[ { "description": "Ability to view or act on access approval requests and view configuration.", "etag": "AA==", "name": "roles/accessapproval.approver", "stage": "GA", "title": "Access Approval Approver" }, { "description": "Ability to update the Access Approval configuration", "etag": "AA==", "name": "roles/accessapproval.configEditor", "stage": "GA", "title": "Access Approval Config Editor" }, { "description": "Ability to invalidate existing approved approval requests", "etag": "AA==", "name": "roles/accessapproval.invalidator", "stage": "GA", "title": "Access Approval Invalidator" }, { "description": "Ability to view access approval requests and configuration", "etag": "AA==", "name": "roles/accessapproval.viewer", "stage": "GA", "title": "Access Approval Viewer" }, { "description": "Create, edit, and change Cloud access bindings.", "etag": "AA==", "name": "roles/accesscontextmanager.gcpAccessAdmin", "stage": "GA", "title": "Cloud Access Binding Admin" }, { "description": "Read access to Cloud access bindings.", "etag": "AA==", "name": "roles/accesscontextmanager.gcpAccessReader", "stage": "GA", "title": "Cloud Access Binding Reader" }, { "description": "Full access to policies, access levels, access zones and authorized orgs descs.", "etag": "AA==", "name": "roles/accesscontextmanager.policyAdmin", "stage": "GA", "title": "Access Context Manager Admin" }, { "description": "Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs.", "etag": "AA==", "name": "roles/accesscontextmanager.policyEditor", "stage": "GA", "title": "Access Context Manager Editor" }, { "description": "Read access to policies, access levels, access zones and authorized orgs descs.", "etag": "AA==", "name": "roles/accesscontextmanager.policyReader", "stage": "GA", "title": "Access Context Manager Reader" }, { "etag": "AA==", "name": "roles/accesscontextmanager.vpcScTroubleshooterViewer", "stage": "GA", "title": "VPC Service Controls Troubleshooter Viewer" }, { "description": "Access to edit and deploy an action", "etag": "AA==", "name": "roles/actions.Admin", "stage": "GA", "title": "Actions Admin" }, { "description": "Access to view an action", "etag": "AA==", "name": "roles/actions.Viewer", "stage": "GA", "title": "Actions Viewer" }, { "description": "Grants write access to settings in Advisory Notifications", "etag": "AA==", "name": "roles/advisorynotifications.admin", "stage": "GA", "title": "Advisory Notifications Admin" }, { "description": "Grants view access in Advisory Notifications", "etag": "AA==", "name": "roles/advisorynotifications.viewer", "stage": "GA", "title": "Advisory Notifications Viewer" }, { "description": "Grants full access to all resources in Vertex AI", "etag": "AA==", "name": "roles/aiplatform.admin", "stage": "GA", "title": "Vertex AI Administrator" }, { "description": "Admin role of using colab enterprise.", "etag": "AA==", "name": "roles/aiplatform.colabEnterpriseAdmin", "stage": "GA", "title": "Colab Enterprise Admin" }, { "description": "User role of using colab enterprise.", "etag": "AA==", "name": "roles/aiplatform.colabEnterpriseUser", "stage": "GA", "title": "Colab Enterprise User" }, { "description": "Gives Vertex AI Colab the proper permissions to function.", "etag": "AA==", "has_credentialexposure": true, "has_privesc": true, "name": "roles/aiplatform.colabServiceAgent", "stage": "GA", "title": "Vertex AI Colab Service Agent" }, { "description": "Gives Vertex AI Custom Code the proper permissions.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/aiplatform.customCodeServiceAgent", "stage": "GA", "title": "Vertex AI Custom Code Service Agent" }, { "description": "Provides full access to all permissions for a particular entity type resource.", "etag": "AA==", "name": "roles/aiplatform.entityTypeOwner", "stage": "GA", "title": "Vertex AI Feature Store EntityType owner" }, { "description": "Gives Vertex AI Extension that executes custom code the permissions it needs to function.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/aiplatform.extensionCustomCodeServiceAgent", "stage": "GA", "title": "Vertex AI Extension Custom Code Service Agent" }, { "description": "Gives Vertex AI Extension the permissions it needs to function.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/aiplatform.extensionServiceAgent", "stage": "GA", "title": "Vertex AI Extension Service Agent" }, { "description": "Grants full access to all resources in Vertex AI Feature Store", "etag": "AA==", "name": "roles/aiplatform.featurestoreAdmin", "stage": "GA", "title": "Vertex AI Feature Store Admin" }, { "description": "This role provides permissions to read Feature data.", "etag": "AA==", "name": "roles/aiplatform.featurestoreDataViewer", "stage": "GA", "title": "Vertex AI Feature Store Data Viewer" }, { "description": "This role provides permissions to read and write Feature data.", "etag": "AA==", "name": "roles/aiplatform.featurestoreDataWriter", "stage": "GA", "title": "Vertex AI Feature Store Data