Permissions supported in deny policies

You can include some, but not all, Identity and Access Management (IAM) permissions in deny policies.

Deny policies require the IAM v2beta permission format, that is, SERVICE_FQDN/RESOURCE.ACTION. The value of SERVICE_FQDN is usually the value of SERVICE_ID from the v1 API, followed by .googleapis.com. For example, the permission to delete a role is iam.googleapis.com/roles.delete. Exceptions are documented on this page.

Supported permissions

The following table lists the permissions that can be used in deny policies.

Service | Supported permissions
API Keys

apikeys.googleapis.com/apiKeys.regenerate

apikeys.googleapis.com/apiKeys.revert

apikeys.googleapis.com/keys.create

apikeys.googleapis.com/keys.delete

apikeys.googleapis.com/keys.get

apikeys.googleapis.com/keys.list

apikeys.googleapis.com/keys.lookup

apikeys.googleapis.com/keys.update

Client Auth Config

clientauthconfig.googleapis.com/brands.create

clientauthconfig.googleapis.com/brands.delete

clientauthconfig.googleapis.com/brands.update

clientauthconfig.googleapis.com/clients.create

clientauthconfig.googleapis.com/clients.createSecret

clientauthconfig.googleapis.com/clients.delete

clientauthconfig.googleapis.com/clients.get

clientauthconfig.googleapis.com/clients.getWithSecret

clientauthconfig.googleapis.com/clients.listWithSecrets

clientauthconfig.googleapis.com/clients.undelete

clientauthconfig.googleapis.com/clients.update

Resource Manager

cloudresourcemanager.googleapis.com/folders.create

cloudresourcemanager.googleapis.com/folders.delete

cloudresourcemanager.googleapis.com/folders.get

cloudresourcemanager.googleapis.com/folders.getIamPolicy

cloudresourcemanager.googleapis.com/folders.list

cloudresourcemanager.googleapis.com/folders.move

cloudresourcemanager.googleapis.com/folders.setIamPolicy

cloudresourcemanager.googleapis.com/folders.undelete

cloudresourcemanager.googleapis.com/folders.update

cloudresourcemanager.googleapis.com/organizations.get

cloudresourcemanager.googleapis.com/organizations.getIamPolicy

cloudresourcemanager.googleapis.com/organizations.setIamPolicy

cloudresourcemanager.googleapis.com/projects.create

cloudresourcemanager.googleapis.com/projects.createBillingAssignment

cloudresourcemanager.googleapis.com/projects.delete

cloudresourcemanager.googleapis.com/projects.deleteBillingAssignment

cloudresourcemanager.googleapis.com/projects.get

cloudresourcemanager.googleapis.com/projects.getIamPolicy

cloudresourcemanager.googleapis.com/projects.move

cloudresourcemanager.googleapis.com/projects.setIamPolicy

cloudresourcemanager.googleapis.com/projects.undelete

cloudresourcemanager.googleapis.com/projects.update

cloudresourcemanager.googleapis.com/projects.updateLiens

Compute Engine

compute.googleapis.com/oslogin.updateExternalUser

Cloud DNS

dns.googleapis.com/changes.create

dns.googleapis.com/changes.get

dns.googleapis.com/changes.list

dns.googleapis.com/dnsKeys.get

dns.googleapis.com/dnsKeys.list

dns.googleapis.com/managedZoneOperations.get

dns.googleapis.com/managedZoneOperations.list

dns.googleapis.com/managedZones.create

dns.googleapis.com/managedZones.delete

dns.googleapis.com/managedZones.get

dns.googleapis.com/managedZones.list

dns.googleapis.com/managedZones.update

dns.googleapis.com/policies.create

dns.googleapis.com/policies.delete

dns.googleapis.com/policies.get

dns.googleapis.com/policies.list

dns.googleapis.com/policies.update

dns.googleapis.com/projects.get

dns.googleapis.com/resourceRecordSets.create

dns.googleapis.com/resourceRecordSets.delete

dns.googleapis.com/resourceRecordSets.get

dns.googleapis.com/resourceRecordSets.list

dns.googleapis.com/resourceRecordSets.update

Identity and Access Management

iam.googleapis.com/roles.create

iam.googleapis.com/roles.delete

iam.googleapis.com/roles.get

iam.googleapis.com/roles.list

iam.googleapis.com/roles.undelete

iam.googleapis.com/roles.update

iam.googleapis.com/serviceAccountKeys.create

iam.googleapis.com/serviceAccountKeys.delete

iam.googleapis.com/serviceAccountKeys.get

iam.googleapis.com/serviceAccountKeys.list

iam.googleapis.com/serviceAccounts.create

iam.googleapis.com/serviceAccounts.delete

iam.googleapis.com/serviceAccounts.disable

iam.googleapis.com/serviceAccounts.enable

iam.googleapis.com/serviceAccounts.get

iam.googleapis.com/serviceAccounts.getAccessToken

iam.googleapis.com/serviceAccounts.getIamPolicy

iam.googleapis.com/serviceAccounts.getOpenIdToken

iam.googleapis.com/serviceAccounts.implicitDelegation

iam.googleapis.com/serviceAccounts.list

iam.googleapis.com/serviceAccounts.setIamPolicy

iam.googleapis.com/serviceAccounts.signBlob

iam.googleapis.com/serviceAccounts.signJwt

iam.googleapis.com/serviceAccounts.undelete

iam.googleapis.com/serviceAccounts.update

iam.googleapis.com/workloadIdentityPoolProviders.create

iam.googleapis.com/workloadIdentityPoolProviders.delete

iam.googleapis.com/workloadIdentityPoolProviders.get

