迁移中心 IAM 角色和权限

如果您创建了要使用迁移中心的 Google Cloud 项目，那么您已经拥有激活迁移中心和管理产品中的资源所需的所有权限。

向项目中添加新成员时，您可以使用 Identity and Access Management (IAM) 政策为该成员授予一个或多个 IAM 角色，以控制该成员可以在迁移中心内执行的操作。

本页面介绍了您可能希望分配给项目成员的典型角色，以及执行各种操作所需的权限。

准备工作

阅读 IAM 文档。

角色和操作

您可以在迁移中心执行三大类操作：

激活迁移中心。
管理迁移中心资源。
查看迁移中心资源。

最佳做法是，为项目成员分配执行所需操作所需的最小权限。

创建迁移中心其他角色

为组织成员分配角色之前，请首先创建一个自定义角色，以简化权限管理权限。请按照以下步骤操作：

在 Google Cloud 控制台中，转到 IAM 和管理 > 角色。

打开“角色”
点击 创建角色
在创建角色页面中，填写以下字段：
- 标题：“迁移中心其他角色”
- 说明：“迁移中心场景所需的其他角色”
点击 添加权限。
从权限列表中搜索以下权限并将其选中：
- iam.serviceAccountKeys.list
- iam.serviceAccounts.list
- resourcemanager.projects.update
- serviceusage.services.enable
然后，如需添加权限，请点击添加。
点击创建即可完成。

激活迁移中心

您需要先通过 Google Cloud 控制台激活迁移中心，然后才能使用迁移中心。此一次性操作包括激活 API 以及选择区域来存储资源。

如需获取激活迁移中心所需的权限，请让管理员授予您项目的以下 IAM 角色：

迁移中心管理员 (migrationcenter.admin)
迁移中心其他角色

如需详细了解如何授予角色，请参阅管理访问权限。

这些预定义角色包含激活迁移中心所需的权限。如需查看所需的确切权限，请展开所需权限部分：

所需权限

需要以下权限才能激活迁移中心：

migrationcenter.*
resourcemanager.projects.get
resourcemanager.projects.list
rma.*
resourcemanager.projects.update
serviceusage.services.list
serviceusage.services.enable
iam.serviceAccountKeys.list
iam.serviceAccounts.list
resourcemanager.projects.update

您也可以使用自定义角色或其他预定义角色来获取这些权限。

管理迁移中心资源

管理迁移中心资源包括生成费用估算、创建资产识别客户端和移除资产等操作。

如需获取管理迁移中心资源所需的权限，请让管理员授予您项目的以下 IAM 角色：

迁移中心管理员 (migrationcenter.admin)
迁移中心其他角色
Viewer (viewer)
服务帐号密钥管理员 (iam.serviceAccountKeyAdmin)

如需详细了解如何授予角色，请参阅管理访问权限。

这些预定义角色包含管理迁移中心资源所需的权限。如需查看所需的确切权限，请展开所需权限部分：

所需权限

如需管理迁移中心资源，您需要拥有以下权限：

migrationcenter.*
resourcemanager.projects.get
resourcemanager.projects.list
rma.*
serviceusage.services.list
iam.serviceAccounts.list
iam.serviceAccountKeys.list

您也可以使用自定义角色或其他预定义角色来获取这些权限。

查看迁移中心资源

如需获取查看迁移中心资源所需的权限，请让管理员授予您项目的以下 IAM 角色：

迁移中心查看者 (migrationcenter.viewer)
Viewer (viewer)
Rapid Migration Assessment Viewer (rma.viewer)

如需详细了解如何授予角色，请参阅管理访问权限。

这些预定义角色包含查看迁移中心资源所需的权限。如需查看所需的确切权限，请展开所需权限部分：

所需权限

需要以下权限才能查看迁移中心资源：

migrationcenter.assets.get
migrationcenter.assets.list
migrationcenter.groups.get
migrationcenter.groups.list
migrationcenter.importJobs.get
migrationcenter.importJobs.list
migrationcenter.locations.*
migrationcenter.operations.get
migrationcenter.operations.list
migrationcenter.sources.get
migrationcenter.sources.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.locations.*
rma.operations.get
rma.operations.list