Writer" }, { "description": "Administrator of Featurestore resources, but not the child resources under Featurestores.", "etag": "AA==", "name": "roles/aiplatform.featurestoreInstanceCreator", "stage": "GA", "title": "Vertex AI Feature Store Instance Creator" }, { "description": "Viewer of all resources in Vertex AI Feature Store but cannot make changes.", "etag": "AA==", "name": "roles/aiplatform.featurestoreResourceViewer", "stage": "GA", "title": "Vertex AI Feature Store Resource Viewer" }, { "description": "Deprecated. Use featurestoreAdmin instead.", "etag": "AA==", "name": "roles/aiplatform.featurestoreUser", "stage": "BETA", "title": "Vertex AI Feature Store User" }, { "description": "Grants access to use migration service in Vertex AI", "etag": "AA==", "name": "roles/aiplatform.migrator", "stage": "GA", "title": "Vertex AI Migration Service User" }, { "description": "Gives Vertex AI Model Monitoring the permissions it needs to function.", "etag": "AA==", "has_dataaccess": true, "name": "roles/aiplatform.modelMonitoringServiceAgent", "title": "Vertex AI Model Monitoring Service Agent" }, { "description": "Grants users full access to schedules and notebook execution jobs.", "etag": "AA==", "name": "roles/aiplatform.notebookExecutorUser", "stage": "BETA", "title": "Notebook Executor User" }, { "description": "Grants full access to all runtime templates and runtimes in Notebook Service.", "etag": "AA==", "name": "roles/aiplatform.notebookRuntimeAdmin", "stage": "GA", "title": "Notebook Runtime Admin" }, { "description": "Grants users permissions to create runtime resources using a runtime template and manage the runtime resources they created.", "etag": "AA==", "name": "roles/aiplatform.notebookRuntimeUser", "stage": "GA", "title": "Notebook Runtime User" }, { "description": "Vertex AI Service Agent used to run Notebook managed resources in user project with restricted permissions.", "etag": "AA==", "name": "roles/aiplatform.notebookServiceAgent", "stage": "GA", "title": "Vertex AI Notebook Service Agent" }, { "description": "Vertex AI Service Agent used by Vertex RAG to access user imported data and Vertex AI in the project", "etag": "AA==", "has_dataaccess": true, "name": "roles/aiplatform.ragServiceAgent", "stage": "GA", "title": "Vertex AI RAG Data Service Agent" }, { "description": "Vertex AI Service Agent used by GenAI Rapid Evaluation Service to access publisher model endpoints in the user project", "etag": "AA==", "name": "roles/aiplatform.rapidevalServiceAgent", "stage": "GA", "title": "Vertex AI Rapid Eval Service Agent" }, { "description": "Gives Vertex AI Reasoning Engine the proper permissions to function.", "etag": "AA==", "has_dataaccess": true, "name": "roles/aiplatform.reasoningEngineServiceAgent", "stage": "GA", "title": "Vertex AI Reasoning Engine Service Agent" }, { "description": "Gives Vertex AI the permissions it needs to function.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/aiplatform.serviceAgent", "stage": "GA", "title": "Vertex AI Service Agent" }, { "description": "Grants access to the Vertex AI Tensorboard web app. Using the web app will incur charges.", "etag": "AA==", "name": "roles/aiplatform.tensorboardWebAppUser", "stage": "BETA", "title": "Vertex AI Tensorboard Web App User" }, { "description": "Vertex AI Service Agent used for tuning in user project.", "etag": "AA==", "has_dataaccess": true, "name": "roles/aiplatform.tuningServiceAgent", "stage": "GA", "title": "Vertex AI Tuning Service Agent" }, { "description": "Grants access to use all resource in Vertex AI", "etag": "AA==", "name": "roles/aiplatform.user", "stage": "GA", "title": "Vertex AI User" }, { "description": "Grants access to view all resource in Vertex AI", "etag": "AA==", "name": "roles/aiplatform.viewer", "stage": "GA", "title": "Vertex AI Viewer" }, { "description": "Full access to Cloud AlloyDB all resources.", "etag": "AA==", "name": "roles/alloydb.admin", "stage": "BETA", "title": "Cloud AlloyDB Admin" }, { "description": "Connectivity access to Cloud AlloyDB instances.", "etag": "AA==", "name": "roles/alloydb.client", "stage": "BETA", "title": "Cloud AlloyDB Client" }, { "description": "Role allowing access to login as a database user.", "etag": "AA==", "name": "roles/alloydb.databaseUser", "stage": "BETA", "title": "Cloud AlloyDB Database User" }, { "description": "Gives the AlloyDB service account permission to manage customer resources", "etag": "AA==", "name": "roles/alloydb.serviceAgent", "stage": "GA", "title": "AlloyDB Service Agent" }, { "description": "Read-only access to Cloud AlloyDB all resources.", "etag": "AA==", "name": "roles/alloydb.viewer", "stage": "BETA", "title": "Cloud AlloyDB Viewer" }, { "description": "Administer Data Exchanges and Listings", "etag": "AA==", "name": "roles/analyticshub.admin", "stage": "GA", "title": "Analytics Hub Admin" }, { "description": "Grants full control over the Listing, including updating, deleting and setting