Esta página se ha traducido con Cloud Translation API.

Roles y permisos

En esta página se describen los roles y permisos de Gestión de Identidades y Accesos (IAM) necesarios para usar Network Connectivity Center.

En términos generales, necesitas lo siguiente:

Permisos predefinidos de Network Connectivity Center, que se describen en Roles predefinidos.
Permisos adicionales:
- Para crear radios, necesitas permiso para leer los tipos de recursos de radio pertinentes, tal como se describe en Permiso para crear un radio.
- Para trabajar con Network Connectivity Center en la consola de Google Cloud , necesitas permiso para ver determinados recursos de red de nube privada virtual (VPC), tal como se describe en Permiso para usar Network Connectivity Center en la consola de Google Cloud .

Ten en cuenta que, si necesitas trabajar con Network Connectivity Center en una red de VPC compartida, debes tener todos los permisos necesarios en el proyecto host. Un centro, sus radios y todos los recursos relacionados deben estar en el proyecto host.

Para obtener información sobre cómo conceder permisos, consulta la descripción general de gestión de identidades y accesos.

Funciones predefinidas

En la siguiente tabla se describen los roles predefinidos de Network Connectivity Center.

Role Permissions

Role	Permissions
Service Automation Consumer Network Admin (`roles/networkconnectivity.consumerNetworkAdmin`) Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.	`networkconnectivity.serviceConnectionPolicies.*` `networkconnectivity.serviceConnectionPolicies.create` `networkconnectivity.serviceConnectionPolicies.delete` `networkconnectivity.serviceConnectionPolicies.get` `networkconnectivity.serviceConnectionPolicies.list` `networkconnectivity.serviceConnectionPolicies.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Group Admin (`roles/networkconnectivity.groupAdmin`) Enables full access to group resources and read-only access to hub and spoke resources	`networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.groups.` `networkconnectivity.groups.acceptSpoke` `networkconnectivity.groups.acceptSpokeUpdate` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.groups.rejectSpoke` `networkconnectivity.groups.rejectSpokeUpdate` `networkconnectivity.groups.setIamPolicy` `networkconnectivity.groups.use` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Group User (`roles/networkconnectivity.groupUser`) Enables use access on group resources	`networkconnectivity.groups.use`
Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Enables full access to hub and spoke resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.` `networkconnectivity.gatewayAdvertisedRoutes.create` `networkconnectivity.gatewayAdvertisedRoutes.delete` `networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.gatewayAdvertisedRoutes.update` `networkconnectivity.groups.` `networkconnectivity.groups.acceptSpoke` `networkconnectivity.groups.acceptSpokeUpdate` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.groups.rejectSpoke` `networkconnectivity.groups.rejectSpokeUpdate` `networkconnectivity.groups.setIamPolicy` `networkconnectivity.groups.use` `networkconnectivity.hubRouteTables.` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRouteTables.setIamPolicy` `networkconnectivity.hubRoutes.` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubRoutes.setIamPolicy` `networkconnectivity.hubs.` `networkconnectivity.hubs.create` `networkconnectivity.hubs.delete` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.hubs.listSpokes` `networkconnectivity.hubs.queryStatus` `networkconnectivity.hubs.setIamPolicy` `networkconnectivity.hubs.update` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.` `networkconnectivity.operations.cancel` `networkconnectivity.operations.delete` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.` `networkconnectivity.spokes.create` `networkconnectivity.spokes.delete` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `networkconnectivity.spokes.setIamPolicy` `networkconnectivity.spokes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Enables read-only access to hub and spoke resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.hubs.listSpokes` `networkconnectivity.hubs.queryStatus` `networkconnectivity.locations.*` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Full access to all Multicloud Data Transfer Config resources.	`networkconnectivity.multicloudDataTransferConfigs.` `networkconnectivity.multicloudDataTransferConfigs.create` `networkconnectivity.multicloudDataTransferConfigs.delete` `networkconnectivity.multicloudDataTransferConfigs.get` `networkconnectivity.multicloudDataTransferConfigs.list` `networkconnectivity.multicloudDataTransferConfigs.update` `networkconnectivity.multicloudDataTransferDestinations.