Como entender os papéis

Nesta página, descrevemos os papéis do IAM e listamos os papéis predefinidos que você pode conceder aos principais.

Um papel contém um conjunto de permissões que permitem realizar ações específicas nos recursos do Google Cloud. Para disponibilizar as permissões aos principais, incluindo usuários, grupos e contas de serviço, conceda papéis aos principais.

Pré-requisito para este guia

Entenda os conceitos básicos do IAM

Tipos de papel

Existem três tipos de papéis no IAM:

Papéis básicos, que incluem os de proprietário, editor e visualizador que existiam antes da introdução do IAM.
Papéis predefinidos, que fornecem acesso granular a um serviço específico e são gerenciados pelo Google Cloud.
Papéis personalizados, que fornecem acesso granular de acordo com uma lista de permissões especificada pelo usuário.

Para determinar se uma permissão está incluída em um papel básico, predefinido ou personalizado, use um dos métodos a seguir:

Execute o comando gcloud iam roles describe para listar as permissões do papel.
Chame o método da API REST roles.get() para listar as permissões do papel.
Apenas para papéis básicos e predefinidos: pesquise a referência de permissões para ver se a permissão foi concedida pelo papel.
Somente para papéis predefinidos: pesquise as descrições de papel predefinidas nesta página para ver quais permissões o papel inclui.

As seções abaixo descrevem cada tipo de papel e fornecem exemplos de como usá-los.

Papéis básicos

Há vários papéis básicos que existiam antes da introdução do IAM: proprietário, editor e visualizador. Esses papéis são concêntricos, isto é, o de Proprietário inclui as permissões no papel de Editor, e este no de Leitor. Esses papéis eram conhecidos anteriormente como "papéis primários".

A tabela a seguir resume as permissões que os papéis básicos têm em todos os serviços do Google Cloud:

Definições dos papéis básicos

Nome	Título	Permissões
`roles/viewer`	Leitor	Permissões para ações somente leitura que não afetam o estado, como ver (mas não modificar) recursos ou dados existentes.
`roles/editor`	Editor	Todas as permissões do leitor e as permissões para ações que modificam o estado, como a alteração de recursos atuais. Observação: o papel de editor contém permissões para criar e excluir recursos para a maioria dos serviços do Google Cloud. No entanto, ele não contém permissões para executar todas as ações de todos os serviços. Para mais informações sobre como verificar se um papel tem as permissões necessárias, consulte Tipos de papel nesta página.
`roles/owner`	Proprietário	Todas as permissões de editor e também para as seguintes ações: Gerenciar papéis e permissões para um projeto e todos os recursos dentro do projeto. Configurar o faturamento de um projeto Observação: A concessão do papel de proprietário em nível de recurso, como um tópico do Pub/Sub, não concede o papel de proprietário no projeto pai. A concessão do papel de proprietário no nível da organização não permite que você atualize os metadados da organização. No entanto, ele permite que você modifique projetos e outros recursos nessa organização. Para conceder o papel de proprietário em um projeto a um usuário fora da organização, você precisa usar o Console do Google Cloud, não a CLI gcloud. Se o projeto não fizer parte de uma organização, use o Console para conceder o papel de Proprietário.

É possível conceder papéis básicos com o console, a API e a CLI gcloud. Para conceder papéis básicos em um projeto, pasta ou organização, consulte Gerenciar o acesso a projetos, pastas e organizações. Para conceder papéis básicos em outros recursos, consulte Gerenciar o acesso a outros recursos.

Papéis predefinidos

Além dos papéis básicos, o IAM fornece outros papéis predefinidos que dão acesso granular a recursos específicos do Google Cloud e impedem o acesso indesejado a outros recursos. Esses papéis são criados e mantidos pelo Google. O Google atualiza automaticamente as permissões conforme necessário, como quando o Google Cloud adiciona novos recursos ou serviços.

A tabela a seguir lista esses papéis, as respectivas descrições e o tipo de recurso de menor nível em que os papéis podem ser configurados. Um papel específico pode ser concedido a esse tipo de recurso ou, na maioria dos casos, a qualquer tipo acima dele na hierarquia de recursos do Google Cloud.

É possível conceder vários papéis ao mesmo usuário, em qualquer nível da hierarquia de recursos. Por exemplo: é possível que o mesmo usuário tenha os papéis de administrador de rede do Compute e de visualizador de registros em um projeto, além do papel de editor do Pub/Sub em um tópico do Pub/Sub nesse projeto. Para listar as permissões contidas em um papel, consulte Como obter os metadados do papel.

Para receber ajuda para escolher os papéis predefinidos mais apropriados, consulte Escolher papéis predefinidos.

Papéis do Access Approval

Papel	Permissões
Aprovador do Access Approval ^Beta (`roles/accessapproval.approver`) Capacidade de visualizar ou agir em solicitações de aprovação de acesso e ver as configurações	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
Editor de configuração do Access Approval ^Beta (`roles/accessapproval.configEditor`) Capacidade de atualizar a configuração de aprovação de acesso	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
Invalidador de aprovação de acesso ^Beta (`roles/accessapproval.invalidator`) Poder para invalidar atuais solicitações de aprovação confirmadas	accessapproval.requests.invalidate accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
Leitor do Access Approval ^Beta (`roles/accessapproval.viewer`) Capacidade de visualizar solicitações de aprovação de acesso e a configuração	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Papéis do Access Context Manager

Papel	Permissões
Administrador de vinculação de acesso à nuvem (`roles/accesscontextmanager.gcpAccessAdmin`) Criar, editar e alterar vinculações de acesso à nuvem.	accesscontextmanager.gcpUserAccessBindings.*
Leitor de vinculação de acesso à nuvem (`roles/accesscontextmanager.gcpAccessReader`) Acesso de leitura às vinculações de acesso da nuvem.	accesscontextmanager.gcpUserAccessBindings.get accesscontextmanager.gcpUserAccessBindings.list
Administrador do Access Context Manager (`roles/accesscontextmanager.policyAdmin`) Acesso total a políticas, níveis e zonas de acesso	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.* accesscontextmanager.accessZones.* accesscontextmanager.policies.* accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Editor do Access Context Manager (`roles/accesscontextmanager.policyEditor`) Acesso de edição a políticas. Cria, edita e altera níveis e zonas de acesso.	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Leitor do Access Context Manager (`roles/accesscontextmanager.policyReader`) Acesso de leitura a políticas, níveis e zonas de acesso.	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Leitor do solucionador de problemas do VPC Service Controls (`roles/accesscontextmanager.vpcScTroubleshooterViewer`)	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.sinks.get logging.sinks.list logging.usage.get resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Papéis de ações

Role	Permissions
Actions Admin (`roles/actions.Admin`) Access to edit and deploy an action	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Actions Viewer (`roles/actions.Viewer`) Access to view an action	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use

Papéis dos notebooks de IA

Role	Permissions
Notebooks Admin (`roles/notebooks.admin`) Full access to Notebooks, all resources. Lowest-level resources where you can grant this role: Instance	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Admin (`roles/notebooks.legacyAdmin`) Full access to Notebooks all resources through compute API.	compute.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Viewer (`roles/notebooks.legacyViewer`) Read-only access to Notebooks all resources through compute API.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Runner (`roles/notebooks.runner`) Restricted access for running scheduled Notebooks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Viewer (`roles/notebooks.viewer`) Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role: Instance	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Papéis do AI Platform

Papel	Permissões
Administrador da AI Platform (`roles/ml.admin`) Fornece acesso total aos recursos, jobs, operações, modelos e versões do AI Platform. Recursos de nível mais baixo em que você pode conceder esse papel: Projeto	ml.* resourcemanager.projects.get
Desenvolvedor da AI Platform (`roles/ml.developer`) Permite usar os recursos do AI Platform para criar modelos, versões e jobs de treinamento e de predição, além de enviar solicitações de predição on-line. Recursos de nível mais baixo em que você pode conceder esse papel: Projeto	ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.* ml.trials.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get
Proprietário de jobs da AI Platform (`roles/ml.jobOwner`) Dá acesso total a todas as permissões para um determinado recurso de job. Esse papel é automaticamente concedido ao usuário que cria o job. Recursos de nível mais baixo em que você pode conceder esse papel: Job	ml.jobs.*
Proprietário de modelos da AI Platform (`roles/ml.modelOwner`) Dá acesso total ao modelo e às versões dele. Esse papel é automaticamente concedido ao usuário que cria o modelo. Recursos de nível mais baixo em que você pode conceder esse papel: Modelo	ml.models.* ml.versions.*
Usuário de modelos da AI Platform (`roles/ml.modelUser`) Concede permissões para ler o modelo e as versões dele e usá-los para predição. Recursos de nível mais baixo em que você pode conceder esse papel: Modelo	ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict
Proprietário de operações da AI Platform (`roles/ml.operationOwner`) Dá acesso total a todas as permissões para um determinado recurso de operação. Recursos de nível mais baixo em que você pode conceder esse papel: Operação	ml.operations.*
Leitor da AI Platform (`roles/ml.viewer`) Fornece acesso somente leitura aos recursos da AI Platform. Recursos de nível mais baixo em que você pode conceder esse papel: Projeto	ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get

Papéis do Analytics Hub

Papel	Permissões
Administrador do Analytics Hub ^Beta (`roles/analyticshub.admin`) Administrar trocas de dados e listagens	analyticshub.dataExchanges.* analyticshub.listings.create analyticshub.listings.delete analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.setIamPolicy analyticshub.listings.update resourcemanager.projects.get resourcemanager.projects.list
Administrador de listagens do Analytics Hub ^Beta (`roles/analyticshub.listingAdmin`) Concede controle total da lista de permissões, incluindo atualização, exclusão e configuração de ACLs.	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.delete analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.setIamPolicy analyticshub.listings.update resourcemanager.projects.get resourcemanager.projects.list
Editor do Analytics Hub ^Beta (`roles/analyticshub.publisher`) Pode publicar em trocas de dados, criando assim listas	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.create analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list
Assinante do Analytics Hub ^Beta (`roles/analyticshub.subscriber`) Pode procurar por trocas de dados e se inscrever em listagens	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.subscribe resourcemanager.projects.get resourcemanager.projects.list
Leitor do Analytics Hub ^Beta (`roles/analyticshub.viewer`) Pode procurar por trocas de dados e listagens	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list

Papéis de gerenciamento do Android

Role	Permissions
Android Management User (`roles/androidmanagement.user`) Full access to manage devices.	androidmanagement.enterprises.manage serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Papéis do Anthos para várias nuvens

Papel	Permissões
Administrador do Anthos em várias nuvens (`roles/gkemulticloud.admin`) Acesso de administrador aos recursos de várias nuvens do Anthos.	gkemulticloud.* resourcemanager.projects.get resourcemanager.projects.list
Gravador de telemetria de várias nuvens do Anthos (`roles/gkemulticloud.telemetryWriter`) Conceder acesso para gravar dados de telemetria do cluster como registros, métricas e metadados de recursos.	logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create opsconfigmonitoring.resourceMetadata.write
Visualizador de várias nuvens do Anthos (`roles/gkemulticloud.viewer`) Acessar os recursos de várias nuvens do Anthos como leitor.	gkemulticloud.awsClusters.generateAccessToken gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud.awsNodePools.list gkemulticloud.awsServerConfigs.get gkemulticloud.azureClients.get gkemulticloud.azureClients.list gkemulticloud.azureClusters.generateAccessToken gkemulticloud.azureClusters.get gkemulticloud.azureClusters.list gkemulticloud.azureNodePools.get gkemulticloud.azureNodePools.list gkemulticloud.azureServerConfigs.get gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list

Papéis da API Gateway

Role Permissions

Role	Permissions
ApiGateway Admin (`roles/apigateway.admin`) Full access to ApiGateway and related resources.	apigateway.* monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list
ApiGateway Viewer (`roles/apigateway.viewer`) Read-only access to ApiGateway and related resources.	apigateway.apiconfigs.get apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.* apigateway.operations.get apigateway.operations.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list

ApiGateway Admin
(roles/apigateway.admin)

Full access to ApiGateway and related resources.

apigateway.*
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

ApiGateway Viewer
(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

Papéis do Apigee

Papel	Permissões
Administrador da organização da Apigee (`roles/apigee.admin`) Acesso total a todas as funcionalidades de recursos da Apigee	apigee.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Agente de análise da Apigee (`roles/apigee.analyticsAgent`) Conjunto de permissões selecionado para que a Apigee Universal Data Collection Agent gerencie análises para uma organização da Apigee	apigee.datalocation.get apigee.environments.getDataLocation apigee.runtimeconfigs.get
Editor de análise da Apigee (`roles/apigee.analyticsEditor`) Editor do Analytics para uma organização da Apigee	apigee.datacollectors.* apigee.datastores.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.* apigee.hostqueries.* apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
Visualizador de análise da Apigee (`roles/apigee.analyticsViewer`) Visualizador do Analytics para uma organização da Apigee	apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list
Administrador de APIs da Apigee (`roles/apigee.apiAdminV2`) Acesso total de leitura/gravação a todos os recursos de APIs da Apigee	apigee.apiproductattributes.* apigee.apiproducts.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.* apigee.keyvaluemaps.* apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.* apigee.sharedflowrevisions.* apigee.sharedflows.* resourcemanager.projects.get resourcemanager.projects.list
Leitor de API da Apigee (`roles/apigee.apiReaderV2`) Visualizador de recursos da Apigee	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list resourcemanager.projects.get resourcemanager.projects.list
Administrador desenvolvedor da Apigee (`roles/apigee.developerAdmin`) Administrador desenvolvedor de recursos da apigee	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.apps.* apigee.datacollectors.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developers.* apigee.developersubscriptions.* apigee.environments.get apigee.environments.getStats apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee.rateplans.get apigee.rateplans.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Admin do ambiente Apigee (`roles/apigee.environmentAdmin`) Acesso total de leitura/gravação aos recursos do ambiente Apigee, incluindo implantações.	apigee.archivedeployments.* apigee.datacollectors.get apigee.datacollectors.list apigee.deployments.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.environments.update apigee.flowhooks.* apigee.ingressconfigs.get apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Administrador de monetização da Apigee (`roles/apigee.monetizationAdmin`) Todas as permissões relacionadas à monetização	apigee.apiproducts.get apigee.apiproducts.list apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developersubscriptions.* apigee.organizations.get apigee.organizations.list apigee.rateplans.* resourcemanager.projects.get resourcemanager.projects.list
Administrador do portal da Apigee (`roles/apigee.portalAdmin`) Administrador do portal para uma organização Apigee	apigee.organizations.get apigee.organizations.list apigee.portals.* resourcemanager.projects.get resourcemanager.projects.list
Administrador somente leitura da Apigee (`roles/apigee.readOnlyAdmin`) Visualizador de todos os recursos da apigee	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.archivedeployments.download apigee.archivedeployments.get apigee.archivedeployments.list apigee.caches.list apigee.canaryevaluations.get apigee.datacollectors.get apigee.datacollectors.list apigee.datalocation.get apigee.datastores.get apigee.datastores.list apigee.deployments.get apigee.deployments.list apigee.developerappattributes.get apigee.developerappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developerbalances.get apigee.developermonetizationconfigs.get apigee.developers.get apigee.developers.list apigee.developersubscriptions.get apigee.developersubscriptions.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.hostqueries.get apigee.hostqueries.list apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.hoststats.get apigee.ingressconfigs.get apigee.instanceattachments.get apigee.instanceattachments.list apigee.instances.get apigee.instances.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.operations.* apigee.organizations.get apigee.organizations.list apigee.portals.get apigee.portals.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.rateplans.get apigee.rateplans.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.runtimeconfigs.get apigee.securityProfileEnvironments.computeScore apigee.securityProfiles.* apigee.securityStats.* apigee.securityreports.get apigee.securityreports.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Agente do ambiente de execução da Apigee (`roles/apigee.runtimeAgent`) Conjunto de permissões selecionadas para que um agente de ambiente de execução acesse os recursos da organização da Apigee	apigee.canaryevaluations.* apigee.ingressconfigs.get apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee.runtimeconfigs.get
Administrador de segurança da Apigee (`roles/apigee.securityAdmin`) Administrador de segurança para uma organização da Apigee	apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.* apigee.organizations.get apigee.organizations.list apigee.securityProfileEnvironments.* apigee.securityProfiles.* apigee.securityStats.* apigee.securityreports.* resourcemanager.projects.get resourcemanager.projects.list
Leitor de segurança da Apigee (`roles/apigee.securityViewer`) Leitor de segurança para uma organização da Apigee	apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.organizations.get apigee.organizations.list apigee.securityProfileEnvironments.computeScore apigee.securityProfiles.* apigee.securityStats.* apigee.securityreports.get apigee.securityreports.list resourcemanager.projects.get resourcemanager.projects.list
Gerenciador de sincronização da Apigee (`roles/apigee.synchronizerManager`) Conjunto selecionado de permissões para um sincronizador gerenciar ambientes em uma organização Apigee	apigee.environments.get apigee.environments.manageRuntime apigee.ingressconfigs.get
Administrador do Apigee Connect (`roles/apigeeconnect.Admin`) Administrador do Apigee Connect	apigeeconnect.connections.list
Agente do Apigee Connect (`roles/apigeeconnect.Agent`) Capacidade de configurar o agente do Apigee Connect entre clusters externos e o Google.	apigeeconnect.endpoints.connect