您也可以使用自定义角色或其他预定义角色来获取这些权限。

角色与权限

下表显示了迁移中心中提供的角色和权限。

迁移中心角色和权限

Role Permissions

Role	Permissions
Migration Center Admin ^Beta (`roles/migrationcenter.admin`) Full access to Migration Center all resources.	`migrationcenter.` `migrationcenter.assets.create` `migrationcenter.assets.delete` `migrationcenter.assets.get` `migrationcenter.assets.list` `migrationcenter.assets.reportFrames` `migrationcenter.assets.update` `migrationcenter.discoveryClients.create` `migrationcenter.discoveryClients.delete` `migrationcenter.discoveryClients.get` `migrationcenter.discoveryClients.list` `migrationcenter.discoveryClients.sendHeartbeat` `migrationcenter.discoveryClients.update` `migrationcenter.errorFrames.get` `migrationcenter.errorFrames.list` `migrationcenter.groups.create` `migrationcenter.groups.delete` `migrationcenter.groups.get` `migrationcenter.groups.list` `migrationcenter.groups.update` `migrationcenter.importDataFiles.create` `migrationcenter.importDataFiles.delete` `migrationcenter.importDataFiles.get` `migrationcenter.importDataFiles.list` `migrationcenter.importJobs.create` `migrationcenter.importJobs.delete` `migrationcenter.importJobs.get` `migrationcenter.importJobs.list` `migrationcenter.importJobs.update` `migrationcenter.locations.get` `migrationcenter.locations.list` `migrationcenter.operations.cancel` `migrationcenter.operations.delete` `migrationcenter.operations.get` `migrationcenter.operations.list` `migrationcenter.preferenceSets.create` `migrationcenter.preferenceSets.delete` `migrationcenter.preferenceSets.get` `migrationcenter.preferenceSets.list` `migrationcenter.preferenceSets.update` `migrationcenter.reportConfigs.create` `migrationcenter.reportConfigs.delete` `migrationcenter.reportConfigs.get` `migrationcenter.reportConfigs.list` `migrationcenter.reports.create` `migrationcenter.reports.delete` `migrationcenter.reports.get` `migrationcenter.reports.list` `migrationcenter.settings.get` `migrationcenter.settings.update` `migrationcenter.sources.create` `migrationcenter.sources.delete` `migrationcenter.sources.get` `migrationcenter.sources.list` `migrationcenter.sources.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `rma.` `rma.annotations.create` `rma.annotations.get` `rma.collectors.create` `rma.collectors.delete` `rma.collectors.get` `rma.collectors.list` `rma.collectors.update` `rma.locations.get` `rma.locations.list` `rma.operations.cancel` `rma.operations.delete` `rma.operations.get` `rma.operations.list` `serviceusage.quotas.get`
Migration Center Discovery Client ^Beta (`roles/migrationcenter.discoveryClient`) Migration Center Discover Client role	`migrationcenter.assets.reportFrames` `migrationcenter.discoveryClients.get` `migrationcenter.discoveryClients.sendHeartbeat`
Migration Center Discovery Client Registrator ^Beta (`roles/migrationcenter.discoveryClientRegistrator`) Registrator of Migration Center Discover Clients	`migrationcenter.discoveryClients.create` `migrationcenter.discoveryClients.delete` `migrationcenter.discoveryClients.update` `migrationcenter.operations.get` `migrationcenter.sources.create` `migrationcenter.sources.delete` `resourcemanager.projects.get` `resourcemanager.projects.list`
Migration Center Viewer ^Beta (`roles/migrationcenter.viewer`) Read-only access to Migration Center all resources.	`migrationcenter.assets.get` `migrationcenter.assets.list` `migrationcenter.discoveryClients.get` `migrationcenter.discoveryClients.list` `migrationcenter.errorFrames.` `migrationcenter.errorFrames.get` `migrationcenter.errorFrames.list` `migrationcenter.groups.get` `migrationcenter.groups.list` `migrationcenter.importDataFiles.get` `migrationcenter.importDataFiles.list` `migrationcenter.importJobs.get` `migrationcenter.importJobs.list` `migrationcenter.locations.` `migrationcenter.locations.get` `migrationcenter.locations.list` `migrationcenter.operations.get` `migrationcenter.operations.list` `migrationcenter.preferenceSets.get` `migrationcenter.preferenceSets.list` `migrationcenter.reportConfigs.get` `migrationcenter.reportConfigs.list` `migrationcenter.reports.get` `migrationcenter.reports.list` `migrationcenter.settings.get` `migrationcenter.sources.get` `migrationcenter.sources.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `rma.annotations.get` `rma.collectors.get` `rma.collectors.list` `rma.locations.*` `rma.locations.get` `rma.locations.list` `rma.operations.get` `rma.operations.list` `serviceusage.quotas.get`

