Noções básicas sobre papéis

Um papel contém um conjunto de permissões que permitem realizar ações específicas nos recursos do Google Cloud. Para disponibilizar as permissões aos principais, incluindo usuários, grupos e contas de serviço, conceda papéis aos principais.

Nesta página, descrevemos os papéis do IAM que podem ser concedidos.

Pré-requisito para este guia

Tipos de papel

Existem três tipos de papéis no IAM:

  • Papéis básicos, que incluem os de proprietário, editor e visualizador que existiam antes da introdução do IAM.
  • Papéis predefinidos, que fornecem acesso granular a um serviço específico e são gerenciados pelo Google Cloud.
  • Papéis personalizados, que fornecem acesso granular de acordo com uma lista de permissões especificada pelo usuário.

Para determinar se uma permissão está incluída em um papel básico, predefinido ou personalizado, use um dos métodos a seguir:

As seções abaixo descrevem cada tipo de papel e fornecem exemplos de como usá-los.

Papéis básicos

Há vários papéis básicos que existiam antes da introdução do IAM: proprietário, editor e visualizador. Esses papéis são concêntricos, isto é, o de Proprietário inclui as permissões no papel de Editor, e este no de Leitor. Esses papéis eram conhecidos anteriormente como "papéis primários".

A tabela a seguir resume as permissões que os papéis básicos têm em todos os serviços do Google Cloud:

Definições dos papéis básicos

Nome Título Permissões
roles/viewer Leitor Permissões para ações somente leitura que não afetam o estado, como ver (mas não modificar) recursos ou dados existentes.
roles/editor Editor Todas as permissões do leitor e as permissões para ações que modificam o estado, como a alteração de recursos atuais.
Observação: o papel de editor contém permissões para criar e excluir recursos para a maioria dos serviços do Google Cloud. No entanto, ele não contém permissões para executar todas as ações de todos os serviços. Consulte a seção acima para ver mais informações sobre como verificar se um papel tem as permissões necessárias.
roles/owner Proprietário Todas as permissões de editor e também para as seguintes ações:
  • Gerenciar papéis e permissões para um projeto e todos os recursos dentro do projeto.
  • Configurar o faturamento de um projeto
Observação:
  • A concessão do papel de proprietário em nível de recurso, como um tópico do Pub/Sub, não concede o papel de proprietário no projeto pai.
  • A concessão do papel de proprietário no nível da organização não permite que você atualize os metadados da organização. No entanto, ele permite que você modifique projetos e outros recursos nessa organização.
  • Para conceder o papel de proprietário em um projeto a um usuário fora da organização, você precisa usar o Console do Google Cloud, não a ferramenta gcloud. Se o projeto não fizer parte de uma organização, use o Console do Cloud para conceder o papel de Proprietário.

É possível conceder papéis básicos no nível dos recursos do projeto ou do serviço. Para fazer isso, use o Console do Cloud, a API ou a ferramenta gcloud. Para mais instruções, consulte Como conceder, alterar e revogar acesso a recursos.

Para saber como conceder papéis usando o Console do Cloud, consulte Como conceder, alterar e revogar acesso.

Papéis predefinidos

Além dos papéis básicos, o IAM fornece outros papéis predefinidos que dão acesso granular a recursos específicos do Google Cloud e impedem o acesso indesejado a outros recursos. Esses papéis são criados e mantidos pelo Google. O Google atualiza automaticamente as permissões conforme necessário, como quando o Google Cloud adiciona novos recursos ou serviços.

A tabela a seguir lista esses papéis, as respectivas descrições e o tipo de recurso de menor nível em que os papéis são configurados. Um papel específico pode ser concedido a esse tipo de recurso ou, na maioria dos casos, a qualquer tipo acima dele na hierarquia do Google Cloud. É possível atribuir vários papéis ao mesmo usuário. Por exemplo: é possível que o mesmo usuário tenha papéis de Administrador de rede, bem como o de Visualizador de registro em um projeto e também o de Editor em um tópico Pub/Sub nesse projeto. Para uma lista de permissões contidas em um papel, consulte Como conseguir os metadados do papel.

Papéis do Access Approval

Role Permissions

Access Approval Approver Beta
(roles/accessapproval.approver)

Ability to view or act on access approval requests and view configuration

  • accessapproval.requests.*
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Approval Config Editor Beta
(roles/accessapproval.configEditor)

Ability update the Access Approval configuration

  • accessapproval.settings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Approval Viewer Beta
(roles/accessapproval.viewer)

Ability to view access approval requests and configuration

  • accessapproval.requests.get
  • accessapproval.requests.list
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Access Context Manager

Papel Permissões

Administrador de vinculação de acesso à nuvem
(roles/accesscontextmanager.gcpAccessAdmin)

Criar, editar e alterar vinculações de acesso à nuvem.

  • accesscontextmanager.gcpUserAccessBindings.*

Leitor de vinculação de acesso à nuvem
(roles/accesscontextmanager.gcpAccessReader)

Acesso de leitura às vinculações de acesso da nuvem.

  • accesscontextmanager.gcpUserAccessBindings.get
  • accesscontextmanager.gcpUserAccessBindings.list

Administrador do Access Context Manager
(roles/accesscontextmanager.policyAdmin)

Acesso total a políticas, níveis e zonas de acesso

  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.*
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.*
  • accesscontextmanager.servicePerimeters.*
  • cloudasset.assets.searchAllResources
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor do Access Context Manager
(roles/accesscontextmanager.policyEditor)

Acesso de edição a políticas. Cria, edita e altera níveis e zonas de acesso.

  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.create
  • accesscontextmanager.accessPolicies.delete
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessPolicies.update
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.create
  • accesscontextmanager.policies.delete
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.policies.update
  • accesscontextmanager.servicePerimeters.*
  • cloudasset.assets.searchAllResources
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do Access Context Manager
(roles/accesscontextmanager.policyReader)

Acesso de leitura a políticas, níveis e zonas de acesso.

  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessZones.get
  • accesscontextmanager.accessZones.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do solucionador de problemas do VPC Service Controls
(roles/accesscontextmanager.vpcScTroubleshooterViewer)

  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis de ações

Papel Permissões

Administrador de ações
(roles/actions.Admin)

Acesso para editar e implantar uma ação

  • actions.*
  • firebase.projects.get
  • firebase.projects.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Visualizador de ações
(roles/actions.Viewer)

Acesso para visualizar uma ação

  • actions.agent.get
  • actions.agentVersions.get
  • actions.agentVersions.list
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Papéis dos notebooks de IA

Papel Permissões

Administrador de notebooks
(roles/notebooks.admin)

Acesso total a todos os recursos de notebooks.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Instância
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Administrador legado de notebooks
(roles/notebooks.legacyAdmin)

Acesso total a todos os recursos de notebooks por meio da API Compute.

  • compute.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Leitor legado de notebooks
(roles/notebooks.legacyViewer)

Acesso somente leitura a todos os recursos de notebooks por meio da API Compute.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Executor de notebooks
(roles/notebooks.runner)

Acesso restrito para executar notebooks programados.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.create
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.create
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.create
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.create
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Leitor do Notebooks
(roles/notebooks.viewer)

Acesso somente leitura a todos os recursos de notebooks.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Instância
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Papéis do AI Platform

Role Permissions

AI Platform Admin
(roles/ml.admin)

Provides full access to AI Platform resources, and its jobs, operations, models, and versions.

Lowest-level resources where you can grant this role:

  • Project
  • ml.*
  • resourcemanager.projects.get

AI Platform Developer
(roles/ml.developer)

Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.

Lowest-level resources where you can grant this role:

  • Project
  • ml.jobs.create
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.locations.*
  • ml.models.create
  • ml.models.get
  • ml.models.getIamPolicy
  • ml.models.list
  • ml.models.predict
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.*
  • ml.trials.*
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict
  • resourcemanager.projects.get

AI Platform Job Owner
(roles/ml.jobOwner)

Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.

