Esta página foi traduzida pela API Cloud Translation.

Papéis e permissões

Nesta página, descrevemos os papéis e as permissões do Identity and Access Management (IAM, na sigla em inglês) necessários para usar o Network Connectivity Center.

Em geral, você precisa de:

permissões predefinidas do Network Connectivity Center, descritas em Papéis predefinidos;
Permissões adicionais da seguinte maneira:
- Para criar spokes, é necessário ter permissão para ler os tipos de recursos de spoke relevantes, conforme descrito em Permissão para criar um spoke.
- Para trabalhar com o Network Connectivity Center no Google Cloud console, é preciso ter permissão para acessar determinados recursos de rede da nuvem privada virtual (VPC), conforme descrito em Permissão para usar o Network Connectivity Center no Google Cloud console.

Se precisar trabalhar com o Network Connectivity Center em uma rede VPC compartilhada, você precisará ter todas as permissões necessárias no projeto host. Um hub, os spokes dele e todos os recursos relacionados precisam estar no projeto host.

Para mais informações sobre como conceder permissões, consulte a visão geral do IAM.

Papéis predefinidos

A tabela a seguir descreve os papéis predefinidos do Network Connectivity Center.

Role Permissions

Role	Permissions
Service Automation Consumer Network Admin (`roles/networkconnectivity.consumerNetworkAdmin`) Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.	`networkconnectivity.serviceConnectionPolicies.*` `networkconnectivity.serviceConnectionPolicies.create` `networkconnectivity.serviceConnectionPolicies.delete` `networkconnectivity.serviceConnectionPolicies.get` `networkconnectivity.serviceConnectionPolicies.list` `networkconnectivity.serviceConnectionPolicies.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Group Admin (`roles/networkconnectivity.groupAdmin`) Enables full access to group resources and read-only access to hub and spoke resources	`networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.groups.` `networkconnectivity.groups.acceptSpoke` `networkconnectivity.groups.acceptSpokeUpdate` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.groups.rejectSpoke` `networkconnectivity.groups.rejectSpokeUpdate` `networkconnectivity.groups.setIamPolicy` `networkconnectivity.groups.use` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Group User (`roles/networkconnectivity.groupUser`) Enables use access on group resources	`networkconnectivity.groups.use`
Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Enables full access to hub and spoke resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.` `networkconnectivity.gatewayAdvertisedRoutes.create` `networkconnectivity.gatewayAdvertisedRoutes.delete` `networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.gatewayAdvertisedRoutes.update` `networkconnectivity.groups.` `networkconnectivity.groups.acceptSpoke` `networkconnectivity.groups.acceptSpokeUpdate` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.groups.rejectSpoke` `networkconnectivity.groups.rejectSpokeUpdate` `networkconnectivity.groups.setIamPolicy` `networkconnectivity.groups.use` `networkconnectivity.hubRouteTables.` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRouteTables.setIamPolicy` `networkconnectivity.hubRoutes.` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubRoutes.setIamPolicy` `networkconnectivity.hubs.` `networkconnectivity.hubs.create` `networkconnectivity.hubs.delete` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.hubs.listSpokes` `networkconnectivity.hubs.queryStatus` `networkconnectivity.hubs.setIamPolicy` `networkconnectivity.hubs.update` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.` `networkconnectivity.operations.cancel` `networkconnectivity.operations.delete` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.` `networkconnectivity.spokes.create` `networkconnectivity.spokes.delete` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `networkconnectivity.spokes.setIamPolicy` `networkconnectivity.spokes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Enables read-only access to hub and spoke resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.hubs.listSpokes` `networkconnectivity.hubs.queryStatus` `networkconnectivity.locations.*` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Full access to all Multicloud Data Transfer Config resources.	`networkconnectivity.multicloudDataTransferConfigs.` `networkconnectivity.multicloudDataTransferConfigs.create` `networkconnectivity.multicloudDataTransferConfigs.delete` `networkconnectivity.multicloudDataTransferConfigs.get` `networkconnectivity.multicloudDataTransferConfigs.list` `networkconnectivity.multicloudDataTransferConfigs.update` `networkconnectivity.multicloudDataTransferDestinations.` `networkconnectivity.multicloudDataTransferDestinations.create` `networkconnectivity.multicloudDataTransferDestinations.delete` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferDestinations.update` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Multicloud Data Transfer Config Viewer (`roles/networkconnectivity.multicloudDataTransferConfigViewer`) Read-only access to all Multicloud Data Transfer Config resources.	`networkconnectivity.multicloudDataTransferConfigs.get` `networkconnectivity.multicloudDataTransferConfigs.list` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Destination Admin (`roles/networkconnectivity.multicloudDataTransferDestinationAdmin`) Access to all Destination resources.	`networkconnectivity.multicloudDataTransferDestinations.` `networkconnectivity.multicloudDataTransferDestinations.create` `networkconnectivity.multicloudDataTransferDestinations.delete` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferDestinations.update` `networkconnectivity.multicloudDataTransferSupportedServices.` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Destination Viewer (`roles/networkconnectivity.multicloudDataTransferDestinationViewer`) Read-only access to all Destination resources.	`networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Regional Endpoint Admin (`roles/networkconnectivity.regionalEndpointAdmin`) Full access to all Regional Endpoint resources.	`networkconnectivity.regionalEndpoints.*` `networkconnectivity.regionalEndpoints.create` `networkconnectivity.regionalEndpoints.delete` `networkconnectivity.regionalEndpoints.get` `networkconnectivity.regionalEndpoints.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Regional Endpoint Viewer (`roles/networkconnectivity.regionalEndpointViewer`) Read-only access to all Regional Endpoint resources.	`networkconnectivity.regionalEndpoints.get` `networkconnectivity.regionalEndpoints.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`) Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources. Warning: Do not grant service agent roles to any principals except service agents.	`compute.addresses.create` `compute.addresses.createInternal` `compute.addresses.delete` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.setLabels` `compute.addresses.use` `compute.forwardingRules.create` `compute.forwardingRules.delete` `compute.forwardingRules.get` `compute.forwardingRules.pscCreate` `compute.forwardingRules.pscDelete` `compute.forwardingRules.pscSetLabels` `compute.forwardingRules.pscUpdate` `compute.forwardingRules.setLabels` `compute.instances.get` `compute.interconnectAttachments.get` `compute.networks.get` `compute.networks.use` `compute.projects.get` `compute.regionOperations.get` `compute.routers.get` `compute.subnetworks.create` `compute.subnetworks.delete` `compute.subnetworks.get` `compute.subnetworks.getIamPolicy` `compute.subnetworks.list` `compute.subnetworks.setIamPolicy` `compute.subnetworks.use` `compute.vpnTunnels.get` `dns.managedZones.create` `dns.networks.bindPrivateDNSZone` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.list` `networkconnectivity.internalRanges.create` `networkconnectivity.internalRanges.delete` `networkconnectivity.internalRanges.get` `networkconnectivity.internalRanges.list` `networkconnectivity.operations.get` `servicedirectory.namespaces.associatePrivateZone` `servicedirectory.namespaces.create` `servicedirectory.namespaces.delete` `servicedirectory.services.create` `servicedirectory.services.delete`
Service Class User (`roles/networkconnectivity.serviceClassUser`) Service Class User uses a ServiceClass	`networkconnectivity.serviceClasses.get` `networkconnectivity.serviceClasses.list` `networkconnectivity.serviceClasses.use` `resourcemanager.projects.get` `resourcemanager.projects.list`
Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps	`networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.serviceClasses.` `networkconnectivity.serviceClasses.create` `networkconnectivity.serviceClasses.delete` `networkconnectivity.serviceClasses.get` `networkconnectivity.serviceClasses.list` `networkconnectivity.serviceClasses.update` `networkconnectivity.serviceClasses.use` `networkconnectivity.serviceConnectionMaps.` `networkconnectivity.serviceConnectionMaps.create` `networkconnectivity.serviceConnectionMaps.delete` `networkconnectivity.serviceConnectionMaps.get` `networkconnectivity.serviceConnectionMaps.list` `networkconnectivity.serviceConnectionMaps.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Enables full access to spoke resources and read-only access to hub resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.` `networkconnectivity.gatewayAdvertisedRoutes.create` `networkconnectivity.gatewayAdvertisedRoutes.delete` `networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.gatewayAdvertisedRoutes.update` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.*` `networkconnectivity.spokes.create` `networkconnectivity.spokes.delete` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `networkconnectivity.spokes.setIamPolicy` `networkconnectivity.spokes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Automation Consumer Network Admin