Migration Center Admin ^Beta

(roles/migrationcenter.admin)

Full access to Migration Center all resources.

migrationcenter.*

migrationcenter.assets.create
migrationcenter.assets.delete
migrationcenter.assets.get
migrationcenter.assets.list
migrationcenter.assets.reportFrames
migrationcenter.assets.update
migrationcenter.discoveryClients.create
migrationcenter.discoveryClients.delete
migrationcenter.discoveryClients.get
migrationcenter.discoveryClients.list
migrationcenter.discoveryClients.sendHeartbeat
migrationcenter.discoveryClients.update
migrationcenter.errorFrames.get
migrationcenter.errorFrames.list
migrationcenter.groups.create
migrationcenter.groups.delete
migrationcenter.groups.get
migrationcenter.groups.list
migrationcenter.groups.update
migrationcenter.importDataFiles.create
migrationcenter.importDataFiles.delete
migrationcenter.importDataFiles.get
migrationcenter.importDataFiles.list
migrationcenter.importJobs.create
migrationcenter.importJobs.delete
migrationcenter.importJobs.get
migrationcenter.importJobs.list
migrationcenter.importJobs.update
migrationcenter.locations.get
migrationcenter.locations.list
migrationcenter.operations.cancel
migrationcenter.operations.delete
migrationcenter.operations.get
migrationcenter.operations.list
migrationcenter.preferenceSets.create
migrationcenter.preferenceSets.delete
migrationcenter.preferenceSets.get
migrationcenter.preferenceSets.list
migrationcenter.preferenceSets.update
migrationcenter.reportConfigs.create
migrationcenter.reportConfigs.delete
migrationcenter.reportConfigs.get
migrationcenter.reportConfigs.list
migrationcenter.reports.create
migrationcenter.reports.delete
migrationcenter.reports.get
migrationcenter.reports.list
migrationcenter.settings.get
migrationcenter.settings.update
migrationcenter.sources.create
migrationcenter.sources.delete
migrationcenter.sources.get
migrationcenter.sources.list
migrationcenter.sources.update

resourcemanager.projects.get

resourcemanager.projects.list

rma.*

rma.annotations.create
rma.annotations.get
rma.collectors.create
rma.collectors.delete
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.get
rma.locations.list
rma.operations.cancel
rma.operations.delete
rma.operations.get
rma.operations.list

serviceusage.quotas.get

Migration Center Discovery Client ^Beta

(roles/migrationcenter.discoveryClient)

Migration Center Discover Client role

migrationcenter.assets.reportFrames

migrationcenter.discoveryClients.get

migrationcenter.discoveryClients.sendHeartbeat

Migration Center Discovery Client Registrator ^Beta

(roles/migrationcenter.discoveryClientRegistrator)

Registrator of Migration Center Discover Clients

migrationcenter.discoveryClients.create

migrationcenter.discoveryClients.delete

migrationcenter.discoveryClients.update

migrationcenter.operations.get

migrationcenter.sources.create

migrationcenter.sources.delete

resourcemanager.projects.get

resourcemanager.projects.list

Migration Center Viewer ^Beta

(roles/migrationcenter.viewer)