ACLs", "etag": "AA==", "name": "roles/analyticshub.listingAdmin", "stage": "GA", "title": "Analytics Hub Listing Admin" }, { "description": "Can publish to Data Exchanges thus creating Listings", "etag": "AA==", "name": "roles/analyticshub.publisher", "stage": "GA", "title": "Analytics Hub Publisher" }, { "description": "Can browse Data Exchanges and subscribe to Listings", "etag": "AA==", "name": "roles/analyticshub.subscriber", "stage": "GA", "title": "Analytics Hub Subscriber" }, { "description": "Grants full control over the Subscription, including updating and deleting", "etag": "AA==", "name": "roles/analyticshub.subscriptionOwner", "stage": "GA", "title": "Analytics Hub Subscription Owner" }, { "description": "Can browse Data Exchanges and Listings", "etag": "AA==", "name": "roles/analyticshub.viewer", "stage": "GA", "title": "Analytics Hub Viewer" }, { "description": "Full access to manage devices.", "etag": "AA==", "name": "roles/androidmanagement.user", "stage": "GA", "title": "Android Management User" }, { "description": "Gives the Anthos service agent access to Cloud Platformresources.", "etag": "AA==", "name": "roles/anthos.serviceAgent", "stage": "GA", "title": "Anthos Service Agent" }, { "description": "Gives the Anthos Audit service agent access toCloud Platform resources.", "etag": "AA==", "name": "roles/anthosaudit.serviceAgent", "stage": "GA", "title": "Anthos Audit Service Agent" }, { "description": "Gives the Anthos Config Management service agent access toCloud Platform resources.", "etag": "AA==", "name": "roles/anthosconfigmanagement.serviceAgent", "stage": "GA", "title": "Anthos Config Management Service Agent" }, { "description": "Gives the Anthos Identity service agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/anthosidentityservice.serviceAgent", "stage": "GA", "title": "Anthos Identity Service Agent" }, { "description": "Gives the Anthos Policy Controller service agent access toCloud Platform resources.", "etag": "AA==", "name": "roles/anthospolicycontroller.serviceAgent", "stage": "GA", "title": "Anthos Policy Controller Service Agent" }, { "description": "Gives the Anthos Service Mesh service agent access to Cloud Platform resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/anthosservicemesh.serviceAgent", "stage": "GA", "title": "Anthos Service Mesh Service Agent" }, { "description": " Gives the Anthos Support Service Agent access to Cloud Platform resource.", "etag": "AA==", "name": "roles/anthossupport.serviceAgent", "stage": "GA", "title": "Anthos Support Service Agent" }, { "description": "Full access to ApiGateway and related resources.", "etag": "AA==", "name": "roles/apigateway.admin", "stage": "GA", "title": "ApiGateway Admin" }, { "description": "Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.", "etag": "AA==", "has_privesc": true, "name": "roles/apigateway.serviceAgent", "stage": "GA", "title": "Cloud API Gateway Service Agent" }, { "description": "Read-only access to ApiGateway and related resources.", "etag": "AA==", "name": "roles/apigateway.viewer", "stage": "GA", "title": "ApiGateway Viewer" }, { "description": "Gives Cloud API Gateway service account access to retrieve aService configuration.", "etag": "AA==", "name": "roles/apigateway_management.serviceAgent", "stage": "GA", "title": "Cloud API Gateway Management Service Agent" }, { "description": "Full access to all apigee resource features", "etag": "AA==", "name": "roles/apigee.admin", "stage": "GA", "title": "Apigee Organization Admin" }, { "description": "Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization", "etag": "AA==", "name": "roles/apigee.analyticsAgent", "stage": "GA", "title": "Apigee Analytics Agent" }, { "description": "Analytics editor for an Apigee Organization", "etag": "AA==", "name": "roles/apigee.analyticsEditor", "stage": "GA", "title": "Apigee Analytics Editor" }, { "description": "Analytics viewer for an Apigee Organization", "etag": "AA==", "name": "roles/apigee.analyticsViewer", "stage": "GA", "title": "Apigee Analytics Viewer" }, { "description": "Full read/write access to all apigee API resources", "etag": "AA==", "name": "roles/apigee.apiAdminV2", "stage": "GA", "title": "Apigee API Admin" }, { "description": "Reader of apigee resources", "etag": "AA==", "name": "roles/apigee.apiReaderV2", "stage": "GA", "title": "Apigee API Reader" }, { "description": "Developer admin of apigee resources", "etag": "AA==", "name": "roles/apigee.developerAdmin", "stage": "GA", "title": "Apigee Developer Admin" }, { "description": "Full read/write access to apigee environment resources, including deployments.", "etag": "AA==", "name": "roles/apigee.environmentAdmin", "stage": "GA", "title": "Apigee Environment Admin" }, { "description": "All permissions related to monetization", "etag": "AA==", "name": "roles/apigee.monetizationAdmin", "stage": "GA", "title": "Apigee Monetization Admin" }, { "description": "Portal admin for an Apigee