Papéis do Apigee Registry

Papel	Permissões
Administrador do Cloud Apigee Registry ^Beta (`roles/apigeeregistry.admin`) Acesso total aos recursos de registro e ambiente de execução do Cloud Apigee.	apigeeregistry.* resourcemanager.projects.get resourcemanager.projects.list
Editor do registro do Cloud Apigee ^Beta (`roles/apigeeregistry.editor`) Acesso para edição aos recursos de registro do Cloud Apigee.	apigeeregistry.apis.create apigeeregistry.apis.delete apigeeregistry.apis.get apigeeregistry.apis.getIamPolicy apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry.artifacts.create apigeeregistry.artifacts.delete apigeeregistry.artifacts.get apigeeregistry.artifacts.getIamPolicy apigeeregistry.artifacts.list apigeeregistry.artifacts.update apigeeregistry.deployments.* apigeeregistry.specs.create apigeeregistry.specs.delete apigeeregistry.specs.get apigeeregistry.specs.getIamPolicy apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.create apigeeregistry.versions.delete apigeeregistry.versions.get apigeeregistry.versions.getIamPolicy apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list
Leitor do Registro do Cloud Apigee ^Beta (`roles/apigeeregistry.viewer`) Acesso somente leitura aos recursos de registro do Cloud Apigee.	apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry.deployments.get apigeeregistry.deployments.list apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.versions.get apigeeregistry.versions.list resourcemanager.projects.get resourcemanager.projects.list
Worker do registro do Cloud Apigee ^Beta (`roles/apigeeregistry.worker`) O papel usado pelos workers dos aplicativos de registro da Apigee para ler e atualizar os artefatos do registro da Apigee.	apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry.artifacts.create apigeeregistry.artifacts.delete apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry.artifacts.update apigeeregistry.deployments.get apigeeregistry.deployments.list apigeeregistry.deployments.update apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.get apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list

Papéis do App Engine

Papel	Permissões
Administrador do App Engine (`roles/appengine.appAdmin`) Acesso de leitura/gravação/modificação a todas as configurações do aplicativo. Para implantar novas versões, o principal precisa ter o papel de Usuário da conta de serviço (`roles/iam.serviceAccountUser`) na conta de serviço padrão do App Engine, bem como os papéis de Editor do Cloud Build (`roles/cloudbuild.builds.editor`) e Administrador de objeto do Cloud Storage (`roles/storage.objectAdmin`) no projeto. Recursos de nível mais baixo em que é possível conceder esse papel: Projeto	appengine.applications.get appengine.applications.update appengine.instances.* appengine.memcache.addKey appengine.memcache.flush appengine.memcache.get appengine.memcache.update appengine.operations.* appengine.runtimes.actAsAdmin appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list
Criador do App Engine (`roles/appengine.appCreator`) Capacidade para criar o recurso do App Engine para o projeto. Recursos de nível mais baixo em que é possível conceder esse papel: Projeto	appengine.applications.create resourcemanager.projects.get resourcemanager.projects.list
Leitor do App Engine (`roles/appengine.appViewer`) Acesso somente de leitura a todas as configurações do aplicativo. Recursos de nível mais baixo em que é possível conceder esse papel: Projeto	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
Leitor de código do App Engine (`roles/appengine.codeViewer`) Acesso somente leitura a todas as configurações e ao código-fonte implantado do aplicativo. Recursos de nível mais baixo em que é possível conceder esse papel: Projeto	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
Implantador do App Engine (`roles/appengine.deployer`) Acesso somente de leitura a todas as configurações do aplicativo. Para implantar novas versões, você também precisa ter o papel de usuário da conta de serviço (`roles/iam.serviceAccountUser`) na conta de serviço padrão do App Engine e o papel de editor do Cloud Build (`roles/cloudbuild.builds.editor`) e de administrador de objeto do Cloud Storage (`roles/storage.objectAdmin`) no projeto. Não é possível modificar versões existentes, a não ser para excluir versões que não estejam recebendo tráfego. Recursos de nível mais baixo em que é possível conceder esse papel: Projeto	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
Administrador de serviço do App Engine (`roles/appengine.serviceAdmin`) Acesso somente de leitura a todas as configurações do aplicativo. Acesso de gravação a configurações de módulo e versão. Não permite implantar versões novas. Recursos de nível mais baixo em que é possível conceder esse papel: Projeto	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list

Papéis do Artifact Registry

Papel	Permissões
Administrador do Artifact Registry (`roles/artifactregistry.admin`) Acesso de administrador para a criação e o gerenciamento de repositórios.	artifactregistry.*
Leitor do Artifact Registry (`roles/artifactregistry.reader`) Acesso para leitura de itens do repositório.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
Administrador do repositório do Artifact Registry (`roles/artifactregistry.repoAdmin`) Acesso para gerenciar artefatos em repositórios.	artifactregistry.aptartifacts.create artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.* artifactregistry.pythonpackages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.* artifactregistry.yumartifacts.create
Gravador do Artifact Registry (`roles/artifactregistry.writer`) Acesso para leitura e gravação de itens do repositório.	artifactregistry.aptartifacts.create artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.create

