Access control

This page describes the Identity and Access Management (IAM) roles and permissions needed to run Network Connectivity Center.

You can grant users or service accounts permissions in the following ways:

  • Assign them individual permissions.
  • Assign them predefined roles.
  • Create and assign them a custom role that uses permissions that you specify.

IAM permissions for Network Connectivity Center use a prefix of networkconnectivity.

Predefined roles

The following table lists predefined roles for Network Connectivity Center and the permissions that apply to each role.

Role: networkconnectivity.googleapis.com/hubAdmin
Description: Enables full access to hub and spoke resources.
Permissions:

  • networkconnectivity.hubs.*
  • networkconnectivity.spokes.*

Role: networkconnectivity.googleapis.com/spokeAdmin
Description: Enables creating spokes and attaching them to an existing hub. In Shared VPC networks, a user must have permissions in the host project to create a spoke. A spoke and its related resources must reside in the host project.
Permissions:

  • networkconnectivity.spokes.*

Role: networkconnectivity.googleapis.com/hubViewer
Description: Enables read-only access to hub and spoke resources.
Permissions:

  • networkconnectivity.hubs.get
  • networkconnectivity.hubs.list
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.list
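The following is an added example, not part of the Network Connectivity Center documentation: a least-privilege check that picks the narrowest predefined role from the table above for a set of required permissions and flags a broader grant. The function names, the breadth ordering, and the sample permission networkconnectivity.spokes.create (matched by networkconnectivity.spokes.*) are assumptions of this example.

```python
from fnmatch import fnmatchcase

PREFIX = "networkconnectivity."
BASE = "networkconnectivity.googleapis.com/"
# Role -> permission patterns, copied from the predefined roles table on this page.
ROLES = {
    BASE + "hubAdmin": ["networkconnectivity.hubs.*", "networkconnectivity.spokes.*"],
    BASE + "spokeAdmin": ["networkconnectivity.spokes.*"],
    BASE + "hubViewer": ["networkconnectivity.hubs.get", "networkconnectivity.hubs.list",
                         "networkconnectivity.spokes.get", "networkconnectivity.spokes.list"],
}

def covers(role, needed):
    """True if every needed permission matches one of the role's patterns."""
    return all(any(fnmatchcase(p, pat) for pat in ROLES[role]) for p in needed)

def breadth(role):
    """Assumed ordering: wildcard grants rank as broader than explicit permissions."""
    pats = ROLES[role]
    return (sum(p.endswith(".*") for p in pats), len(pats))

def narrowest_role(needed):
    """Narrowest predefined role covering `needed`; None means no predefined role fits."""
    if not needed or any(not p.startswith(PREFIX) for p in needed):
        return None  # empty or outside the networkconnectivity prefix
    candidates = [r for r in ROLES if covers(r, needed)]
    return min(candidates, key=breadth, default=None)

def audit_binding(granted_role, needed):
    """Compare a granted role with the permissions a principal actually uses."""
    if not covers(granted_role, needed):
        return "insufficient"
    best = narrowest_role(needed)
    if best is not None and breadth(best) < breadth(granted_role):
        return "over-privileged: " + best
    return "ok"

if __name__ == "__main__":
    # Constructed sample bindings: (principal, granted role, permissions in use).
    sample = [
        ("sa-monitor", BASE + "hubAdmin", {"networkconnectivity.hubs.list"}),
        ("sa-deploy", BASE + "spokeAdmin", {"networkconnectivity.spokes.create"}),
        ("sa-report", BASE + "hubViewer", {"networkconnectivity.spokes.create"}),
    ]
    for principal, role, used in sample:
        print(principal, role, audit_binding(role, used))
```

When the only covering role is hubAdmin but the principal needs just one hub and one spoke permission, a custom role listing exactly those permissions is the tighter grant.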

For more information about project roles and Google Cloud resources, see the following documentation:
