Access Control

Service Usage uses Cloud Identity and Access Management to control access to services. This page explains the Cloud IAM roles and permissions related to Service Usage and how to use them to control access.

Resource model

For Service Usage, there are three relevant resources:

The service you are using.
The project from which you are using the service.
The operation or long-running operation returned by certain methods.

Each Service Usage method requires a permission on one or more of these resources.

Cloud IAM permissions

The following table shows the required permissions for each Service Usage API method. You can also find this information in the API Reference.

Method	Required Permission(s)
`services.batchEnable`	On the project: `serviceusage.services.enable` On the services: `servicemanagement.services.bind`
`services.enable`	On the project: `serviceusage.services.enable` On the service: `servicemanagement.services.bind`
`services.disable`	On the project: `serviceusage.services.disable`
`services.get`	On the project: `serviceusage.services.get`
`services.list`	On the project: `serviceusage.services.list`
`services.consumerQuotaMetrics.list services.consumerQuotaMetrics.get services.consumerQuotaMetrics.limits.get services.consumerQuotaMetrics.limits.consumerOverrides.list services.consumerQuotaMetrics.limits.adminOverrides.list services.consumerQuotaMetrics.limits.producerOverrides.list`	On the project: `serviceusage.quota.get` On the service: `servicemanagement.services.bind`
`services.consumerQuotaMetrics.consumerOverrides.create services.consumerQuotaMetrics.consumerOverrides.patch services.consumerQuotaMetrics.consumerOverrides.delete services.adminQuotaMetrics.adminOverrides.create services.adminQuotaMetrics.adminOverrides.patch services.adminQuotaMetrics.adminOverrides.delete`	On the project: `serviceusage.quota.update` On the service: `servicemanagement.services.bind`
To use a project for quota and billing purposes. For more information, see System Parameters.	On the project: `serviceusage.services.use`

Cloud IAM roles

With Cloud IAM, permissions are granted by binding users to roles. See Understanding Roles for details.

The following table lists the predefined roles that apply to Service Usage.

Role	Permissions
`roles/viewer`	serviceusage.services.get serviceusage.services.list serviceusage.quotas.get
`roles/editor` and `roles/owner`	serviceusage.services.get serviceusage.services.list serviceusage.services.disable serviceusage.services.enable serviceusage.services.use serviceusage.quotas.get serviceusage.quotas.update
`roles/serviceusage.serviceUsageViewer`	serviceusage.services.get serviceusage.services.list serviceusage.quotas.get
`roles/serviceusage.serviceUsageConsumer`	serviceusage.services.get serviceusage.services.list serviceusage.services.use serviceusage.quotas.get
`roles/serviceusage.serviceUsageAdmin`	serviceusage.services.get serviceusage.services.list serviceusage.services.use serviceusage.services.enable serviceusage.services.disable serviceusage.quotas.get serviceusage.quotas.update
`roles/servicemanagement.serviceConsumer`	servicemanagement.services.bind