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

Group Admin

(roles/networkconnectivity.groupAdmin)

Enables full access to group resources and read-only access to hub and spoke resources

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.*

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.acceptSpokeUpdate
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.rejectSpokeUpdate
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

Group User

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

Hub & Spoke Admin

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.*

networkconnectivity.gatewayAdvertisedRoutes.create
networkconnectivity.gatewayAdvertisedRoutes.delete
networkconnectivity.gatewayAdvertisedRoutes.get
networkconnectivity.gatewayAdvertisedRoutes.list
networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.groups.*

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.acceptSpokeUpdate
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.rejectSpokeUpdate
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

networkconnectivity.hubs.create
networkconnectivity.hubs.delete
networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.hubs.listSpokes
networkconnectivity.hubs.queryStatus
networkconnectivity.hubs.setIamPolicy
networkconnectivity.hubs.update

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.*

networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Hub & Spoke Viewer

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.hubs.queryStatus

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

Multicloud Data Transfer Config Admin

(roles/networkconnectivity.multicloudDataTransferConfigAdmin)

Full access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.*

networkconnectivity.multicloudDataTransferConfigs.create
networkconnectivity.multicloudDataTransferConfigs.delete
networkconnectivity.multicloudDataTransferConfigs.get
networkconnectivity.multicloudDataTransferConfigs.list
networkconnectivity.multicloudDataTransferConfigs.update

networkconnectivity.multicloudDataTransferDestinations.*

networkconnectivity.multicloudDataTransferDestinations.create
networkconnectivity.multicloudDataTransferDestinations.delete
networkconnectivity.multicloudDataTransferDestinations.get
networkconnectivity.multicloudDataTransferDestinations.list
networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Multicloud Data Transfer Config Viewer

(roles/networkconnectivity.multicloudDataTransferConfigViewer)

Read-only access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.get

networkconnectivity.multicloudDataTransferConfigs.list

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Destination Admin

(roles/networkconnectivity.multicloudDataTransferDestinationAdmin)

Access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.*

networkconnectivity.multicloudDataTransferDestinations.create
networkconnectivity.multicloudDataTransferDestinations.delete
networkconnectivity.multicloudDataTransferDestinations.get
networkconnectivity.multicloudDataTransferDestinations.list
networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Destination Viewer

(roles/networkconnectivity.multicloudDataTransferDestinationViewer)

Read-only access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Regional Endpoint Admin

(roles/networkconnectivity.regionalEndpointAdmin)

Full access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.*

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

Regional Endpoint Viewer

(roles/networkconnectivity.regionalEndpointViewer)

Read-only access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.get

networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

Network Connectivity Service Agent

(roles/networkconnectivity.serviceAgent)

Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.setLabels

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.forwardingRules.pscSetLabels

compute.forwardingRules.pscUpdate

compute.forwardingRules.setLabels

compute.instances.get

compute.interconnectAttachments.get

compute.networks.get

compute.networks.use

compute.projects.get

compute.regionOperations.get

compute.routers.get

compute.subnetworks.create

compute.subnetworks.delete

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.setIamPolicy

compute.subnetworks.use

compute.vpnTunnels.get

dns.managedZones.create

dns.networks.bindPrivateDNSZone

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.list

networkconnectivity.internalRanges.create

networkconnectivity.internalRanges.delete

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.operations.get

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

Service Class User

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

Service Automation Service Producer Admin

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update

resourcemanager.projects.get

resourcemanager.projects.list

Spoke Admin

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.*

networkconnectivity.gatewayAdvertisedRoutes.create
networkconnectivity.gatewayAdvertisedRoutes.delete
networkconnectivity.gatewayAdvertisedRoutes.get
networkconnectivity.gatewayAdvertisedRoutes.list
networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Outras permissões obrigatórias

Dependendo do que você precisa fazer no Network Connectivity Center, talvez precise das permissões descritas nas seções a seguir.

