Access Control with IAM

Service Usage uses Identity and Access Management (IAM) to control access to services. This page explains the IAM roles and permissions related to Service Usage and how to use them to control access.

Resource model

For Service Usage, there are three relevant resources:

The service you are using.
The project from which you are using the service.
The operation or long-running operation returned by certain methods.

Each Service Usage method requires a permission on one or more of these resources.

IAM permissions

The following table shows the required permissions for each Service Usage API method. You can also find this information in the API reference.

Method	Required permissions
`services.batchEnable`	On the project: `serviceusage.services.enable` On the services: `servicemanagement.services.bind`
`services.enable`	On the project: `serviceusage.services.enable` On the service: `servicemanagement.services.bind`
`services.disable`	On the project: `serviceusage.services.disable`
`services.get`	On the project: `serviceusage.services.get`
`services.list`	On the project: `serviceusage.services.list`
`services.consumerQuotaMetrics.list services.consumerQuotaMetrics.get services.consumerQuotaMetrics.limits.get services.consumerQuotaMetrics.limits.consumerOverrides.list services.consumerQuotaMetrics.limits.adminOverrides.list services.consumerQuotaMetrics.limits.producerOverrides.list`	On the project: `serviceusage.quota.get` On the service: `servicemanagement.services.bind`
`services.consumerQuotaMetrics.consumerOverrides.create services.consumerQuotaMetrics.consumerOverrides.patch services.consumerQuotaMetrics.consumerOverrides.delete services.adminQuotaMetrics.adminOverrides.create services.adminQuotaMetrics.adminOverrides.patch services.adminQuotaMetrics.adminOverrides.delete`	On the project: `serviceusage.quota.update` On the service: `servicemanagement.services.bind`
To use a project for quota and billing purposes. For more information, see System parameters.	On the project: `serviceusage.services.use`

IAM roles

With IAM, you give users permission by granting them a role. The following tables list IAM basic and predefined roles, and the permissions related to Service Usage that those roles include.

For more information about roles, see Understanding roles.

Basic roles

Name Title Permissions

roles/viewer Viewer serviceusage.services.get
serviceusage.services.list
serviceusage.quotas.get

Name	Title	Permissions
`roles/viewer`	Viewer	serviceusage.services.get serviceusage.services.list serviceusage.quotas.get
`roles/editor` `roles/owner`	Editor Owner	serviceusage.services.get serviceusage.services.list serviceusage.services.disable serviceusage.services.enable serviceusage.services.use serviceusage.quotas.get serviceusage.quotas.update

roles/editor

roles/owner

Editor

Owner

serviceusage.services.get
serviceusage.services.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.use
serviceusage.quotas.get
serviceusage.quotas.update

Predefined roles

Name	Title	Permissions
`roles/serviceusage.serviceUsageViewer`	Service Usage Viewer	serviceusage.services.get serviceusage.services.list serviceusage.quotas.get
`roles/serviceusage.serviceUsageConsumer`	Service Usage Consumer	serviceusage.services.get serviceusage.services.list serviceusage.services.use serviceusage.quotas.get
`roles/serviceusage.serviceUsageAdmin`	Service Usage Admin	serviceusage.services.get serviceusage.services.list serviceusage.services.use serviceusage.services.enable serviceusage.services.disable serviceusage.quotas.get serviceusage.quotas.update
`roles/servicemanagement.serviceConsumer`	Service Consumer	servicemanagement.services.bind