Read-only access to Migration Center all resources.

migrationcenter.assets.get

migrationcenter.assets.list

migrationcenter.discoveryClients.get

migrationcenter.discoveryClients.list

migrationcenter.errorFrames.*

migrationcenter.errorFrames.get
migrationcenter.errorFrames.list

migrationcenter.groups.get

migrationcenter.groups.list

migrationcenter.importDataFiles.get

migrationcenter.importDataFiles.list

migrationcenter.importJobs.get

migrationcenter.importJobs.list

migrationcenter.locations.*

migrationcenter.locations.get
migrationcenter.locations.list

migrationcenter.operations.get

migrationcenter.operations.list

migrationcenter.preferenceSets.get

migrationcenter.preferenceSets.list

migrationcenter.reportConfigs.get

migrationcenter.reportConfigs.list

migrationcenter.reports.get

migrationcenter.reports.list

migrationcenter.settings.get

migrationcenter.sources.get

migrationcenter.sources.list

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.locations.*

rma.locations.get
rma.locations.list

rma.operations.get

rma.operations.list

serviceusage.quotas.get

Rapid Migration Assessment 角色和权限

角色权限

角色	权限
Rapid Migration Assessment Admin (`roles/rma.admin`) 拥有对所有 Rapid Migration Assessment 资源的完整权限。	resourcemanager.projects.get resourcemanager.projects.list rma.* rma.annotations.create rma.annotations.get rma.collectors.create rma.collectors.delete rma.collectors.get rma.collectors.list rma.collectors.update rma.locations.get rma.locations.list rma.operations.cancel rma.operations.delete rma.operations.get rma.operations.list
Rapid Migration Assessment Runner (`roles/rma.runner`) 拥有对所有 Rapid Migration Assessment 资源的更新和读取权限。	resourcemanager.projects.get resourcemanager.projects.list rma.annotations.get rma.collectors.get rma.collectors.list rma.collectors.update rma.locations.* rma.locations.get rma.locations.list rma.operations.get rma.operations.list
Rapid Migration Assessment Viewer (`roles/rma.viewer`) 拥有对所有 Rapid Migration Assessment 资源的只读权限。	resourcemanager.projects.get resourcemanager.projects.list rma.annotations.get rma.collectors.get rma.collectors.list rma.locations.* rma.locations.get rma.locations.list rma.operations.get rma.operations.list

Rapid Migration Assessment Admin

(roles/rma.admin)

拥有对所有 Rapid Migration Assessment 资源的完整权限。

resourcemanager.projects.get

resourcemanager.projects.list

rma.*

rma.annotations.create
rma.annotations.get
rma.collectors.create
rma.collectors.delete
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.get
rma.locations.list
rma.operations.cancel
rma.operations.delete
rma.operations.get
rma.operations.list

Rapid Migration Assessment Runner

(roles/rma.runner)

拥有对所有 Rapid Migration Assessment 资源的更新和读取权限。

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.collectors.update

rma.locations.*

rma.locations.get
rma.locations.list

rma.operations.get

rma.operations.list

Rapid Migration Assessment Viewer

(roles/rma.viewer)

拥有对所有 Rapid Migration Assessment 资源的只读权限。

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.locations.*

rma.locations.get
rma.locations.list

rma.operations.get

rma.operations.list

迁移中心 IAM 角色和权限

准备工作

角色和操作

创建迁移中心其他角色

激活迁移中心

所需权限

管理迁移中心资源

所需权限

查看迁移中心资源

所需权限

角色与权限

迁移中心角色和权限

Migration Center Admin Beta

Migration Center Discovery Client Beta

Migration Center Discovery Client Registrator Beta

Migration Center Viewer Beta

Rapid Migration Assessment 角色和权限

Rapid Migration Assessment Admin

Rapid Migration Assessment Runner

Rapid Migration Assessment Viewer

Migration Center Admin ^Beta

Migration Center Discovery Client ^Beta

Migration Center Discovery Client Registrator ^Beta

Migration Center Viewer ^Beta