If you create the Google Cloud project where you want to use Migration Center, you already have all the permissions required to activate Migration Center and manage resources in the product.
When you add a new member to your project, you can use an Identity and Access Management (IAM) policy to give that member one or more IAM roles to control the actions that the member can perform in Migration Center.
This page describes the typical roles you might want to assign to your project members and the permissions required to perform various actions.
Before you begin
- Read the IAM documentation.
Roles and actions
There are three main categories of actions that you can perform in Migration Center:
As a best practice, assign members of your project the roles with the least amount of privileges required to perform the actions they need to perform.
Create the Migration Center Additional Role
As a preliminary step before you assign roles to the members of your organization, create a custom role to simplify how you manage permissions. Follow these steps:
In the Google Cloud console, go to IAM & Admin > Roles.
Click Create role
In the Create role page, fill in the following fields:
Title: "Migration Center Additional Role"
Description: "Additional roles needed for Migration Center scenarios"
Click Add permissions.
From the list of permissions, search for the following permissions and select them:
iam.serviceAccountKeys.listiam.serviceAccounts.listresourcemanager.projects.updateserviceusage.services.enable
Then, to add your permissions, click Add.
To finish, click Create.
Activate Migration Center
Before you can use Migration Center, you need to activate it from the Google Cloud console. This one-time action includes activating the APIs and selecting a region to store your resources.
To get the permissions that you need to activate Migration Center, ask your administrator to grant you the following IAM roles on the project:
-
Migration Center Admin (
migrationcenter.admin) - Migration Center Additional Role
For more information about granting roles, see Manage access.
These predefined roles contain the permissions required to activate Migration Center. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to activate Migration Center:
-
migrationcenter.* -
resourcemanager.projects.get -
resourcemanager.projects.list -
rma.* -
resourcemanager.projects.update -
serviceusage.services.list -
serviceusage.services.enable -
iam.serviceAccountKeys.list -
iam.serviceAccounts.list -
resourcemanager.projects.update
You might also be able to get these permissions with custom roles or other predefined roles.
Manage Migration Center resources
Managing Migration Center resources includes actions such as generating a cost estimate, creating a discovery client, and removing assets.
To get the permissions that you need to manage Migration Center resources, ask your administrator to grant you the following IAM roles on the project:
-
Migration Center Admin (
migrationcenter.admin) - Migration Center Additional Role
-
Viewer (
viewer) -
Service Account Key Admin (
iam.serviceAccountKeyAdmin)
For more information about granting roles, see Manage access.
These predefined roles contain the permissions required to manage Migration Center resources. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to manage Migration Center resources:
-
migrationcenter.* -
resourcemanager.projects.get -
resourcemanager.projects.list -
rma.* -
serviceusage.services.list -
iam.serviceAccounts.list -
iam.serviceAccountKeys.list
You might also be able to get these permissions with custom roles or other predefined roles.
View Migration Center resources
To get the permissions that you need to view Migration Center resources, ask your administrator to grant you the following IAM roles on the project:
-
Migration Center Viewer (
migrationcenter.viewer) -
Viewer (
viewer) -
Rapid Migration Assessment Viewer (
rma.viewer)
For more information about granting roles, see Manage access.
These predefined roles contain the permissions required to view Migration Center resources. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to view Migration Center resources:
-
migrationcenter.assets.get -
migrationcenter.assets.list -
migrationcenter.groups.get -
migrationcenter.groups.list -
migrationcenter.importJobs.get -
migrationcenter.importJobs.list -
migrationcenter.locations.* -
migrationcenter.operations.get -
migrationcenter.operations.list -
migrationcenter.sources.get -
migrationcenter.sources.list -
resourcemanager.projects.get -
resourcemanager.projects.list -
serviceusage.services.list -
resourcemanager.projects.get -
resourcemanager.projects.list -
rma.annotations.get -
rma.collectors.get -
rma.collectors.list -
rma.locations.* -
rma.operations.get -
rma.operations.list
You might also be able to get these permissions with custom roles or other predefined roles.
Roles and permissions
The following tables show the roles and permissions available in Migration Center.
Migration Center roles and permissions
| Role | Permissions |
|---|---|
Migration Center Admin Beta( Full access to Migration Center all resources. |
|
Migration Center Discovery Client Beta( Migration Center Discover Client role |
|
Migration Center Discovery Client Registrator Beta( Registrator of Migration Center Discover Clients |
|
Migration Center Viewer Beta( Read-only access to Migration Center all resources. |
|
Rapid Migration Assessment roles and permissions
| Role | Permissions |
|---|---|
Rapid Migration Assessment Admin( Full access to Rapid Migration Assessment all resources. |
|
Rapid Migration Assessment Runner( Update and Read access to Rapid Migration Assessment all resources. |
|
Rapid Migration Assessment Viewer( Read-only access to Rapid Migration Assessment all resources. |
|