Informationen zu Rollen

Eine Rolle enthält eine Reihe von Berechtigungen, mit denen Sie bestimmte Aktionen für Google Cloud-Ressourcen vornehmen können. Wenn Sie Hauptkonten Berechtigungen erteilen möchten, einschließlich Nutzern, Gruppen und Dienstkonten, weisen Sie den Hauptkonten Rollen zu.

Auf dieser Seite werden die IAM-Rollen beschrieben, die Sie zuweisen können.

Voraussetzungen für diese Anleitung

Machen Sie sich mit den grundlegenden Konzepten von IAM vertraut

Rollentypen

Es gibt drei Arten von Rollen in IAM:

Einfache Rollen, zu denen die Rollen "Inhaber", "Bearbeiter" und "Betrachter" gehören und die es schon vor der Einführung von IAM gab.
Vordefinierte Rollen, die detaillierten Zugriff auf einen bestimmten Dienst bieten und von Google Cloud verwaltet werden.
Benutzerdefinierte Rollen, die detaillierten Zugriff gemäß einer vom Nutzer angegebenen Liste von Berechtigungen bieten.

Mit einer der folgenden Methoden können Sie ermitteln, ob eine Berechtigung in einer einfachen, vordefinierten oder benutzerdefinierten Rolle enthalten ist:

Führen Sie den Befehl gcloud iam roles describe aus, um die Berechtigungen der Rolle aufzulisten:
Rufen Sie die REST API-Methode roles.get() auf, um die Berechtigungen in der Rolle aufzulisten.
Nur für einfache und vordefinierte Rollen: Suchen Sie in der Berechtigungsreferenz, ob die Berechtigung von der Rolle gewährt wird.
Nur für vordefinierte Rollen: Suchen Sie auf dieser Seite in den vordefinierten Rollenbeschreibungen, um zu sehen, welche Berechtigungen die Rolle enthält.

In den folgenden Abschnitten werden die einzelnen Rollentypen beschrieben und Beispiele für deren Verwendung gegeben.

Einfache Rollen

Vor der Einführung von IAM gab es mehrere einfache Rollen: "Inhaber", "Bearbeiter" und "Betrachter". Diese Rollen sind konzentrisch, was bedeutet, dass die Inhaberrolle die Berechtigungen der Bearbeiterrolle und die Bearbeiterrolle die Berechtigungen der Betrachterrolle beinhaltet. Sie wurden ursprünglich als „einfache Rollen“ bezeichnet.

In der folgenden Tabelle sind die Berechtigungen zusammengefasst, die die einfachen Rollen in allen Google Cloud-Diensten enthalten:

Definitionen für einfache Rollen

Name	Titel	Berechtigungen
`roles/viewer`	Betrachter	Berechtigungen für schreibgeschützte Aktionen, die sich nicht auf den Status auswirken, z. B. Anzeigen (aber nicht Ändern) vorhandener Ressourcen oder Daten
`roles/editor`	Bearbeiter	Alle Berechtigungen des Betrachters sowie Berechtigungen für Aktionen, durch die der Status geändert wird, z. B. das Ändern vorhandener Ressourcen Hinweis: Die Bearbeiterrolle enthält Berechtigungen zum Erstellen und Löschen von Ressourcen für die meisten Google Cloud-Dienste. Es enthält jedoch nicht die Berechtigung, sämtliche Aktionen für alle Dienste auszuführen. Weitere Informationen dazu, wie Sie prüfen können, ob eine Rolle die erforderlichen Berechtigungen hat, finden Sie im obigen Abschnitt.
`roles/owner`	Inhaber	Alle Berechtigungen des Bearbeiters und Berechtigungen für die folgenden Aktionen: Rollen und Berechtigungen für ein Projekt und alle Ressourcen innerhalb des Projekts verwalten Abrechnung für ein Projekt einrichten Hinweis: Durch das Zuweisen der Inhaberrolle auf Ressourcenebene, z. B. ein Pub/Sub-Thema, wird die Inhaberrolle im übergeordneten Projekt nicht zugewiesen. Wenn Sie die Inhaberrolle auf Organisationsebene zuweisen, können Sie die Metadaten der Organisation nicht aktualisieren. Sie können damit jedoch alle Projekte und andere Ressourcen in dieser Organisation ändern. Hinweis: Wenn Sie einem Nutzer außerhalb Ihrer Organisation die Rolle Inhaber für ein Projekt zuweisen möchten, müssen Sie die Google Cloud Console verwenden, nicht das `gcloud`-Tool. Wenn Ihr Projekt nicht zu einer Organisation gehört, müssen Sie die Cloud Console zum Erteilen der Rolle „Inhaber“ verwenden.

Sie können einfache Rollen auf Projekt- oder Dienstressourcenebene mithilfe der Cloud Console, der API und des gcloud-Tools zuweisen. Eine Anleitung finden Sie unter Zugriff gewähren, ändern und widerrufen.

Weitere Informationen zum Zuweisen von Rollen mit der Cloud Console finden Sie unter Zugriff gewähren, ändern und widerrufen.

Vordefinierte Rollen

Zusätzlich zu den einfachen Rollen bietet IAM weitere vordefinierte Rollen, die detaillierten Zugriff auf bestimmte Ressourcen von Google Cloud ermöglichen und unerwünschten Zugriff auf andere Ressourcen verhindern. Vordefinierte Rollen werden von Google erstellt und verwaltet. Google aktualisiert seine Berechtigungen bei Bedarf automatisch, z. B. wenn Google Cloud neue Features oder Dienste hinzufügt.

Die folgende Tabelle enthält diese Rollen, ihre Beschreibung und den Ressourcentyp der untersten Ebene, für den Rollen festgelegt werden. Eine bestimmte Rolle kann diesem Ressourcentyp oder in den meisten Fällen einem übergeordneten Typ in der Google Cloud-Hierarchie zugewiesen werden. Einem Nutzer können mehrere Rollen zugewiesen werden. Zum Beispiel kann ein Nutzer für ein Projekt die Rollen "Netzwerkadministrator" und "Log-Betrachter" und außerdem die Rolle "Publisher" für ein Pub/Sub-Thema in diesem Projekt haben. Eine Liste der in einer Rolle enthaltenen Berechtigungen finden Sie unter Rollenmetadaten abrufen.