Organization", "etag": "AA==", "name": "roles/apigee.portalAdmin", "stage": "GA", "title": "Apigee Portal Admin" }, { "description": "Viewer of all apigee resources", "etag": "AA==", "name": "roles/apigee.readOnlyAdmin", "stage": "GA", "title": "Apigee Read-only Admin" }, { "description": "Curated set of permissions for a runtime agent to access Apigee Organization resources", "etag": "AA==", "name": "roles/apigee.runtimeAgent", "stage": "GA", "title": "Apigee Runtime Agent" }, { "description": "Security admin for an Apigee Organization", "etag": "AA==", "name": "roles/apigee.securityAdmin", "stage": "GA", "title": "Apigee Security Admin" }, { "description": "Security viewer for an Apigee Organization", "etag": "AA==", "name": "roles/apigee.securityViewer", "stage": "GA", "title": "Apigee Security Viewer" }, { "description": "Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys.", "etag": "AA==", "has_privesc": true, "name": "roles/apigee.serviceAgent", "stage": "GA", "title": "Apigee Service Agent" }, { "description": "Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization", "etag": "AA==", "name": "roles/apigee.synchronizerManager", "stage": "GA", "title": "Apigee Synchronizer Manager" }, { "description": "Admin of Apigee Connect", "etag": "AA==", "name": "roles/apigeeconnect.Admin", "stage": "GA", "title": "Apigee Connect Admin" }, { "description": "Ability to set up Apigee Connect agent between external clusters and Google.", "etag": "AA==", "name": "roles/apigeeconnect.Agent", "stage": "GA", "title": "Apigee Connect Agent" }, { "description": "Full access to Cloud Apigee Registry Registry and Runtime resources.", "etag": "AA==", "name": "roles/apigeeregistry.admin", "stage": "BETA", "title": "Cloud Apigee Registry Admin" }, { "description": "Edit access to Cloud Apigee Registry Registry resources.", "etag": "AA==", "name": "roles/apigeeregistry.editor", "stage": "BETA", "title": "Cloud Apigee Registry Editor" }, { "description": "Read-only access to Cloud Apigee Registry Registry resources.", "etag": "AA==", "name": "roles/apigeeregistry.viewer", "stage": "BETA", "title": "Cloud Apigee Registry Viewer" }, { "description": "The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.", "etag": "AA==", "name": "roles/apigeeregistry.worker", "stage": "BETA", "title": "Cloud Apigee Registry Worker" }, { "description": "Full access to Cloud API Hub Registry and Runtime resources.", "etag": "AA==", "name": "roles/apihub.admin", "stage": "BETA", "title": "Cloud API Hub Admin" }, { "description": "API hub attribute admin", "etag": "AA==", "name": "roles/apihub.attributeAdmin", "stage": "BETA", "title": "API hub attribute admin" }, { "description": "Edit access to Cloud API Hub Registry resources.", "etag": "AA==", "name": "roles/apihub.editor", "stage": "BETA", "title": "Cloud API Hub Editor" }, { "description": "API hub plugin admin", "etag": "AA==", "name": "roles/apihub.pluginAdmin", "stage": "BETA", "title": "API hub plugin admin" }, { "description": "API hub all permissions related to provisioning", "etag": "AA==", "name": "roles/apihub.provisioningAdmin", "stage": "BETA", "title": "API hub all permissions related to provisioning" }, { "description": "Gives API-Hub Service Account access to runtime project resources.", "etag": "AA==", "name": "roles/apihub.runtimeProjectServiceAgent", "title": "API-Hub Runtime Project Service Agent" }, { "description": "This role can view all resources in API hub", "etag": "AA==", "name": "roles/apihub.viewer", "stage": "BETA", "title": "API hub all resource viewer" }, { "description": "Full access to API Management resources.", "etag": "AA==", "name": "roles/apim.admin", "title": "API Management Admin" }, { "description": "Readonly access to API Management resources.", "etag": "AA==", "name": "roles/apim.viewer", "title": "API Management Viewer" }, { "description": "Give the App Development Experience service agent access toCloud Platform resources.", "etag": "AA==", "name": "roles/appdevelopmentexperience.serviceAgent", "stage": "GA", "title": "App Development Experience Service Agent" }, { "description": "Full management of App Engine apps (but not storage).", "etag": "AA==", "has_dataaccess": true, "name": "roles/appengine.appAdmin", "stage": "GA", "title": "App Engine Admin" }, { "description": "Ability to create the App Engine resource for the project.", "etag": "AA==", "name": "roles/appengine.appCreator", "stage": "GA", "title": "App Engine Creator" }, { "description": "Ability to view App Engine app status.", "etag": "AA==", "name": "roles/appengine.appViewer", "stage": "GA", "title": "App Engine Viewer" }, { "description": "Ability to view App Engine app status and deployed source code.", "etag": "AA==", "name": "roles/appengine.codeViewer", "stage": "GA", "title": "App Engine Code Viewer" }, { "description": "Ability to read or manage v2 instances.", "etag": "AA==", "has_dataaccess": true, "name": "roles/appengine.debugger", "stage": "GA", "title": "App Engine Managed VM Debug