Access control with IAM
Identity and Access Management (IAM) roles determine how the Managed Service for Microsoft Active Directory (Managed Microsoft AD) API can be used. The IAM roles available for Managed Microsoft AD, and what each role allows, are listed below.
In addition, a service account must have the servicemanagement.services.bind permission in order to view and enable Managed Microsoft AD. Learn more about Service Management roles and permissions.
Role: Google Cloud Managed Identities Admin (roles/managedidentities.admin)
Description: Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project level.
Permissions:
  managedidentities.*
    managedidentities.backups.create
    managedidentities.backups.delete
    managedidentities.backups.get
    managedidentities.backups.getIamPolicy
    managedidentities.backups.list
    managedidentities.backups.setIamPolicy
    managedidentities.backups.update
    managedidentities.domains.attachTrust
    managedidentities.domains.checkMigrationPermission
    managedidentities.domains.create
    managedidentities.domains.createTagBinding
    managedidentities.domains.delete
    managedidentities.domains.deleteTagBinding
    managedidentities.domains.detachTrust
    managedidentities.domains.disableMigration
    managedidentities.domains.domainJoinMachine
    managedidentities.domains.enableMigration
    managedidentities.domains.extendSchema
    managedidentities.domains.get
    managedidentities.domains.getIamPolicy
    managedidentities.domains.list
    managedidentities.domains.listEffectiveTags
    managedidentities.domains.listTagBindings
    managedidentities.domains.reconfigureTrust
    managedidentities.domains.resetpassword
    managedidentities.domains.restore
    managedidentities.domains.setIamPolicy
    managedidentities.domains.update
    managedidentities.domains.updateLDAPSSettings
    managedidentities.domains.validateTrust
    managedidentities.locations.get
    managedidentities.locations.list
    managedidentities.operations.cancel
    managedidentities.operations.delete
    managedidentities.operations.get
    managedidentities.operations.list
    managedidentities.peerings.create
    managedidentities.peerings.delete
    managedidentities.peerings.get
    managedidentities.peerings.getIamPolicy
    managedidentities.peerings.list
    managedidentities.peerings.setIamPolicy
    managedidentities.peerings.update
    managedidentities.sqlintegrations.get
    managedidentities.sqlintegrations.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Role: Google Cloud Managed Identities Backup Admin (roles/managedidentities.backupAdmin)
Description: Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project level.
Permissions:
  managedidentities.backups.*
    managedidentities.backups.create
    managedidentities.backups.delete
    managedidentities.backups.get
    managedidentities.backups.getIamPolicy
    managedidentities.backups.list
    managedidentities.backups.setIamPolicy
    managedidentities.backups.update
  managedidentities.domains.get
  managedidentities.locations.*
    managedidentities.locations.get
    managedidentities.locations.list
  managedidentities.operations.*
    managedidentities.operations.cancel
    managedidentities.operations.delete
    managedidentities.operations.get
    managedidentities.operations.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Role: Google Cloud Managed Identities Backup Viewer (roles/managedidentities.backupViewer)
Description: Read-only access to Google Cloud Managed Identities Backup and related resources.
Permissions:
  managedidentities.backups.get
  managedidentities.backups.getIamPolicy
  managedidentities.backups.list
  managedidentities.domains.get
  managedidentities.locations.*
    managedidentities.locations.get
    managedidentities.locations.list
  managedidentities.operations.get
  managedidentities.operations.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Role: Google Cloud Managed Identities Domain Admin (roles/managedidentities.domainAdmin)
Description: Read-Update-Delete access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.
Permissions:
  managedidentities.backups.*
    managedidentities.backups.create
    managedidentities.backups.delete
    managedidentities.backups.get
    managedidentities.backups.getIamPolicy
    managedidentities.backups.list
    managedidentities.backups.setIamPolicy
    managedidentities.backups.update
  managedidentities.domains.attachTrust
  managedidentities.domains.checkMigrationPermission
  managedidentities.domains.createTagBinding
  managedidentities.domains.delete
  managedidentities.domains.deleteTagBinding
  managedidentities.domains.detachTrust
  managedidentities.domains.disableMigration
  managedidentities.domains.domainJoinMachine
  managedidentities.domains.enableMigration
  managedidentities.domains.extendSchema
  managedidentities.domains.get
  managedidentities.domains.getIamPolicy
  managedidentities.domains.listEffectiveTags
  managedidentities.domains.listTagBindings
  managedidentities.domains.reconfigureTrust
  managedidentities.domains.resetpassword
  managedidentities.domains.restore
  managedidentities.domains.update
  managedidentities.domains.updateLDAPSSettings
  managedidentities.domains.validateTrust
  managedidentities.locations.*
    managedidentities.locations.get
    managedidentities.locations.list
  managedidentities.operations.get
  managedidentities.operations.list
  managedidentities.sqlintegrations.*
    managedidentities.sqlintegrations.get
    managedidentities.sqlintegrations.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Role: Google Cloud Managed Identities Domain Join (Beta) (roles/managedidentities.domainJoin)
Description: Access to domain join VMs with Cloud AD.
Permissions:
  managedidentities.domains.domainJoinMachine
  managedidentities.domains.get

Role: Google Cloud Managed Identities Peering Admin (roles/managedidentities.peeringAdmin)
Description: Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project level.
Permissions:
  managedidentities.locations.*
    managedidentities.locations.get
    managedidentities.locations.list
  managedidentities.operations.*
    managedidentities.operations.cancel
    managedidentities.operations.delete
    managedidentities.operations.get
    managedidentities.operations.list
  managedidentities.peerings.*
    managedidentities.peerings.create
    managedidentities.peerings.delete
    managedidentities.peerings.get
    managedidentities.peerings.getIamPolicy
    managedidentities.peerings.list
    managedidentities.peerings.setIamPolicy
    managedidentities.peerings.update
  resourcemanager.projects.get
  resourcemanager.projects.list

Role: Google Cloud Managed Identities Peering Viewer (roles/managedidentities.peeringViewer)
Description: Read-only access to Google Cloud Managed Identities Peering and related resources.
Permissions:
  managedidentities.locations.*
    managedidentities.locations.get
    managedidentities.locations.list
  managedidentities.operations.get
  managedidentities.operations.list
  managedidentities.peerings.get
  managedidentities.peerings.getIamPolicy
  managedidentities.peerings.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Role: Cloud Managed Identities Service Agent (roles/managedidentities.serviceAgent)
Description: Gives the Managed Identities service account access to managed resources.

  Warning: Do not grant service agent roles to any principals except service agents.

Permissions:
  compute.globalOperations.get
  compute.networks.addPeering
  compute.networks.get
  compute.networks.removePeering
  compute.networks.update
  compute.routes.list
  dns.changes.*
    dns.changes.create
    dns.changes.get
    dns.changes.list
  dns.dnsKeys.*
    dns.dnsKeys.get
    dns.dnsKeys.list
  dns.managedZoneOperations.*
    dns.managedZoneOperations.get
    dns.managedZoneOperations.list
  dns.managedZones.create
  dns.managedZones.delete
  dns.managedZones.get
  dns.managedZones.list
  dns.managedZones.update
  dns.networks.bindPrivateDNSPolicy
  dns.networks.bindPrivateDNSZone
  dns.policies.*
    dns.policies.create
    dns.policies.delete
    dns.policies.get
    dns.policies.list
    dns.policies.update
  dns.projects.get
  dns.resourceRecordSets.*
    dns.resourceRecordSets.create
    dns.resourceRecordSets.delete
    dns.resourceRecordSets.get
    dns.resourceRecordSets.list
    dns.resourceRecordSets.update
  dns.responsePolicies.*
    dns.responsePolicies.create
    dns.responsePolicies.delete
    dns.responsePolicies.get
    dns.responsePolicies.list
    dns.responsePolicies.update
  dns.responsePolicyRules.*
    dns.responsePolicyRules.create
    dns.responsePolicyRules.delete
    dns.responsePolicyRules.get
    dns.responsePolicyRules.list
    dns.responsePolicyRules.update
  monitoring.metricDescriptors.create
  monitoring.metricDescriptors.get
  monitoring.metricDescriptors.list
  monitoring.monitoredResourceDescriptors.*
    monitoring.monitoredResourceDescriptors.get
    monitoring.monitoredResourceDescriptors.list
  monitoring.timeSeries.create
  resourcemanager.projects.get
  resourcemanager.projects.list
  telemetry.metrics.write

Role: Google Cloud Managed Identities Viewer (roles/managedidentities.viewer)
Description: Read-only access to Google Cloud Managed Identities Domains and related resources.
Permissions:
  managedidentities.backups.get
  managedidentities.backups.getIamPolicy
  managedidentities.backups.list
  managedidentities.domains.get
  managedidentities.domains.getIamPolicy
  managedidentities.domains.list
  managedidentities.domains.listEffectiveTags
  managedidentities.domains.listTagBindings
  managedidentities.locations.*
    managedidentities.locations.get
    managedidentities.locations.list
  managedidentities.operations.get
  managedidentities.operations.list
  managedidentities.peerings.get
  managedidentities.peerings.getIamPolicy
  managedidentities.peerings.list
  managedidentities.sqlintegrations.*
    managedidentities.sqlintegrations.get
    managedidentities.sqlintegrations.list
  resourcemanager.projects.get
  resourcemanager.projects.list

For more information about Identity and Access Management (IAM) roles, see Understanding roles.
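The role table above carries two review points a defender will want to check mechanically: the service agent role must only be bound to service agents, and roles/managedidentities.domainAdmin is intended for a domain-level grant, so seeing it in a project-level policy deserves a second look. The following audit script is an added example, not code from this page or from Google; it assumes the input is the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns (the sample policy below is constructed), and the service agent member pattern `serviceAccount:service-<project number>@gcp-sa-<service>.iam.gserviceaccount.com` is an assumption not stated on this page. The public-principal check (allUsers / allAuthenticatedUsers) is general IAM hygiene added here, not something the table states.

```python
"""Audit a Google Cloud IAM policy for risky Managed Microsoft AD role bindings.

Added example; not part of the Managed Microsoft AD documentation.
"""
import json
import re

# Grant levels as stated in the role table: these roles are intended for
# project-level grants, domainAdmin for a resource (domain)-level grant.
PROJECT_LEVEL_ROLES = {
    "roles/managedidentities.admin",
    "roles/managedidentities.backupAdmin",
    "roles/managedidentities.peeringAdmin",
}
DOMAIN_LEVEL_ROLES = {"roles/managedidentities.domainAdmin"}
SERVICE_AGENT_ROLE = "roles/managedidentities.serviceAgent"

# ASSUMPTION: Google-managed service agents use this member format; adjust if
# your organisation's convention differs.
SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$"
)
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_bindings(policy: dict, level: str = "project") -> list:
    """Return a list of findings for the managedidentities.* bindings in *policy*.

    *level* is where the policy was read from ("project" or "domain"); the
    domain-level-role check only applies to project-level policies.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith("roles/managedidentities."):
            continue  # only the roles from this page are in scope
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append({"severity": "HIGH", "role": role, "member": member,
                                 "reason": "Managed Microsoft AD role bound to a public principal"})
            elif role == SERVICE_AGENT_ROLE and not SERVICE_AGENT_RE.match(member):
                # The table's warning: service agent roles go to service agents only.
                findings.append({"severity": "HIGH", "role": role, "member": member,
                                 "reason": "service agent role bound to a non-service-agent principal"})
            elif level == "project" and role in DOMAIN_LEVEL_ROLES:
                findings.append({"severity": "MEDIUM", "role": role, "member": member,
                                 "reason": "role intended for a domain-level grant is bound at project level"})
    return findings


# Constructed sample policy in the shape gcloud returns; the project number,
# principals and domain are made up.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/managedidentities.admin",
     "members": ["group:ad-admins@example.com"]},
    {"role": "roles/managedidentities.domainAdmin",
     "members": ["user:alice@example.com"]},
    {"role": "roles/managedidentities.serviceAgent",
     "members": ["serviceAccount:service-123456789012@gcp-sa-managedidentities.iam.gserviceaccount.com",
                 "user:bob@example.com"]},
    {"role": "roles/managedidentities.viewer",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/managedidentities.domainJoin",
     "members": ["serviceAccount:vm-joiner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:carol@example.com"]}
  ],
  "etag": "BwXyz",
  "version": 1
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


def main() -> None:
    for f in audit_bindings(SAMPLE_POLICY):
        print(f"[{f['severity']}] {f['role']} -> {f['member']}: {f['reason']}")


if __name__ == "__main__":
    main()
```

Run it against a real policy by replacing SAMPLE_POLICY with `json.load()` of the gcloud output; a clean policy produces no findings, and the roles/managedidentities.domainJoin binding to a workload service account in the sample is left alone because the table scopes that role to exactly the two permissions a domain-join needs.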
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-24 UTC.