Roles and permissions

This page describes the Identity and Access Management (IAM) roles and permissions required to use Network Connectivity Center.

At a high level, you need the following:

Note that if you need to use Network Connectivity Center in a Shared VPC network, you must have all of the required permissions in the host project. A hub, its spokes, and all related resources must be located in the host project.

For information about how to grant permissions, see the IAM overview.

Predefined roles

The following table describes the predefined roles for Network Connectivity Center. Each entry gives the role, its description, and the permissions it contains.

Role and permissions

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

  • networkconnectivity.serviceConnectionPolicies.create
  • networkconnectivity.serviceConnectionPolicies.delete
  • networkconnectivity.serviceConnectionPolicies.get
  • networkconnectivity.serviceConnectionPolicies.list
  • networkconnectivity.serviceConnectionPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.groupUser)

Enables use access on group resources.

networkconnectivity.groups.use

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.groups.*

  • networkconnectivity.groups.acceptSpoke
  • networkconnectivity.groups.get
  • networkconnectivity.groups.getIamPolicy
  • networkconnectivity.groups.list
  • networkconnectivity.groups.rejectSpoke
  • networkconnectivity.groups.setIamPolicy
  • networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

  • networkconnectivity.hubRouteTables.get
  • networkconnectivity.hubRouteTables.getIamPolicy
  • networkconnectivity.hubRouteTables.list
  • networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

  • networkconnectivity.hubRoutes.get
  • networkconnectivity.hubRoutes.getIamPolicy
  • networkconnectivity.hubRoutes.list
  • networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

  • networkconnectivity.hubs.create
  • networkconnectivity.hubs.delete
  • networkconnectivity.hubs.get
  • networkconnectivity.hubs.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.listSpokes
  • networkconnectivity.hubs.queryStatus
  • networkconnectivity.hubs.setIamPolicy
  • networkconnectivity.hubs.update

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.hubs.queryStatus

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointAdmin)

Full access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.*

  • networkconnectivity.regionalEndpoints.create
  • networkconnectivity.regionalEndpoints.delete
  • networkconnectivity.regionalEndpoints.get
  • networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointViewer)

Read-only access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.get

networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass.

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps.

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

  • networkconnectivity.serviceClasses.create
  • networkconnectivity.serviceClasses.delete
  • networkconnectivity.serviceClasses.get
  • networkconnectivity.serviceClasses.list
  • networkconnectivity.serviceClasses.update
  • networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

  • networkconnectivity.serviceConnectionMaps.create
  • networkconnectivity.serviceConnectionMaps.delete
  • networkconnectivity.serviceConnectionMaps.get
  • networkconnectivity.serviceConnectionMaps.list
  • networkconnectivity.serviceConnectionMaps.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list
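As an added example (not part of this page or of Google's own tooling), the following Python script reviews the Network Connectivity Center bindings in a project's exported IAM policy. It lists who holds each predefined role from the table, flags grants to public or domain-wide principals, flags direct user grants of the two roles (hubAdmin and spokeAdmin) whose permission sets include a setIamPolicy permission, and points out custom roles that need to be expanded separately. The sample policy, project name and principals are constructed; the input shape is that of `gcloud projects get-iam-policy PROJECT --format=json`.

```python
"""Review Network Connectivity Center role bindings in an exported project IAM policy."""
import json

# Predefined NCC roles from the table above. "privileged" marks the two roles whose
# permission lists include a *.setIamPolicy permission: a holder can widen access for others.
NCC_ROLES = {
    "roles/networkconnectivity.hubAdmin": "privileged",
    "roles/networkconnectivity.spokeAdmin": "privileged",
    "roles/networkconnectivity.hubViewer": "read-only",
    "roles/networkconnectivity.regionalEndpointAdmin": "write",
    "roles/networkconnectivity.regionalEndpointViewer": "read-only",
    "roles/networkconnectivity.serviceProducerAdmin": "write",
    "roles/networkconnectivity.consumerNetworkAdmin": "write",
    "roles/networkconnectivity.serviceClassUser": "use",
    "roles/networkconnectivity.groupUser": "use",
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# Every project, group, user and service-account name below is made up for this example.
SAMPLE_POLICY = json.dumps({
    "etag": "BwExampleEtag",
    "version": 3,
    "bindings": [
        {"role": "roles/networkconnectivity.hubAdmin",
         "members": ["group:net-admins@example.com", "user:contractor@example.net"]},
        {"role": "roles/networkconnectivity.spokeAdmin",
         "members": ["serviceAccount:spoke-deployer@host-project-example.iam.gserviceaccount.com"]},
        {"role": "roles/networkconnectivity.hubViewer",
         "members": ["allAuthenticatedUsers", "domain:example.com"]},
        {"role": "projects/host-project-example/roles/nccConsoleViewer",
         "members": ["group:net-ops@example.com"]},
        {"role": "roles/compute.networkViewer",
         "members": ["group:net-ops@example.com"]},
    ],
})


def audit_ncc_bindings(policy_json):
    """Return {"holders": {role: [members]}, "findings": [text]} for the NCC-related bindings."""
    policy = json.loads(policy_json)
    holders = {}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])
        is_custom = "/roles/" in role  # projects/.../roles/X or organizations/.../roles/X
        if role in NCC_ROLES:
            holders.setdefault(role, []).extend(members)
            level = NCC_ROLES[role]
        elif is_custom:
            # The policy export does not expand custom roles; review their permission list separately.
            findings.append(f"custom role {role} held by {len(members)} principal(s): expand it "
                            "with `gcloud iam roles describe` and review its includedPermissions")
            continue
        else:
            continue  # roles outside Network Connectivity Center are out of scope here
        for member in members:
            principal_type = member.split(":", 1)[0]
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"{role} granted to {member}: NCC resources must never be public")
            elif principal_type == "domain":
                findings.append(f"{role} granted domain-wide via {member}: grant it to a group instead")
            if level == "privileged" and principal_type == "user":
                findings.append(f"{role} granted directly to {member}: privileged NCC roles "
                                "should go to a group or a dedicated service account")
    return {"holders": holders, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(audit_ncc_bindings(SAMPLE_POLICY), indent=2))
```

For a Shared VPC setup, run this against the host project's policy, since that is where the bindings must live. When a holder of hubAdmin only manages spokes, the table shows that spokeAdmin (full spoke access, read-only hub access) is the narrower choice.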

Additional required permissions

Depending on the actions you need to take in Network Connectivity Center, you might need the permissions described in the following sections.

Permission to create a spoke

To create a spoke, you need permission to read the spoke's resource type. For example:

  • For VPN tunnel spokes, VLAN attachment spokes, and router appliance spokes, you need compute.routers.get.
  • To create router appliance spokes, you need compute.instances.get. In addition, before you can use a router appliance spoke, you must configure peering between the Cloud Router and the router appliance instance. To establish the peering, you need the following permissions:
    • compute.instances.use
    • compute.routers.update
  • To create VLAN attachment spokes, you need compute.interconnectAttachments.get.
  • To create VPN tunnel spokes, you need compute.vpnTunnels.get.
  • To create VPC spokes, you need the following permissions:
    • compute.networks.use
    • compute.networks.get
  • To create VPC spokes in a project other than the project of the hub they are attached to, you need networkconnectivity.groups.use.

Permission to use Network Connectivity Center in the Google Cloud console

To use Network Connectivity Center in the Google Cloud console, you must have a role, such as Compute Network Viewer (roles/compute.networkViewer), that includes the permissions described in the following table. To grant only these permissions, you must first create a custom role.

Task and required permissions

Open the Network Connectivity Center page
  • compute.projects.get
  • compute.networks.get
Open and use the Add spoke page
  • compute.networks.list
  • compute.regions.list
  • compute.routers.list
  • compute.zones.list
  • compute.networks.get
Add a VLAN attachment spoke
  • compute.interconnectAttachments.list
  • compute.interconnectAttachments.get
  • compute.networks.get
  • compute.routers.list
  • compute.routers.get
Add a VPN tunnel spoke
  • compute.forwardingRules.list
  • compute.networks.get
  • compute.routers.get
  • compute.routers.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
Add a router appliance spoke
  • compute.instances.list
  • compute.instances.get
  • compute.networks.get
Add a VPC spoke
  • compute.networks.use
  • compute.networks.get
  • compute.subnetworks.list
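As an added example (not part of this page or of Google's own tooling), the following Python script turns the console-usage table above into a least-privilege custom role: it takes the union of the permissions for the console tasks you select, renders the role file in the format that `gcloud iam roles create --file` accepts, and prints the gcloud commands that create the role in the host project and bind it to one principal. The task keys, the role id `nccConsoleUser`, the project id and the group are placeholders chosen for this example.

```python
"""Build a custom role carrying only the console permissions from the table above."""
import shlex

# Permissions from the console-usage table on this page, grouped by console task.
# The task keys are example names chosen here, not identifiers used by Google Cloud.
CONSOLE_TASK_PERMISSIONS = {
    "open-ncc-page": ["compute.projects.get", "compute.networks.get"],
    "add-spoke-page": ["compute.networks.list", "compute.regions.list", "compute.routers.list",
                       "compute.zones.list", "compute.networks.get"],
    "add-vlan-attachment-spoke": ["compute.interconnectAttachments.list",
                                  "compute.interconnectAttachments.get", "compute.networks.get",
                                  "compute.routers.list", "compute.routers.get"],
    "add-vpn-tunnel-spoke": ["compute.forwardingRules.list", "compute.networks.get",
                             "compute.routers.get", "compute.routers.list",
                             "compute.targetVpnGateways.list", "compute.vpnGateways.list",
                             "compute.vpnTunnels.get", "compute.vpnTunnels.list"],
    "add-router-appliance-spoke": ["compute.instances.list", "compute.instances.get",
                                   "compute.networks.get"],
    "add-vpc-spoke": ["compute.networks.use", "compute.networks.get", "compute.subnetworks.list"],
}


def console_permissions(tasks=None):
    """Sorted, de-duplicated union of the permissions for the given tasks (default: all tasks)."""
    selected = list(CONSOLE_TASK_PERMISSIONS) if tasks is None else list(tasks)
    unknown = [t for t in selected if t not in CONSOLE_TASK_PERMISSIONS]
    if unknown:
        raise ValueError(f"unknown console task(s): {unknown}")
    return sorted({perm for task in selected for perm in CONSOLE_TASK_PERMISSIONS[task]})


def role_definition_yaml(title, tasks=None):
    """Render the role file that `gcloud iam roles create --file` reads (no PyYAML needed)."""
    lines = [
        f"title: {title}",
        "description: Console access to Network Connectivity Center (custom role)",
        "stage: GA",
        "includedPermissions:",
    ]
    lines.extend(f"- {perm}" for perm in console_permissions(tasks))
    return "\n".join(lines) + "\n"


def gcloud_commands(project_id, role_id, member, role_file):
    """Commands that create the role in the (host) project and bind it to one principal."""
    return [
        shlex.join(["gcloud", "iam", "roles", "create", role_id,
                    f"--project={project_id}", f"--file={role_file}"]),
        shlex.join(["gcloud", "projects", "add-iam-policy-binding", project_id,
                    f"--member={member}", f"--role=projects/{project_id}/roles/{role_id}"]),
    ]


if __name__ == "__main__":
    # HOST_PROJECT_ID and the group are placeholders; replace them with your own values.
    role_file = "ncc-console-role.yaml"
    with open(role_file, "w", encoding="utf-8") as fh:
        fh.write(role_definition_yaml("NCC Console User"))
    for cmd in gcloud_commands("HOST_PROJECT_ID", "nccConsoleUser",
                               "group:net-ops@example.com", role_file):
        print(cmd)
```

Selecting only the tasks a team performs (for example, the Network Connectivity Center page plus VPN tunnel spokes) keeps compute.networks.use and compute.instances.* out of the role; pass the full task list only for operators who add every spoke type. In a Shared VPC setup, create and bind the role in the host project, as the note at the top of this page requires.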

Protecting resources with VPC Service Controls

To further protect Network Connectivity Center resources, use VPC Service Controls.

VPC Service Controls provides additional security for your resources to help mitigate the risk of data exfiltration. By using VPC Service Controls, you can place Network Connectivity Center resources inside service perimeters. VPC Service Controls then protects those resources from requests that originate outside the perimeter.

To learn more about service perimeters, see Service perimeter configuration in the VPC Service Controls documentation.

What's next

For more information about project roles and Google Cloud resources, see the following documentation: