# Access control with IAM

Last updated: 2025-09-04 (UTC)

This page explains how to configure access control for Cloud Customer Care's support services.

### Before you begin

- You must have the [Standard Support](/support/docs/standard), [Enhanced Support](/support/docs/enhanced), or [Premium Support](/support/docs/premium) service.
- You must have the Organization Administrator role (`roles/resourcemanager.organizationAdmin`) for your Google Cloud organization.

What is Identity and Access Management (IAM)
--------------------------------------------

Google Cloud offers [IAM](https://cloud.google.com/iam), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the [security principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), so you grant only the necessary access to your resources.

IAM lets you control **who** (identity) has **what access** (roles) to **which resource** by setting IAM policies. IAM policies grant specific role(s) to a principal, giving the principal certain permissions. For example, for a given resource, such as a project, you can assign the Tech Support Viewer role (`roles/cloudsupport.techSupportViewer`) to a Google Account, and that account can view support cases in the project but cannot manage them.

Access considerations
---------------------

If you have transitioned from Silver, Gold, or Platinum Support, keep in mind that support cases are no longer accessible through the Google Cloud Support Center (GCSC). After you enable Standard, Enhanced, or Premium Support, you can manage access to transitioned cases by granting IAM roles to users, groups, or domains.

Organization-level Cases
------------------------

Customer Care cases can be created within either organizations or projects.

In order to manage organization-level cases, the user **must** have the `resourcemanager.organizations.get` permission at the organization level, or else they won't be able to select the organization in the Google Cloud console.

The simplest way to grant this permission is to grant the user the `roles/resourcemanager.organizationViewer` role on the organization. This role only grants the `resourcemanager.organizations.get` permission.

NOTE: Granting a user the `Organization Viewer` role is not the same as granting a user the `Viewer` role at the Organization level. This is a common point of confusion. The `Organization Viewer` role does not give the user access to view any resources within the organization; it only allows the user to see that the organization exists.

In addition, the user must have the relevant Technical Support IAM permissions, which are described in the following sections.

Customer Care IAM roles
-----------------------

With IAM, every support user must have the appropriate permissions to view and manage cases and users. Users gain these permissions when you add them to an IAM role, a group that belongs to a role, or a domain assigned to a role.

**Note:** You can grant multiple roles to a principal on the same resource. For example, you can grant both the Support Admin role (`roles/cloudsupport.admin`) and the Support Viewer role (`roles/cloudsupport.viewer`) to your cloud support admin team's [Google group](/iam/docs/overview#google_group).

The following table lists the IAM roles available to Cloud Customer Care users, the permissions each role grants, and the lowest resource level at which you can grant the role.

| Role | Description | Lowest-level resource where you can grant this role | Permissions |
|---|---|---|---|
| Support Account Administrator (`roles/cloudsupport.admin`) | Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information. | Organization | `cloudsupport.accounts.*` (`cloudsupport.accounts.create`, `cloudsupport.accounts.delete`, `cloudsupport.accounts.get`, `cloudsupport.accounts.getIamPolicy`, `cloudsupport.accounts.getUserRoles`, `cloudsupport.accounts.list`, `cloudsupport.accounts.purchase`, `cloudsupport.accounts.setIamPolicy`, `cloudsupport.accounts.update`, `cloudsupport.accounts.updateUserRoles`), `cloudsupport.operations.get`, `cloudsupport.properties.get`, `resourcemanager.organizations.get` |
| Tech Support Editor (`roles/cloudsupport.techSupportEditor`) | Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information. | Project (the role can also be granted on folders and organizations) | `billing.resourceAssociations.list`, `cloudasset.assets.searchAllResources`, `cloudsupport.properties.get`, `cloudsupport.techCases.*` (`cloudsupport.techCases.create`, `cloudsupport.techCases.escalate`, `cloudsupport.techCases.get`, `cloudsupport.techCases.list`, `cloudsupport.techCases.update`), `resourcemanager.projects.get`, `resourcemanager.projects.list` |
| Tech Support Viewer (`roles/cloudsupport.techSupportViewer`) | Read-only access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information. | Project (the role can also be granted on folders and organizations) | `cloudsupport.properties.get`, `cloudsupport.techCases.get`, `cloudsupport.techCases.list`, `resourcemanager.projects.get`, `resourcemanager.projects.list` |
| Support Account Viewer (`roles/cloudsupport.viewer`) | Read-only access to details of a support account. This does not allow viewing cases. See the Cloud Support documentation for more information. | Organization | (not listed) |

To add a user, group, or domain to a role, see [Granting IAM roles](#granting_roles).

### Support Account Administrator

Users with the Support Account Administrator role (`roles/cloudsupport.admin`) can manage the purchased support service and how it is billed.

The Support Account Administrator is responsible for administering policies for the organization's support account, including:

- Assigning new support users
- Modifying roles for existing support users
- Managing support billing

This role can only be granted at the organization level.

**Note:** The Support Account Administrator doesn't automatically have access to view or edit support cases. They must be assigned a Tech Support Viewer or Editor role to view or manage cases, which they can assign to themselves. To assign the role of Support Account Administrator, see the section on [Granting IAM roles](#granting_roles).

### Support Account Viewer

The Support Account Viewer role (`roles/cloudsupport.viewer`) can view account information for the service. They cannot view or edit support cases; to do so they must be assigned a Tech Support Viewer or Tech Support Editor role.

This role can only be granted at the organization level.

### Tech Support Editor

The Tech Support Editor role (`roles/cloudsupport.techSupportEditor`) can manage support cases, including viewing, creating, updating, escalating, and closing cases.

You can grant this role at the organization, folder, and project levels. For example, if you grant the Tech Support Editor role to a Google group on a specific project, all members of the group can manage support cases for that project.

You can also grant this role at multiple levels of the resource hierarchy to establish different permissions for nested resources. For example, if you have the Tech Support Viewer role for the organization and the Tech Support Editor role on a project, you can view support cases across the organization, but only edit cases for the project.

### Tech Support Viewer

The Tech Support Viewer role (`roles/cloudsupport.techSupportViewer`) can view support cases and account information.

This role can be set at the organization, project, and folder levels. For example, you can grant the Tech Support Viewer role to a Google group on a specific folder within a project, which enables members of that group to view the support cases in the folder.

Granting IAM roles
------------------

Users, Google Groups, or domains must have the `resourcemanager.organizations.setIamPolicy` permission on the organization to add users to the Customer Care IAM roles. You can give a user or group that permission by granting them the Organization Administrator role (`roles/resourcemanager.organizationAdmin`).

For example, if your organization would like users granted the Support Account Administrator role to *also* be able to add and remove users and groups from the other Customer Care IAM roles, then an Organization Administrator can do the following:

- Create a Google Group for the users (MyCompanySupportAdmins).
- Assign the Google Group (MyCompanySupportAdmins) the Organization Administrator role.
- Assign the Google Group (MyCompanySupportAdmins) the Support Account Administrator role.

In the example, members of the Google Group (MyCompanySupportAdmins) can assign users and groups to IAM roles in the organization because the group was granted the `setIamPolicy` permission when it was granted the Organization Administrator role. As new Support Account Administrators join the organization, add them to the Google Group (MyCompanySupportAdmins) to grant them the desired roles.

To grant an IAM role to a user, group, or domain:

1. In the Google Cloud console, go to the **IAM** page.

   [Go to the IAM page](https://console.cloud.google.com/iam-admin/iam)

2. From the top menu, click **Add**.

3. Specify a user, Google Group, or domain.

4. Select a **Support** role. For best security practices, we strongly recommend giving the principal the least amount of privilege needed.

5. Click **Save**.

What's next
-----------

Understand how to [manage support cases](/support/docs/manage-cases) in the Google Cloud console.
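As an added example (not code from the original page or from Google), the following Python model resolves a principal's effective permissions through the organization, folder and project hierarchy using the permission lists from the roles table on this page. It reproduces the Tech Support Editor section's scenario (Viewer on the organization, Editor on one project), the Support Account Administrator note (no case access), and the Organization Viewer note. Resource IDs, group names and e-mail addresses are constructed placeholders.

```python
# Added illustration of how Customer Care roles resolve through the Google Cloud
# resource hierarchy: a model, not Google's IAM code. Role permission sets are
# subsets copied from the table on this page; IDs and e-mail addresses are placeholders.
ROLES = {
    "roles/cloudsupport.admin": {
        "cloudsupport.accounts.get", "cloudsupport.accounts.setIamPolicy",
        "cloudsupport.accounts.updateUserRoles", "resourcemanager.organizations.get"},
    "roles/cloudsupport.techSupportEditor": {
        "cloudsupport.techCases.create", "cloudsupport.techCases.escalate",
        "cloudsupport.techCases.get", "cloudsupport.techCases.list",
        "cloudsupport.techCases.update", "resourcemanager.projects.get"},
    "roles/cloudsupport.techSupportViewer": {
        "cloudsupport.techCases.get", "cloudsupport.techCases.list",
        "resourcemanager.projects.get"},
    # Organization Viewer grants only this single permission (see above).
    "roles/resourcemanager.organizationViewer": {"resourcemanager.organizations.get"},
}
# Constructed hierarchy, child -> parent (None marks the organization root).
PARENT = {"organizations/123": None, "folders/456": "organizations/123",
          "projects/app-prod": "folders/456", "projects/app-dev": "organizations/123"}
# Constructed bindings, resource -> [(role, principal)]: Tech Support Viewer on the
# organization plus Tech Support Editor on one project, as in the Editor section.
BINDINGS = {
    "organizations/123": [
        ("roles/cloudsupport.techSupportViewer", "group:support@example.com"),
        ("roles/cloudsupport.admin", "group:MyCompanySupportAdmins@example.com"),
        ("roles/resourcemanager.organizationViewer", "user:carol@example.com")],
    "projects/app-prod": [
        ("roles/cloudsupport.techSupportEditor", "group:support@example.com")],
}
# Constructed Google Group memberships, group principal -> member principals.
MEMBERS = {"group:support@example.com": {"user:alice@example.com"},
           "group:MyCompanySupportAdmins@example.com": {"user:bob@example.com"}}

def effective_permissions(principal, resource):
    """Union of permissions from bindings on `resource` and on each ancestor:
    a role granted higher in the hierarchy is inherited by child resources."""
    perms, node = set(), resource
    while node is not None:
        for role, member in BINDINGS.get(node, []):
            if member == principal or principal in MEMBERS.get(member, set()):
                perms |= ROLES[role]
        node = PARENT[node]
    return perms

def can(principal, permission, resource):
    """True if the principal holds `permission` on `resource`, directly or inherited."""
    return permission in effective_permissions(principal, resource)
```

Running `can("user:alice@example.com", "cloudsupport.techCases.update", "projects/app-dev")` returns False while the same check on `projects/app-prod` returns True, which is the "view across the organization, edit only in the project" outcome described above.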