使用 IAM 进行访问权限控制

Identity and Access Management (IAM) 角色介绍了如何使用 Managed Service for Microsoft Active Directory (Managed Microsoft AD) API。下面列出了一系列可用于代管式 Microsoft AD 的 IAM 角色及其可用的方法。

此外,服务帐号必须具有 servicemanagement.services.bind 权限才能查看和启用托管式 Microsoft AD。详细了解服务管理角色和权限

Role Permissions

(roles/managedidentities.admin)

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.

managedidentities.*

  • managedidentities.backups.create
  • managedidentities.backups.delete
  • managedidentities.backups.get
  • managedidentities.backups.getIamPolicy
  • managedidentities.backups.list
  • managedidentities.backups.setIamPolicy
  • managedidentities.backups.update
  • managedidentities.domains.attachTrust
  • managedidentities.domains.checkMigrationPermission
  • managedidentities.domains.create
  • managedidentities.domains.createTagBinding
  • managedidentities.domains.delete
  • managedidentities.domains.deleteTagBinding
  • managedidentities.domains.detachTrust
  • managedidentities.domains.disableMigration
  • managedidentities.domains.domainJoinMachine
  • managedidentities.domains.enableMigration
  • managedidentities.domains.extendSchema
  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.list
  • managedidentities.domains.listEffectiveTags
  • managedidentities.domains.listTagBindings
  • managedidentities.domains.reconfigureTrust
  • managedidentities.domains.resetpassword
  • managedidentities.domains.restore
  • managedidentities.domains.setIamPolicy
  • managedidentities.domains.update
  • managedidentities.domains.updateLDAPSSettings
  • managedidentities.domains.validateTrust
  • managedidentities.locations.get
  • managedidentities.locations.list
  • managedidentities.operations.cancel
  • managedidentities.operations.delete
  • managedidentities.operations.get
  • managedidentities.operations.list
  • managedidentities.peerings.create
  • managedidentities.peerings.delete
  • managedidentities.peerings.get
  • managedidentities.peerings.getIamPolicy
  • managedidentities.peerings.list
  • managedidentities.peerings.setIamPolicy
  • managedidentities.peerings.update
  • managedidentities.sqlintegrations.get
  • managedidentities.sqlintegrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.backupAdmin)

Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project-level

managedidentities.backups.*

  • managedidentities.backups.create
  • managedidentities.backups.delete
  • managedidentities.backups.get
  • managedidentities.backups.getIamPolicy
  • managedidentities.backups.list
  • managedidentities.backups.setIamPolicy
  • managedidentities.backups.update

managedidentities.domains.get

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.*

  • managedidentities.operations.cancel
  • managedidentities.operations.delete
  • managedidentities.operations.get
  • managedidentities.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.backupViewer)

Read-only access to Google Cloud Managed Identities Backup and related resources.

managedidentities.backups.get

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.domains.get

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.domainAdmin)

Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.

managedidentities.backups.*

  • managedidentities.backups.create
  • managedidentities.backups.delete
  • managedidentities.backups.get
  • managedidentities.backups.getIamPolicy
  • managedidentities.backups.list
  • managedidentities.backups.setIamPolicy
  • managedidentities.backups.update

managedidentities.domains.attachTrust

managedidentities.domains.checkMigrationPermission

managedidentities.domains.createTagBinding

managedidentities.domains.delete

managedidentities.domains.deleteTagBinding

managedidentities.domains.detachTrust

managedidentities.domains.disableMigration

managedidentities.domains.domainJoinMachine

managedidentities.domains.enableMigration

managedidentities.domains.extendSchema

managedidentities.domains.get

managedidentities.domains.getIamPolicy

managedidentities.domains.listEffectiveTags

managedidentities.domains.listTagBindings

managedidentities.domains.reconfigureTrust

managedidentities.domains.resetpassword

managedidentities.domains.restore

managedidentities.domains.update

managedidentities.domains.updateLDAPSSettings

managedidentities.domains.validateTrust

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

managedidentities.sqlintegrations.*

  • managedidentities.sqlintegrations.get
  • managedidentities.sqlintegrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.domainJoin)

Access to domain join VMs with Cloud AD

managedidentities.domains.domainJoinMachine

managedidentities.domains.get

(roles/managedidentities.peeringAdmin)

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.*

  • managedidentities.operations.cancel
  • managedidentities.operations.delete
  • managedidentities.operations.get
  • managedidentities.operations.list

managedidentities.peerings.*

  • managedidentities.peerings.create
  • managedidentities.peerings.delete
  • managedidentities.peerings.get
  • managedidentities.peerings.getIamPolicy
  • managedidentities.peerings.list
  • managedidentities.peerings.setIamPolicy
  • managedidentities.peerings.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.peeringViewer)

Read-only access to Google Cloud Managed Identities Peering and related resources.

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

managedidentities.peerings.get

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.viewer)

Read-only access to Google Cloud Managed Identities Domains and related resources.

managedidentities.backups.get

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.domains.get

managedidentities.domains.getIamPolicy

managedidentities.domains.list

managedidentities.domains.listEffectiveTags

managedidentities.domains.listTagBindings

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

managedidentities.peerings.get

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

managedidentities.sqlintegrations.*

  • managedidentities.sqlintegrations.get
  • managedidentities.sqlintegrations.list

resourcemanager.projects.get

resourcemanager.projects.list

如需详细了解 IAM 角色,请参阅 了解角色