Overview
Risk Manager uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more IAM roles to a user, group, or service account. Risk Manager permissions are incorporated into the IAM roles.
Risk Manager Roles
Risk Manager provides predefined roles that grant multiple permissions to specific Risk Manager resources.
The following table lists the predefined roles for Risk Manager, their description, and which permissions they include. Grant these roles at the organization level.
| Role | Title | Description | Permissions |
|---|---|---|---|
riskmanager.admin |
Risk Manager Admin | All Risk Manager permissions |
riskmanager.serviceaccount.createriskmanager.reports.getriskmanager.reports.listriskmanager.reports.createriskmanager.reports.deleteriskmanager.reports.reviewriskmanager.reports.shareriskmanager.operations.getriskmanager.operations.listriskmanager.operations.deleteriskmanager.policies.getriskmanager.policies.listriskmanager.settings.getriskmanager.settings.updateriskmanager.controlScoreBreakdowns.getriskmanager.controlScoreBreakdowns.list |
riskmanager.editor |
Risk Manager Editor | Access to edit Risk Manager resources (includes all permissions except for the ability to share or review a report) |
riskmanager.serviceaccount.createriskmanager.reports.getriskmanager.reports.listriskmanager.reports.createriskmanager.reports.deleteriskmanager.operations.getriskmanager.operations.listriskmanager.operations.deleteriskmanager.policies.getriskmanager.policies.listriskmanager.settings.getriskmanager.settings.updateriskmanager.controlScoreBreakdowns.getriskmanager.controlScoreBreakdowns.list |
riskmanager.viewer |
Risk Manager Viewer | Access to view Risk Manager resources |
riskmanager.reports.getriskmanager.reports.listriskmanager.operations.getriskmanager.operations.listriskmanager.policies.getriskmanager.policies.listriskmanager.settings.getriskmanager.controlScoreBreakdowns.getriskmanager.controlScoreBreakdowns.list |
riskmanager.reviewer |
Risk Manager Report Reviewer | Access to review/approve Risk Manager reports |
riskmanager.reports.getriskmanager.reports.listriskmanager.reports.reviewriskmanager.operations.getriskmanager.operations.list |
Risk Manager Service Agent role
When you enroll in Risk Manager, a service account is created for you in
the format of
organizations-ORGANIZATION_ID@gcp-sa-riskmanager.iam.gserviceaccount.com.
This service account is automatically granted the riskmanager.serviceAgent
role at the organization level. This role lets the Risk Manager
service account retrieve the data needed from other Google Cloud services to generate
Risk Manager reports.
This riskmanager.serviceAgent role is a role that includes the
following permissions:
| Role | Title | Description | Permissions |
|---|---|---|---|
roles/riskmanager.serviceAgent |
Risk Manager Service Agent | Access to retrieve data from other Google Cloud services needed to generate Risk Manager reports. |
Also, all permissions of the following roles are included:
|
To add the roles/riskmanager.serviceAgent role, you must have
the roles/resourcemanager.organizationAdmin role. You can add the
roles/riskmanager.serviceAgent role to a service account by running
the following command:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="serviceAccount:organizations-ORGANIZATION_ID@gcp-sa-riskmanager.iam.gserviceaccount.com" \
--role="roles/riskmanager.serviceAgent"
Replace ORGANIZATION_ID with the numeric ID of your organization.
For more information about IAM roles, see Understanding roles.
Risk Manager custom roles
In addition to predefined roles, Risk Manager supports the ability to create customized IAM roles. You can create a custom IAM role and assign that role one or more permissions. Then, you can grant the new role to your collaborators. Use custom roles to create an access control model that maps directly to your needs, alongside the available predefined roles offered by Google.
This document does not describe how to create a custom role. For in-depth information about custom roles and step-by-step instructions for creating a custom role, see Creating and managing custom roles in the IAM documentation.