` `networkconnectivity.multicloudDataTransferDestinations.create` `networkconnectivity.multicloudDataTransferDestinations.delete` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferDestinations.update` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Multicloud Data Transfer Config Viewer (`roles/networkconnectivity.multicloudDataTransferConfigViewer`) Read-only access to all Multicloud Data Transfer Config resources.	`networkconnectivity.multicloudDataTransferConfigs.get` `networkconnectivity.multicloudDataTransferConfigs.list` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Destination Admin (`roles/networkconnectivity.multicloudDataTransferDestinationAdmin`) Access to all Destination resources.	`networkconnectivity.multicloudDataTransferDestinations.` `networkconnectivity.multicloudDataTransferDestinations.create` `networkconnectivity.multicloudDataTransferDestinations.delete` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferDestinations.update` `networkconnectivity.multicloudDataTransferSupportedServices.` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Destination Viewer (`roles/networkconnectivity.multicloudDataTransferDestinationViewer`) Read-only access to all Destination resources.	`networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Regional Endpoint Admin (`roles/networkconnectivity.regionalEndpointAdmin`) Full access to all Regional Endpoint resources.	`networkconnectivity.regionalEndpoints.*` `networkconnectivity.regionalEndpoints.create` `networkconnectivity.regionalEndpoints.delete` `networkconnectivity.regionalEndpoints.get` `networkconnectivity.regionalEndpoints.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Regional Endpoint Viewer (`roles/networkconnectivity.regionalEndpointViewer`) Read-only access to all Regional Endpoint resources.	`networkconnectivity.regionalEndpoints.get` `networkconnectivity.regionalEndpoints.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`) Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources. Warning: Do not grant service agent roles to any principals except service agents.	`compute.addresses.create` `compute.addresses.createInternal` `compute.addresses.delete` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.setLabels` `compute.addresses.use` `compute.forwardingRules.create` `compute.forwardingRules.delete` `compute.forwardingRules.get` `compute.forwardingRules.pscCreate` `compute.forwardingRules.pscDelete` `compute.forwardingRules.pscSetLabels` `compute.forwardingRules.pscUpdate` `compute.forwardingRules.setLabels` `compute.instances.get` `compute.interconnectAttachments.get` `compute.networks.get` `compute.networks.use` `compute.projects.get` `compute.regionOperations.get` `compute.routers.get` `compute.subnetworks.create` `compute.subnetworks.delete` `compute.subnetworks.get` `compute.subnetworks.getIamPolicy` `compute.subnetworks.list` `compute.subnetworks.setIamPolicy` `compute.subnetworks.use` `compute.vpnTunnels.get` `dns.managedZones.create` `dns.networks.bindPrivateDNSZone` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.list` `networkconnectivity.internalRanges.create` `networkconnectivity.internalRanges.delete` `networkconnectivity.internalRanges.get` `networkconnectivity.internalRanges.list` `networkconnectivity.operations.get` `servicedirectory.namespaces.associatePrivateZone` `servicedirectory.namespaces.create` `servicedirectory.namespaces.delete` `servicedirectory.services.create` `servicedirectory.services.delete`
Service Class User (`roles/networkconnectivity.serviceClassUser`) Service Class User uses a ServiceClass	`networkconnectivity.serviceClasses.get` `networkconnectivity.serviceClasses.list` `networkconnectivity.serviceClasses.use` `resourcemanager.projects.get` `resourcemanager.projects.list`
Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps	`networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.serviceClasses.` `networkconnectivity.serviceClasses.create` `networkconnectivity.serviceClasses.delete` `networkconnectivity.serviceClasses.get` `networkconnectivity.serviceClasses.list` `networkconnectivity.serviceClasses.update` `networkconnectivity.serviceClasses.use` `networkconnectivity.serviceConnectionMaps.` `networkconnectivity.serviceConnectionMaps.create` `networkconnectivity.serviceConnectionMaps.delete` `networkconnectivity.serviceConnectionMaps.get` `networkconnectivity.serviceConnectionMaps.list` `networkconnectivity.serviceConnectionMaps.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Enables full access to spoke resources and read-only access to hub resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.` `networkconnectivity.gatewayAdvertisedRoutes.create` `networkconnectivity.gatewayAdvertisedRoutes.delete` `networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.gatewayAdvertisedRoutes.update` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.*` `networkconnectivity.spokes.create` `networkconnectivity.spokes.delete` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `networkconnectivity.spokes.setIamPolicy` `networkconnectivity.spokes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Automation Consumer Network Admin

