Permissions supported in deny policies

You can use some Identity and Access Management (IAM) permissions in deny policies.

Deny policies require the IAM v2beta permission format, which is SERVICE_FQDN/RESOURCE.ACTION. In most cases, SERVICE_FQDN is the SERVICE_ID value from the v1 API followed by .googleapis.com. For example, the permission to delete a role is iam.googleapis.com/roles.delete. Exceptions are documented on this page.

Supported permissions

The following table lists the permissions that can be used in deny policies.

Service    Supported permissions
API Keys

apikeys.googleapis.com/apiKeys.regenerate

apikeys.googleapis.com/apiKeys.revert

apikeys.googleapis.com/keys.create

apikeys.googleapis.com/keys.delete

apikeys.googleapis.com/keys.get

apikeys.googleapis.com/keys.list

apikeys.googleapis.com/keys.lookup

apikeys.googleapis.com/keys.update

Client authentication configuration

clientauthconfig.googleapis.com/brands.create

clientauthconfig.googleapis.com/brands.delete

clientauthconfig.googleapis.com/brands.update

clientauthconfig.googleapis.com/clients.create

clientauthconfig.googleapis.com/clients.createSecret

clientauthconfig.googleapis.com/clients.delete

clientauthconfig.googleapis.com/clients.get

clientauthconfig.googleapis.com/clients.getWithSecret

clientauthconfig.googleapis.com/clients.listWithSecrets

clientauthconfig.googleapis.com/clients.undelete

clientauthconfig.googleapis.com/clients.update

Resource Manager

cloudresourcemanager.googleapis.com/folders.create

cloudresourcemanager.googleapis.com/folders.delete

cloudresourcemanager.googleapis.com/folders.get

cloudresourcemanager.googleapis.com/folders.getIamPolicy

cloudresourcemanager.googleapis.com/folders.list

cloudresourcemanager.googleapis.com/folders.move

cloudresourcemanager.googleapis.com/folders.setIamPolicy

cloudresourcemanager.googleapis.com/folders.undelete

cloudresourcemanager.googleapis.com/folders.update

cloudresourcemanager.googleapis.com/organizations.get

cloudresourcemanager.googleapis.com/organizations.getIamPolicy

cloudresourcemanager.googleapis.com/organizations.setIamPolicy

cloudresourcemanager.googleapis.com/projects.create

cloudresourcemanager.googleapis.com/projects.createBillingAssignment

cloudresourcemanager.googleapis.com/projects.delete

cloudresourcemanager.googleapis.com/projects.deleteBillingAssignment

cloudresourcemanager.googleapis.com/projects.get

cloudresourcemanager.googleapis.com/projects.getIamPolicy

cloudresourcemanager.googleapis.com/projects.move

cloudresourcemanager.googleapis.com/projects.setIamPolicy

cloudresourcemanager.googleapis.com/projects.undelete

cloudresourcemanager.googleapis.com/projects.update

cloudresourcemanager.googleapis.com/projects.updateLiens

Compute Engine

compute.googleapis.com/oslogin.updateExternalUser

Cloud DNS

dns.googleapis.com/changes.create

dns.googleapis.com/changes.get

dns.googleapis.com/changes.list

dns.googleapis.com/dnsKeys.get

dns.googleapis.com/dnsKeys.list

dns.googleapis.com/managedZoneOperations.get

dns.googleapis.com/managedZoneOperations.list

dns.googleapis.com/managedZones.create

dns.googleapis.com/managedZones.delete

dns.googleapis.com/managedZones.get

dns.googleapis.com/managedZones.list

dns.googleapis.com/managedZones.update

dns.googleapis.com/policies.create

dns.googleapis.com/policies.delete

dns.googleapis.com/policies.get

dns.googleapis.com/policies.list

dns.googleapis.com/policies.update

dns.googleapis.com/projects.get

dns.googleapis.com/resourceRecordSets.create

dns.googleapis.com/resourceRecordSets.delete

dns.googleapis.com/resourceRecordSets.get

dns.googleapis.com/resourceRecordSets.list

dns.googleapis.com/resourceRecordSets.update

Identity and Access Management

iam.googleapis.com/roles.create

iam.googleapis.com/roles.delete

iam.googleapis.com/roles.get

iam.googleapis.com/roles.list

iam.googleapis.com/roles.undelete

iam.googleapis.com/roles.update

iam.googleapis.com/serviceAccountKeys.create

iam.googleapis.com/serviceAccountKeys.delete

iam.googleapis.com/serviceAccountKeys.get

iam.googleapis.com/serviceAccountKeys.list

iam.googleapis.com/serviceAccounts.create

iam.googleapis.com/serviceAccounts.delete

iam.googleapis.com/serviceAccounts.disable

iam.googleapis.com/serviceAccounts.enable

iam.googleapis.com/serviceAccounts.get

iam.googleapis.com/serviceAccounts.getAccessToken

iam.googleapis.com/serviceAccounts.getIamPolicy

iam.googleapis.com/serviceAccounts.getOpenIdToken

iam.googleapis.com/serviceAccounts.implicitDelegation

iam.googleapis.com/serviceAccounts.list

iam.googleapis.com/serviceAccounts.setIamPolicy

iam.googleapis.com/serviceAccounts.signBlob

iam.googleapis.com/serviceAccounts.signJwt

iam.googleapis.com/serviceAccounts.undelete

iam.googleapis.com/serviceAccounts.update

iam.googleapis.com/workloadIdentityPoolProviders.create

iam.googleapis.com/workloadIdentityPoolProviders.delete

iam.googleapis.com/workloadIdentityPoolProviders.get

