Controllo dell'accesso con IAM

Identity and Access Management (IAM) ti consente di concedere l'accesso a risorse specifiche. Per concedere l'accesso a una risorsa, devi assegnare un ruolo specifico a un utente, che gli conferirà determinate autorizzazioni.

Ruoli obbligatori

Ogni metodo dell'API Workload Manager richiede le autorizzazioni IAM necessarie. Le autorizzazioni vengono assegnate concedendo i ruoli a un utente, un gruppo o un account di servizio. Per informazioni su come concedere l'accesso alle risorse, consulta Gestire l'accesso.

La tabella seguente mostra i ruoli IAM di Workload Manager e le autorizzazioni concesse da questi ruoli.

Autorizzazioni

(roles/workloadmanager.admin)

Accesso completo a tutte le risorse del Gestore workload.

compute.acceleratorTypes.list

compute.diskTypes.list

compute.machineTypes.list

compute.networks.list

compute.projects.get

compute.regions.list

compute.subnetworks.list

compute.zones.list

dns.managedZones.list

iam.serviceAccounts.list

monitoring.timeSeries.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

storage.buckets.list

storage.objects.list

workloadmanager.*

(roles/workloadmanager.deploymentAdmin)

Accesso completo alle risorse di deployment di Workload Manager.

compute.acceleratorTypes.list

compute.diskTypes.list

compute.machineTypes.list

compute.networks.list

compute.projects.get

compute.regions.list

compute.subnetworks.list

compute.zones.list

dns.managedZones.list

iam.serviceAccounts.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

storage.buckets.list

storage.objects.list

workloadmanager.actuations.*

workloadmanager.deployments.*

workloadmanager.locations.*

workloadmanager.operations.*

(roles/workloadmanager.deploymentViewer)

Accesso in sola lettura alle risorse di deployment di Workload Manager.

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.get

workloadmanager.actuations.list

workloadmanager.deployments.get

workloadmanager.deployments.list

(roles/workloadmanager.evaluationAdmin)

Accesso completo alle risorse di valutazione del Gestore workload.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.evaluations.*

workloadmanager.executions.*

workloadmanager.locations.*

workloadmanager.operations.*

workloadmanager.results.list

workloadmanager.rules.list

(roles/workloadmanager.evaluationViewer)

Accesso in sola lettura alle risorse di valutazione del Gestore workload.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.evaluations.get

workloadmanager.evaluations.list

workloadmanager.executions.get

workloadmanager.executions.list

workloadmanager.results.list

workloadmanager.rules.list

(roles/workloadmanager.insightWriter)

Ruolo utilizzato per scrivere dati nel data warehouse del gestore workload.

workloadmanager.insights.write

(roles/workloadmanager.viewer)

Accesso in sola lettura a tutte le risorse del gestore workload.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.get

workloadmanager.actuations.list

workloadmanager.deployments.get

workloadmanager.deployments.list

workloadmanager.discoveredprofiles.*

workloadmanager.evaluations.get

workloadmanager.evaluations.list

workloadmanager.executions.get

workloadmanager.executions.list

workloadmanager.results.list

workloadmanager.rules.list

(roles/workloadmanager.worker)

Il ruolo utilizzato dai runner dell'applicazione Gestore workload per leggere e aggiornare i workload.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.*

workloadmanager.deployments.*

workloadmanager.discoveredprofiles.*

workloadmanager.evaluations.*

workloadmanager.executions.*

workloadmanager.insights.write

workloadmanager.results.list

workloadmanager.rules.list

(roles/workloadmanager.workloadViewer)

Ruolo utilizzato per visualizzare i dati relativi ai workload.

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.discoveredprofiles.*

(roles/workloadmanager.serviceAgent)

Concede all'agente di servizio Gestore workload l'accesso alle funzioni di esportazione CAI e a Cloud Monitoring.

cloudasset.assets.exportAccessPolicy

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportOrgPolicy

cloudasset.assets.exportResource

cloudasset.assets.listAccessPolicy

cloudasset.assets.listIamPolicy

cloudasset.assets.listOSInventories

cloudasset.assets.listOrgPolicy

cloudasset.assets.listResource

cloudasset.assets.searchAllResources

config.deployments.create

config.deployments.delete

config.deployments.get

config.deployments.list

config.deployments.update

config.locations.*

  • config.locations.get
  • config.locations.list

config.operations.*

  • config.operations.cancel
  • config.operations.delete
  • config.operations.get
  • config.operations.list

config.resources.list

config.revisions.get

config.revisions.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.list

serviceusage.services.use

workloadmanager.insights.export

workloadmanager.insights.listSapSystems

Per ulteriori informazioni sull'API Workload Manager, consulta il riferimento all'API Workload Manager.

Passaggi successivi