Lowest-level resources where you can grant this role:

  • Job
  • ml.jobs.*

AI Platform Model Owner
(roles/ml.modelOwner)

Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.

Lowest-level resources where you can grant this role:

  • Model
  • ml.models.*
  • ml.versions.*

AI Platform Model User
(roles/ml.modelUser)

Provides permissions to read the model and its versions, and use them for prediction.

Lowest-level resources where you can grant this role:

  • Model
  • ml.models.get
  • ml.models.predict
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict

AI Platform Operation Owner
(roles/ml.operationOwner)

Provides full access to all permissions for a particular operation resource.

Lowest-level resources where you can grant this role:

  • Operation
  • ml.operations.*

AI Platform Viewer
(roles/ml.viewer)

Provides read-only access to AI Platform resources.

Lowest-level resources where you can grant this role:

  • Project
  • ml.jobs.get
  • ml.jobs.list
  • ml.locations.*
  • ml.models.get
  • ml.models.list
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.get
  • ml.studies.getIamPolicy
  • ml.studies.list
  • ml.trials.get
  • ml.trials.list
  • ml.versions.get
  • ml.versions.list
  • resourcemanager.projects.get

Papéis de gerenciamento do Android

Role Permissions

Android Management User
(roles/androidmanagement.user)

Full access to manage devices.

  • androidmanagement.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Papéis do Anthos para várias nuvens

Role Permissions

Anthos Multi-cloud Admin Beta
(roles/gkemulticloud.admin)

Administrator of Anthos Multi-cloud resources

  • gkemulticloud.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Anthos Multi-cloud Viewer Beta
(roles/gkemulticloud.viewer)

Viewer of Anthos Multi-cloud resources

  • gkemulticloud.awsClusters.get
  • gkemulticloud.awsClusters.list
  • gkemulticloud.awsNodePools.get
  • gkemulticloud.awsNodePools.list
  • gkemulticloud.awsServerConfigs.*
  • gkemulticloud.azureClients.get
  • gkemulticloud.azureClients.list
  • gkemulticloud.azureClusters.get
  • gkemulticloud.azureClusters.list
  • gkemulticloud.azureNodePools.get
  • gkemulticloud.azureNodePools.list
  • gkemulticloud.azureServerConfigs.*
  • gkemulticloud.operations.get
  • gkemulticloud.operations.list
  • gkemulticloud.operations.wait
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis da API Gateway

Role Permissions

ApiGateway Admin
(roles/apigateway.admin)

Full access to ApiGateway and related resources.

  • apigateway.*
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
  • serviceusage.services.list

ApiGateway Viewer
(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

  • apigateway.apiconfigs.get
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apis.get
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.gateways.get
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.locations.*
  • apigateway.operations.get
  • apigateway.operations.list
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
  • serviceusage.services.list

Papéis do Apigee

Papel Permissões

Administrador da organização da Apigee
(roles/apigee.admin)

Acesso total a todas as funcionalidades de recursos da Apigee

  • apigee.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Agente de análise da Apigee
(roles/apigee.analyticsAgent)

Conjunto de permissões selecionado para que o agente universal de coleta de dados da Apigee gerencie análises para uma organização da Apigee

  • apigee.environments.getDataLocation
  • apigee.runtimeconfigs.*

Editor de análise da Apigee
(roles/apigee.analyticsEditor)

Editor do Analytics para uma organização da Apigee

  • apigee.datacollectors.*
  • apigee.datastores.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.*
  • apigee.hostqueries.*
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.*
  • apigee.reports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Visualizador de análise da Apigee
(roles/apigee.analyticsViewer)

Visualizador do Analytics para uma organização da Apigee

  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.reports.get
  • apigee.reports.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de APIs da Apigee
(roles/apigee.apiAdmin)

Acesso total de leitura/gravação a todos os recursos de APIs da Apigee

  • apigee.apiproductattributes.*
  • apigee.apiproducts.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.keyvaluemaps.list
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.*
  • apigee.proxyrevisions.*
  • apigee.sharedflowrevisions.*
  • apigee.sharedflows.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de API da Apigee
(roles/apigee.apiReader)

Visualizador de recursos da Apigee

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.keyvaluemaps.list
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.sharedflowrevisions.deploy
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflowrevisions.undeploy
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.tracesessions.get
  • apigee.tracesessions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador desenvolvedor da Apigee
(roles/apigee.developerAdmin)

Administrador desenvolvedor de recursos da apigee

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.*
  • apigee.apps.*
  • apigee.datacollectors.*
  • apigee.developerappattributes.*
  • apigee.developerapps.*
  • apigee.developerattributes.*
  • apigee.developerbalances.*
  • apigee.developermonetizationconfigs.*
  • apigee.developers.*
  • apigee.developersubscriptions.*
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.rateplans.get
  • apigee.rateplans.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Admin do ambiente Apigee
(roles/apigee.environmentAdmin)

Acesso total de leitura/gravação aos recursos do ambiente Apigee, incluindo implantações.

  • apigee.archivedeployments.*
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.deployments.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.environments.setIamPolicy
  • apigee.flowhooks.*
  • apigee.ingressconfigs.*
  • apigee.keystorealiases.*
  • apigee.keystores.*
  • apigee.keyvaluemaps.*
  • apigee.maskconfigs.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.references.*
  • apigee.resourcefiles.*
  • apigee.sharedflowrevisions.deploy
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflowrevisions.undeploy
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Administrador de monetização da Apigee
(roles/apigee.monetizationAdmin)

Todas as permissões relacionadas à monetização

  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.developerbalances.*
  • apigee.developermonetizationconfigs.*
  • apigee.developersubscriptions.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.rateplans.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador do portal da Apigee
(roles/apigee.portalAdmin)

Administrador do portal para uma organização Apigee

  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.portals.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador somente leitura da Apigee
(roles/apigee.readOnlyAdmin)

Visualizador de todos os recursos da apigee

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.get
  • apigee.apps.*
  • apigee.archivedeployments.download
  • apigee.archivedeployments.get
  • apigee.archivedeployments.list
  • apigee.caches.list
  • apigee.canaryevaluations.get
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.deployments.get
  • apigee.deployments.list
  • apigee.developerappattributes.get
  • apigee.developerappattributes.list
  • apigee.developerapps.get
  • apigee.developerapps.list
  • apigee.developerattributes.get
  • apigee.developerattributes.list
  • apigee.developerbalances.get
  • apigee.developermonetizationconfigs.get
  • apigee.developers.get
  • apigee.developers.list
  • apigee.developersubscriptions.get
  • apigee.developersubscriptions.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getDataLocation
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.flowhooks.getSharedFlow
  • apigee.flowhooks.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hostsecurityreports.get
  • apigee.hostsecurityreports.list
  • apigee.hoststats.*
  • apigee.ingressconfigs.*
  • apigee.instanceattachments.get
  • apigee.instanceattachments.list
  • apigee.instances.get
  • apigee.instances.list
  • apigee.keystorealiases.get
  • apigee.keystorealiases.list
  • apigee.keystores.get
  • apigee.keystores.list
  • apigee.keyvaluemaps.list
  • apigee.maskconfigs.get
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.portals.get
  • apigee.portals.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.rateplans.get
  • apigee.rateplans.list
  • apigee.references.get
  • apigee.references.list
  • apigee.reports.get
  • apigee.reports.list
  • apigee.resourcefiles.get
  • apigee.resourcefiles.list
  • apigee.runtimeconfigs.*
  • apigee.securityreports.get
  • apigee.securityreports.list
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.get
  • apigee.targetservers.list
  • apigee.tracesessions.get
  • apigee.tracesessions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Agente do ambiente de execução da Apigee
(roles/apigee.runtimeAgent)

Conjunto de permissões selecionadas para que um agente de ambiente de execução acesse os recursos da organização da Apigee

  • apigee.canaryevaluations.*
  • apigee.ingressconfigs.*
  • apigee.instances.reportStatus
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.runtimeconfigs.*

Gerenciador de sincronização da Apigee
(roles/apigee.synchronizerManager)

Conjunto selecionado de permissões para um sincronizador gerenciar ambientes em uma organização Apigee

  • apigee.environments.get
  • apigee.environments.manageRuntime
  • apigee.ingressconfigs.*

Administrador do Apigee Connect
(roles/apigeeconnect.Admin)

Administrador do Apigee Connect

  • apigeeconnect.connections.*

Agente do Apigee Connect
(roles/apigeeconnect.Agent)

Capacidade de configurar o agente do Apigee Connect entre clusters externos e o Google.

