拒绝政策支持的权限

您可以在拒绝政策中使用某些(但不是所有)Identity and Access Management (IAM) 权限。

拒绝政策需要 IAM v2beta 权限格式,即 SERVICE_FQDN/RESOURCE.ACTIONSERVICE_FQDN 的值通常是 v1 API 的 SERVICE_ID 的值,后跟 .googleapis.com。例如,删除角色的权限为 iam.googleapis.com/roles.delete。 本页面记录了此类例外情况。

支持的权限

下表列出了可用于拒绝政策的权限。

在文本框中输入所需的服务或权限名称进行搜索:

服务 支持的权限
API 密钥

apikeys.googleapis.com/apiKeys.regenerate

apikeys.googleapis.com/apiKeys.revert

apikeys.googleapis.com/keys.create

apikeys.googleapis.com/keys.delete

apikeys.googleapis.com/keys.get

apikeys.googleapis.com/keys.list

apikeys.googleapis.com/keys.lookup

apikeys.googleapis.com/keys.update

Client Auth Config

clientauthconfig.googleapis.com/brands.create

clientauthconfig.googleapis.com/brands.delete

clientauthconfig.googleapis.com/brands.update

clientauthconfig.googleapis.com/clients.create

clientauthconfig.googleapis.com/clients.createSecret

clientauthconfig.googleapis.com/clients.delete

clientauthconfig.googleapis.com/clients.get

clientauthconfig.googleapis.com/clients.getWithSecret

clientauthconfig.googleapis.com/clients.listWithSecrets

clientauthconfig.googleapis.com/clients.undelete

clientauthconfig.googleapis.com/clients.update

Resource Manager

cloudresourcemanager.googleapis.com/folders.create

cloudresourcemanager.googleapis.com/folders.delete

cloudresourcemanager.googleapis.com/folders.get

cloudresourcemanager.googleapis.com/folders.getIamPolicy

cloudresourcemanager.googleapis.com/folders.list

cloudresourcemanager.googleapis.com/folders.move

cloudresourcemanager.googleapis.com/folders.setIamPolicy

cloudresourcemanager.googleapis.com/folders.undelete

cloudresourcemanager.googleapis.com/folders.update

cloudresourcemanager.googleapis.com/organizations.get

cloudresourcemanager.googleapis.com/organizations.getIamPolicy

cloudresourcemanager.googleapis.com/organizations.setIamPolicy

cloudresourcemanager.googleapis.com/projects.create

cloudresourcemanager.googleapis.com/projects.createBillingAssignment

cloudresourcemanager.googleapis.com/projects.delete

cloudresourcemanager.googleapis.com/projects.deleteBillingAssignment

cloudresourcemanager.googleapis.com/projects.get

cloudresourcemanager.googleapis.com/projects.getIamPolicy

cloudresourcemanager.googleapis.com/projects.move

cloudresourcemanager.googleapis.com/projects.setIamPolicy

cloudresourcemanager.googleapis.com/projects.undelete

cloudresourcemanager.googleapis.com/projects.update

cloudresourcemanager.googleapis.com/projects.updateLiens

Compute Engine

compute.googleapis.com/oslogin.updateExternalUser

Cloud DNS

dns.googleapis.com/changes.create

dns.googleapis.com/changes.get

dns.googleapis.com/changes.list

dns.googleapis.com/dnsKeys.get

dns.googleapis.com/dnsKeys.list

dns.googleapis.com/managedZoneOperations.get

dns.googleapis.com/managedZoneOperations.list

dns.googleapis.com/managedZones.create

dns.googleapis.com/managedZones.delete

dns.googleapis.com/managedZones.get

dns.googleapis.com/managedZones.list

dns.googleapis.com/managedZones.update

dns.googleapis.com/policies.create

dns.googleapis.com/policies.delete

dns.googleapis.com/policies.get

dns.googleapis.com/policies.list

dns.googleapis.com/policies.update

dns.googleapis.com/projects.get

dns.googleapis.com/resourceRecordSets.create

dns.googleapis.com/resourceRecordSets.delete

dns.googleapis.com/resourceRecordSets.get

dns.googleapis.com/resourceRecordSets.list

dns.googleapis.com/resourceRecordSets.update

Identity and Access Management

iam.googleapis.com/roles.create

iam.googleapis.com/roles.delete

iam.googleapis.com/roles.get

iam.googleapis.com/roles.list

iam.googleapis.com/roles.undelete

iam.googleapis.com/roles.update

iam.googleapis.com/serviceAccountKeys.create

iam.googleapis.com/serviceAccountKeys.delete

iam.googleapis.com/serviceAccountKeys.get

iam.googleapis.com/serviceAccountKeys.list

iam.googleapis.com/serviceAccounts.create

iam.googleapis.com/serviceAccounts.delete

iam.googleapis.com/serviceAccounts.disable

iam.googleapis.com/serviceAccounts.enable

iam.googleapis.com/serviceAccounts.get

iam.googleapis.com/serviceAccounts.getAccessToken

iam.googleapis.com/serviceAccounts.getIamPolicy

iam.googleapis.com/serviceAccounts.getOpenIdToken

iam.googleapis.com/serviceAccounts.implicitDelegation

iam.googleapis.com/serviceAccounts.list

iam.googleapis.com/serviceAccounts.setIamPolicy

iam.googleapis.com/serviceAccounts.signBlob

iam.googleapis.com/serviceAccounts.signJwt

iam.googleapis.com/serviceAccounts.undelete

iam.googleapis.com/serviceAccounts.update

iam.googleapis.com/workloadIdentityPoolProviders.create

iam.googleapis.com/workloadIdentityPoolProviders.delete

iam.googleapis.com/workloadIdentityPoolProviders.get

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPoolProviders.undelete

iam.googleapis.com/workloadIdentityPoolProviders.update