Rollen zur Zugriffsgenehmigung

Role	Permissions
Access Approval Approver ^Beta (`roles/accessapproval.approver`) Ability to view or act on access approval requests and view configuration	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
Access Approval Config Editor ^Beta (`roles/accessapproval.configEditor`) Ability update the Access Approval configuration	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
Access Approval Viewer ^Beta (`roles/accessapproval.viewer`) Ability to view access approval requests and configuration	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Access Context Manager-Rollen

Role	Permissions
Cloud Access Binding Admin (`roles/accesscontextmanager.gcpAccessAdmin`) Create, edit, and change Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.*
Cloud Access Binding Reader (`roles/accesscontextmanager.gcpAccessReader`) Read access to Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.get accesscontextmanager.gcpUserAccessBindings.list
Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Full access to policies, access levels, and access zones	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.* accesscontextmanager.accessZones.* accesscontextmanager.policies.* accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Edit access to policies. Create, edit, and change access levels and access zones.	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) Read access to policies, access levels, and access zones.	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`)	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Actions-Rollen

Role	Permissions
Actions Admin (`roles/actions.Admin`) Access to edit and deploy an action	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Actions Viewer (`roles/actions.Viewer`) Access to view an action	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use

AI Notebooks-Rollen

Role	Permissions
Notebooks Admin (`roles/notebooks.admin`) Full access to Notebooks, all resources. Lowest-level resources where you can grant this role: Instance	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Admin (`roles/notebooks.legacyAdmin`) Full access to Notebooks all resources through compute API.	compute.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Viewer (`roles/notebooks.legacyViewer`) Read-only access to Notebooks all resources through compute API.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Runner (`roles/notebooks.runner`) Restricted access for running scheduled Notebooks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Viewer (`roles/notebooks.viewer`) Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role: Instance	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

AI Platform-Rollen

Rolle	Berechtigungen
AI Platform-Administrator (`roles/ml.admin`) Vollzugriff auf AI Platform-Ressourcen und die zugehörigen Jobs, Vorgänge, Modelle und Versionen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	ml.* resourcemanager.projects.get
AI Platform-Entwickler (`roles/ml.developer`) Verwendung von AI Platform-Ressourcen zur Erstellung von Modellen, Versionen und Jobs zu Schulungs- und Vorhersagezwecken sowie zum Senden von Online-Vorhersageanfragen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.* ml.studies.* ml.trials.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get
AI Platform-Jobinhaber (`roles/ml.jobOwner`) Vollzugriff auf alle Berechtigungen für eine bestimmte Jobressource. Diese Rolle wird dem Nutzer, der den Job erstellt, automatisch zugewiesen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Job	ml.jobs.*
AI Platform-Modellinhaber (`roles/ml.modelOwner`) Vollzugriff auf das Modell und seine Versionen. Diese Rolle wird dem Nutzer, der das Modell erstellt, automatisch zugewiesen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Modell	ml.models.* ml.versions.*
AI Platform-Modellnutzer (`roles/ml.modelUser`) Berechtigung zum Lesen des Modells und seiner Versionen sowie deren Nutzung für die Vorhersage. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Modell	ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict
AI Platform-Vorgangsinhaber (`roles/ml.operationOwner`) Vollzugriff auf alle Berechtigungen für eine bestimmte Betriebsressource. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Aktion	ml.operations.*
AI Platform-Betrachter (`roles/ml.viewer`) Lesezugriff auf AI Platform-Ressourcen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.* ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get

Android Management-Rollen

Role	Permissions
Android Management User (`roles/androidmanagement.user`) Full access to manage devices.	androidmanagement.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Anthos Multi-Cloud-Rollen

Role	Permissions
Anthos Multi-cloud Admin (`roles/gkemulticloud.admin`) Admin access to Anthos Multi-cloud resources.	gkemulticloud.* resourcemanager.projects.get resourcemanager.projects.list
Anthos Multi-cloud Telemetry Writer (`roles/gkemulticloud.telemetryWriter`) Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.	logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create opsconfigmonitoring.resourceMetadata.write
Anthos Multi-cloud Viewer (`roles/gkemulticloud.viewer`) Viewer access to Anthos Multi-cloud resources.	gkemulticloud.awsClusters.generateAccessToken gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud.awsNodePools.list gkemulticloud.awsServerConfigs.* gkemulticloud.azureClients.get gkemulticloud.azureClients.list gkemulticloud.azureClusters.generateAccessToken gkemulticloud.azureClusters.get gkemulticloud.azureClusters.list gkemulticloud.azureNodePools.get gkemulticloud.azureNodePools.list gkemulticloud.azureServerConfigs.* gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list

API-Gateway-Rollen

Role Permissions

Role	Permissions
ApiGateway Admin (`roles/apigateway.admin`) Full access to ApiGateway and related resources.	apigateway.* monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list
ApiGateway Viewer (`roles/apigateway.viewer`) Read-only access to ApiGateway and related resources.	apigateway.apiconfigs.get apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.* apigateway.operations.get apigateway.operations.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list

ApiGateway Admin
(roles/apigateway.admin)

Full access to ApiGateway and related resources.