  • apigeeconnect.endpoints.*

Papéis do App Engine

Papel Permissões

Administrador do App Engine
(roles/appengine.appAdmin)

Acesso de leitura/gravação/modificação a todas as configurações do aplicativo.

Para implantar novas versões, o principal precisa ter o papel de Usuário da conta de serviço (roles/iam.serviceAccountUser) na conta de serviço padrão do App Engine, bem como os papéis de Editor do Cloud Build (roles/cloudbuild.builds.editor) e Administrador de objeto do Cloud Storage (roles/storage.objectAdmin) no projeto.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.*
  • appengine.operations.*
  • appengine.runtimes.*
  • appengine.services.*
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Criador do App Engine
(roles/appengine.appCreator)

Capacidade para criar o recurso do App Engine para o projeto.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do App Engine
(roles/appengine.appViewer)

Acesso somente de leitura a todas as configurações do aplicativo.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de código do App Engine
(roles/appengine.codeViewer)

Acesso somente leitura a todas as configurações e ao código-fonte implantado do aplicativo.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.getFileContents
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Implantador do App Engine
(roles/appengine.deployer)

Acesso somente de leitura a todas as configurações do aplicativo.

Para implantar novas versões, você também precisa ter o papel de usuário da conta de serviço (roles/iam.serviceAccountUser) na conta de serviço padrão do App Engine e o papel de editor do Cloud Build (roles/cloudbuild.builds.editor) e de administrador de objeto do Cloud Storage (roles/storage.objectAdmin) no projeto.

Não é possível modificar versões existentes, a não ser para excluir versões que não estejam recebendo tráfego.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de serviço do App Engine
(roles/appengine.serviceAdmin)

Acesso somente de leitura a todas as configurações do aplicativo.

Acesso de gravação a configurações de módulo e versão. Não permite implantar versões novas.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.get
  • appengine.instances.*
  • appengine.operations.*
  • appengine.services.*
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Artifact Registry

Papel Permissões

Administrador do Artifact Registry
(roles/artifactregistry.admin)

Acesso de administrador para a criação e o gerenciamento de repositórios.

  • artifactregistry.*

Leitor do Artifact Registry
(roles/artifactregistry.reader)

Acesso para leitura de itens do repositório.

  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list

Administrador do repositório do Artifact Registry
(roles/artifactregistry.repoAdmin)

Acesso para gerenciar artefatos em repositórios.

  • artifactregistry.aptartifacts.*
  • artifactregistry.files.*
  • artifactregistry.packages.*
  • artifactregistry.repositories.deleteArtifacts
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.*
  • artifactregistry.versions.*
  • artifactregistry.yumartifacts.*

Gravador do Artifact Registry
(roles/artifactregistry.writer)

Acesso para leitura e gravação de itens do repositório.

  • artifactregistry.aptartifacts.*
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.*

Papéis do Assured Workloads

Papel Permissões

Administrador do Assured Workloads
(roles/assuredworkloads.admin)

Concede acesso total aos recursos do Assured Workloads e de CRM: administração de políticas da organização e projetos/pastas

  • assuredworkloads.*
  • orgpolicy.policy.*
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor do Assured Workloads
(roles/assuredworkloads.editor)

Concede acesso de leitura e gravação aos recursos do Assured Workloads e de CRM: projeto/pasta e administração das políticas da organização

  • assuredworkloads.*
  • orgpolicy.policy.*
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do Assured Workloads
(roles/assuredworkloads.reader)

Concede acesso de leitura a todos os recursos do Assured Workloads e aos recursos de CRM: projeto/pasta

  • assuredworkloads.operations.*
  • assuredworkloads.workload.get
  • assuredworkloads.workload.list
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do AutoML

Papel Permissões

Administrador do AutoML Beta
(roles/automl.admin)

Acesso total a todos os recursos do AutoML

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conjunto de dados
  • Modelo
  • automl.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

Editor do AutoML Beta
(roles/automl.editor)

Editor de todos os recursos do AutoML

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conjunto de dados
  • Modelo
  • automl.annotationSpecs.*
  • automl.annotations.*
  • automl.columnSpecs.*
  • automl.datasets.create
  • automl.datasets.delete
  • automl.datasets.export
  • automl.datasets.get
  • automl.datasets.import
  • automl.datasets.list
  • automl.datasets.update
  • automl.examples.*
  • automl.humanAnnotationTasks.*
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.*
  • automl.models.create
  • automl.models.delete
  • automl.models.deploy
  • automl.models.export
  • automl.models.get
  • automl.models.list
  • automl.models.predict
  • automl.models.undeploy
  • automl.operations.*
  • automl.tableSpecs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

Preditor do AutoML Beta
(roles/automl.predictor)

Prever com modelos

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Modelo
  • automl.models.predict
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do AutoML Beta
(roles/automl.viewer)

Acesso de leitura a todos os recursos do AutoML

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conjunto de dados
  • Modelo
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

Papéis do BigQuery

Papel Permissões

Administrador do BigQuery
(roles/bigquery.admin)

Concede permissões para gerenciar todos os recursos no projeto. Pode gerenciar todos os dados no projeto e cancelar jobs de outros usuários que estejam sendo executados.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Projeto
  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.config.*
  • bigquery.connections.*
  • bigquery.datasets.*
  • bigquery.jobs.*
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.savedqueries.*
  • bigquery.tables.*
  • bigquery.transfers.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de conexão do BigQuery
(roles/bigquery.connectionAdmin)

  • bigquery.connections.*

Usuário de conexão do BigQuery
(roles/bigquery.connectionUser)

  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use

Editor de dados do BigQuery
(roles/bigquery.dataEditor)

Quando aplicado a uma tabela ou visualização, esse papel fornece permissões para:

  • ler e atualizar dados e metadados da tabela ou visualização;
  • excluir a tabela ou a visualização.

Esse papel não pode ser aplicado a modelos ou rotinas individuais.

Quando aplicado a um conjunto de dados, esse papel fornece permissões para:

  • ler os metadados do conjunto de dados e listar as tabelas no conjunto de dados;
  • criar, atualizar, receber e excluir as tabelas do conjunto de dados.

Quando aplicado no nível do projeto ou da organização, esse papel também cria novos conjuntos de dados.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Tabela
  • Ver
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Proprietário de dados do BigQuery
(roles/bigquery.dataOwner)

Quando aplicado a uma tabela ou visualização, esse papel fornece permissões para:

  • ler e atualizar dados e metadados da tabela ou visualização;
  • compartilhar a tabela ou a visualização;
  • excluir a tabela ou a visualização.

Esse papel não pode ser aplicado a modelos ou rotinas individuais.

Quando aplicado a um conjunto de dados, esse papel fornece permissões para:

  • ler, atualizar e excluir o conjunto de dados;
  • criar, atualizar, receber e excluir as tabelas do conjunto de dados.

Quando aplicado no nível do projeto ou da organização, esse papel também cria novos conjuntos de dados.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Tabela
  • Ver
  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Visualizador de dados do BigQuery
(roles/bigquery.dataViewer)

Quando aplicado a uma tabela ou visualização, esse papel fornece permissões para:

  • ler dados e metadados da tabela ou visualização.

Esse papel não pode ser aplicado a modelos ou rotinas individuais.