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPoolProviders.undelete

iam.googleapis.com/workloadIdentityPoolProviders.update

iam.googleapis.com/workloadIdentityPools.create

iam.googleapis.com/workloadIdentityPools.delete

iam.googleapis.com/workloadIdentityPools.get

iam.googleapis.com/workloadIdentityPools.list

iam.googleapis.com/workloadIdentityPools.undelete

iam.googleapis.com/workloadIdentityPools.update

Organization Policy Service

orgpolicy.googleapis.com/policy.set

Security Command Center

securitycenter.googleapis.com/assets.group

securitycenter.googleapis.com/assets.list

securitycenter.googleapis.com/assets.listAssetPropertyNames

securitycenter.googleapis.com/assets.runDiscovery

securitycenter.googleapis.com/assetsecuritymarks.update

securitycenter.googleapis.com/containerthreatdetectionsettings.calculate

securitycenter.googleapis.com/containerthreatdetectionsettings.get

securitycenter.googleapis.com/containerthreatdetectionsettings.update

securitycenter.googleapis.com/eventthreatdetectionsettings.calculate

securitycenter.googleapis.com/eventthreatdetectionsettings.get

securitycenter.googleapis.com/eventthreatdetectionsettings.update

securitycenter.googleapis.com/findings.bulkMuteUpdate

securitycenter.googleapis.com/findings.group

securitycenter.googleapis.com/findings.list

securitycenter.googleapis.com/findings.listFindingPropertyNames

securitycenter.googleapis.com/findings.setMute

securitycenter.googleapis.com/findings.setState

securitycenter.googleapis.com/findings.setWorkflowState

securitycenter.googleapis.com/findings.update

securitycenter.googleapis.com/findingsecuritymarks.update

securitycenter.googleapis.com/muteconfigs.create

securitycenter.googleapis.com/muteconfigs.delete

securitycenter.googleapis.com/muteconfigs.get

securitycenter.googleapis.com/muteconfigs.list

securitycenter.googleapis.com/muteconfigs.update

securitycenter.googleapis.com/notificationconfig.create

securitycenter.googleapis.com/notificationconfig.delete

securitycenter.googleapis.com/notificationconfig.get

securitycenter.googleapis.com/notificationconfig.list

securitycenter.googleapis.com/notificationconfig.update

securitycenter.googleapis.com/organizationsettings.get

securitycenter.googleapis.com/organizationsettings.update

securitycenter.googleapis.com/securitycentersettings.get

securitycenter.googleapis.com/securitycentersettings.update

securitycenter.googleapis.com/securityhealthanalyticssettings.calculate

securitycenter.googleapis.com/securityhealthanalyticssettings.get

securitycenter.googleapis.com/securityhealthanalyticssettings.update

securitycenter.googleapis.com/sources.get

securitycenter.googleapis.com/sources.getIamPolicy

securitycenter.googleapis.com/sources.list

securitycenter.googleapis.com/sources.setIamPolicy

securitycenter.googleapis.com/sources.update

securitycenter.googleapis.com/subscription.get

securitycenter.googleapis.com/userinterfacemetadata.get

securitycenter.googleapis.com/websecurityscannersettings.calculate

securitycenter.googleapis.com/websecurityscannersettings.get

securitycenter.googleapis.com/websecurityscannersettings.update

Service Networking

servicenetworking.googleapis.com/services.addPeering

servicenetworking.googleapis.com/services.get

Service Usage

serviceusage.googleapis.com/operations.cancel

serviceusage.googleapis.com/operations.delete

serviceusage.googleapis.com/operations.get

serviceusage.googleapis.com/operations.list

serviceusage.googleapis.com/quotas.get

serviceusage.googleapis.com/quotas.update

serviceusage.googleapis.com/services.disable

serviceusage.googleapis.com/services.enable

serviceusage.googleapis.com/services.get

serviceusage.googleapis.com/services.list

serviceusage.googleapis.com/services.use

Cloud Storage

storage.googleapis.com/buckets.create

storage.googleapis.com/buckets.createTagBinding

storage.googleapis.com/buckets.delete

storage.googleapis.com/buckets.deleteTagBinding

storage.googleapis.com/buckets.get

storage.googleapis.com/buckets.getIamPolicy

storage.googleapis.com/buckets.list

storage.googleapis.com/buckets.listTagBindings

storage.googleapis.com/buckets.setIamPolicy

storage.googleapis.com/buckets.update

storage.googleapis.com/hmacKeys.create

storage.googleapis.com/hmacKeys.delete

storage.googleapis.com/hmacKeys.get

storage.googleapis.com/hmacKeys.list

storage.googleapis.com/hmacKeys.update

storage.googleapis.com/multipartUploads.abort

storage.googleapis.com/multipartUploads.create

storage.googleapis.com/multipartUploads.list

storage.googleapis.com/multipartUploads.listParts

Serverless VPC Access

vpcaccess.googleapis.com/connectors.create

vpcaccess.googleapis.com/connectors.delete

vpcaccess.googleapis.com/connectors.get

vpcaccess.googleapis.com/connectors.list

vpcaccess.googleapis.com/connectors.use

vpcaccess.googleapis.com/locations.list

vpcaccess.googleapis.com/operations.get

vpcaccess.googleapis.com/operations.list