Papéis do Assured Workloads

Role	Permissions
Assured Workloads Administrator (`roles/assuredworkloads.admin`) Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* logging.cmekSettings.update orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Editor (`roles/assuredworkloads.editor`) Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Reader (`roles/assuredworkloads.reader`) Grants read access to all Assured Workloads resources and CRM resources - project/folder	assuredworkloads.operations.* assuredworkloads.violations.get assuredworkloads.violations.list assuredworkloads.workload.get assuredworkloads.workload.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Papéis do AutoML

Papel	Permissões
Administrador do AutoML ^Beta (`roles/automl.admin`) Acesso total a todos os recursos do AutoML Recursos de nível mais baixo em que é possível conceder esse papel: Conjunto de dados Modelo	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
Editor do AutoML ^Beta (`roles/automl.editor`) Editor de todos os recursos do AutoML Recursos de nível mais baixo em que é possível conceder esse papel: Conjunto de dados Modelo	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.files.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
Preditor do AutoML ^Beta (`roles/automl.predictor`) Prever com modelos Recursos de nível mais baixo em que é possível conceder esse papel: Modelo	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list
Leitor do AutoML ^Beta (`roles/automl.viewer`) Acesso de leitura a todos os recursos do AutoML Recursos de nível mais baixo em que é possível conceder esse papel: Conjunto de dados Modelo	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.files.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list

Backup para papéis do GKE

Role	Permissions
Backup for GKE Admin ^Beta (`roles/gkebackup.admin`) Full access to all Backup for GKE resources.	gkebackup.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Backup Admin ^Beta (`roles/gkebackup.backupAdmin`) Allows administrators to manage all BackupPlan and Backup resources.	gkebackup.backupPlans.* gkebackup.backups.* gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.volumeBackups.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Delegated Backup Admin ^Beta (`roles/gkebackup.delegatedBackupAdmin`) Allows administrators to manage Backup resources for specific BackupPlans	gkebackup.backupPlans.get gkebackup.backups.* gkebackup.volumeBackups.*
Backup for GKE Delegated Restore Admin ^Beta (`roles/gkebackup.delegatedRestoreAdmin`) Allows administrators to manage Restore resources for specific RestorePlans	gkebackup.restorePlans.get gkebackup.restores.* gkebackup.volumeRestores.*
Backup for GKE Restore Admin ^Beta (`roles/gkebackup.restoreAdmin`) Allows administrators to manage all RestorePlan and Restore resources.	gkebackup.backupPlans.get gkebackup.backupPlans.list gkebackup.backups.get gkebackup.backups.list gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.restorePlans.* gkebackup.restores.* gkebackup.volumeBackups.* gkebackup.volumeRestores.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Viewer ^Beta (`roles/gkebackup.viewer`) Read-only access to all Backup for GKE resources.	gkebackup.backupPlans.get gkebackup.backupPlans.getIamPolicy gkebackup.backupPlans.list gkebackup.backups.get gkebackup.backups.list gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.restorePlans.get gkebackup.restorePlans.getIamPolicy gkebackup.restorePlans.list gkebackup.restores.get gkebackup.restores.list gkebackup.volumeBackups.* gkebackup.volumeRestores.* resourcemanager.projects.get resourcemanager.projects.list

Papéis do BeyondCorp

Role	Permissions
Cloud BeyondCorp Admin ^Beta (`roles/beyondcorp.admin`) Full access to all Cloud BeyondCorp resources.	beyondcorp.appConnections.* beyondcorp.appConnectors.* beyondcorp.appGateways.* beyondcorp.clientConnectorServices.create beyondcorp.clientConnectorServices.delete beyondcorp.clientConnectorServices.get beyondcorp.clientConnectorServices.getIamPolicy beyondcorp.clientConnectorServices.list beyondcorp.clientConnectorServices.setIamPolicy beyondcorp.clientConnectorServices.update beyondcorp.clientGateways.* beyondcorp.locations.* beyondcorp.operations.* resourcemanager.projects.get resourcemanager.projects.list
Cloud BeyondCorp Client Connector Admin ^Beta (`roles/beyondcorp.clientConnectorAdmin`) Full access to all BeyondCorp Client Connector resources.	beyondcorp.clientConnectorServices.create beyondcorp.clientConnectorServices.delete beyondcorp.clientConnectorServices.get beyondcorp.clientConnectorServices.getIamPolicy beyondcorp.clientConnectorServices.list beyondcorp.clientConnectorServices.setIamPolicy beyondcorp.clientConnectorServices.update beyondcorp.clientGateways.* resourcemanager.projects.get resourcemanager.projects.list
Cloud BeyondCorp Client Connector Service User ^Beta (`roles/beyondcorp.clientConnectorServiceUser`) Access Client Connector Service	beyondcorp.clientConnectorServices.access
Cloud BeyondCorp Client Connector Viewer ^Beta (`roles/beyondcorp.clientConnectorViewer`) Read-only access to all BeyondCorp Client Connector resources.	beyondcorp.clientConnectorServices.get beyondcorp.clientConnectorServices.getIamPolicy beyondcorp.clientConnectorServices.list beyondcorp.clientGateways.get beyondcorp.clientGateways.getIamPolicy beyondcorp.clientGateways.list resourcemanager.projects.get resourcemanager.projects.list
Cloud BeyondCorp Viewer ^Beta (`roles/beyondcorp.viewer`) Read-only access to all Cloud BeyondCorp resources.	beyondcorp.appConnections.get beyondcorp.appConnections.getIamPolicy beyondcorp.appConnections.list beyondcorp.appConnectors.get beyondcorp.appConnectors.getIamPolicy beyondcorp.appConnectors.list beyondcorp.appGateways.get beyondcorp.appGateways.getIamPolicy beyondcorp.appGateways.list beyondcorp.clientConnectorServices.get beyondcorp.clientConnectorServices.getIamPolicy beyondcorp.clientConnectorServices.list beyondcorp.clientGateways.get beyondcorp.clientGateways.getIamPolicy beyondcorp.clientGateways.list beyondcorp.locations.* beyondcorp.operations.get beyondcorp.operations.list resourcemanager.projects.get resourcemanager.projects.list

Papéis do BigQuery

Role	Permissions
BigQuery Admin (`roles/bigquery.admin`) Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Lowest-level resources where you can grant this role: Datasets Row access policies Tables Views	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.overrideTimeTravelRestrictions bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration.translation.translate resourcemanager.projects.get resourcemanager.projects.list
BigQuery Connection Admin (`roles/bigquery.connectionAdmin`)	bigquery.connections.*
BigQuery Connection User (`roles/bigquery.connectionUser`)	bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
BigQuery Data Editor (`roles/bigquery.dataEditor`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Owner (`roles/bigquery.dataOwner`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	bigquery.config.get bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Viewer (`roles/bigquery.dataViewer`) When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.createSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Filtered Data Viewer (`roles/bigquery.filteredDataViewer`) Access to view filtered table data defined by a row access policy	bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User (`roles/bigquery.jobUser`) Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role: Project	bigquery.config.get bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list
BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Read Session User (`roles/bigquery.readSessionUser`) Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) Administer all BigQuery resources.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservations.* recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Editor (`roles/bigquery.resourceEditor`) Manage all BigQuery resources, but cannot make purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) View all BigQuery resources but cannot make changes or purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery User (`roles/bigquery.user`) When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (`roles/bigquery.dataOwner`) on these new datasets. Lowest-level resources where you can grant this role: Dataset	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get bigquerymigration.translation.translate resourcemanager.projects.get resourcemanager.projects.list
Masked Reader ^Beta (`roles/bigquerydatapolicy.maskedReader`) Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns	bigquery.dataPolicies.maskedGet