Quando aplicado a um conjunto de dados, esse papel fornece permissões para:

  • ler os metadados do conjunto de dados e listar as tabelas no conjunto de dados;
  • ler dados e metadados das tabelas do conjunto de dados.

Quando aplicado no nível do projeto ou da organização, esse papel também enumera todos os conjuntos de dados no projeto. No entanto, são necessários papéis extras para permitir a execução de jobs.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Tabela
  • Ver
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.createSnapshot
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Visualizador de dados filtrados do BigQuery
(roles/bigquery.filteredDataViewer)

Acesso de visualização de dados de tabelas filtrados definido por uma política de acesso de linha

  • bigquery.rowAccessPolicies.getFilteredData

Usuário de jobs do BigQuery
(roles/bigquery.jobUser)

Concede permissões para executar jobs, incluindo consultas, no projeto.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Projeto
  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de metadados do BigQuery
(roles/bigquery.metadataViewer)

Quando aplicado a uma tabela ou visualização, esse papel fornece permissões para:

  • ler metadados da tabela ou visualização.

Esse papel não pode ser aplicado a modelos ou rotinas individuais.

Quando aplicado a um conjunto de dados, esse papel fornece permissões para:

  • listar tabelas e visualizações no conjunto de dados;
  • ler metadados das tabelas e visualizações do conjunto de dados.

Quando aplicado no nível do projeto ou da organização, esse papel fornece permissões para:

  • listar todos os conjuntos de dados e ler metadados para todos os conjuntos de dados no projeto;
  • listar todas as tabelas e visualizações e ler metadados para todas as tabelas e visualizações no projeto.

São necessários papéis extras para permitir a execução de jobs.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Tabela
  • Ver
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Usuário de sessão de leitura do BigQuery
(roles/bigquery.readSessionUser)

Acesso para criar e usar sessões de leitura

  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de recursos do BigQuery
(roles/bigquery.resourceAdmin)

Administra todos os recursos do BigQuery.

  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • recommender.bigqueryCapacityCommitmentsInsights.*
  • recommender.bigqueryCapacityCommitmentsRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor de recursos do BigQuery
(roles/bigquery.resourceEditor)

Gerencia todos os recursos do BigQuery, mas não pode tomar decisões de compra.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Visualizador de recursos do BigQuery
(roles/bigquery.resourceViewer)

Visualiza todos os recursos do BigQuery, mas não pode editar ou tomar decisões de compra.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Usuário do BigQuery
(roles/bigquery.user)

Quando aplicado a um conjunto de dados, esse papel fornece a capacidade de ler os metadados do conjunto de dados e listar as tabelas no conjunto de dados.

Quando aplicado a um projeto, esse papel também dá a capacidade de executar jobs, incluindo consultas, dentro do projeto. Um participante com esse papel consegue enumerar e cancelar os próprios jobs, bem como enumerar conjuntos de dados em um projeto. Além disso, permite a criação de novos conjuntos de dados no projeto. O criador recebe o papel de proprietário de dados do BigQuery (roles/bigquery.dataOwner) nesses novos conjuntos de dados.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Conjunto de dados
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis de faturamento

Papel Permissões

Administrador da conta de faturamento
(roles/billing.admin)

Dá acesso para visualizar e gerenciar todos os aspectos das contas de faturamento.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conta de faturamento
  • billing.accounts.close
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.move
  • billing.accounts.redeemPromotion
  • billing.accounts.removeFromOrganization
  • billing.accounts.reopen
  • billing.accounts.setIamPolicy
  • billing.accounts.update
  • billing.accounts.updatePaymentInfo
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.credits.*
  • billing.resourceAssociations.*
  • billing.subscriptions.*
  • cloudnotifications.*
  • commerceoffercatalog.*
  • consumerprocurement.accounts.*
  • consumerprocurement.orders.*
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • logging.logEntries.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.privateLogEntries.*
  • recommender.commitmentUtilizationInsights.*
  • recommender.usageCommitmentRecommendations.*
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Gerente de custos da conta de faturamento
(roles/billing.costsManager)

Pode ver e exportar informações de custo das contas de faturamento.

  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.resourceAssociations.list

Criador da conta de faturamento
(roles/billing.creator)

Dá acesso para criar contas de faturamento.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Organização
  • billing.accounts.create
  • resourcemanager.organizations.get

Gerente de faturamento do projeto
(roles/billing.projectManager)

Concede acesso para atribuir uma conta de faturamento de um projeto ou desativar o faturamento.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Usuário da conta de faturamento
(roles/billing.user)

Dá acesso para associar projetos a contas de faturamento.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conta de faturamento
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.redeemPromotion
  • billing.credits.*
  • billing.resourceAssociations.create

Leitor da conta de faturamento
(roles/billing.viewer)

Visualizar as informações de custo da conta de faturamento e as transações.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conta de faturamento
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.budgets.get
  • billing.budgets.list
  • billing.credits.*
  • billing.resourceAssociations.list
  • billing.subscriptions.get
  • billing.subscriptions.list
  • commerceoffercatalog.*
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list

Papéis de autorização binária

Role Permissions

Binary Authorization Attestor Admin
(roles/binaryauthorization.attestorsAdmin)

Administrator of Binary Authorization Attestors

  • binaryauthorization.attestors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Editor
(roles/binaryauthorization.attestorsEditor)

Editor of Binary Authorization Attestors

  • binaryauthorization.attestors.create
  • binaryauthorization.attestors.delete
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.update
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Image Verifier
(roles/binaryauthorization.attestorsVerifier)

Caller of Binary Authorization Attestors VerifyImageAttested

  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Viewer
(roles/binaryauthorization.attestorsViewer)

Viewer of Binary Authorization Attestors

  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Administrator
(roles/binaryauthorization.policyAdmin)

Administrator of Binary Authorization Policy

  • binaryauthorization.continuousValidationConfig.*
  • binaryauthorization.policy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Editor
(roles/binaryauthorization.policyEditor)

Editor of Binary Authorization Policy

  • binaryauthorization.continuousValidationConfig.get
  • binaryauthorization.continuousValidationConfig.update
  • binaryauthorization.policy.get
  • binaryauthorization.policy.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Viewer
(roles/binaryauthorization.policyViewer)

Viewer of Binary Authorization Policy

  • binaryauthorization.continuousValidationConfig.get
  • binaryauthorization.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do serviço de CA

Papel Permissões

Administrador de serviço de CA
(roles/privateca.admin)

Acesso completo a todos os recursos de serviço de CA.

  • privateca.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create

Auditor de serviço de CA
(roles/privateca.auditor)

Acesso somente leitura a todos os recursos de serviço de CA.

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Gerente de operações de serviço de CA
(roles/privateca.caManager)

Cria e gerencia CAs, revoga certificados, cria modelos de certificados e acesso somente leitura para recursos de serviço de CA.

  • privateca.caPools.create
  • privateca.caPools.delete
  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.caPools.update
  • privateca.certificateAuthorities.create
  • privateca.certificateAuthorities.delete
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateAuthorities.update
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateRevocationLists.update
  • privateca.certificateTemplates.create
  • privateca.certificateTemplates.delete
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.update
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.certificates.update
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.create
  • privateca.reusableConfigs.delete
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • privateca.reusableConfigs.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create

Gerente de certificado de serviço de CA
(roles/privateca.certificateManager)

Cria certificados e acesso somente leitura a recursos de serviço de CA.

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.create
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Requerente do certificado de serviço de CA
(roles/privateca.certificateRequester)

Solicitar certificados do serviço de CA.

  • privateca.certificates.create

Usuário do modelo de certificado de serviço de CA
(roles/privateca.templateUser)

Lê, lista e usa os modelos de certificados.

  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.use

Requerente de certificado da carga de trabalho de serviço de CA
(roles/privateca.workloadCertificateRequester)

Solicita certificados do serviço da CA com a identidade do autor da chamada.