apigateway.*
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

ApiGateway Viewer
(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

Apigee-Rollen

Role	Permissions
Apigee Organization Admin (`roles/apigee.admin`) Full access to all apigee resource features	apigee.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Analytics Agent (`roles/apigee.analyticsAgent`) Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization	apigee.environments.getDataLocation apigee.runtimeconfigs.*
Apigee Analytics Editor (`roles/apigee.analyticsEditor`) Analytics editor for an Apigee Organization	apigee.datacollectors.* apigee.datastores.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.* apigee.hostqueries.* apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Analytics Viewer (`roles/apigee.analyticsViewer`) Analytics viewer for an Apigee Organization	apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list
Apigee API Admin (`roles/apigee.apiAdmin`) Full read/write access to all apigee API resources	apigee.apiproductattributes.* apigee.apiproducts.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.* apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.list
Apigee API Reader (`roles/apigee.apiReader`) Reader of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Developer Admin (`roles/apigee.developerAdmin`) Developer admin of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.apps.* apigee.datacollectors.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developers.* apigee.developersubscriptions.* apigee.environments.get apigee.environments.getStats apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.rateplans.get apigee.rateplans.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Environment Admin (`roles/apigee.environmentAdmin`) Full read/write access to apigee environment resources, including deployments.	apigee.archivedeployments.* apigee.datacollectors.get apigee.datacollectors.list apigee.deployments.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.environments.update apigee.flowhooks.* apigee.ingressconfigs.* apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Monetization Admin (`roles/apigee.monetizationAdmin`) All permissions related to monetization	apigee.apiproducts.get apigee.apiproducts.list apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developersubscriptions.* apigee.organizations.get apigee.organizations.list apigee.rateplans.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Portal Admin (`roles/apigee.portalAdmin`) Portal admin for an Apigee Organization	apigee.organizations.get apigee.organizations.list apigee.portals.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Read-only Admin (`roles/apigee.readOnlyAdmin`) Viewer of all apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.archivedeployments.download apigee.archivedeployments.get apigee.archivedeployments.list apigee.caches.list apigee.canaryevaluations.get apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.deployments.get apigee.deployments.list apigee.developerappattributes.get apigee.developerappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developerbalances.get apigee.developermonetizationconfigs.get apigee.developers.get apigee.developers.list apigee.developersubscriptions.get apigee.developersubscriptions.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.hostqueries.get apigee.hostqueries.list apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.hoststats.* apigee.ingressconfigs.* apigee.instanceattachments.get apigee.instanceattachments.list apigee.instances.get apigee.instances.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.operations.* apigee.organizations.get apigee.organizations.list apigee.portals.get apigee.portals.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.rateplans.get apigee.rateplans.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.runtimeconfigs.* apigee.securityreports.get apigee.securityreports.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Runtime Agent (`roles/apigee.runtimeAgent`) Curated set of permissions for a runtime agent to access Apigee Organization resources	apigee.canaryevaluations.* apigee.ingressconfigs.* apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee.runtimeconfigs.*
Apigee Security Admin (`roles/apigee.securityAdmin`) Security admin for an Apigee Organization	apigee.hostsecurityreports.* apigee.securityreports.*
Apigee Security Viewer (`roles/apigee.securityViewer`) Security viewer for an Apigee Organization	apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.securityreports.get apigee.securityreports.list
Apigee Synchronizer Manager (`roles/apigee.synchronizerManager`) Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization	apigee.environments.get apigee.environments.manageRuntime apigee.ingressconfigs.*
Apigee Connect Admin (`roles/apigeeconnect.Admin`) Admin of Apigee Connect	apigeeconnect.connections.*
Apigee Connect Agent (`roles/apigeeconnect.Agent`) Ability to set up Apigee Connect agent between external clusters and Google.	apigeeconnect.endpoints.*

App Engine-Rollen

Rolle	Berechtigungen
App Engine-Administrator (`roles/appengine.appAdmin`) Berechtigung zum Lesen/Schreiben/Ändern für die gesamte Anwendungskonfiguration und die Einstellungen Um neue Versionen bereitstellen zu können, muss ein Hauptkonto die Rolle Dienstkontonutzer (`roles/iam.serviceAccountUser`) für das Standarddienstkonto von App Engine haben. und die Rollen „Cloud Build-Bearbeiter“ (`roles/cloudbuild.builds.editor`) und „Cloud Storage-Objekt-Administrator“ (`roles/storage.objectAdmin`) für das Projekt verwenden. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list
App Engine-Ersteller (`roles/appengine.appCreator`) Fähigkeit zur Erstellung der App Engine-Ressource für das Projekt. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	appengine.applications.create resourcemanager.projects.get resourcemanager.projects.list
App Engine-Betrachter (`roles/appengine.appViewer`) Schreibgeschützter Zugriff auf die gesamte Anwendungskonfiguration und die Einstellungen Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine-Codebetrachter (`roles/appengine.codeViewer`) Lesezugriff auf die gesamte Anwendungskonfiguration, die Einstellungen und den bereitgestellten Quellcode Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine-Bereitsteller (`roles/appengine.deployer`) Schreibgeschützter Zugriff auf die gesamte Anwendungskonfiguration und die Einstellungen Zum Bereitstellen neuer Versionen benötigen Sie außerdem die Rolle Dienstkontonutzer (`roles/iam.serviceAccountUser`) für das Standarddienstkonto von App Engine. und die Rollen „Cloud Build-Bearbeiter“ (`roles/cloudbuild.builds.editor`) und „Cloud Storage-Objekt-Administrator“ (`roles/storage.objectAdmin`) für das Projekt verwenden. Sie können vorhandene Versionen nicht bearbeiten, sondern nur Versionen löschen, die keinen Traffic empfangen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine-Dienstadministrator (`roles/appengine.serviceAdmin`) Schreibgeschützter Zugriff auf die gesamte Anwendungskonfiguration und die Einstellungen Schreibberechtigung für Einstellungen auf Modul- und Versionsebene Kann keine neue Version bereitstellen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list

Artifact Registry-Rollen

Role	Permissions
Artifact Registry Administrator (`roles/artifactregistry.admin`) Administrator access to create and manage repositories.	artifactregistry.*
Artifact Registry Reader (`roles/artifactregistry.reader`) Access to read repository items.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
Artifact Registry Repository Administrator (`roles/artifactregistry.repoAdmin`) Access to manage artifacts in repositories.	artifactregistry.aptartifacts.* artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.* artifactregistry.yumartifacts.*
Artifact Registry Writer (`roles/artifactregistry.writer`) Access to read and write repository items.	artifactregistry.aptartifacts.* artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.*