Papéis de faturamento

Papel	Permissões
Administrador da conta de faturamento (`roles/billing.admin`) Dá acesso para visualizar e gerenciar todos os aspectos das contas de faturamento. Recursos de nível mais baixo em que é possível conceder esse papel: Conta de faturamento	billing.accounts.close billing.accounts.get billing.accounts.getCarbonInformation billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.list billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.activities.list cloudsupport.properties.get cloudsupport.techCases.* commerceoffercatalog.offers.get consumerprocurement.accounts.* consumerprocurement.orderAttributions.* consumerprocurement.orders.* dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list logging.logEntries.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.privateLogEntries.list recommender.commitmentUtilizationInsights.* recommender.costInsights.* recomendador.spendBasedCommitInsights.* recomendador.spendBasedCommitmentRecommendations.** recommender.usageCommitmentRecommendations.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment resourcemanager.projects.get resourcemanager.projects.list
Gerente de custos da conta de faturamento (`roles/billing.costsManager`) Gerenciar orçamentos de uma conta de faturamento e visualizar, analisar e exportar informações de custo de uma conta de faturamento. Recursos de nível mais baixo em que você pode conceder esse papel: Conta de faturamento	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.updateUsageExportSpec billing.budgets.* billing.resourceAssociations.list recommender.costInsights.*
Criador da conta de faturamento (`roles/billing.creator`) Dá acesso para criar contas de faturamento. Recursos de nível mais baixo em que é possível conceder esse papel: Organização	billing.accounts.create resourcemanager.organizations.get
Gerente de faturamento do projeto (`roles/billing.projectManager`) Quando concedido com o papel de usuário da conta de faturamento, fornece acesso para atribuir a conta de faturamento de um projeto ou desativar o faturamento. Recursos de nível mais baixo em que você pode conceder esse papel: Projeto	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment
Usuário da conta de faturamento (`roles/billing.user`) Quando concedido com o papel de proprietário ou gerente de projeto do faturamento, fornece acesso para associar projetos a contas de faturamento. Recursos de nível mais baixo em que você pode conceder esse papel: Conta de faturamento	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.list billing.resourceAssociations.create
Leitor da conta de faturamento (`roles/billing.viewer`) Veja informações sobre custos e preços das contas de faturamento, transações e recomendações de faturamento e compromisso. Recursos de nível mais baixo em que você pode conceder esse papel: Conta de faturamento	billing.accounts.get billing.accounts.getCarbonInformation billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.list billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list commerceoffercatalog.offers.get consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orderAttributions.get consumerprocurement.orderAttributions.list consumerprocurement.orders.get consumerprocurement.orders.list dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.costInsights.get recommender.costInsights.list recommender.spendBasedCommitmentInsights.get recommender.spendBasedCommitmentInsights.list recommender.spendBasedCommitmentRecommendations.get recomendador.spendBasedCommitmentRecommendations.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list

Papéis de autorização binária

Papel	Permissões
Administrador do atestador de autorização binária (`roles/binaryauthorization.attestorsAdmin`) Administrador de atestadores de autorização binária	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
Editor do atestador de autorização binária (`roles/binaryauthorization.attestorsEditor`) Editor de atestadores de autorização binária	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Verificador de imagens do atestador de autorização binária (`roles/binaryauthorization.attestorsVerifier`) Autor de chamadas do "VerifyImageAttested" de atestadores de autorização binária	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Visualizador do atestador de autorização binária (`roles/binaryauthorization.attestorsViewer`) Leitor de certificações de autorização binárias	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
Administrador da política de autorização binária (`roles/binaryauthorization.policyAdmin`) Administrador da política de autorização binária	binaryauthorization.continuousValidationConfig.* binaryauthorization.platformPolicies.* binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
Editor da política de autorização binária (`roles/binaryauthorization.policyEditor`) Editor da política de autorização binária	binaryauthorization.continuousValidationConfig.get binaryauthorization.continuousValidationConfig.update binaryauthorization.platformPolicies.* binaryauthorization.policy.evaluatePolicy binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
Avaliador da política de autorização binária ^Beta (`roles/binaryauthorization.policyEvaluator`) Avaliador da política de autorização binária	binaryauthorization.platformPolicies.evaluatePolicy binaryauthorization.platformPolicies.get binaryauthorization.platformPolicies.list binaryauthorization.policy.evaluatePolicy binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list
Visualizador da política de autorização binária (`roles/binaryauthorization.policyViewer`) Visualizador da política de autorização binária	binaryauthorization.continuousValidationConfig.get binaryauthorization.platformPolicies.get binaryauthorization.platformPolicies.list binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

Papéis do serviço de CA

Role	Permissions
CA Service Admin (`roles/privateca.admin`) Full access to all CA Service resources.	privateca.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Auditor (`roles/privateca.auditor`) Read-only access to all CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Operation Manager (`roles/privateca.caManager`) Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.	privateca.caPools.create privateca.caPools.delete privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.caPools.update privateca.certificateAuthorities.create privateca.certificateAuthorities.delete privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateAuthorities.update privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateRevocationLists.update privateca.certificateTemplates.create privateca.certificateTemplates.delete privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificateTemplates.update privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.certificates.update privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.create privateca.reusableConfigs.delete privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list privateca.reusableConfigs.update resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Certificate Manager (`roles/privateca.certificateManager`) Create certificates and read-only access for CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.create privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Certificate Requester (`roles/privateca.certificateRequester`) Request certificates from CA Service.	privateca.certificates.create
CA Service Certificate Template User (`roles/privateca.templateUser`) Read, list and use certificate templates.	privateca.certificateTemplates.get privateca.certificateTemplates.list privateca.certificateTemplates.use
CA Service Workload Certificate Requester (`roles/privateca.workloadCertificateRequester`) Request certificates from CA Service with caller's identity.	privateca.certificates.createForSelf

Papéis do gerenciador de certificados

Papel	Permissões
Editor do Gerenciador de certificados (`roles/certificatemanager.editor`) Acesso para edição de todos os recursos do Gerenciador de certificados.	certificatemanager.certmapentries.create certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmapentries.update certificatemanager.certmaps.create certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certmaps.update certificatemanager.certmaps.use certificatemanager.certs.create certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.certs.update certificatemanager.certs.use certificatemanager.dnsauthorizations.create certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.dnsauthorizations.update certificatemanager.dnsauthorizations.use certificatemanager.locations.* certificatemanager.operations.get certificatemanager.operations.list resourcemanager.projects.get resourcemanager.projects.list
Proprietário do Gerenciador de certificados (`roles/certificatemanager.owner`) Acesso total ao todos os recursos do Gerenciador de certificados.	certificatemanager.* resourcemanager.projects.get resourcemanager.projects.list
Visualizador do Gerenciador de certificados (`roles/certificatemanager.viewer`) Acesso somente leitura a todos os recursos do Gerenciador de certificados.	certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.locations.* certificatemanager.operations.get certificatemanager.operations.list resourcemanager.projects.get resourcemanager.projects.list

