Access control with IAM

Identity and Access Management (IAM) roles govern access to the Managed Service for Microsoft Active Directory (Managed Microsoft AD) API. The IAM roles available for Managed Microsoft AD, and the permissions (API methods) each role grants, are listed below.

In addition, a service account must have the servicemanagement.services.bind permission in order to view and enable Managed Microsoft AD. Learn more about Service Management roles and permissions.

Role | Permissions

Google Cloud Managed Identities Admin
(roles/managedidentities.admin)

Full access to Google Cloud Managed Identities domains and related resources. This role should be granted at the project level.

  • managedidentities.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Cloud Managed Identities Backup Admin
(roles/managedidentities.backupAdmin)

Full access to Google Cloud Managed Identities backups and related resources. This role should be granted at the project level.

  • managedidentities.backups.*
  • managedidentities.domains.get
  • managedidentities.locations.*
  • managedidentities.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Cloud Managed Identities Backup Viewer
(roles/managedidentities.backupViewer)

Read-only access to Google Cloud Managed Identities backups and related resources.

  • managedidentities.backups.get
  • managedidentities.backups.getIamPolicy
  • managedidentities.backups.list
  • managedidentities.domains.get
  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Cloud Managed Identities Domain Admin
(roles/managedidentities.domainAdmin)

Read, update and delete access to Google Cloud Managed Identities domains and related resources. This role should be granted at the resource (domain) level.

  • managedidentities.backups.*
  • managedidentities.domains.attachTrust
  • managedidentities.domains.createTagBinding
  • managedidentities.domains.delete
  • managedidentities.domains.deleteTagBinding
  • managedidentities.domains.detachTrust
  • managedidentities.domains.extendSchema
  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.listEffectiveTags
  • managedidentities.domains.listTagBindings
  • managedidentities.domains.reconfigureTrust
  • managedidentities.domains.resetpassword
  • managedidentities.domains.restore
  • managedidentities.domains.update
  • managedidentities.domains.updateLDAPSSettings
  • managedidentities.domains.validateTrust
  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • managedidentities.sqlintegrations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Cloud Managed Identities Domain Controller Operator
(roles/managedidentities.domaincontrollerOperator)

Operator access to Managed AD domain controllers.

  • pubsub.schemas.attach
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list

Google Cloud Managed Identities Peering Admin
(roles/managedidentities.peeringAdmin)

Full access to Google Cloud Managed Identities domains and related resources. This role should be granted at the project level.

  • managedidentities.locations.*
  • managedidentities.operations.*
  • managedidentities.peerings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Cloud Managed Identities Peering Viewer
(roles/managedidentities.peeringViewer)

Read-only access to Google Cloud Managed Identities peerings and related resources.

  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • managedidentities.peerings.get
  • managedidentities.peerings.getIamPolicy
  • managedidentities.peerings.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Cloud Managed Identities Viewer
(roles/managedidentities.viewer)

Read-only access to Google Cloud Managed Identities domains and related resources.

  • managedidentities.backups.get
  • managedidentities.backups.getIamPolicy
  • managedidentities.backups.list
  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.list
  • managedidentities.domains.listEffectiveTags
  • managedidentities.domains.listTagBindings
  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • managedidentities.peerings.get
  • managedidentities.peerings.getIamPolicy
  • managedidentities.peerings.list
  • managedidentities.sqlintegrations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

For more information about IAM roles, see Understanding roles.
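Each list above mixes exact permission names with `service.resource.*` wildcards, so picking the narrowest predefined role for a principal means matching the permissions it actually needs against those patterns. The script below is an added example, not Google's code and not part of this page: it transcribes five of the role lists above into a table, reports which roles cover a required set, and picks the covering role with the smallest grant, breaking ties in favour of fewer wildcards (a wildcard also covers permissions not enumerated on the page and any added to the service later). The role IDs and permission names are the ones listed on this page; the function names, the matching logic and the sample required sets are this example's own assumptions, and wildcards are expanded only against the concrete names that appear on this page, so the "excess" it reports is a lower bound.

```python
"""Choose the tightest Managed Microsoft AD predefined role for a set of
required permissions (added example; not Google's code).

_TABLE transcribes five of the role/permission lists from the page above.
IAM wildcard entries such as ``managedidentities.backups.*`` are matched with
fnmatch semantics.  For the excess-permission report, wildcards are expanded
only against the concrete permission names that appear on this page, so the
report is a lower bound on what the role really grants.
"""
from fnmatch import fnmatchcase

_TABLE = {
    "roles/managedidentities.viewer": """
        managedidentities.backups.get managedidentities.backups.getIamPolicy
        managedidentities.backups.list managedidentities.domains.get
        managedidentities.domains.getIamPolicy managedidentities.domains.list
        managedidentities.domains.listEffectiveTags
        managedidentities.domains.listTagBindings managedidentities.locations.*
        managedidentities.operations.get managedidentities.operations.list
        managedidentities.peerings.get managedidentities.peerings.getIamPolicy
        managedidentities.peerings.list managedidentities.sqlintegrations.*
        resourcemanager.projects.get resourcemanager.projects.list""",
    "roles/managedidentities.backupViewer": """
        managedidentities.backups.get managedidentities.backups.getIamPolicy
        managedidentities.backups.list managedidentities.domains.get
        managedidentities.locations.* managedidentities.operations.get
        managedidentities.operations.list
        resourcemanager.projects.get resourcemanager.projects.list""",
    "roles/managedidentities.backupAdmin": """
        managedidentities.backups.* managedidentities.domains.get
        managedidentities.locations.* managedidentities.operations.*
        resourcemanager.projects.get resourcemanager.projects.list""",
    "roles/managedidentities.domainAdmin": """
        managedidentities.backups.* managedidentities.domains.attachTrust
        managedidentities.domains.createTagBinding managedidentities.domains.delete
        managedidentities.domains.deleteTagBinding managedidentities.domains.detachTrust
        managedidentities.domains.extendSchema managedidentities.domains.get
        managedidentities.domains.getIamPolicy managedidentities.domains.listEffectiveTags
        managedidentities.domains.listTagBindings managedidentities.domains.reconfigureTrust
        managedidentities.domains.resetpassword managedidentities.domains.restore
        managedidentities.domains.update managedidentities.domains.updateLDAPSSettings
        managedidentities.domains.validateTrust managedidentities.locations.*
        managedidentities.operations.get managedidentities.operations.list
        managedidentities.sqlintegrations.*
        resourcemanager.projects.get resourcemanager.projects.list""",
    "roles/managedidentities.admin": """
        managedidentities.* resourcemanager.projects.get resourcemanager.projects.list""",
}
ROLES = {role: perms.split() for role, perms in _TABLE.items()}

# Every concrete (non-wildcard) permission name that appears in the table.
KNOWN_PERMISSIONS = {p for perms in ROLES.values() for p in perms if not p.endswith(".*")}


def grants(role, permission):
    """True if any exact entry or wildcard pattern in the role covers the permission."""
    return any(fnmatchcase(permission, pattern) for pattern in ROLES[role])


def expand(role):
    """Concrete permissions (drawn from KNOWN_PERMISSIONS) that the role grants."""
    return {p for p in KNOWN_PERMISSIONS if grants(role, p)}


def covering_roles(required):
    """Roles that grant every required permission."""
    return [role for role in ROLES if all(grants(role, p) for p in required)]


def least_privileged_role(required):
    """Covering role with the smallest known grant; ties go to the role with
    fewer wildcards, since a wildcard also covers permissions not listed here."""
    candidates = covering_roles(required)
    if not candidates:
        return None

    def wildcards(role):
        return sum(p.endswith(".*") for p in ROLES[role])

    return min(candidates, key=lambda role: (len(expand(role)), wildcards(role), role))


def excess(role, required):
    """Known permissions the role grants beyond the ones that were asked for."""
    return sorted(expand(role) - set(required))


if __name__ == "__main__":
    # Constructed requirement: a principal that only needs to enumerate backups.
    need = {"managedidentities.backups.get", "managedidentities.backups.list"}
    best = least_privileged_role(need)
    print(best, "also grants:", excess(best, need))
```

Running it prints the tightest role for the sample requirement and the extra known permissions that come with it; before binding the chosen role, check its description above for the scope at which it should be granted (project level for the admin roles, domain level for Domain Admin).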