Assured Workloads-Rollen

Role	Permissions
Assured Workloads Administrator (`roles/assuredworkloads.admin`) Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Editor (`roles/assuredworkloads.editor`) Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Reader (`roles/assuredworkloads.reader`) Grants read access to all Assured Workloads resources and CRM resources - project/folder	assuredworkloads.operations.* assuredworkloads.workload.get assuredworkloads.workload.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

AutoML-Rollen

Rolle	Berechtigungen
AutoML-Administrator ^Beta (`roles/automl.admin`) Voller Zugriff auf alle AutoML-Ressourcen Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Dataset Modell	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
AutoML-Bearbeiter ^Beta (`roles/automl.editor`) Bearbeiter aller AutoML-Ressourcen Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Dataset Modell	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
AutoML-Erkennung ^Beta (`roles/automl.predictor`) Erkennen mit Modellen Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Modell	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list
AutoML-Betrachter ^Beta (`roles/automl.viewer`) Betrachter von allen AutoML-Ressourcen Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Dataset Modell	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list

BigQuery-Rollen

Rolle	Berechtigungen
BigQuery-Administrator (`roles/bigquery.admin`) Berechtigungen zum Verwalten aller Ressourcen im Projekt. Es können damit alle Daten im Projekt verwaltet und Jobs von anderen Nutzern abgebrochen werden, die im Projekt ausgeführt werden. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery-Verbindungsadministrator (`roles/bigquery.connectionAdmin`)	bigquery.connections.*
BigQuery-Verbindungsnutzer (`roles/bigquery.connectionUser`)	bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
BigQuery-Datenbearbeiter (`roles/bigquery.dataEditor`) Bei Anwendung auf eine Tabelle oder Ansicht gewährt diese Rolle Berechtigungen für: Daten und Metadaten für die Tabelle oder Ansicht lesen und aktualisieren. Die Tabelle oder Ansicht löschen. Diese Rolle kann nicht auf einzelne Modelle oder Routinen angewendet werden. Bei Anwendung auf ein Dataset gewährt diese Rolle Berechtigungen für: Metadaten des Datasets lesen und Tabellen im Dataset auflisten. Tabellen des Datasets erstellen, aktualisieren, abrufen und löschen. Bei Anwendung auf Projekt- oder Organisationsebene ermöglicht die Rolle zusätzlich das Erstellen neuer Datasets. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Tabelle Ansehen	bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list
BigQuery-Dateninhaber (`roles/bigquery.dataOwner`) Bei Anwendung auf eine Tabelle oder Ansicht gewährt diese Rolle Berechtigungen für: Daten und Metadaten für die Tabelle oder Ansicht lesen und aktualisieren. Tabelle oder Ansicht freigeben. Die Tabelle oder Ansicht löschen. Diese Rolle kann nicht auf einzelne Modelle oder Routinen angewendet werden. Bei Anwendung auf ein Dataset gewährt diese Rolle Berechtigungen für: Das Lesen, Aktualisieren und Löschen des Datasets. Tabellen des Datasets erstellen, aktualisieren, abrufen und löschen. Bei Anwendung auf Projekt- oder Organisationsebene ermöglicht die Rolle zusätzlich das Erstellen neuer Datasets. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Tabelle Ansehen	bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery-Datenbetrachter (`roles/bigquery.dataViewer`) Bei Anwendung auf eine Tabelle oder Ansicht gewährt diese Rolle Berechtigungen für: Daten und Metadaten aus der Tabelle oder Ansicht lesen. Diese Rolle kann nicht auf einzelne Modelle oder Routinen angewendet werden. Bei Anwendung auf ein Dataset gewährt diese Rolle Berechtigungen für: Metadaten des Datasets lesen und Tabellen im Dataset auflisten. Daten und Metadaten aus den Tabellen des Datasets lesen. Bei Anwendung auf Projekt- oder Organisationsebene ermöglicht diese Rolle die Aufzählung aller Datasets im Projekt. Für die Ausführung von Jobs sind jedoch weitere Rollen erforderlich. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Tabelle Ansehen	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.createSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
Betrachter von gefilterten BigQuery-Daten (`roles/bigquery.filteredDataViewer`) Ermöglicht das Ansehen von gefilterten Tabellendaten, die durch eine Zugriffsrichtlinie für Zeilen definiert werden	bigquery.rowAccessPolicies.getFilteredData
BigQuery-Jobnutzer (`roles/bigquery.jobUser`) Berechtigungen zum Ausführen von Jobs im Projekt, einschließlich Abfragen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list
BigQuery-Metadaten-Betrachter (`roles/bigquery.metadataViewer`) Bei Anwendung auf eine Tabelle oder Ansicht gewährt diese Rolle Berechtigungen für: Metadaten aus der Tabelle oder Ansicht lesen. Diese Rolle kann nicht auf einzelne Modelle oder Routinen angewendet werden. Bei Anwendung auf ein Dataset gewährt diese Rolle Berechtigungen für: Tabellen und Ansichten im Dataset auflisten. Metadaten aus den Tabellen und Ansichten des Datasets lesen. Bei Anwendung auf Projekt- oder Organisationsebene gewährt diese Rolle Berechtigungen für: Alle Datasets auflisten und Metadaten für alle Datasets im Projekt lesen. Alle Tabellen und Ansichten auflisten sowie Metadaten für alle Tabellen und Ansichten im Projekt lesen Für die Ausführung von Jobs sind weitere Rollen erforderlich. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Tabelle Ansehen	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery-Lesesitzungsnutzer (`roles/bigquery.readSessionUser`) Zugriff zum Erstellen und Verwenden von Lesesitzungen	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery-Ressourcen-Administrator (`roles/bigquery.resourceAdmin`) Verwalten Sie alle BigQuery-Ressourcen.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery-Ressourcenbearbeiter (`roles/bigquery.resourceEditor`) Kann alle BigQuery-Ressourcen verwalten, aber keine Kaufentscheidungen treffen.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery-Ressourcenbetrachter (`roles/bigquery.resourceViewer`) Kann alle BigQuery-Ressourcen betrachten, aber keine Änderungen vornehmen oder Kaufentscheidungen treffen.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery-Nutzer (`roles/bigquery.user`) Bei Anwendung auf ein Dataset ermöglicht diese Rolle das Lesen der Metadaten des Datasets und das Auflisten von Tabellen im Dataset. Bei Anwendung auf ein Projekt bietet diese Rolle auch die Möglichkeit, Jobs, einschließlich Abfragen, innerhalb des Projekts auszuführen. Ein Hauptkonto mit dieser Rolle kann seine eigenen Jobs auflisten, seine eigenen Jobs abbrechen und Datasets innerhalb eines Projekts aufzählen. Darüber hinaus ermöglicht die Rolle das Erstellen neuer Datasets im Projekt. Dem Ersteller wird für diese neuen Datasets die Rolle "BigQuery Data-Inhaber" (`roles/bigquery.dataOwner`) zugewiesen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Dataset	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list