Access" }, { "description": "Necessary permissions to deploy new code to App Engine, and remove old versions.", "etag": "AA==", "name": "roles/appengine.deployer", "stage": "GA", "title": "App Engine Deployer" }, { "description": "Can get, set, delete, and flush App Engine Memcache items.", "etag": "AA==", "has_dataaccess": true, "name": "roles/appengine.memcacheDataAdmin", "stage": "GA", "title": "App Engine Memcache Data Admin" }, { "description": "Can view and change traffic splits, scaling settings, and delete old versions; can't create new versions.", "etag": "AA==", "name": "roles/appengine.serviceAdmin", "stage": "GA", "title": "App Engine Service Admin" }, { "description": "Give App Engine Standard Enviroment service account access to managed resources. Includes access to service accounts.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/appengine.serviceAgent", "stage": "GA", "title": "App Engine Standard Environment Service Agent" }, { "description": "Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/appengineflex.serviceAgent", "stage": "GA", "title": "App Engine flexible environment Service Agent" }, { "description": "Full access to App Hub resources.", "etag": "AA==", "name": "roles/apphub.admin", "stage": "GA", "title": "App Hub Admin" }, { "description": "Edit access to App Hub resources.", "etag": "AA==", "name": "roles/apphub.editor", "stage": "GA", "title": "App Hub Editor" }, { "description": "View access to App Hub resources.", "etag": "AA==", "name": "roles/apphub.viewer", "stage": "GA", "title": "App Hub Viewer" }, { "description": "Grants access to approve commands to run on appliances", "etag": "AA==", "name": "roles/applianceactivation.approver", "stage": "BETA", "title": "Appliance troubleshooting commands approver" }, { "description": "Grants access to read commands for an appliance and send its result.", "etag": "AA==", "name": "roles/applianceactivation.client", "stage": "BETA", "title": "On-appliance troubleshooting client" }, { "description": "Grants access to send new commands to run on appliances and view the outputs", "etag": "AA==", "name": "roles/applianceactivation.troubleshooter", "stage": "BETA", "title": "Appliance troubleshooter" }, { "description": "Administrator access to create and manage repositories.", "etag": "AA==", "name": "roles/artifactregistry.admin", "stage": "GA", "title": "Artifact Registry Administrator" }, { "description": "Access to manage artifacts in repositories, as well as create new repositories on push", "etag": "AA==", "name": "roles/artifactregistry.createOnPushRepoAdmin", "stage": "GA", "title": "Artifact Registry Create-on-Push Repository Administrator" }, { "description": "Access to read and write repository items, as well as create new repositories on push", "etag": "AA==", "name": "roles/artifactregistry.createOnPushWriter", "stage": "GA", "title": "Artifact Registry Create-on-Push Writer" }, { "description": "Access to read repository items.", "etag": "AA==", "name": "roles/artifactregistry.reader", "stage": "GA", "title": "Artifact Registry Reader" }, { "description": "Access to manage artifacts in repositories.", "etag": "AA==", "name": "roles/artifactregistry.repoAdmin", "stage": "GA", "title": "Artifact Registry Repository Administrator" }, { "description": "Gives the Artifact Registry service account access to managed resources.", "etag": "AA==", "name": "roles/artifactregistry.serviceAgent", "stage": "GA", "title": "Artifact Registry Service Agent" }, { "description": "Access to read and write repository items.", "etag": "AA==", "name": "roles/artifactregistry.writer", "stage": "GA", "title": "Artifact Registry Writer" }, { "description": "Access to use Assured OSS and manage configuration.", "etag": "AA==", "name": "roles/assuredoss.admin", "stage": "GA", "title": "Assured OSS Admin" }, { "description": "Access to use Assured OSS and manage configuration.", "etag": "AA==", "name": "roles/assuredoss.projectAdmin", "stage": "BETA", "title": "Assured OSS Project Admin" }, { "description": "Access to use Assured OSS and view Assured OSS configuration.", "etag": "AA==", "name": "roles/assuredoss.reader", "stage": "GA", "title": "Assured OSS Reader" }, { "description": "Access to use Assured OSS.", "etag": "AA==", "name": "roles/assuredoss.user", "stage": "GA", "title": "Assured OSS User" }, { "description": "Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration", "etag": "AA==", "name": "roles/assuredworkloads.admin", "stage": "GA", "title": "Assured Workloads Administrator" }, { "description": "Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration", "etag": "AA==", "name": "roles/assuredworkloads.editor", "stage": "GA", "title": "Assured Workloads Editor" }, { "description": "Gives the Assured Workloads service account access to create CAIS feed and monitor Assured Workloads.", "etag": "AA==", "name": "roles/assuredworkloads.monitoringServiceAgent", "stage": "GA", "title": "Assured Workloads Monitoring Service