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPoolProviders.undelete

iam.googleapis.com/workloadIdentityPoolProviders.update

iam.googleapis.com/workloadIdentityPools.create

iam.googleapis.com/workloadIdentityPools.delete

iam.googleapis.com/workloadIdentityPools.get

iam.googleapis.com/workloadIdentityPools.list

iam.googleapis.com/workloadIdentityPools.undelete

iam.googleapis.com/workloadIdentityPools.update

Organization Policy Service

orgpolicy.googleapis.com/policy.set

Security Command Center

securitycenter.googleapis.com/assets.group

securitycenter.googleapis.com/assets.list

securitycenter.googleapis.com/assets.listAssetPropertyNames

securitycenter.googleapis.com/assets.runDiscovery

securitycenter.googleapis.com/assetsecuritymarks.update

securitycenter.googleapis.com/containerthreatdetectionsettings.calculate

securitycenter.googleapis.com/containerthreatdetectionsettings.get

securitycenter.googleapis.com/containerthreatdetectionsettings.update

securitycenter.googleapis.com/eventthreatdetectionsettings.calculate

securitycenter.googleapis.com/eventthreatdetectionsettings.get

securitycenter.googleapis.com/eventthreatdetectionsettings.update

securitycenter.googleapis.com/findings.bulkMuteUpdate

securitycenter.googleapis.com/findings.group

securitycenter.googleapis.com/findings.list

securitycenter.googleapis.com/findings.listFindingPropertyNames

securitycenter.googleapis.com/findings.setMute

securitycenter.googleapis.com/findings.setState

securitycenter.googleapis.com/findings.setWorkflowState

securitycenter.googleapis.com/findings.update

securitycenter.googleapis.com/findingsecuritymarks.update

securitycenter.googleapis.com/muteconfigs.create

securitycenter.googleapis.com/muteconfigs.delete

securitycenter.googleapis.com/muteconfigs.get

securitycenter.googleapis.com/muteconfigs.list

securitycenter.googleapis.com/muteconfigs.update

securitycenter.googleapis.com/notificationconfig.create

securitycenter.googleapis.com/notificationconfig.delete

securitycenter.googleapis.com/notificationconfig.get

securitycenter.googleapis.com/notificationconfig.list

securitycenter.googleapis.com/notificationconfig.update

securitycenter.googleapis.com/organizationsettings.get

securitycenter.googleapis.com/organizationsettings.update

securitycenter.googleapis.com/securitycentersettings.get

securitycenter.googleapis.com/securitycentersettings.update

securitycenter.googleapis.com/securityhealthanalyticssettings.calculate

securitycenter.googleapis.com/securityhealthanalyticssettings.get

securitycenter.googleapis.com/securityhealthanalyticssettings.update

securitycenter.googleapis.com/sources.get

securitycenter.googleapis.com/sources.getIamPolicy

securitycenter.googleapis.com/sources.list

securitycenter.googleapis.com/sources.setIamPolicy

securitycenter.googleapis.com/sources.update

securitycenter.googleapis.com/subscription.get

securitycenter.googleapis.com/userinterfacemetadata.get

securitycenter.googleapis.com/websecurityscannersettings.calculate

securitycenter.googleapis.com/websecurityscannersettings.get

securitycenter.googleapis.com/websecurityscannersettings.update

Service Networking

servicenetworking.googleapis.com/services.addPeering

servicenetworking.googleapis.com/services.get

Service Usage

serviceusage.googleapis.com/operations.cancel

serviceusage.googleapis.com/operations.delete

serviceusage.googleapis.com/operations.get

serviceusage.googleapis.com/operations.list

serviceusage.googleapis.com/quotas.get

serviceusage.googleapis.com/quotas.update

serviceusage.googleapis.com/services.disable

serviceusage.googleapis.com/services.enable

serviceusage.googleapis.com/services.get

serviceusage.googleapis.com/services.list

serviceusage.googleapis.com/services.use

Cloud Storage

storage.googleapis.com/buckets.create

storage.googleapis.com/buckets.createTagBinding

storage.googleapis.com/buckets.delete

storage.googleapis.com/buckets.deleteTagBinding

storage.googleapis.com/buckets.get

storage.googleapis.com/buckets.getIamPolicy

storage.googleapis.com/buckets.list

storage.googleapis.com/buckets.listTagBindings

storage.googleapis.com/buckets.setIamPolicy

storage.googleapis.com/buckets.update

storage.googleapis.com/hmacKeys.create

storage.googleapis.com/hmacKeys.delete

storage.googleapis.com/hmacKeys.get

storage.googleapis.com/hmacKeys.list

storage.googleapis.com/hmacKeys.update

storage.googleapis.com/multipartUploads.abort

storage.googleapis.com/multipartUploads.create

storage.googleapis.com/multipartUploads.list

storage.googleapis.com/multipartUploads.listParts

Serverless VPC Access

vpcaccess.googleapis.com/connectors.create

vpcaccess.googleapis.com/connectors.delete

vpcaccess.googleapis.com/connectors.get

vpcaccess.googleapis.com/connectors.list

vpcaccess.googleapis.com/connectors.use

vpcaccess.googleapis.com/locations.list

vpcaccess.googleapis.com/operations.get

vpcaccess.googleapis.com/operations.list