Abrechnungsrollen

Rolle	Berechtigungen
Rechnungskontoadministrator (`roles/billing.admin`) Berechtigung zum Aufrufen und Verwalten aller Aspekte von Abrechnungskonten Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Rechnungskonto	billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* commerceoffercatalog.* consumerprocurement.accounts.* consumerprocurement.orders.* dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* recommender.commitmentUtilizationInsights.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment
Kostenverwalter für Rechnungskonto (`roles/billing.costsManager`) Kann Kosteninformationen von Rechnungskonten aufrufen und exportieren.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.updateUsageExportSpec billing.budgets.* billing.resourceAssociations.list
Rechnungskonto-Ersteller (`roles/billing.creator`) Berechtigung zum Erstellen von Abrechnungskonten Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Organisation	billing.accounts.create resourcemanager.organizations.get
Administrator für die Projektabrechnung (`roles/billing.projectManager`) Berechtigung zum Zuweisen des Rechnungskontos eines Projekts oder zum Deaktivieren seiner Abrechnung Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment
Rechnungskontonutzer (`roles/billing.user`) Berechtigung zum Verbinden von Projekten mit Abrechnungskonten Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Rechnungskonto	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create
Rechnungskontobetrachter (`roles/billing.viewer`) Kontoinformationen und Transaktionen im Rechnungskonto aufrufen Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Rechnungskonto	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list commerceoffercatalog.* consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orders.get consumerprocurement.orders.list dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list

Binärautorisierungsrollen

Role	Permissions
Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Administrator of Binary Authorization Attestors	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Editor of Binary Authorization Attestors	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Caller of Binary Authorization Attestors VerifyImageAttested	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Viewer (`roles/binaryauthorization.attestorsViewer`) Viewer of Binary Authorization Attestors	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Administrator of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.* binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Editor of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.continuousValidationConfig.update binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Viewer of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

CA Service-Rollen

Role	Permissions
CA Service Admin (`roles/privateca.admin`) Full access to all CA Service resources.	privateca.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Auditor (`roles/privateca.auditor`) Read-only access to all CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Operation Manager (`roles/privateca.caManager`) Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.	privateca.caPools.create privateca.caPools.delete privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.caPools.update privateca.certificateAuthorities.create privateca.certificateAuthorities.delete privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateAuthorities.update privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateRevocationLists.update privateca.certificateTemplates.create privateca.certificateTemplates.delete privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificateTemplates.update privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.certificates.update privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.create privateca.reusableConfigs.delete privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list privateca.reusableConfigs.update resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Certificate Manager (`roles/privateca.certificateManager`) Create certificates and read-only access for CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.create privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Certificate Requester (`roles/privateca.certificateRequester`) Request certificates from CA Service.	privateca.certificates.create
CA Service Certificate Template User (`roles/privateca.templateUser`) Read, list and use certificate templates.	privateca.certificateTemplates.get privateca.certificateTemplates.list privateca.certificateTemplates.use
CA Service Workload Certificate Requester (`roles/privateca.workloadCertificateRequester`) Request certificates from CA Service with caller's identity.	privateca.certificates.createForSelf

Cloud-Asset-Rollen

Rolle	Berechtigungen
Cloud-Asset-Inhaber (`roles/cloudasset.owner`) Kompletter Zugriff auf Cloud-Asset-Metadaten	cloudasset.* recommender.cloudAssetInsights.* recommender.locations.*
Cloud-Asset-Betrachter (`roles/cloudasset.viewer`) Lesezugriff auf Cloud-Asset-Metadaten	cloudasset.assets.* recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.*

Cloud Bigtable-Rollen

Role	Permissions
Bigtable Administrator (`roles/bigtable.admin`) Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. Lowest-level resources where you can grant this role: Table	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable Reader (`roles/bigtable.reader`) Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable User (`roles/bigtable.user`) Provides read-write access to the data stored within tables. Intended for application developers or service accounts. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable Viewer (`roles/bigtable.viewer`) Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Bigtable. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get

Cloud Build-Rollen

Role	Permissions
Cloud Build Approver (`roles/cloudbuild.builds.approver`) Can approve or reject pending builds.	cloudbuild.builds.approve cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Provides access to perform builds.	artifactregistry.aptartifacts.* artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Build Editor (`roles/cloudbuild.builds.editor`) Provides access to create and cancel builds. Lowest-level resources where you can grant this role: Project	cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Viewer (`roles/cloudbuild.builds.viewer`) Provides access to view builds. Lowest-level resources where you can grant this role: Project	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Editor (`roles/cloudbuild.integrationsEditor`) Can update Integrations	resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Owner (`roles/cloudbuild.integrationsOwner`) Can create/delete Integrations	compute.firewalls.create compute.firewalls.get compute.firewalls.list compute.networks.get compute.networks.updatePolicy compute.regions.get compute.subnetworks.get compute.subnetworks.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Viewer (`roles/cloudbuild.integrationsViewer`) Can view Integrations	resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool Editor (`roles/cloudbuild.workerPoolEditor`) Can update and view WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool Owner (`roles/cloudbuild.workerPoolOwner`) Can create, delete, update, and view WorkerPools	cloudbuild.workerpools.create cloudbuild.workerpools.delete cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool User (`roles/cloudbuild.workerPoolUser`) Can run builds in the WorkerPool	cloudbuild.workerpools.use
Cloud Build WorkerPool Viewer (`roles/cloudbuild.workerPoolViewer`) Can view WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Composer-Rollen