iam.googleapis.com/workloadIdentityPools.create

iam.googleapis.com/workloadIdentityPools.delete

iam.googleapis.com/workloadIdentityPools.get

iam.googleapis.com/workloadIdentityPools.list

iam.googleapis.com/workloadIdentityPools.undelete

iam.googleapis.com/workloadIdentityPools.update

组织政策服务

orgpolicy.googleapis.com/policy.set

Security Command Center

securitycenter.googleapis.com/assets.group

securitycenter.googleapis.com/assets.list

securitycenter.googleapis.com/assets.listAssetPropertyNames

securitycenter.googleapis.com/assets.runDiscovery

securitycenter.googleapis.com/assetsecuritymarks.update

securitycenter.googleapis.com/containerthreatdetectionsettings.calculate

securitycenter.googleapis.com/containerthreatdetectionsettings.get

securitycenter.googleapis.com/containerthreatdetectionsettings.update

securitycenter.googleapis.com/eventthreatdetectionsettings.calculate

securitycenter.googleapis.com/eventthreatdetectionsettings.get

securitycenter.googleapis.com/eventthreatdetectionsettings.update

securitycenter.googleapis.com/findings.bulkMuteUpdate

securitycenter.googleapis.com/findings.group

securitycenter.googleapis.com/findings.list

securitycenter.googleapis.com/findings.listFindingPropertyNames

securitycenter.googleapis.com/findings.setMute

securitycenter.googleapis.com/findings.setState

securitycenter.googleapis.com/findings.setWorkflowState

securitycenter.googleapis.com/findings.update

securitycenter.googleapis.com/findingsecuritymarks.update

securitycenter.googleapis.com/muteconfigs.create

securitycenter.googleapis.com/muteconfigs.delete

securitycenter.googleapis.com/muteconfigs.get

securitycenter.googleapis.com/muteconfigs.list

securitycenter.googleapis.com/muteconfigs.update

securitycenter.googleapis.com/notificationconfig.create

securitycenter.googleapis.com/notificationconfig.delete

securitycenter.googleapis.com/notificationconfig.get

securitycenter.googleapis.com/notificationconfig.list

securitycenter.googleapis.com/notificationconfig.update

securitycenter.googleapis.com/organizationsettings.get

securitycenter.googleapis.com/organizationsettings.update

securitycenter.googleapis.com/securitycentersettings.get

securitycenter.googleapis.com/securitycentersettings.update

securitycenter.googleapis.com/securityhealthanalyticssettings.calculate

securitycenter.googleapis.com/securityhealthanalyticssettings.get

securitycenter.googleapis.com/securityhealthanalyticssettings.update

securitycenter.googleapis.com/sources.get

securitycenter.googleapis.com/sources.getIamPolicy

securitycenter.googleapis.com/sources.list

securitycenter.googleapis.com/sources.setIamPolicy

securitycenter.googleapis.com/sources.update

securitycenter.googleapis.com/subscription.get

securitycenter.googleapis.com/userinterfacemetadata.get

securitycenter.googleapis.com/websecurityscannersettings.calculate

securitycenter.googleapis.com/websecurityscannersettings.get

securitycenter.googleapis.com/websecurityscannersettings.update

Service Networking

servicenetworking.googleapis.com/services.addPeering

servicenetworking.googleapis.com/services.get

Service Usage

serviceusage.googleapis.com/operations.cancel

serviceusage.googleapis.com/operations.delete

serviceusage.googleapis.com/operations.get

serviceusage.googleapis.com/operations.list

serviceusage.googleapis.com/quotas.get

serviceusage.googleapis.com/quotas.update

serviceusage.googleapis.com/services.disable

serviceusage.googleapis.com/services.enable

serviceusage.googleapis.com/services.get

serviceusage.googleapis.com/services.list

serviceusage.googleapis.com/services.use

Cloud Storage

storage.googleapis.com/buckets.create

storage.googleapis.com/buckets.createTagBinding

storage.googleapis.com/buckets.delete

storage.googleapis.com/buckets.deleteTagBinding

storage.googleapis.com/buckets.get

storage.googleapis.com/buckets.getIamPolicy

storage.googleapis.com/buckets.list

storage.googleapis.com/buckets.listTagBindings

storage.googleapis.com/buckets.setIamPolicy

storage.googleapis.com/buckets.update

storage.googleapis.com/hmacKeys.create

storage.googleapis.com/hmacKeys.delete

storage.googleapis.com/hmacKeys.get

storage.googleapis.com/hmacKeys.list

storage.googleapis.com/hmacKeys.update

storage.googleapis.com/multipartUploads.abort

storage.googleapis.com/multipartUploads.create

storage.googleapis.com/multipartUploads.list

storage.googleapis.com/multipartUploads.listParts

无服务器 VPC 访问通道

vpcaccess.googleapis.com/connectors.create

vpcaccess.googleapis.com/connectors.delete

vpcaccess.googleapis.com/connectors.get

vpcaccess.googleapis.com/connectors.list

vpcaccess.googleapis.com/connectors.use

vpcaccess.googleapis.com/locations.list

vpcaccess.googleapis.com/operations.get

vpcaccess.googleapis.com/operations.list