Papéis do Cloud AlloyDB

Papel	Permissões
Administrador do Cloud AlloyDB ^Beta (`roles/alloydb.admin`) Acesso total a todos os recursos do Cloud AlloyDB.	alloydb.* resourcemanager.projects.get resourcemanager.projects.list
Cliente do Cloud AlloyDB ^Beta (`roles/alloydb.client`) Acesso de conectividade a instâncias do Cloud AlloyDB.	alloydb.clusters.generateClientCertificate alloydb.clusters.get alloydb.instances.connect alloydb.instances.get resourcemanager.projects.get resourcemanager.projects.list
Leitor do Cloud AlloyDB ^Beta (`roles/alloydb.viewer`) Acesso somente leitura a todos os recursos do Cloud AlloyDB.	alloydb.backups.get alloydb.backups.list alloydb.clusters.get alloydb.clusters.list alloydb.instances.get alloydb.instances.list alloydb.locations.* alloydb.operations.get alloydb.operations.list alloydb.supportedDatabaseFlags.* resourcemanager.projects.get resourcemanager.projects.list

Papéis de recursos do Cloud

Papel	Permissões
Proprietário de recursos do Cloud (`roles/cloudasset.owner`) Acesso total aos metadados de recursos do Cloud	cloudasset.* recommender.cloudAssetInsights.* recommender.locations.*
Leitor de recursos do Cloud (`roles/cloudasset.viewer`) Acesso somente leitura aos metadados de recursos do cloud	cloudasset.assets.* recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.*

Papéis do Cloud Bigtable

Papel	Permissões
Administrador do Bigtable (`roles/bigtable.admin`) Administra todas as instâncias do Bigtable em um projeto, incluindo os dados armazenados nas tabelas. Pode criar novas instâncias. Destinado a administradores de projeto. Recursos de nível mais baixo em que você pode conceder esse papel: Tabela	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Leitor do Bigtable (`roles/bigtable.reader`) Concede acesso somente leitura aos dados armazenados em tabelas do Bigtable. Destinado a analistas de dados, geradores de painéis e outros cenários de análise de dados. Recursos de nível mais baixo em que você pode conceder esse papel: Tabela	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.list bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Usuário do Bigtable (`roles/bigtable.user`) Concede acesso de leitura e gravação aos dados armazenados em tabelas do Bigtable. Destinado a contas de serviço ou desenvolvedores de aplicativos. Recursos de nível mais baixo em que você pode conceder esse papel: Tabela	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.list bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Leitor do Bigtable (`roles/bigtable.viewer`) Não fornece acesso a dados. Serve como um conjunto mínimo de permissões para acessar o Console do Cloud para Bigtable. Recursos de nível mais baixo em que você pode conceder esse papel: Tabela	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.list bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get

Papéis do Cloud Build

Papel	Permissões
Aprovador do Cloud Build (`roles/cloudbuild.builds.approver`) Pode aprovar ou rejeitar builds pendentes.	cloudbuild.builds.approve cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Conta de serviço do Cloud Build (`roles/cloudbuild.builds.builder`) Concede acesso para executar builds.	artifactregistry.aptartifacts.create artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.create cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use: containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create logging.logEntries.list logging.privateLogEntries.list logging.views.access pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Editor do Cloud Build (`roles/cloudbuild.builds.editor`) Concede acesso para criar e cancelar versões. Recursos de nível mais baixo em que é possível conceder esse papel: Projeto	cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Leitor do Cloud Build (`roles/cloudbuild.builds.viewer`) Dá acesso para visualizar versões. Recursos de nível mais baixo em que é possível conceder esse papel: Projeto	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Editor de integrações do Cloud Build (`roles/cloudbuild.integrationsEditor`) Pode atualizar as integrações	cloudbuild.integrations.get cloudbuild.integrations.list cloudbuild.integrations.update resourcemanager.projects.get resourcemanager.projects.list
Proprietário de integrações do Cloud Build (`roles/cloudbuild.integrationsOwner`) Pode criar/excluir integrações	cloudbuild.integrations.* compute.firewalls.create compute.firewalls.get compute.firewalls.list compute.networks.get compute.networks.updatePolicy compute.regions.get compute.subnetworks.get compute.subnetworks.list resourcemanager.projects.get resourcemanager.projects.list
Leitor de integrações do Cloud Build (`roles/cloudbuild.integrationsViewer`) Pode ver as integrações	cloudbuild.integrations.get cloudbuild.integrations.list resourcemanager.projects.get resourcemanager.projects.list
Editor do WorkerPool do Cloud Build (`roles/cloudbuild.workerPoolEditor`) Pode atualizar e visualizar WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Proprietário do WorkerPool do Cloud Build (`roles/cloudbuild.workerPoolOwner`) Pode criar, excluir, atualizar e visualizar WorkerPools	cloudbuild.workerpools.create cloudbuild.workerpools.delete cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Usuário do WorkerPool do Cloud Build (`roles/cloudbuild.workerPoolUser`) Pode executar builds no WorkerPool	cloudbuild.workerpools.use
Leitor do WorkerPool do Cloud Build (`roles/cloudbuild.workerPoolViewer`) Pode visualizar WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list resourcemanager.projects.get resourcemanager.projects.list

Papéis do Cloud Composer

Role	Permissions
Cloud Composer v2 API Service Agent Extension (`roles/composer.ServiceAgentV2Ext`) Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.	iam.serviceAccounts.getIamPolicy iam.serviceAccounts.setIamPolicy
Composer Administrator (`roles/composer.admin`) Provides full control of Cloud Composer resources. Lowest-level resources where you can grant this role: Project	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Provides full control of Cloud Composer resources and of the objects in all project buckets. Lowest-level resources where you can grant this role: Project	composer.* orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.multipartUploads.* storage.objects.*
Environment User and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. Lowest-level resources where you can grant this role: Project	composer.dags.* composer.environments.get composer.environments.list composer.imageversions.list composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list
Composer Shared VPC Agent (`roles/composer.sharedVpcAgent`) Role that should be assigned to Composer Agent service account in Shared VPC host project	compute.networks.access compute.networks.addPeering compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.*
Composer User (`roles/composer.user`) Provides the permissions necessary to list and get Cloud Composer environments and operations. Lowest-level resources where you can grant this role: Project	composer.dags.* composer.environments.get composer.environments.list composer.imageversions.list composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Composer Worker (`roles/composer.worker`) Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. Lowest-level resources where you can grant this role: Project	artifactregistry.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use composer.environments.get container.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create logging.logEntries.list logging.privateLogEntries.list logging.views.access monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* orgpolicy.policy.get pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.multipartUploads.* storage.objects.*

Papéis do Cloud Connectors

Role Permissions

Role	Permissions
Connector Admin (`roles/connectors.admin`) Full access to all resources of Connectors Service.	connectors.* resourcemanager.projects.get resourcemanager.projects.list
Connectors Viewer (`roles/connectors.viewer`) Read-only access to Connectors all resources.	connectors.connections.get connectors.connections.getConnectionSchemaMetadata connectors.connections.getIamPolicy connectors.connections.getRuntimeActionSchema connectors.connections.getRuntimeEntitySchema connectors.connections.list connectors.connectors.* connectors.locations.* connectors.operations.get connectors.operations.list connectors.providers.* connectors.runtimeconfig.get connectors.versions.* resourcemanager.projects.get resourcemanager.projects.list

Connector Admin
(roles/connectors.admin)

Full access to all resources of Connectors Service.

connectors.*
resourcemanager.projects.get
resourcemanager.projects.list

Connectors Viewer
(roles/connectors.viewer)

Read-only access to Connectors all resources.

connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connectors.*
connectors.locations.*
connectors.operations.get
connectors.operations.list
connectors.providers.*
connectors.runtimeconfig.get
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list