  • privateca.certificates.createForSelf

Papéis de recursos do Cloud

Papel Permissões

Proprietário de recursos do Cloud
(roles/cloudasset.owner)

Acesso total aos metadados de recursos do Cloud

  • cloudasset.*
  • recommender.cloudAssetInsights.*
  • recommender.locations.*

Leitor de recursos do Cloud
(roles/cloudasset.viewer)

Acesso somente leitura aos metadados de recursos do cloud

  • cloudasset.assets.*
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*

Papéis do Cloud Bigtable

Role Permissions

Bigtable Administrator
(roles/bigtable.admin)

Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.

Lowest-level resources where you can grant this role:

  • Table
  • bigtable.*
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable Reader
(roles/bigtable.reader)

Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.

Lowest-level resources where you can grant this role:

  • Table
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable User
(roles/bigtable.user)

Provides read-write access to the data stored within tables. Intended for application developers or service accounts.

Lowest-level resources where you can grant this role:

  • Table
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.mutateRows
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable Viewer
(roles/bigtable.viewer)

Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Bigtable.

Lowest-level resources where you can grant this role:

  • Table
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Papéis do Cloud Build

Role Permissions

Cloud Build Approver
(roles/cloudbuild.builds.approver)

Can approve or reject pending builds.

  • cloudbuild.builds.approve
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Service Account
(roles/cloudbuild.builds.builder)

Provides access to perform builds.

  • artifactregistry.aptartifacts.*
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.*
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • pubsub.topics.create
  • pubsub.topics.publish
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Cloud Build Editor
(roles/cloudbuild.builds.editor)

Provides access to create and cancel builds.

Lowest-level resources where you can grant this role:

  • Project
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Viewer
(roles/cloudbuild.builds.viewer)

Provides access to view builds.

Lowest-level resources where you can grant this role:

  • Project
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Editor
(roles/cloudbuild.integrationsEditor)

Can update Integrations

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Owner
(roles/cloudbuild.integrationsOwner)

Can create/delete Integrations

  • compute.firewalls.create
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.networks.get
  • compute.networks.updatePolicy
  • compute.regions.get
  • compute.subnetworks.get
  • compute.subnetworks.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Viewer
(roles/cloudbuild.integrationsViewer)

Can view Integrations

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool Editor
(roles/cloudbuild.workerPoolEditor)

Can update and view WorkerPools

  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • cloudbuild.workerpools.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool Owner
(roles/cloudbuild.workerPoolOwner)

Can create, delete, update, and view WorkerPools

  • cloudbuild.workerpools.create
  • cloudbuild.workerpools.delete
  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • cloudbuild.workerpools.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool User
(roles/cloudbuild.workerPoolUser)

Can run builds in the WorkerPool

  • cloudbuild.workerpools.use

Cloud Build WorkerPool Viewer
(roles/cloudbuild.workerPoolViewer)

Can view WorkerPools

  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud Composer

Papel Permissões

Extensão do agente de serviço da API Cloud Composer v2
(roles/composer.ServiceAgentV2Ext)

A extensão do agente de serviço da API Cloud Composer v2 é um papel complementar necessário para gerenciar os ambientes da Composer v2.

  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy

Administrador do Composer
(roles/composer.admin)

Concede controle total dos recursos do Cloud Composer.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • composer.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Administrador de objetos do armazenamento e do ambiente
(roles/composer.environmentAndStorageObjectAdmin)

Concede controle total dos recursos do Cloud Composer e dos objetos em todos os buckets do projeto.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • composer.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.*

Usuário do ambiente e leitor de objetos do armazenamento
(roles/composer.environmentAndStorageObjectViewer)

Concede as permissões necessárias para listar e receber ambientes e operações do Cloud Composer. Concede acesso somente leitura a objetos em todos os buckets do projeto.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list

Agente de VPC compartilhada do Cloud Composer
(roles/composer.sharedVpcAgent)

Papel a ser atribuído à conta de serviço do agente do Cloud Composer no projeto host da VPC compartilhada

  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.removePeering
  • compute.networks.updatePeering
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zones.*

Usuário do Cloud Composer
(roles/composer.user)

Concede as permissões necessárias para listar e receber ambientes e operações do Cloud Composer.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Worker do Composer
(roles/composer.worker)

Concede as permissões necessárias para executar uma VM de ambiente do Cloud Composer. Destinado a contas de serviço.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • artifactregistry.*
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • container.*
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.*
  • pubsub.schemas.attach
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.*

Papéis do Cloud Connectors

Papel Permissões

Administrador do Connectors
(roles/connectors.admin)

Acesso total a todos os recursos do serviço Connectors.

  • connectors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do Connectors
(roles/connectors.viewer)

Acesso para ler a todos os recursos do Connectors.

  • connectors.connections.get
  • connectors.connections.getConnectionSchemaMetadata
  • connectors.connections.getIamPolicy
  • connectors.connections.getRuntimeActionSchema
  • connectors.connections.getRuntimeEntitySchema
  • connectors.connections.list
  • connectors.connectors.*
  • connectors.locations.*
  • connectors.operations.get
  • connectors.operations.list
  • connectors.providers.*
  • connectors.runtimeconfig.*
  • connectors.versions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud Data Fusion

Papel Permissões

Administrador do Cloud Data Fusion Beta
(roles/datafusion.admin)

Acesso completo às instâncias do Cloud Data Fusion, aos namespaces e aos recursos relacionados.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Projeto
  • datafusion.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Executor do Cloud Data Fusion Beta
(roles/datafusion.runner)

Acesso aos recursos do ambiente de execução do Cloud Data Fusion.

  • datafusion.instances.runtime

Leitor do Cloud Data Fusion Beta
(roles/datafusion.viewer)

Acesso para ler às instâncias do Cloud Data Fusion, aos namespaces e aos recursos relacionados.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Projeto
  • datafusion.instances.get
  • datafusion.instances.getIamPolicy
  • datafusion.instances.list
  • datafusion.instances.runtime
  • datafusion.locations.*
  • datafusion.operations.get
  • datafusion.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud Data Labeling

Papel Permissões

Administrador de serviço do DataLabeling Beta
(roles/datalabeling.admin)

Acesso total a todos os recursos de rotulagem de dados

  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor de serviço do DataLabeling Beta
(roles/datalabeling.editor)

Editor de todos os recursos de rotulagem de dados

  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Visualizador de serviço do DataLabeling Beta
(roles/datalabeling.viewer)

Leitor de todos os recursos de rotulagem de dados

  • datalabeling.annotateddatasets.get
  • datalabeling.annotateddatasets.list
  • datalabeling.annotationspecsets.get
  • datalabeling.annotationspecsets.list
  • datalabeling.dataitems.*
  • datalabeling.datasets.get
  • datalabeling.datasets.list
  • datalabeling.examples.*
  • datalabeling.instructions.get
  • datalabeling.instructions.list
  • datalabeling.operations.get
  • datalabeling.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud Debugger

Papel Permissões

Agente do Cloud Debugger Beta
(roles/clouddebugger.agent)

Concede permissões para registrar o alvo da depuração, ler pontos de interrupção ativos e relatar resultados dos pontos de interrupção.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conta de serviço
  • clouddebugger.breakpoints.list
  • clouddebugger.breakpoints.listActive
  • clouddebugger.breakpoints.update
  • clouddebugger.debuggees.create

Usuário do Cloud Debugger Beta
(roles/clouddebugger.user)

Concede permissões para criar, visualizar, listar e excluir pontos de interrupção (instantâneos e logpoints), bem como listar alvos de depuração (depurados).

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • clouddebugger.breakpoints.create
  • clouddebugger.breakpoints.delete
  • clouddebugger.breakpoints.get
  • clouddebugger.breakpoints.list
  • clouddebugger.debuggees.list

Papéis do Cloud Deploy

Papel Permissões

Administrador do Cloud Deploy Beta
(roles/clouddeploy.admin)

Controle total dos recursos do Cloud Deploy.

