources.
  • SIEM Export Org Viewer Has read-only access to view SIEMOrgForwarder custom resources.
  • System Cluster Backup Repository Admin: Has full access to manage backup repositories.
  • Transfer Appliance Request Creator: Can read and create transfer appliance requests, which allow you to quickly and securely transfer large amounts of data to Distributed Cloud using a high capacity storage server.
  • User Cluster Backup Admin: Manages backup resources such as backup and restore plans in user clusters.
  • User Cluster Admin: Creates, updates, and deletes the user cluster, and manages the user cluster's lifecycle.
  • User Cluster CRD Viewer: Read-only access to Custom Resource Definitions (CRDs) within a user cluster.
  • User Cluster Developer: Has cluster admin permissions in user clusters.
  • User Cluster Node Viewer: Has read-only cluster admin permissions in user clusters.
  • VPN Admin: Has read and write permissions on all VPN-related resources.
  • VPN Viewer: Has read permissions on all VPN-related resources.

AO roles

An Application Operator (AO) is a member of the development team within the Platform Administrator (PA) organization. AOs interact with project-level resources. You can assign the following predefined roles to team members:

  • AI OCR Developer: Access the Optical Character Recognition service to detect text in images.
  • AI Speech Chirp Developer: Access the Chirp model of the Speech-to-Text service to recognize speech and transcribe audio.
  • AI Speech Developer: Access the Speech-to-Text service to recognize speech and transcribe audio.
  • AI Text Embedding Developer: Access the Text Embedding service to convert English natural language into numerical vectors.
  • AI Text Embedding Multilingual Developer: Access the Text Embedding service to convert multilingual natural language into numerical vectors.
  • AI Translation Developer: Access the Vertex AI Translation service to translate text.
  • Backup Creator: Creates manual backups and restores.
  • Certificate Authority Service Admin: Has access to manage certificate authorities and certificate requests in their project.
  • Custom Role Project Admin: Creates and manages custom roles within a project.
  • Dashboard Editor: Has read and write access on Dashboard custom resources.
  • Dashboard Viewer: Has read-only access on Dashboard custom resources.
  • Discovery Engine Admin: Get full access to all Discovery Engine resources.
  • Discovery Engine Developer: Get read and write access to all Discovery Engine resources.
  • Discovery Engine Reader: Get read access to all Discovery Engine resources.
  • Global Load Balancer Admin: Has read and write permissions on all load balancer resources in the project namespace in the global API server.
  • Harbor Instance Admin: Has full access to manage Harbor instances in a project.
  • Harbor Instance Viewer: Has read-only access to view Harbor instances in a project.
  • Harbor Project Creator: Has access to manage Harbor instance projects.
  • K8s Network Policy Admin: Manages network policies in user clusters.
  • KMS Admin: Manages KMS keys in a project, including the AEADKey and SigningKey keys. This role can also import and export keys.
  • KMS Creator: Has create and read access on KMS keys in a project.
  • KMS Developer: Has access to perform crypto operations using keys in projects.
  • KMS Key Export Admin: Has access to export KMS keys as wrapped keys from the KMS.
  • KMS Key Import Admin: Has access to import KMS keys as wrapped keys to the KMS.
  • KMS Viewer: Has read-only access to KMS keys in their project, and can view key import and export.
  • LoggingRule Creator: Creates LoggingRule custom resources in the project namespace.
  • LoggingRule Editor: Edits LoggingRule custom resources in the project namespace.
  • LoggingRule Viewer: Views LoggingRule custom resources in the project namespace.
  • LoggingTarget Creator: Creates LoggingTarget custom resources in the project namespace.
  • LoggingTarget Editor: Edits LoggingTarget custom resources in the project namespace.
  • LoggingTarget Viewer: Views LoggingTarget custom resources in the project namespace.
  • Load Balancer Admin: has read and write permissions on all load balancer resources in the project namespace.
  • Marketplace Editor: Has create, update, and delete access on service instances in a project.
  • MonitoringRule Editor: Has read and write access to MonitoringRule resources.
  • MonitoringRule Viewer: Has read-only access to MonitoringRule custom resources.
  • MonitoringTarget Editor: Has read and write access to MonitoringTarget custom resources.
  • MonitoringTarget Viewer: Has read-only access to MonitoringTarget custom resources.
  • Namespace Admin: Manages all resources within the project namespace.
  • NAT Viewer: Has read-only access to deployments in user clusters.
  • ObservabilityPipeline Editor: Has read and write access on ObservabilityPipeine custom resources.
  • ObservabilityPipeline Viewer: Has read-only access on ObservabilityPipeline custom resources.
  • Project Bucket Admin: Manages the storage buckets and objects within buckets.
  • Project Bucket Object Admin: Has read-only access on buckets within a project, and read-write access on the objects in those buckets.
  • Project Bucket Object Viewer: Has read-only access on buckets within a project and the objects in those buckets.
  • Project IAM Admin: Manages the IAM allow policies of projects.
  • Project NetworkPolicy Admin: Manages the project network policies in the project namespace.
  • Project DB Admin: Administers Database Service for a project.
  • Project DB Editor: Has read-write access to Database Service for a project.
  • Project DB Viewer: Has read-only access to Database Service for a project.
  • Project Viewer: Has read-only access to all resources within project namespaces.
  • Project VirtualMachine Admin: Manages VMs in the project namespace.
  • Project VirtualMachine Image Admin: Manages VM images in the project namespace.
  • Secret Admin: Manages Kubernetes secrets in projects.
  • Secret Viewer: Views Kubernetes secrets in projects.
  • Service Configuration Admin: Has read and write access to service configurations within a project namespace.
  • Service Configuration Viewer: Has read access to service configurations within a project namespace.
  • Subnet Project Admin (global): Manages multiple zone subnets within projects.
  • Subnet Project Admin: Manages zonal subnets within projects.
  • Subnet Project Operator: Manages leaf type auto-allocated subnets within projects.
  • Vertex AI Prediction User: Access the Online Prediction service to make requests to your model endpoint.
  • Volume Replication Admin: Manages volume replication resources.
  • Workbench Notebooks Admin: Get read and write access to all notebook resources within a project namespace.
  • Workbench Notebooks Viewer: Get read-only access to all notebook resources within a project namespace and view the Vertex AI Workbench user interface.
  • Workload Viewer: Has read access to workloads in a project.

Common roles

The following predefined common roles apply to all authenticated users:

  • AI Platform Viewer: Grants permissions to view pre-trained services.
  • DB Options Viewer: Views all configuration options that can be used in Database Service.
  • DB UI Viewer: Grants permissions to authenticated users to view the Database Service UI.
  • DNS Suffix Viewer: Accesses the domain name service (DNS) suffix config map.
  • Flow Log Admin: Has read and write access to all Flow Log resources.
  • Flow Log Viewer: Has read-only access to all Flow Log resources.
  • Marketplace Viewer: Has read-only access on service versions.
  • Pricing Calculator User: Has read-only access to stock keeping unit (SKU) descriptions.
  • Project Discovery Viewer: Has read access for all authenticated users to the project view.
  • Public Image Viewer: Has read access for all authenticated users on the public VM images in the namespace vm-images.
  • Virtual Machine Type Viewer: Has read access to cluster-scoped virtual machine types.
  • VM Type Viewer: Has read access to the predefined virtual machine types.