Papéis do Cloud Data Fusion

Role Permissions

Role	Permissions
Cloud Data Fusion Admin ^Beta (`roles/datafusion.admin`) Full access to Cloud Data Fusion Instances, Namespaces and related resources. Lowest-level resources where you can grant this role: Project	datafusion.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Data Fusion Runner ^Beta (`roles/datafusion.runner`) Access to Cloud Data Fusion runtime resources.	datafusion.instances.runtime
Cloud Data Fusion Viewer ^Beta (`roles/datafusion.viewer`) Read-only access to Cloud Data Fusion Instances, Namespaces and related resources. Lowest-level resources where you can grant this role: Project	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.runtime datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Data Fusion Admin ^Beta
(roles/datafusion.admin)

Full access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

Project

datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Fusion Runner ^Beta
(roles/datafusion.runner)

Access to Cloud Data Fusion runtime resources.

datafusion.instances.runtime

Cloud Data Fusion Viewer ^Beta
(roles/datafusion.viewer)

Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

Project

datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.runtime
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Papéis do Cloud Data Labeling

Role	Permissions
Data Labeling Service Admin ^Beta (`roles/datalabeling.admin`) Full access to all Data Labeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service Editor ^Beta (`roles/datalabeling.editor`) Editor of all Data Labeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service Viewer ^Beta (`roles/datalabeling.viewer`) Viewer of all Data Labeling resources	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Papéis do Cloud Dataplex

Papel	Permissões
Administrador do Dataplex (`roles/dataplex.admin`) Acesso total a todos os recursos do Dataplex.	cloudasset.assets.analyzeIamPolicy cloudasset.assets.searchAllIamPolicies cloudasset.assets.searchAllResources dataplex.assetActions.list dataplex.assets.create dataplex.assets.delete dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.setIamPolicy dataplex.assets.update dataplex.content.* dataplex.entities.* dataplex.environments.* dataplex.lakeActions.list dataplex.lakes.* dataplex.locations.* dataplex.operations.* dataplex.partitions.* dataplex.tasks.* dataplex.zoneActions.list dataplex.zones.* resourcemanager.projects.get resourcemanager.projects.list
Proprietário de dados do Dataplex (`roles/dataplex.dataOwner`) Acesso de proprietário aos dados. Concedido apenas aos recursos data lake, zona ou recurso do Dataplex.	dataplex.assets.ownData dataplex.assets.readData dataplex.assets.writeData
Leitor de dados do Dataplex (`roles/dataplex.dataReader`) Acesso somente leitura aos dados. Concedido apenas aos recursos data lake, zona ou recurso do Dataplex.	dataplex.assets.readData
Gravador de dados do Dataplex (`roles/dataplex.dataWriter`) Acesso de gravação aos dados. Concedido apenas aos recursos data lake, zona ou recurso do Dataplex.	dataplex.assets.writeData
Desenvolvedor do Dataplex (`roles/dataplex.developer`) Permite executar cargas de trabalho de análise de dados em um lake.	dataplex.content.* dataplex.environments.execute dataplex.environments.get dataplex.environments.list dataplex.tasks.cancel dataplex.tasks.create dataplex.tasks.delete dataplex.tasks.get dataplex.tasks.list dataplex.tasks.update
Editor do Dataplex (`roles/dataplex.editor`) Acesso de gravação aos recursos do Dataplex.	cloudasset.assets.analyzeIamPolicy dataplex.assetActions.list dataplex.assets.create dataplex.assets.delete dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.update dataplex.content.delete dataplex.content.get dataplex.content.getIamPolicy dataplex.content.list dataplex.environments.create dataplex.environments.delete dataplex.environments.get dataplex.environments.getIamPolicy dataplex.environments.list dataplex.environments.update dataplex.lakeActions.list dataplex.lakes.create dataplex.lakes.delete dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.lakes.update dataplex.operations.* dataplex.tasks.cancel dataplex.tasks.create dataplex.tasks.delete dataplex.tasks.get dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.tasks.update dataplex.zoneActions.list dataplex.zones.create dataplex.zones.delete dataplex.zones.get dataplex.zones.getIamPolicy dataplex.zones.list dataplex.zones.update
Leitor de metadados do Dataplex (`roles/dataplex.metadataReader`) Acesso somente leitura aos metadados.	dataplex.assets.get dataplex.assets.list dataplex.entities.get dataplex.entities.list dataplex.partitions.get dataplex.partitions.list dataplex.zones.get dataplex.zones.list
Gravador de metadados do Dataplex (`roles/dataplex.metadataWriter`) Acesso de leitura e gravação aos metadados.	dataplex.assets.get dataplex.assets.list dataplex.entities.* dataplex.partitions.* dataplex.zones.get dataplex.zones.list
Proprietário de dados de armazenamento do Dataplex (`roles/dataplex.storageDataOwner`) Acesso de proprietário aos dados. Não pode ser usado diretamente. Este papel é concedido pelo Dataplex aos recursos gerenciados, como buckets do Cloud Storage, conjuntos de dados do BigQuery etc.	bigquery.datasets.get bigquery.models.create bigquery.models.delete bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.models.updateData bigquery.models.updateMetadata bigquery.routines.create bigquery.routines.delete bigquery.routines.get bigquery.routines.list bigquery.routines.update bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Leitor de dados de armazenamento do Dataplex (`roles/dataplex.storageDataReader`) Acesso somente leitura aos dados. Não pode ser usado diretamente. Este papel é concedido pelo Dataplex aos recursos gerenciados, como buckets do Cloud Storage, conjuntos de dados do BigQuery etc.	bigquery.datasets.get bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list storage.buckets.get storage.objects.get storage.objects.list
Gravador de dados de armazenamento do Dataplex (`roles/dataplex.storageDataWriter`) Acesso de gravação aos dados. Não pode ser usado diretamente. Este papel é concedido pelo Dataplex aos recursos gerenciados, como buckets do Cloud Storage, conjuntos de dados do BigQuery etc.	bigquery.tables.updateData storage.objects.create storage.objects.delete storage.objects.update
Leitor do Dataplex (`roles/dataplex.viewer`) Acesso de leitura aos recursos do Dataplex.	cloudasset.assets.analyzeIamPolicy dataplex.assetActions.list dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.content.get dataplex.content.getIamPolicy dataplex.content.list dataplex.environments.get dataplex.environments.getIamPolicy dataplex.environments.list dataplex.lakeActions.list dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.operations.get dataplex.operations.list dataplex.tasks.get dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.zoneActions.list dataplex.zones.get dataplex.zones.getIamPolicy dataplex.zones.list

Papéis do Cloud Debugger

Papel Permissões

Papel	Permissões
Agente do Cloud Debugger ^Beta (`roles/clouddebugger.agent`) Concede permissões para registrar o alvo da depuração, ler pontos de interrupção ativos e relatar resultados dos pontos de interrupção. Recursos de nível mais baixo em que é possível conceder esse papel: Conta de serviço	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create
Usuário do Cloud Debugger ^Beta (`roles/clouddebugger.user`) Concede permissões para criar, visualizar, listar e excluir pontos de interrupção (instantâneos e logpoints), bem como listar alvos de depuração (depurados). Recursos de nível mais baixo em que é possível conceder esse papel: Projeto	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list

Agente do Cloud Debugger ^Beta
(roles/clouddebugger.agent)

Concede permissões para registrar o alvo da depuração, ler pontos de interrupção ativos e relatar resultados dos pontos de interrupção.

Recursos de nível mais baixo em que é possível conceder esse papel:

Conta de serviço

clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create

Usuário do Cloud Debugger ^Beta
(roles/clouddebugger.user)

Concede permissões para criar, visualizar, listar e excluir pontos de interrupção (instantâneos e logpoints), bem como listar alvos de depuração (depurados).