Rolle	Berechtigungen
Dienst-Agent-Erweiterung für die Cloud Composer v2 API (`roles/composer.ServiceAgentV2Ext`) Die Dienst-Agent-Erweiterung für die Cloud Composer v2 API ist eine zusätzliche Rolle, die zum Verwalten von Composer v2-Umgebungen erforderlich ist.	iam.serviceAccounts.getIamPolicy iam.serviceAccounts.setIamPolicy
Composer-Administrator (`roles/composer.admin`) Uneingeschränkte Kontrolle über Cloud Composer-Ressourcen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Administrator für Umgebung und Storage-Objekte (`roles/composer.environmentAndStorageObjectAdmin`) Uneingeschränkte Kontrolle über Cloud Composer-Ressourcen und die Objekte in allen Projekt-Buckets. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	composer.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.*
Umgebungsnutzer und Betrachter von Storage-Objekten (`roles/composer.environmentAndStorageObjectViewer`) Berechtigung zum Auflisten und Abrufen von Cloud Composer-Umgebungen und -Vorgängen. Lesezugriff auf Objekte in allen Projekt-Buckets. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list
Composer-Agent für freigegebene VPC (`roles/composer.sharedVpcAgent`) Rolle, die dem Dienstkonto des Composer-Agents im Hostprojekt der freigegebenen VPC zugewiesen wurde	compute.networks.access compute.networks.addPeering compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.*
Composer-Nutzer (`roles/composer.user`) Berechtigung zum Auflisten und Abrufen von Cloud Composer-Umgebungen und -Vorgängen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Composer-Worker (`roles/composer.worker`) Berechtigung zum Ausführen einer VM in einer Cloud Composer-Umgebung. Für Dienstkonten bestimmt. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	artifactregistry.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use composer.environments.get container.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.*

Cloud Connectors-Rollen

Role Permissions

Role	Permissions
Connector Admin (`roles/connectors.admin`) Full access to all resources of Connectors Service.	connectors.* resourcemanager.projects.get resourcemanager.projects.list
Connectors Viewer (`roles/connectors.viewer`) Read-only access to Connectors all resources.	connectors.connections.get connectors.connections.getConnectionSchemaMetadata connectors.connections.getIamPolicy connectors.connections.getRuntimeActionSchema connectors.connections.getRuntimeEntitySchema connectors.connections.list connectors.connectors.* connectors.locations.* connectors.operations.get connectors.operations.list connectors.providers.* connectors.runtimeconfig.* connectors.versions.* resourcemanager.projects.get resourcemanager.projects.list

Connector Admin
(roles/connectors.admin)

Full access to all resources of Connectors Service.

connectors.*
resourcemanager.projects.get
resourcemanager.projects.list

Connectors Viewer
(roles/connectors.viewer)

Read-only access to Connectors all resources.

connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connectors.*
connectors.locations.*
connectors.operations.get
connectors.operations.list
connectors.providers.*
connectors.runtimeconfig.*
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Fusion-Rollen

Rolle Berechtigungen

Rolle	Berechtigungen
Cloud Data Fusion-Administrator ^Beta (`roles/datafusion.admin`) Vollständiger Zugriff auf Cloud Data Fusion-Instanzen, -Namespaces und zugehörige Ressourcen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	datafusion.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Data Fusion-Runner ^Beta (`roles/datafusion.runner`) Zugriff auf Cloud Data Fusion-Laufzeitressourcen.	datafusion.instances.runtime
Cloud Data Fusion-Betrachter ^Beta (`roles/datafusion.viewer`) Schreibzugriff auf Cloud Data Fusion-Instanzen, -Namespaces und zugehörige Ressourcen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.runtime datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Data Fusion-Administrator ^Beta
(roles/datafusion.admin)

Vollständiger Zugriff auf Cloud Data Fusion-Instanzen, -Namespaces und zugehörige Ressourcen.

Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können:

Projekt

datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Fusion-Runner ^Beta
(roles/datafusion.runner)

Zugriff auf Cloud Data Fusion-Laufzeitressourcen.

datafusion.instances.runtime

Cloud Data Fusion-Betrachter ^Beta
(roles/datafusion.viewer)

Schreibzugriff auf Cloud Data Fusion-Instanzen, -Namespaces und zugehörige Ressourcen.

Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können:

Projekt

datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.runtime
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Labeling-Rollen

Rolle	Berechtigungen
Data Labeling Service-Administrator ^Beta (`roles/datalabeling.admin`) Vollständiger Zugriff auf alle Data Labeling-Ressourcen	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service-Bearbeiter ^Beta (`roles/datalabeling.editor`) Bearbeiter aller Data Labeling-Ressourcen	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service-Betrachter ^Beta (`roles/datalabeling.viewer`) Betrachter aller Data Labeling-Ressourcen	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Debugger-Rollen

Rolle Berechtigungen

Rolle	Berechtigungen
Cloud Debugger-Agent ^Beta (`roles/clouddebugger.agent`) Ermöglicht das Registrieren des Debug-Ziels, das Lesen aktiver Haltepunkte und das Melden von Haltepunktergebnissen. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Dienstkonto	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create
Cloud Debugger-Nutzer ^Beta (`roles/clouddebugger.user`) Ermöglicht das Erstellen, Aufrufen, Auflisten und Löschen von Haltepunkten (Snapshots und Logpoints) sowie das Auflisten von Debug-Zielen, d. h. von Komponenten, für die ein Debugging ausgeführt werden soll. Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können: Projekt	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list

Cloud Debugger-Agent ^Beta
(roles/clouddebugger.agent)

Ermöglicht das Registrieren des Debug-Ziels, das Lesen aktiver Haltepunkte und das Melden von Haltepunktergebnissen.

Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können:

Dienstkonto

clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create

Cloud Debugger-Nutzer ^Beta
(roles/clouddebugger.user)

Ermöglicht das Erstellen, Aufrufen, Auflisten und Löschen von Haltepunkten (Snapshots und Logpoints) sowie das Auflisten von Debug-Zielen, d. h. von Komponenten, für die ein Debugging ausgeführt werden soll.

Ressourcen auf der niedrigsten Ebene, für die Sie diese Rolle zuweisen können:

Projekt

clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list

Cloud Deployment-Rollen

Role	Permissions
Cloud Deploy Admin ^Beta (`roles/clouddeploy.admin`) Full control of Cloud Deploy resources.	clouddeploy.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Approver ^Beta (`roles/clouddeploy.approver`) Permission to approve or reject rollouts.	clouddeploy.locations.* clouddeploy.operations.* clouddeploy.rollouts.approve clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Developer ^Beta (`roles/clouddeploy.developer`) Permission to manage deployment configuration without permission to access operational resources, such as targets.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Runner ^Beta (`roles/clouddeploy.jobRunner`) Permission to execute Cloud Deploy work without permission to deliver to a target.	logging.logEntries.create storage.objects.create storage.objects.get storage.objects.list
Cloud Deploy Operator ^Beta (`roles/clouddeploy.operator`) Permission to manage deployment configuration.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.create clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list clouddeploy.targets.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Releaser ^Beta (`roles/clouddeploy.releaser`) Permission to create Cloud Deploy releases and rollouts.	clouddeploy.deliveryPipelines.get clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.create clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Viewer ^Beta (`roles/clouddeploy.viewer`) Can view Cloud Deploy resources.	clouddeploy.config.* clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.locations.* clouddeploy.operations.get clouddeploy.operations.list clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list resourcemanager.projects.get resourcemanager.projects.list

Cloud DLP-Rollen

Rolle	Berechtigungen
DLP-Administrator (`roles/dlp.admin`) DLP einschließlich Jobs und Vorlagen verwalten.	dlp.* serviceusage.services.use
Bearbeiter von DLP-Risikoanalysevorlagen (`roles/dlp.analyzeRiskTemplatesEditor`) DLP-Analyse-Risikovorlagen bearbeiten.	dlp.analyzeRiskTemplates.*
Leser von DLP-Risikoanalysevorlagen (`roles/dlp.analyzeRiskTemplatesReader`) DLP-Risikoanalysevorlagen lesen.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
Leser von DLP-Spaltendatenprofilen (`roles/dlp.columnDataProfilesReader`) DLP-Spaltenprofile lesen.	dlp.columnDataProfiles.*
Leser von DLP-Datenprofilen (`roles/dlp.dataProfilesReader`) DLP-Profile lesen.	dlp.columnDataProfiles.* dlp.projectDataProfiles.* dlp.tableDataProfiles.*
DLP-De-identify-Vorlageneditor (`roles/dlp.deidentifyTemplatesEditor`) DLP-DE-identify-Vorlagen bearbeiten.	dlp.deidentifyTemplates.*
Leser von DLP-De-identify-Vorlagen (`roles/dlp.deidentifyTemplatesReader`) DLP-de-identify-Vorlagen lesen.	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
DLP-Kostenschätzung (`roles/dlp.estimatesAdmin`) DLP-Kostenschätzungen verwalten.	dlp.estimates.*
Leser von DLP-Prüfungsergebnissen (`roles/dlp.inspectFindingsReader`) Gespeicherte DLP-Ergebnisse lesen.	dlp.inspectFindings.*
Bearbeiter von DLP-Prüfungsvorlagen (`roles/dlp.inspectTemplatesEditor`) DLP-Prüfungsvorlagen lesen.	dlp.inspectTemplates.*
Leser von DLP-Prüfungsvorlagen (`roles/dlp.inspectTemplatesReader`) DLP Prüfungsvorlagen lesen.	dlp.inspectTemplates.get dlp.inspectTemplates.list
DLP-Job-Trigger-Bearbeiter (`roles/dlp.jobTriggersEditor`) Job-Trigger-Konfigurationen bearbeiten.	dlp.jobTriggers.*
DLP-Job-Trigger-Leser (`roles/dlp.jobTriggersReader`) Job-Trigger lesen.	dlp.jobTriggers.get dlp.jobTriggers.list
DLP-Jobs-Bearbeiter (`roles/dlp.jobsEditor`) Jobs bearbeiten und erstellen	dlp.jobs.* dlp.kms.*
DLP-Jobs-Leser (`roles/dlp.jobsReader`) Jobs lesen	dlp.jobs.get dlp.jobs.list
Treiber von DLP-Organisationsdatenprofilen (`roles/dlp.orgdriver`) Berechtigungen, die vom DLP-Dienstkonto zum Generieren von Datenprofilen in einer Organisation oder einem Ordner benötigt werden.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Leser von DLP-Projektdatenprofilen (`roles/dlp.projectDataProfilesReader`) DLP-Projektprofile lesen.	dlp.projectDataProfiles.*
Treiber von DLP-Projektdatenprofilen (`roles/dlp.projectdriver`) Berechtigungen, die vom DLP-Dienstkonto zum Generieren von Datenprofilen in einem Projekt benötigt werden.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
DLP-Leser (`roles/dlp.reader`) Lesen von DLP-Entitäten wie Jobs oder Vorlagen.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectFindings.* dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.storedInfoTypes.get dlp.storedInfoTypes.list
Bearbeiter von für DLP gespeicherten InfoTypes (`roles/dlp.storedInfoTypesEditor`) Für DLP gespeicherte InfoTypes bearbeiten.	dlp.storedInfoTypes.*
Leser von für DLP gespeicherte InfoTypes (`roles/dlp.storedInfoTypesReader`) Für DLP gespeicherte InfoTypes lesen.	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
Leser von DLP-Tabellendatenprofilen (`roles/dlp.tableDataProfilesReader`) DLP-Tabellenprofile lesen.	dlp.tableDataProfiles.*
DLP-Nutzer (`roles/dlp.user`) Inhalte prüfen, entfernen und ihre Identifizierung aufheben	dlp.kms.* serviceusage.services.use