Permissão para criar um spoke

Para criar um spoke, você precisa ter permissão para ler o tipo de recurso do spoke. Exemplo:

Para spokes de túnel VPN, anexos de VLAN e spokes do dispositivo roteador, você precisa de compute.routers.get.
Para criar spokes do dispositivo do Router, você precisa de compute.instances.get. Além disso, antes de usar um spoke do dispositivo do Router, você precisa configurar o peering entre o Cloud Router e a instância do appliance do roteador. Para estabelecer o peering, você precisa das seguintes permissões:
- compute.instances.use
- compute.routers.update
Para criar spokes de anexos da VLAN, você precisa de compute.interconnectAttachments.get.
Para criar spokes de túnel de VPN, você precisa de compute.vpnTunnels.get.
Para criar spokes de VPC, você precisa das seguintes permissões:
- compute.networks.use
- compute.networks.get
Para criar spokes de VPC em um projeto diferente do hub ao qual ele está associado, você precisa de networkconnectivity.groups.use.

Permissão para usar o Network Connectivity Center no console Google Cloud

Para usar o Network Connectivity Center no console Google Cloud , você precisa de um papel, como Leitor da rede do Compute (roles/compute.networkViewer), que inclui as permissões descritas na tabela a seguir. Para usar essas permissões, é necessário primeiro criar um papel personalizado.

Tarefa	Permissões necessárias
Acessar a página Network Connectivity Center	`compute.projects.get` `compute.networks.get`
Acessar e usar a página Adicionar spokes	`compute.networks.list` `compute.regions.list` `compute.routers.list` `compute.zones.list` `compute.networks.get`
Adicionar um spoke de anexo da VLAN	`compute.interconnectAttachments.list` `compute.interconnectAttachments.get` `compute.networks.get` `compute.routers.list` `compute.routers.get`
Adicionar um spoke do túnel VPN	`compute.forwardingRules.list` `compute.networks.get` `compute.routers.get` `compute.routers.list` `compute.targetVpnGateways.list` `compute.vpnGateways.list` `compute.vpnTunnels.get` `compute.vpnTunnels.list`
Adicionar um spoke do dispositivo roteador	`compute.instances.list` `compute.instances.get` `compute.networks.get`
Adicionar um spoke VPC	`compute.networks.use` `compute.networks.get` `compute.subnetworks.list`

Como proteger recursos com o VPC Service Controls

Para proteger ainda mais os recursos do Network Connectivity Center, use o VPC Service Controls.

O VPC Service Controls oferece mais segurança aos recursos para ajudar a reduzir o risco de exfiltração de dados. Ao usar o VPC Service Controls, é possível colocar os recursos do Network Connectivity Center dentro dos perímetros de serviço. O VPC Service Controls protege esses recursos de solicitações originadas fora do perímetro.

Para mais informações sobre perímetros de serviço, consulte a página de configuração do perímetro de serviço na documentação do VPC Service Controls.

A seguir

Para mais informações sobre papéis e Google Cloud recursos do projeto, consulte a seguinte documentação:

Para entender os papéis e as permissões do IAM, consulte Controle de acesso para projetos que usam o IAM.
Para entender os tipos de papéis, consulte Referência dos papéis básicos e predefinidos do Identity and Access Management.
Para saber mais sobre papéis predefinidos, consulte Papéis e permissões de IAM do Compute Engine.
Para saber mais sobre o Network Connectivity Center, consulte Visão geral do Network Connectivity Center.
Para saber como gerenciar hubs e spokes, consulte Trabalhar com hubs e spokes.