Agent" }, { "description": "Grants read access to all Assured Workloads resources and CRM resources - project/folder", "etag": "AA==", "name": "roles/assuredworkloads.reader", "stage": "GA", "title": "Assured Workloads Reader" }, { "description": "Gives the Assured Workloads service account access to create KMS keyrings and keys, and to monitor Assured Workloads.", "etag": "AA==", "name": "roles/assuredworkloads.serviceAgent", "stage": "GA", "title": "Assured Workloads Service Agent" }, { "description": "Full access to Audit Manager resources.", "etag": "AA==", "name": "roles/auditmanager.admin", "stage": "BETA", "title": "Audit Manager Admin" }, { "description": "Allows creating and viewing an audit report.", "etag": "AA==", "name": "roles/auditmanager.auditor", "stage": "BETA", "title": "Audit Manager Auditor" }, { "description": "Grants Audit Manager Service Agent access to various list/get rpcs of products to perform an audit.", "etag": "AA==", "name": "roles/auditmanager.serviceAgent", "stage": "GA", "title": "Audit Manager Auditing Service Agent" }, { "description": "Full access to all AutoML resources", "etag": "AA==", "name": "roles/automl.admin", "stage": "BETA", "title": "AutoML Admin" }, { "description": "Editor of all AutoML resources", "etag": "AA==", "name": "roles/automl.editor", "stage": "BETA", "title": "AutoML Editor" }, { "description": "Predict using models", "etag": "AA==", "name": "roles/automl.predictor", "stage": "BETA", "title": "AutoML Predictor" }, { "description": "AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.", "etag": "AA==", "has_dataaccess": true, "name": "roles/automl.serviceAgent", "stage": "GA", "title": "AutoML Service Agent" }, { "description": "Viewer of all AutoML resources", "etag": "AA==", "name": "roles/automl.viewer", "stage": "BETA", "title": "AutoML Viewer" }, { "description": "Full access to all Recommendations AI resources.", "etag": "AA==", "name": "roles/automlrecommendations.admin", "stage": "BETA", "title": "Recommendations AI Admin" }, { "description": "Viewer of all Recommendations AI resources.", "etag": "AA==", "name": "roles/automlrecommendations.adminViewer", "stage": "BETA", "title": "Recommendations AI Admin Viewer" }, { "description": "Editor of all Recommendations AI resources.", "etag": "AA==", "name": "roles/automlrecommendations.editor", "stage": "BETA", "title": "Recommendations AI Editor" }, { "description": "Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.", "etag": "AA==", "has_dataaccess": true, "name": "roles/automlrecommendations.serviceAgent", "stage": "GA", "title": "Recommendations AI Service Agent" }, { "description": "Viewer of all Recommendations AI resources except automlrecommendations.apiKeys. To have all read access use Recommendations AI Admin Viewer role instead.", "etag": "AA==", "name": "roles/automlrecommendations.viewer", "stage": "BETA", "title": "Recommendations AI Viewer" }, { "description": "Access to write metrics for autoscaling site", "etag": "AA==", "name": "roles/autoscaling.metricsWriter", "stage": "BETA", "title": "Autoscaling Metrics Writer" }, { "description": "Access to read recommendations from autoscaling site", "etag": "AA==", "name": "roles/autoscaling.recommendationsReader", "stage": "BETA", "title": "Autoscaling Recommendations Reader" }, { "description": "Full access to all autoscaling site features", "etag": "AA==", "name": "roles/autoscaling.sitesAdmin", "stage": "BETA", "title": "Autoscaling Site Admin" }, { "description": "Access to write state for autoscaling site", "etag": "AA==", "name": "roles/autoscaling.stateWriter", "stage": "BETA", "title": "Autoscaling State Writer" }, { "description": "Enable Access Transparency for Organization", "etag": "AA==", "name": "roles/axt.admin", "stage": "GA", "title": "Access Transparency Admin" }, { "description": "Provides full access to all Backup and DR resources. ", "etag": "AA==", "name": "roles/backupdr.admin", "stage": "GA", "title": "Backup and DR Admin" }, { "description": "Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.", "etag": "AA==", "name": "roles/backupdr.backupUser", "stage": "GA", "title": "Backup and DR Backup User" }, { "description": "Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.", "etag": "AA==", "has_dataaccess": true, "name": "roles/backupdr.cloudStorageOperator", "stage": "GA", "title": "Backup and DR Cloud Storage Operator" }, { "description": "Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/backupdr.computeEngineOperator", "stage": "GA", "title": "Backup and DR Compute Engine Operator" }, { "description": "Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.", "etag": "AA==", "name": "roles/backupdr.mountUser", "stage": "GA", "title": "Backup and DR Mount User" }, { "description": "Allows the user to restore or mount from a backup. This role cannot create a backup plan.", "etag": "AA==", "name": "roles/backupdr.restoreUser", "stage": "GA", "title": "Backup and DR Restore User" }, { "description": "Grants the Backup and DR Service access to protect GCE instances.