  • clouddeploy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Aprovador do Cloud Deploy Beta
(roles/clouddeploy.approver)

Permissão para aprovar ou rejeitar lançamentos.

  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.rollouts.approve
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Desenvolvedor do Cloud Deploy Beta
(roles/clouddeploy.developer)

Permissão para gerenciar a configuração de implantação sem permissão para acessar recursos operacionais, como destinos.

  • clouddeploy.deliveryPipelines.create
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.update
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.*
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Executor do Cloud Deploy Beta
(roles/clouddeploy.jobRunner)

Permissão para executar o trabalho do Cloud Deploy sem permissão para entregar a um destino.

  • logging.logEntries.create
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list

Operador do Cloud Deploy Beta
(roles/clouddeploy.operator)

Permissão para gerenciar a configuração de implantação.

  • clouddeploy.deliveryPipelines.create
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.update
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.*
  • clouddeploy.rollouts.create
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.create
  • clouddeploy.targets.get
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • clouddeploy.targets.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Lançador do Cloud Deploy Beta
(roles/clouddeploy.releaser)

Permissão para criar versões e lançamentos do Cloud Deploy.

  • clouddeploy.deliveryPipelines.get
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.create
  • clouddeploy.releases.get
  • clouddeploy.releases.list
  • clouddeploy.rollouts.create
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do Cloud Deploy Beta
(roles/clouddeploy.viewer)

Pode ver recursos do Cloud Deploy.

  • clouddeploy.config.*
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.locations.*
  • clouddeploy.operations.get
  • clouddeploy.operations.list
  • clouddeploy.releases.get
  • clouddeploy.releases.list
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.get
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud DLP

Papel Permissões

Administrador da DLP
(roles/dlp.admin)

Administra o DLP, incluindo jobs e modelos.

  • dlp.*
  • serviceusage.services.use

Editor de modelos de análise de risco da DLP
(roles/dlp.analyzeRiskTemplatesEditor)

Edita os modelos de análise de risco do DLP.

  • dlp.analyzeRiskTemplates.*

Leitor de modelos de análise de risco da DLP
(roles/dlp.analyzeRiskTemplatesReader)

Lê modelos de análise de risco de DLP.

  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list

Leitor de perfis de dados na coluna da DLP
(roles/dlp.columnDataProfilesReader)

Lê perfis de colunas da DLP.

  • dlp.columnDataProfiles.*

Leitor de perfis de dados da DLP
(roles/dlp.dataProfilesReader)

Lê perfis da DLP.

  • dlp.columnDataProfiles.*;
  • dlp.projectDataProfiles.*;
  • dlp.tableDataProfiles.*;

Editor de modelos de desidentificação do DLP
(roles/dlp.deidentifyTemplatesEditor)

Edita modelos de desidentificação do DLP.

  • dlp.deidentifyTemplates.*

Leitor de modelos de desidentificação do DLP
(roles/dlp.deidentifyTemplatesReader)

Lê modelos de desidentificação de DLP.

  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list

Estimativa de custo da DLP
(roles/dlp.estimatesAdmin)

Gerenciar estimativas de custo da DLP.

  • dlp.estimates.*

Leitor de resultados de inspeção da DLP
(roles/dlp.inspectFindingsReader)

Lê as descobertas armazenadas do DLP.

  • dlp.inspectFindings.*

Editor de modelos de inspeção da DLP
(roles/dlp.inspectTemplatesEditor)

Edita modelos de inspeção de DLP.

  • dlp.inspectTemplates.*

Leitor de modelos de inspeção da DLP
(roles/dlp.inspectTemplatesReader)

Lê modelos de inspeção do DLP.

  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list

Editor de acionadores de job da DLP
(roles/dlp.jobTriggersEditor)

Edita configurações de acionadores de job.

  • dlp.jobTriggers.*

Leitor de acionadores de jobs da DLP
(roles/dlp.jobTriggersReader)

Lê acionadores de jobs.

  • dlp.jobTriggers.get
  • dlp.jobTriggers.list

Editor de jobs da DLP
(roles/dlp.jobsEditor)

Edita e cria jobs

  • dlp.jobs.*
  • dlp.kms.*

Leitor de jobs do DLP
(roles/dlp.jobsReader)

Lê jobs

  • dlp.jobs.get
  • dlp.jobs.list

Driver dos perfis de dados da organização da DLP
(roles/dlp.orgdriver)

Permissões necessárias para a conta de serviço de DLP gerar perfis de dados em uma organização ou pasta.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.connections.updateTag
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • cloudasset.assets.*
  • datacatalog.categories.fineGrainedGet
  • datacatalog.entries.updateTag
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • dlp.*
  • pubsub.topics.updateTag
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Leitor de perfis de dados do projeto da DLP
(roles/dlp.projectDataProfilesReader)

Lê perfis de projetos da DLP.

  • dlp.projectDataProfiles.*

Driver dos perfis de dados do projeto da DLP
(roles/dlp.projectdriver)

Permissões necessárias para que a conta de serviço DLP gere perfis de dados em um projeto.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.connections.updateTag
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • cloudasset.assets.*
  • datacatalog.categories.fineGrainedGet
  • datacatalog.entries.updateTag
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • dlp.*
  • pubsub.topics.updateTag
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Leitor da DLP
(roles/dlp.reader)

Lê entidades de DLP, como jobs e modelos.

  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list
  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list
  • dlp.inspectFindings.*
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
  • dlp.jobTriggers.get
  • dlp.jobTriggers.list
  • dlp.jobs.get
  • dlp.jobs.list
  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list

Editor de DLP Stored InfoTypes
(roles/dlp.storedInfoTypesEditor)

Edita de DLP de tipos de informações armazenadas.

  • dlp.storedInfoTypes.*

Leitor de InfoTypes armazenados da DLP
(roles/dlp.storedInfoTypesReader)

Lê DLP de tipos de informações armazenadas.

  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list

Leitor de perfis de dados da tabela da DLP
(roles/dlp.tableDataProfilesReader)

Lê perfis de tabelas da DLP.

  • dlp.tableDataProfiles.*;

Usuário da DLP
(roles/dlp.user)

Inspeciona, edita e desidentifica conteúdo

  • dlp.kms.*
  • serviceusage.services.use

Papéis do Cloud Domains

Papel Permissões

Administrador de domínios do Cloud Beta
(roles/domains.admin)

Acesso total aos registros de domínios do Cloud e recursos relacionados.

  • domains.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Visualizador de domínios do Cloud Beta
(roles/domains.viewer)

Acesso somente leitura aos registros de domínios do Cloud e recursos relacionados.

  • domains.locations.*
  • domains.operations.get
  • domains.operations.list
  • domains.registrations.get
  • domains.registrations.getIamPolicy
  • domains.registrations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud Filestore

Papel Permissões

Editor do Cloud Filestore Beta
(roles/file.editor)

Acesso de leitura e gravação a instâncias do Filestore e recursos relacionados.

  • file.*

Leitor do Cloud Filestore Beta
(roles/file.viewer)

Acesso somente leitura às instâncias do Filestore e recursos relacionados.

  • file.backups.get
  • file.backups.list
  • file.instances.get
  • file.instances.list
  • file.locations.*
  • file.operations.get
  • file.operations.list

Papéis do Cloud Functions

Papel Permissões

Administrador do Cloud Functions
(roles/cloudfunctions.admin)

Acesso total a funções, operações e locais.

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.*
  • eventarc.*
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Desenvolvedor do Cloud Functions
(roles/cloudfunctions.developer)

Acesso de leitura e gravação a todos os recursos relacionados a funções.

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.call
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.invoke
  • cloudfunctions.functions.list
  • cloudfunctions.functions.sourceCodeGet
  • cloudfunctions.functions.sourceCodeSet
  • cloudfunctions.functions.update
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • eventarc.locations.*
  • eventarc.operations.*
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.undelete
  • eventarc.triggers.update
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.*
  • run.routes.*
  • run.services.create
  • run.services.delete
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • run.services.update
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Chamador do Cloud Functions
(roles/cloudfunctions.invoker)

Capacidade de chamar funções HTTP com acesso restrito.