Cloud Domains-Rollen

Role	Permissions
Cloud Domains Admin (`roles/domains.admin`) Full access to Cloud Domains Registrations and related resources.	domains.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Domains Viewer (`roles/domains.viewer`) Read-only access to Cloud Domains Registrations and related resources.	domains.locations.* domains.operations.get domains.operations.list domains.registrations.get domains.registrations.getIamPolicy domains.registrations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Filestore-Rollen

Rolle	Berechtigungen
Cloud Filestore-Bearbeiter ^Beta (`roles/file.editor`) Lese- und Schreibzugriff auf Filestore-Instanzen und zugehörige Ressourcen.	file.*
Cloud Filestore-Betrachter ^Beta (`roles/file.viewer`) Schreibzugriff auf Filestore-Instanzen und zugehörige Ressourcen.	file.backups.get file.backups.list file.instances.get file.instances.list file.locations.* file.operations.get file.operations.list

Cloud Functions-Rollen

Role	Permissions
Cloud Functions Admin (`roles/cloudfunctions.admin`) Full access to functions, operations and locations.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.* eventarc.* recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud Functions Developer (`roles/cloudfunctions.developer`) Read and write access to all functions-related resources.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* eventarc.locations.* eventarc.operations.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.update serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud Functions Invoker (`roles/cloudfunctions.invoker`) Ability to invoke HTTP functions with restricted access.	cloudfunctions.functions.invoke
Cloud Functions Viewer (`roles/cloudfunctions.viewer`) Read-only access to functions and locations.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Game Services-Rollen

Rolle Berechtigungen

Rolle	Berechtigungen
Game Services API-Administrator (`roles/gameservices.admin`) Vollständiger Zugriff auf die Game Services API und zugehörige Ressourcen.	gameservices.* resourcemanager.projects.get resourcemanager.projects.list
Game Services API-Betrachter (`roles/gameservices.viewer`) Lesezugriff auf Game Services API und zugehörige Ressourcen.	gameservices.gameServerClusters.get gameservices.gameServerClusters.list gameservices.gameServerConfigs.get gameservices.gameServerConfigs.list gameservices.gameServerDeployments.get gameservices.gameServerDeployments.list gameservices.locations.* gameservices.operations.get gameservices.operations.list gameservices.realms.get gameservices.realms.list resourcemanager.projects.get resourcemanager.projects.list

Game Services API-Administrator
(roles/gameservices.admin)

Vollständiger Zugriff auf die Game Services API und zugehörige Ressourcen.

gameservices.*
resourcemanager.projects.get
resourcemanager.projects.list

Game Services API-Betrachter
(roles/gameservices.viewer)

Lesezugriff auf Game Services API und zugehörige Ressourcen.

gameservices.gameServerClusters.get
gameservices.gameServerClusters.list
gameservices.gameServerConfigs.get
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.get
gameservices.gameServerDeployments.list
gameservices.locations.*
gameservices.operations.get
gameservices.operations.list
gameservices.realms.get
gameservices.realms.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Healthcare-Rollen

Role	Permissions
Healthcare Annotation Editor (`roles/healthcare.annotationEditor`) Create, delete, update, read and list annotations.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Reader (`roles/healthcare.annotationReader`) Read and list annotations in an Annotation store.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.get healthcare.annotations.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Administrator (`roles/healthcare.annotationStoreAdmin`) Administer Annotation stores.	healthcare.annotationStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Store Viewer (`roles/healthcare.annotationStoreViewer`) List Annotation Stores in a dataset.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Attribute Definition Editor (`roles/healthcare.attributeDefinitionEditor`) Edit AttributeDefinition objects.	healthcare.attributeDefinitions.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Attribute Definition Reader (`roles/healthcare.attributeDefinitionReader`) Read AttributeDefinition objects in a consent store.	healthcare.attributeDefinitions.get healthcare.attributeDefinitions.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Administrator (`roles/healthcare.consentArtifactAdmin`) Administer ConsentArtifact objects.	healthcare.consentArtifacts.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Editor (`roles/healthcare.consentArtifactEditor`) Edit ConsentArtifact objects.	healthcare.consentArtifacts.create healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Reader (`roles/healthcare.consentArtifactReader`) Read ConsentArtifact objects in a consent store.	healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Editor (`roles/healthcare.consentEditor`) Edit Consent objects.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Reader (`roles/healthcare.consentReader`) Read Consent objects in a consent store.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.get healthcare.consents.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Store Administrator (`roles/healthcare.consentStoreAdmin`) Administer Consent stores.	healthcare.consentStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Store Viewer (`roles/healthcare.consentStoreViewer`) List Consent Stores in a dataset.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Dataset Administrator (`roles/healthcare.datasetAdmin`) Administer Healthcare Datasets.	healthcare.datasets.* healthcare.locations.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list
Healthcare Dataset Viewer (`roles/healthcare.datasetViewer`) List the Healthcare Datasets in a project.	healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Editor (`roles/healthcare.dicomEditor`) Edit DICOM images individually and in bulk.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.dicomWebRead healthcare.dicomStores.dicomWebWrite healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Store Administrator (`roles/healthcare.dicomStoreAdmin`) Administer DICOM stores.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare.dicomStores.deidentify healthcare.dicomStores.delete healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.get healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.dicomStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Store Viewer (`roles/healthcare.dicomStoreViewer`) List DICOM Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Viewer (`roles/healthcare.dicomViewer`) Retrieve DICOM images from a DICOM store.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Resource Editor (`roles/healthcare.fhirResourceEditor`) Create, delete, update, read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.create healthcare.fhirResources.delete healthcare.fhirResources.get healthcare.fhirResources.patch healthcare.fhirResources.translateConceptMap healthcare.fhirResources.update healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Resource Reader