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/backupdr.serviceAgent", "stage": "GA", "title": "Backup and DR Service Agent" }, { "description": "Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.", "etag": "AA==", "name": "roles/backupdr.user", "stage": "GA", "title": "Backup and DR User" }, { "description": "Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.", "etag": "AA==", "name": "roles/backupdr.userv2", "stage": "GA", "title": "Backup and DR User V2" }, { "description": "Provides read-only access to all Backup and DR resources.", "etag": "AA==", "name": "roles/backupdr.viewer", "stage": "GA", "title": "Backup and DR Viewer" }, { "description": "Administrator of Bare Metal Solution resources", "etag": "AA==", "name": "roles/baremetalsolution.admin", "stage": "GA", "title": "Bare Metal Solution Admin" }, { "description": "Editor of Bare Metal Solution resources", "etag": "AA==", "name": "roles/baremetalsolution.editor", "stage": "GA", "title": "Bare Metal Solution Editor" }, { "description": "Admin of Bare Metal Solution Instance resources", "etag": "AA==", "name": "roles/baremetalsolution.instancesadmin", "stage": "GA", "title": "Bare Metal Solution Instances Admin" }, { "description": "Viewer of Bare Metal Solution Instance resources", "etag": "AA==", "name": "roles/baremetalsolution.instancesviewer", "stage": "GA", "title": "Bare Metal Solution Instances Viewer" }, { "description": "Administrator of Bare Metal Solution Lun resources", "etag": "AA==", "name": "roles/baremetalsolution.lunsadmin", "stage": "GA", "title": "Luns Admin" }, { "description": "Viewer of Bare Metal Solution Lun resources", "etag": "AA==", "name": "roles/baremetalsolution.lunsviewer", "stage": "GA", "title": "Luns Viewer" }, { "description": "Administrator of Bare Metal Solution maintenance events resources", "etag": "AA==", "name": "roles/baremetalsolution.maintenanceeventsadmin", "stage": "GA", "title": "Maintenance Events Admin" }, { "description": "Editor of Bare Metal Solution maintenance events resources", "etag": "AA==", "name": "roles/baremetalsolution.maintenanceeventseditor", "stage": "GA", "title": "Maintenance Events Editor" }, { "description": "Viewer of Bare Metal Solution maintenance events resources", "etag": "AA==", "name": "roles/baremetalsolution.maintenanceeventsviewer", "stage": "GA", "title": "Maintenance Events Viewer" }, { "description": "Admin of Bare Metal Solution networks resources", "etag": "AA==", "name": "roles/baremetalsolution.networksadmin", "stage": "GA", "title": "Networks Admin" }, { "description": "Administrator of Bare Metal Solution NFS Share resources", "etag": "AA==", "name": "roles/baremetalsolution.nfssharesadmin", "stage": "GA", "title": "NFS Shares Admin" }, { "description": "Editor of Bare Metal Solution NFS Share resources", "etag": "AA==", "name": "roles/baremetalsolution.nfsshareseditor", "stage": "GA", "title": "NFS Shares Editor" }, { "description": "Viewer of Bare Metal Solution NFS Share resources", "etag": "AA==", "name": "roles/baremetalsolution.nfssharesviewer", "stage": "GA", "title": "NFS Shares Viewer" }, { "description": "Viewer of Bare Metal Solution OS images resources", "etag": "AA==", "name": "roles/baremetalsolution.osimagesviewer", "stage": "GA", "title": "OS Images Viewer" }, { "description": "Administrator of Bare Metal Solution Procurements", "etag": "AA==", "name": "roles/baremetalsolution.procurementsadmin", "stage": "GA", "title": "Bare Metal Solution Procurements Admin" }, { "description": "Editor of Bare Metal Solution Procurements", "etag": "AA==", "name": "roles/baremetalsolution.procurementseditor", "stage": "GA", "title": "Bare Metal Solution Procurements Editor" }, { "description": "Viewer of Bare Metal Solution Procurements", "etag": "AA==", "name": "roles/baremetalsolution.procurementsviewer", "stage": "GA", "title": "Bare Metal Solution Procurements Viewer" }, { "description": "Gives permission to manage network resources such as interconnect pairing keys, required for Bare Metal Solution.", "etag": "AA==", "name": "roles/baremetalsolution.serviceAgent", "stage": "GA", "title": "Bare Metal Solution Service Agent" }, { "description": "Administrator of Bare Metal Solution storage resources", "etag": "AA==", "name": "roles/baremetalsolution.storageadmin", "stage": "GA", "title": "Bare Metal Solution Storage Admin" }, { "description": "Viewer of Bare Metal Solution resources", "etag": "AA==", "name": "roles/baremetalsolution.viewer", "stage": "GA", "title": "Bare Metal Solution Viewer" }, { "description": "Administrator of Bare Metal Solution volume resources", "etag": "AA==", "name": "roles/baremetalsolution.volumesadmin", "stage": "GA", "title": "Volume Admin" }, { "description": "Editor of Bare Metal Solution volumes resources", "etag": "AA==", "name": "roles/baremetalsolution.volumeseditor", "stage": "GA", "title": "Volumes