  • cloudfunctions.functions.invoke

Leitor do Cloud Functions
(roles/cloudfunctions.viewer)

Acesso somente leitura a funções e locais.

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • eventarc.locations.*
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.get
  • run.revisions.list
  • run.routes.get
  • run.routes.list
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Papéis do Cloud Game Services

Papel Permissões

Administrador da API Game Services
(roles/gameservices.admin)

Acesso total à API Game Services e aos recursos relacionados.

  • gameservices.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor da API Game Services
(roles/gameservices.viewer)

Acesso somente leitura à API Game Services e recursos relacionados.

  • gameservices.gameServerClusters.get
  • gameservices.gameServerClusters.list
  • gameservices.gameServerConfigs.get
  • gameservices.gameServerConfigs.list
  • gameservices.gameServerDeployments.get
  • gameservices.gameServerDeployments.list
  • gameservices.locations.*
  • gameservices.operations.get
  • gameservices.operations.list
  • gameservices.realms.get
  • gameservices.realms.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud Healthcare

Papel Permissões

Editor de anotações do Healthcare
(roles/healthcare.annotationEditor)

Cria, exclui, atualiza, lê e lista anotações.

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.annotations.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de anotações do Healthcare
(roles/healthcare.annotationReader)

Lê e lista anotações em um repositório de anotações.

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.annotations.get
  • healthcare.annotations.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de anotações do Healthcare
(roles/healthcare.annotationStoreAdmin)

Administra repositórios de anotações.

  • healthcare.annotationStores.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de repositórios de anotações do Healthcare
(roles/healthcare.annotationStoreViewer)

Lista repositório de anotações em um conjunto de dados.

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor de definição de atributos do Healthcare
(roles/healthcare.attributeDefinitionEditor)

Edita objetos AttributeDefinition.

  • healthcare.attributeDefinitions.*
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de definição de atributo do Healthcare
(roles/healthcare.attributeDefinitionReader)

Lê objetos AttributeDefinition em um repositório de consentimentos.

  • healthcare.attributeDefinitions.get
  • healthcare.attributeDefinitions.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador do artefato de consentimento do Healthcare
(roles/healthcare.consentArtifactAdmin)

Administra objetos ConsentArtifact.

  • healthcare.consentArtifacts.*
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor de artefato de consentimento do Healthcare
(roles/healthcare.consentArtifactEditor)

Edita objetos ConsentArtifact.

  • healthcare.consentArtifacts.create
  • healthcare.consentArtifacts.get
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de artefato de consentimento do Healthcare
(roles/healthcare.consentArtifactReader)

Lê objetos ConsentArtifact em um repositório de consentimentos.

  • healthcare.consentArtifacts.get
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor de consentimentos do Healthcare
(roles/healthcare.consentEditor)

Edita objetos de consentimento.

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.consents.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de consentimentos do Healthcare
(roles/healthcare.consentReader)

Lê objetos de consentimento no respectivo repositório.

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.consents.get
  • healthcare.consents.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de repositório de consentimentos do Healthcare
(roles/healthcare.consentStoreAdmin)

Administra os repositórios de consentimentos.

  • healthcare.consentStores.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de repositório de consentimentos do Healthcare
(roles/healthcare.consentStoreViewer)

Lista os repositórios de consentimentos de um conjunto de dados

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de conjuntos de dados do Healthcare
(roles/healthcare.datasetAdmin)

Administra conjuntos de dados do Healthcare.

  • healthcare.datasets.*
  • healthcare.locations.*
  • healthcare.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do conjunto de dados do Healthcare
(roles/healthcare.datasetViewer)

Lista os conjuntos de dados do Healthcare em um projeto.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor DICOM do Healthcare
(roles/healthcare.dicomEditor)

Edita imagens DICOM individualmente e em massa.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.dicomWebRead
  • healthcare.dicomStores.dicomWebWrite
  • healthcare.dicomStores.export
  • healthcare.dicomStores.get
  • healthcare.dicomStores.import
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de repositórios DICOM do Healthcare
(roles/healthcare.dicomStoreAdmin)

Administra repositórios DICOM.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.create
  • healthcare.dicomStores.deidentify
  • healthcare.dicomStores.delete
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.get
  • healthcare.dicomStores.getIamPolicy
  • healthcare.dicomStores.list
  • healthcare.dicomStores.setIamPolicy
  • healthcare.dicomStores.update
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de repositório DICOM do Healthcare
(roles/healthcare.dicomStoreViewer)

Lista repositórios DICOM em um conjunto de dados.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.get
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor DICOM do Healthcare
(roles/healthcare.dicomViewer)

Recupera imagens DICOM de um repositório DICOM.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.dicomWebRead
  • healthcare.dicomStores.export
  • healthcare.dicomStores.get
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor de recursos FHIR do Healthcare
(roles/healthcare.fhirResourceEditor)

Cria, exclui, atualiza, lê e pesquisa recursos FHIR.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.create
  • healthcare.fhirResources.delete
  • healthcare.fhirResources.get
  • healthcare.fhirResources.patch
  • healthcare.fhirResources.translateConceptMap
  • healthcare.fhirResources.update
  • healthcare.fhirStores.executeBundle
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.fhirStores.searchResources
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de recursos FHIR do Healthcare
(roles/healthcare.fhirResourceReader)

Lê e pesquisa recursos FHIR.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.get
  • healthcare.fhirResources.translateConceptMap
  • healthcare.fhirStores.executeBundle
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.fhirStores.searchResources
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de repositórios FHIR do Healthcare
(roles/healthcare.fhirStoreAdmin)

Administra repositórios de recursos FHIR.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.purge
  • healthcare.fhirStores.configureSearch
  • healthcare.fhirStores.create
  • healthcare.fhirStores.deidentify
  • healthcare.fhirStores.delete
  • healthcare.fhirStores.export
  • healthcare.fhirStores.get
  • healthcare.fhirStores.getIamPolicy
  • healthcare.fhirStores.import
  • healthcare.fhirStores.list
  • healthcare.fhirStores.setIamPolicy
  • healthcare.fhirStores.update
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de repositórios FHIR do Healthcare
(roles/healthcare.fhirStoreViewer)

Lista repositórios FHIR em um conjunto de dados.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Consumidor de mensagens HL7v2 do Healthcare
(roles/healthcare.hl7V2Consumer)

Lista e lê mensagens HL7v2, atualiza rótulos de mensagens e publica novas mensagens.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.create
  • healthcare.hl7V2Messages.get
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Messages.update
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor de mensagens HL7v2 do Healthcare
(roles/healthcare.hl7V2Editor)

Lê, grava e exclui o acesso a mensagens HL7v2.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.*
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Ingestão de mensagens HL7v2 do Healthcare
(roles/healthcare.hl7V2Ingest)

Ingere mensagens HL7v2 recebidas de uma rede de origem.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.ingest
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de repositórios HL7v2 do Healthcare
(roles/healthcare.hl7V2StoreAdmin)

Administra repositórios HL7v2.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Stores.*
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de repositórios HL7v2 do Healthcare
(roles/healthcare.hl7V2StoreViewer)

Ver os armazenamentos HL7v2 em um conjunto de dados.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de serviços de PLN do Healthcare Beta
(roles/healthcare.nlpServiceViewer)

Extrair e analisar entidades médicas de determinado texto.

  • healthcare.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor do mapeamento de dados do usuário do Healthcare
(roles/healthcare.userDataMappingEditor)

Edita objetos UserDataMapping.

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • healthcare.userDataMappings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de mapeamento de dados do usuário do Healthcare
(roles/healthcare.userDataMappingReader)

Lê objetos UserDataMapping em um repositório de consentimentos.