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

Group Admin

(roles/networkconnectivity.groupAdmin)

Enables full access to group resources and read-only access to hub and spoke resources

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.*

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.acceptSpokeUpdate
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.rejectSpokeUpdate
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

Group User

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

Hub & Spoke Admin

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.*

networkconnectivity.gatewayAdvertisedRoutes.create
networkconnectivity.gatewayAdvertisedRoutes.delete
networkconnectivity.gatewayAdvertisedRoutes.get
networkconnectivity.gatewayAdvertisedRoutes.list
networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.groups.*

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.acceptSpokeUpdate
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.rejectSpokeUpdate
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

networkconnectivity.hubs.create
networkconnectivity.hubs.delete
networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.hubs.listSpokes
networkconnectivity.hubs.queryStatus
networkconnectivity.hubs.setIamPolicy
networkconnectivity.hubs.update

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.*

networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Hub & Spoke Viewer

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.hubs.queryStatus

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

Multicloud Data Transfer Config Admin

(roles/networkconnectivity.multicloudDataTransferConfigAdmin)

Full access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.*

networkconnectivity.multicloudDataTransferConfigs.create
networkconnectivity.multicloudDataTransferConfigs.delete
networkconnectivity.multicloudDataTransferConfigs.get
networkconnectivity.multicloudDataTransferConfigs.list
networkconnectivity.multicloudDataTransferConfigs.update

networkconnectivity.multicloudDataTransferDestinations.*

networkconnectivity.multicloudDataTransferDestinations.create
networkconnectivity.multicloudDataTransferDestinations.delete
networkconnectivity.multicloudDataTransferDestinations.get
networkconnectivity.multicloudDataTransferDestinations.list
networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Multicloud Data Transfer Config Viewer

(roles/networkconnectivity.multicloudDataTransferConfigViewer)

Read-only access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.get

networkconnectivity.multicloudDataTransferConfigs.list

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Destination Admin

(roles/networkconnectivity.multicloudDataTransferDestinationAdmin)

Access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.*

networkconnectivity.multicloudDataTransferDestinations.create
networkconnectivity.multicloudDataTransferDestinations.delete
networkconnectivity.multicloudDataTransferDestinations.get
networkconnectivity.multicloudDataTransferDestinations.list
networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Destination Viewer

(roles/networkconnectivity.multicloudDataTransferDestinationViewer)

Read-only access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Regional Endpoint Admin

(roles/networkconnectivity.regionalEndpointAdmin)

Full access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.*

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

Regional Endpoint Viewer

(roles/networkconnectivity.regionalEndpointViewer)

Read-only access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.get

networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

Network Connectivity Service Agent

(roles/networkconnectivity.serviceAgent)

Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.setLabels

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.forwardingRules.pscSetLabels

compute.forwardingRules.pscUpdate

compute.forwardingRules.setLabels

compute.instances.get

compute.interconnectAttachments.get

compute.networks.get

compute.networks.use

compute.projects.get

compute.regionOperations.get

compute.routers.get

compute.subnetworks.create

compute.subnetworks.delete

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.setIamPolicy

compute.subnetworks.use

compute.vpnTunnels.get

dns.managedZones.create

dns.networks.bindPrivateDNSZone

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.list

networkconnectivity.internalRanges.create

networkconnectivity.internalRanges.delete

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.operations.get

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

Service Class User

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

Service Automation Service Producer Admin

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update

resourcemanager.projects.get

resourcemanager.projects.list

Spoke Admin

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.*

networkconnectivity.gatewayAdvertisedRoutes.create
networkconnectivity.gatewayAdvertisedRoutes.delete
networkconnectivity.gatewayAdvertisedRoutes.get
networkconnectivity.gatewayAdvertisedRoutes.list
networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Permisos adicionales necesarios

En función de las acciones que tengas que realizar en Network Connectivity Center, es posible que necesites los permisos que se describen en las siguientes secciones.

