Access control

Identity and Access Management (IAM) roles determine how you can use the Managed Service for Microsoft Active Directory (Managed Microsoft AD) API. Below is a list of each IAM role available for Managed Microsoft AD and the permissions each role grants.

Additionally, service accounts must have the servicemanagement.services.bind permission to see and enable Managed Microsoft AD. Learn more about service management roles and permissions.

Role: roles/managedidentities.admin
Title: Google Cloud Managed Identities Admin
Description: Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project level.
Permissions:
  • managedidentities.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: roles/managedidentities.domainAdmin
Title: Google Cloud Managed Identities Domain Admin
Description: Read, update and delete access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.
Permissions:
  • managedidentities.domains.attachTrust
  • managedidentities.domains.delete
  • managedidentities.domains.detachTrust
  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.reconfigureTrust
  • managedidentities.domains.resetpassword
  • managedidentities.domains.update
  • managedidentities.domains.updateLDAPSSettings
  • managedidentities.domains.validateTrust
  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: roles/managedidentities.viewer
Title: Google Cloud Managed Identities Viewer
Description: Read-only access to Google Cloud Managed Identities Domains and related resources.
Permissions:
  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.list
  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
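The role listings above are what a least-privilege review of Managed Microsoft AD bindings works from: the wildcard entries (managedidentities.*, managedidentities.locations.*) have to be expanded before you can tell which principals can, say, delete a domain or reset its administrator password. The following is an added example, not Google's code or tooling; it encodes the three roles exactly as listed on this page and evaluates a constructed set of policy bindings, where the project, domain name, principals and the added "resource" field are all hypothetical.

```python
from fnmatch import fnmatchcase

# Permissions of the three Managed Microsoft AD roles exactly as listed above;
# entries ending in "*" cover every permission under that prefix.
ROLE_PERMISSIONS = {
    "roles/managedidentities.admin": """
        managedidentities.* resourcemanager.projects.get resourcemanager.projects.list
    """.split(),
    "roles/managedidentities.domainAdmin": """
        managedidentities.domains.attachTrust managedidentities.domains.delete
        managedidentities.domains.detachTrust managedidentities.domains.get
        managedidentities.domains.getIamPolicy managedidentities.domains.reconfigureTrust
        managedidentities.domains.resetpassword managedidentities.domains.update
        managedidentities.domains.updateLDAPSSettings managedidentities.domains.validateTrust
        managedidentities.locations.* managedidentities.operations.get
        managedidentities.operations.list resourcemanager.projects.get
        resourcemanager.projects.list
    """.split(),
    "roles/managedidentities.viewer": """
        managedidentities.domains.get managedidentities.domains.getIamPolicy
        managedidentities.domains.list managedidentities.locations.*
        managedidentities.operations.get managedidentities.operations.list
        resourcemanager.projects.get resourcemanager.projects.list
    """.split(),
}

def role_grants(role, permission):
    """True if the role carries the permission, expanding wildcard entries."""
    return any(fnmatchcase(permission, p) for p in ROLE_PERMISSIONS.get(role, []))

# Constructed sample (hypothetical project, domain and principals): IAM policy
# bindings plus the resource each policy is attached to, since a policy read from
# one resource does not carry the resource name itself.
SAMPLE_BINDINGS = [
    {"resource": "projects/example-project",
     "role": "roles/managedidentities.admin",
     "members": ["group:ad-platform-team@example.com"]},
    {"resource": "projects/example-project",
     "role": "roles/managedidentities.viewer",
     "members": ["group:ops-readonly@example.com"]},
    {"resource": "projects/example-project/locations/global/domains/corp.example.com",
     "role": "roles/managedidentities.domainAdmin",
     "members": ["user:alice@example.com"]},
]

def principals_with_permission(bindings, permission):
    """Sorted (member, role, resource) tuples whose role grants the permission."""
    return sorted({(m, b["role"], b["resource"]) for b in bindings
                   if role_grants(b["role"], permission) for m in b["members"]})
```

Running principals_with_permission over bindings collected from both the project and each domain shows who can perform a given sensitive operation and at which level the grant was made, which is the check to run before confirming that admin sits at project level and domainAdmin only on individual domains.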

For more information about IAM roles, see understanding roles.