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • healthcare.userDataMappings.get
  • healthcare.userDataMappings.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud IAP

Papel Permissões

Administrador de políticas do IAP
(roles/iap.admin)

Concede acesso total aos recursos do Identity-Aware Proxy.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Projeto
  • iap.tunnel.*
  • iap.tunnelInstances.getIamPolicy
  • iap.tunnelInstances.setIamPolicy
  • iap.tunnelZones.*
  • iap.web.getIamPolicy
  • iap.web.setIamPolicy
  • iap.webServiceVersions.getIamPolicy
  • iap.webServiceVersions.setIamPolicy
  • iap.webServices.getIamPolicy
  • iap.webServices.setIamPolicy
  • iap.webTypes.getIamPolicy
  • iap.webTypes.setIamPolicy

Usuário do app da Web protegido pelo IAP
(roles/iap.httpsResourceAccessor)

Concede permissões para acessar os recursos HTTPS que usam o Identity-Aware Proxy.

  • iap.webServiceVersions.accessViaIAP

Administrador de configurações do IAP
(roles/iap.settingsAdmin)

Administrador de configurações do IAP.

  • iap.projects.*
  • iap.web.getSettings
  • iap.web.updateSettings
  • iap.webServiceVersions.getSettings
  • iap.webServiceVersions.updateSettings
  • iap.webServices.getSettings
  • iap.webServices.updateSettings
  • iap.webTypes.getSettings
  • iap.webTypes.updateSettings

Usuário do túnel protegido pelo IAP
(roles/iap.tunnelResourceAccessor)

Acesso a recursos de túnel que usam o Identity-Aware Proxy

  • iap.tunnelInstances.accessViaIAP

Papéis do Cloud IoT

Role Permissions

Cloud IoT Admin
(roles/cloudiot.admin)

Full control of all Cloud IoT resources and permissions.

Lowest-level resources where you can grant this role:

  • Device
  • cloudiot.*
  • cloudiottoken.*

Cloud IoT Device Controller
(roles/cloudiot.deviceController)

Access to update the device configuration, but not to create or delete devices.

Lowest-level resources where you can grant this role:

  • Device
  • cloudiot.devices.get
  • cloudiot.devices.list
  • cloudiot.devices.sendCommand
  • cloudiot.devices.updateConfig
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get

Cloud IoT Editor
(roles/cloudiot.editor)

Read-write access to all Cloud IoT resources.

Lowest-level resources where you can grant this role:

  • Device
  • cloudiot.devices.*
  • cloudiot.registries.create
  • cloudiot.registries.delete
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiot.registries.update
  • cloudiottoken.*

Cloud IoT Provisioner
(roles/cloudiot.provisioner)

Access to create and delete devices from registries, but not to modify the registries, and enable devices to publish to topics associated with IoT registry.

Lowest-level resources where you can grant this role:

  • Device
  • cloudiot.devices.*
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get

Cloud IoT Viewer
(roles/cloudiot.viewer)

Read-only access to all Cloud IoT resources.

Lowest-level resources where you can grant this role:

  • Device
  • cloudiot.devices.get
  • cloudiot.devices.list
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get

Papéis do Cloud KMS

Papel Permissões

Administrador do Cloud KMS
(roles/cloudkms.admin)

Concede acesso total aos recursos do Cloud KMS, com exceção das operações de criptografia e descriptografia.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • CryptoKey
  • cloudkms.cryptoKeyVersions.create
  • cloudkms.cryptoKeyVersions.destroy
  • cloudkms.cryptoKeyVersions.get
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.cryptoKeyVersions.restore
  • cloudkms.cryptoKeyVersions.update
  • cloudkms.cryptoKeys.*
  • cloudkms.importJobs.*
  • cloudkms.keyRings.*
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Descriptografador de CryptoKey do Cloud KMS
(roles/cloudkms.cryptoKeyDecrypter)

Permite usar os recursos do Cloud KMS apenas para operações de descriptografia.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • CryptoKey
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Criptografador de CryptoKey do Cloud KMS
(roles/cloudkms.cryptoKeyEncrypter)

Permite usar os recursos do Cloud KMS apenas para operações de criptografia.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • CryptoKey
  • cloudkms.cryptoKeyVersions.useToEncrypt
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Criptografador/Descriptografador de CryptoKey do Cloud KMS
(roles/cloudkms.cryptoKeyEncrypterDecrypter)

Permite usar os recursos do Cloud KMS apenas para operações de criptografia e descriptografia.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • CryptoKey
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.cryptoKeyVersions.useToEncrypt
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Operador de Crypto do Cloud KMS
(roles/cloudkms.cryptoOperator)

Ativa todas as operações Crypto.

  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.cryptoKeyVersions.useToEncrypt
  • cloudkms.cryptoKeyVersions.useToSign
  • cloudkms.cryptoKeyVersions.useToVerify
  • cloudkms.cryptoKeyVersions.viewPublicKey
  • cloudkms.locations.*
  • resourcemanager.projects.get

Cloud KMS Importer
(roles/cloudkms.importer)

Ativa as operações ImportCryptoKeyVersion, CreateImportJob, ListImportJobs e GetImportJob

  • cloudkms.importJobs.create
  • cloudkms.importJobs.get
  • cloudkms.importJobs.list
  • cloudkms.importJobs.useToImport
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Visualizador de chaves públicas de CryptoKey do Cloud KMS
(roles/cloudkms.publicKeyViewer)

Permite operações GetPublicKey

  • cloudkms.cryptoKeyVersions.viewPublicKey
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Signatário de CryptoKey do Cloud KMS
(roles/cloudkms.signer)

Ativa operações Sign

  • cloudkms.cryptoKeyVersions.useToSign
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Signatário/verificador de CryptoKey do Cloud KMS
(roles/cloudkms.signerVerifier)

Ativa as operações Sign, Verify e GetPublicKey

  • cloudkms.cryptoKeyVersions.useToSign
  • cloudkms.cryptoKeyVersions.useToVerify
  • cloudkms.cryptoKeyVersions.viewPublicKey
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Verificador de CryptoKey do Cloud KMS
(roles/cloudkms.verifier)

Ativa as operações Verify e GetPublicKey

  • cloudkms.cryptoKeyVersions.useToVerify
  • cloudkms.cryptoKeyVersions.viewPublicKey
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Papéis do Cloud Life Sciences

Papel Permissões

Administrador do Cloud Life Sciences Beta
(roles/lifesciences.admin)

Controle total sobre os recursos do Cloud Life Sciences.

  • lifesciences.*

Editor do Cloud Life Sciences Beta
(roles/lifesciences.editor)

Acesso para ler e editar recursos do Cloud Life Sciences.

  • lifesciences.*

Visualizador do Cloud Life Sciences Beta
(roles/lifesciences.viewer)

Acesso para ler recursos do Cloud Life Sciences.

  • lifesciences.operations.get
  • lifesciences.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Executor de fluxos de trabalho do Cloud Life Sciences Beta
(roles/lifesciences.workflowsRunner)

Acesso total para operar em fluxos de trabalho do Cloud Life Sciences.

  • lifesciences.*

Papéis do Cloud Managed Identities

Papel Permissões

Administrador de identidades gerenciadas do Google Cloud
(roles/managedidentities.admin)

Acesso total aos domínios de identidades gerenciadas do Google Cloud e recursos relacionados. Para ser concedido no nível do projeto.

  • managedidentities.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de domínio das identidades gerenciadas do Google Cloud
(roles/managedidentities.domainAdmin)

Acesso leitura, atualização e exclusão aos domínios de identidades gerenciadas do Google Cloud e recursos relacionados. Para ser concedido no nível do recurso (domínio).

  • managedidentities.domains.attachTrust
  • managedidentities.domains.delete
  • managedidentities.domains.detachTrust
  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.reconfigureTrust
  • managedidentities.domains.resetpassword
  • managedidentities.domains.update
  • managedidentities.domains.updateLDAPSSettings
  • managedidentities.domains.validateTrust
  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • managedidentities.sqlintegrações.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de pee