Permiso para crear un spoke

Para crear un spoke, debes tener permiso para leer el tipo de recurso del spoke. Por ejemplo:

En el caso de las ramas de túnel VPN, las ramas de vinculación de VLAN y las ramas de dispositivo Router, necesitas compute.routers.get.
Para crear radios de dispositivos router, necesitas compute.instances.get. Además, antes de poder usar un spoke de dispositivo de router, debes configurar el peering entre Cloud Router y la instancia del dispositivo de router. Para establecer el peering, necesitas los siguientes permisos:
- compute.instances.use
- compute.routers.update
Para crear spokes de vinculación de VLAN, necesitas lo siguiente: compute.interconnectAttachments.get
Para crear radios de túnel VPN, necesitas compute.vpnTunnels.get.
Para crear radios de VPC, necesitas los siguientes permisos:
- compute.networks.use
- compute.networks.get
Para crear radios de VPC en un proyecto distinto del hub al que están asociados, necesitas networkconnectivity.groups.use.

Permiso para usar Network Connectivity Center en la consola de Google Cloud

Para usar Network Connectivity Center en la consola de Google Cloud, necesitas un rol, como Lector de red de Compute (roles/compute.networkViewer), que incluya los permisos descritos en la siguiente tabla. Google Cloud Para usar estos permisos, primero debes crear un rol personalizado.

Tarea	Permisos obligatorios
Acceder a la página Network Connectivity Center	`compute.projects.get` `compute.networks.get`
Acceder a la página Añadir radios y usarla	`compute.networks.list` `compute.regions.list` `compute.routers.list` `compute.zones.list` `compute.networks.get`
Añadir un spoke de vinculación de VLAN	`compute.interconnectAttachments.list` `compute.interconnectAttachments.get` `compute.networks.get` `compute.routers.list` `compute.routers.get`
Añadir un spoke de túnel VPN	`compute.forwardingRules.list` `compute.networks.get` `compute.routers.get` `compute.routers.list` `compute.targetVpnGateways.list` `compute.vpnGateways.list` `compute.vpnTunnels.get` `compute.vpnTunnels.list`
Añadir un spoke de dispositivo router	`compute.instances.list` `compute.instances.get` `compute.networks.get`
Añadir un radio de VPC	`compute.networks.use` `compute.networks.get` `compute.subnetworks.list`

Proteger recursos con los Controles de Servicio de VPC

Para proteger aún más los recursos de Network Connectivity Center, usa Controles de Servicio de VPC.

Controles de Servicio de VPC proporciona a tus recursos medidas de seguridad adicionales para ayudarte a mitigar el riesgo de filtración externa de datos. Si usas Controles de Servicio de VPC, puedes colocar recursos de Network Connectivity Center dentro de perímetros de servicio. Controles de Servicio de VPC protege estos recursos frente a las solicitudes que se originan fuera del perímetro.

Para obtener más información sobre los perímetros de servicio, consulta la página Configuración de perímetros de servicio de la documentación de Controles de Servicio de VPC.

Siguientes pasos

Para obtener más información sobre los roles de proyecto y los Google Cloud recursos, consulta la siguiente documentación:

Para obtener información sobre los roles y permisos de gestión de identidades y accesos, consulta Control de acceso de proyectos con gestión de identidades y accesos.
Para obtener información sobre los tipos de roles, consulta la referencia de roles básicos y predefinidos de Gestión de Identidades y Accesos.
Para obtener información sobre los roles predefinidos, consulta Roles y permisos de gestión de identidades y accesos de Compute Engine.
Para obtener información sobre Network Connectivity Center, consulta la información general de Network Connectivity Center.
Para saber cómo gestionar los ejes y los radios, consulta el artículo Trabajar con ejes y radios.

Roles y permisos Organízate con las colecciones Guarda y clasifica el contenido según tus preferencias.

Funciones predefinidas

Service Automation Consumer Network Admin

Group Admin

Group User

Hub & Spoke Admin

Hub & Spoke Viewer

Multicloud Data Transfer Config Admin

Multicloud Data Transfer Config Viewer

Destination Admin

Destination Viewer

Regional Endpoint Admin

Regional Endpoint Viewer

Network Connectivity Service Agent

Service Class User

Service Automation Service Producer Admin

Spoke Admin

Permisos adicionales necesarios

Permiso para crear un spoke

Permiso para usar Network Connectivity Center en la consola de Google Cloud

Proteger recursos con los Controles de Servicio de VPC

Siguientes pasos

Roles y permisos