Recursos de nível mais baixo em que é possível conceder esse papel:

Projeto

clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list

Papéis do Cloud Deploy

Papel	Permissões
Administrador do Cloud Deploy ^Beta (`roles/clouddeploy.admin`) Controle total dos recursos do Cloud Deploy.	clouddeploy.* resourcemanager.projects.get resourcemanager.projects.list
Aprovador do Cloud Deploy ^Beta (`roles/clouddeploy.approver`) Permissão para aprovar ou rejeitar lançamentos.	clouddeploy.locations.* clouddeploy.operations.* clouddeploy.rollouts.approve clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Desenvolvedor do Cloud Deploy ^Beta (`roles/clouddeploy.developer`) Permissão para gerenciar a configuração de implantação sem permissão para acessar recursos operacionais, como destinos.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Executor do Cloud Deploy ^Beta (`roles/clouddeploy.jobRunner`) Permissão para executar o trabalho do Cloud Deploy sem permissão para entregar a um destino.	logging.logEntries.create storage.objects.create storage.objects.get storage.objects.list
Operador do Cloud Deploy ^Beta (`roles/clouddeploy.operator`) Permissão para gerenciar a configuração de implantação.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.create clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list clouddeploy.targets.update resourcemanager.projects.get resourcemanager.projects.list
Lançador do Cloud Deploy ^Beta (`roles/clouddeploy.releaser`) Permissão para criar versões e lançamentos do Cloud Deploy.	clouddeploy.deliveryPipelines.get clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.create clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get resourcemanager.projects.get resourcemanager.projects.list
Leitor do Cloud Deploy ^Beta (`roles/clouddeploy.viewer`) Pode ver recursos do Cloud Deploy.	clouddeploy.config.get clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.locations.* clouddeploy.operations.get clouddeploy.operations.list clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list resourcemanager.projects.get resourcemanager.projects.list

Papéis do Cloud DLP

Role	Permissions
DLP Administrator (`roles/dlp.admin`) Administer DLP including jobs and templates.	dlp.* serviceusage.services.use
DLP Analyze Risk Templates Editor (`roles/dlp.analyzeRiskTemplatesEditor`) Edit DLP analyze risk templates.	dlp.analyzeRiskTemplates.*
DLP Analyze Risk Templates Reader (`roles/dlp.analyzeRiskTemplatesReader`) Read DLP analyze risk templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
DLP Column Data Profiles Reader (`roles/dlp.columnDataProfilesReader`) Read DLP column profiles.	dlp.columnDataProfiles.*
DLP Data Profiles Reader (`roles/dlp.dataProfilesReader`) Read DLP profiles.	dlp.columnDataProfiles.* dlp.projectDataProfiles.* dlp.tableDataProfiles.*
DLP De-identify Templates Editor (`roles/dlp.deidentifyTemplatesEditor`) Edit DLP de-identify templates.	dlp.deidentifyTemplates.*
DLP De-identify Templates Reader (`roles/dlp.deidentifyTemplatesReader`) Read DLP de-identify templates.	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
DLP Cost Estimation (`roles/dlp.estimatesAdmin`) Manage DLP Cost Estimates.	dlp.estimates.*
DLP Inspect Findings Reader (`roles/dlp.inspectFindingsReader`) Read DLP stored findings.	dlp.inspectFindings.list
DLP Inspect Templates Editor (`roles/dlp.inspectTemplatesEditor`) Edit DLP inspect templates.	dlp.inspectTemplates.*
DLP Inspect Templates Reader (`roles/dlp.inspectTemplatesReader`) Read DLP inspect templates.	dlp.inspectTemplates.get dlp.inspectTemplates.list
DLP Job Triggers Editor (`roles/dlp.jobTriggersEditor`) Edit job triggers configurations.	dlp.jobTriggers.*
DLP Job Triggers Reader (`roles/dlp.jobTriggersReader`) Read job triggers.	dlp.jobTriggers.get dlp.jobTriggers.list
DLP Jobs Editor (`roles/dlp.jobsEditor`) Edit and create jobs	dlp.jobs.* dlp.kms.encrypt
DLP Jobs Reader (`roles/dlp.jobsReader`) Read jobs	dlp.jobs.get dlp.jobs.list
DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) Permissions needed by the DLP service account to generate data profiles within an organization or folder.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration.translation.translate cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
DLP Project Data Profiles Reader (`roles/dlp.projectDataProfilesReader`) Read DLP project profiles.	dlp.projectDataProfiles.*
DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Permissions needed by the DLP service account to generate data profiles within a project.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration.translation.translate cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
DLP Reader (`roles/dlp.reader`) Read DLP entities, such as jobs and templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectFindings.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.locations.* dlp.storedInfoTypes.get dlp.storedInfoTypes.list
DLP Stored InfoTypes Editor (`roles/dlp.storedInfoTypesEditor`) Edit DLP stored info types.	dlp.storedInfoTypes.*
DLP Stored InfoTypes Reader (`roles/dlp.storedInfoTypesReader`) Read DLP stored info types.	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
DLP Table Data Profiles Reader (`roles/dlp.tableDataProfilesReader`) Read DLP table profiles.	dlp.tableDataProfiles.*
DLP User (`roles/dlp.user`) Inspect, Redact, and De-identify Content	dlp.kms.encrypt dlp.locations.* serviceusage.services.use

Papéis do Cloud Domains

Role	Permissions
Cloud Domains Admin (`roles/domains.admin`) Full access to Cloud Domains Registrations and related resources.	domains.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Domains Viewer (`roles/domains.viewer`) Read-only access to Cloud Domains Registrations and related resources.	domains.locations.* domains.operations.get domains.operations.list domains.registrations.get domains.registrations.getIamPolicy domains.registrations.list domains.registrations.listEffectiveTags domains.registrations.listTagBindings resourcemanager.projects.get resourcemanager.projects.list

Papéis do Cloud Filestore

Role	Permissions
Cloud Filestore Editor ^Beta (`roles/file.editor`) Read-write access to Filestore instances and related resources.	file.*
Cloud Filestore Viewer ^Beta (`roles/file.viewer`) Read-only access to Filestore instances and related resources.	file.backups.get file.backups.list file.backups.listEffectiveTags file.backups.listTagBindings file.instances.get file.instances.list file.instances.listEffectiveTags file.instances.listTagBindings file.locations.* file.operations.get file.operations.list file.snapshots.listEffectiveTags file.snapshots.listTagBindings

Papéis do Cloud Functions

Papel Permissões

Papel	Permissões
Administrador do Cloud Functions (`roles/cloudfunctions.admin`) Acesso total a funções, operações e locais.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.* eventarc.* recommender.locations.* recommender.runServiceIdentityInsights.* recommender.runServiceIdentityRecommendations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Desenvolvedor do Cloud Functions (`roles/cloudfunctions.developer`) Acesso de leitura e gravação a todos os recursos relacionados a funções.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.list eventarc.channelConnections.create eventarc.channelConnections.delete eventarc.channelConnections.get eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channelConnections.publish eventarc.c

Administrador do Cloud Functions
(roles/cloudfunctions.admin)

Acesso total a funções, operações e locais.

cloudbuild.builds.get
cloudbuild.builds.list
cloudfunctions.*
eventarc.*
recommender.locations.*
recommender.runServiceIdentityInsights.*
recommender.runServiceIdentityRecommendations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Desenvolvedor do Cloud Functions
(roles/cloudfunctions.developer)

Acesso de leitura e gravação a todos os recursos relacionados a funções.

cloudbuild.builds.get
cloudbuild.builds.list
cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.invoke
cloudfunctions.functions.list
cloudfunctions.functions.sourceCodeGet
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudfunctions.runtimes.list
eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.c