Editor" }, { "description": "Administrator of Bare Metal Solution snapshots resources", "etag": "AA==", "name": "roles/baremetalsolution.volumesnapshotsadmin", "stage": "GA", "title": "Snapshots Admin" }, { "description": "Editor of Bare Metal Solution snapshots resources", "etag": "AA==", "name": "roles/baremetalsolution.volumesnapshotseditor", "stage": "GA", "title": "Snapshots Editor" }, { "description": "Viewer of Bare Metal Solution snapshots resources", "etag": "AA==", "name": "roles/baremetalsolution.volumesnapshotsviewer", "stage": "GA", "title": "Snapshots Viewer" }, { "description": "Viewer of Bare Metal Solution volumes resources", "etag": "AA==", "name": "roles/baremetalsolution.volumessviewer", "stage": "GA", "title": "Volumes Viewer" }, { "description": "Reporter of Batch agent states.", "etag": "AA==", "name": "roles/batch.agentReporter", "stage": "BETA", "title": "Batch Agent Reporter" }, { "description": "Editor of Batch Jobs", "etag": "AA==", "name": "roles/batch.jobsEditor", "stage": "BETA", "title": "Batch Job Editor" }, { "description": "Viewer of Batch Jobs, Task Groups and Tasks", "etag": "AA==", "name": "roles/batch.jobsViewer", "stage": "BETA", "title": "Batch Job Viewer" }, { "description": "Gives Google Batch account access to manage customer resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/batch.serviceAgent", "stage": "GA", "title": "Google Batch Service Agent" }, { "description": "Full access to all Cloud BeyondCorp resources.", "etag": "AA==", "name": "roles/beyondcorp.admin", "stage": "BETA", "title": "Cloud BeyondCorp Admin" }, { "description": "Full access to all BeyondCorp Client Connector resources.", "etag": "AA==", "name": "roles/beyondcorp.clientConnectorAdmin", "stage": "BETA", "title": "Cloud BeyondCorp Client Connector Admin" }, { "description": "Access Client Connector Service", "etag": "AA==", "name": "roles/beyondcorp.clientConnectorServiceUser", "stage": "BETA", "title": "Cloud BeyondCorp Client Connector Service User" }, { "description": "Read-only access to all BeyondCorp Client Connector resources.", "etag": "AA==", "name": "roles/beyondcorp.clientConnectorViewer", "stage": "BETA", "title": "Cloud BeyondCorp Client Connector Viewer" }, { "description": "Delegates access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.", "etag": "AA==", "name": "roles/beyondcorp.partnerServiceDelegateAdmin", "stage": "BETA", "title": "Cloud BeyondCorp Partner Service Delegate Admin" }, { "description": "Delegates read-only access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.", "etag": "AA==", "name": "roles/beyondcorp.partnerServiceDelegateViewer", "stage": "BETA", "title": "Cloud BeyondCorp Partner Service Delegate Viewer" }, { "description": "Full access to all BeyondCorp Subscription resources.", "etag": "AA==", "name": "roles/beyondcorp.subscriptionAdmin", "stage": "BETA", "title": "Cloud BeyondCorp Subscription Admin" }, { "description": "Read-only access to all BeyondCorp Subscription resources.", "etag": "AA==", "name": "roles/beyondcorp.subscriptionViewer", "stage": "BETA", "title": "Cloud BeyondCorp Subscription Viewer" }, { "description": "Read-only access to all Cloud BeyondCorp resources.", "etag": "AA==", "name": "roles/beyondcorp.viewer", "stage": "BETA", "title": "Cloud BeyondCorp Viewer" }, { "description": "Provides full access to all BigLake resources.", "etag": "AA==", "name": "roles/biglake.admin", "stage": "GA", "title": "BigLake Admin" }, { "description": "Provides read-only access to all BigLake resources.", "etag": "AA==", "name": "roles/biglake.viewer", "stage": "GA", "title": "BigLake Viewer" }, { "description": "Administer all BigQuery resources and data", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/bigquery.admin", "stage": "GA", "title": "BigQuery Admin" }, { "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/bigquery.connectionAdmin", "stage": "GA", "title": "BigQuery Connection Admin" }, { "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "name": "roles/bigquery.connectionUser", "stage": "GA", "title": "BigQuery Connection User" }, { "description": "Access to edit all the contents of datasets", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/bigquery.dataEditor", "stage": "GA", "title": "BigQuery Data Editor" }, { "description": "Full access to datasets and all of their contents", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/bigquery.dataOwner", "stage": "GA", "title": "BigQuery Data Owner" }, { "description": "Access to view datasets and all of their contents", "etag": "AA==", "has_dataaccess": true, "name": "roles/bigquery.dataViewer", "stage": "GA", "title": "BigQuery Data Viewer" }, { "description": "Access to view filtered table data defined by a row access policy", "etag": "AA==", "has_dataaccess": true, "name": "roles/bigquery.filteredDataViewer", "stage": "GA", "title": "BigQuery Filtered Data Viewer" }, { "description": "Access to run jobs", "etag": "AA==", "name": "roles/bigquery.jobUser", "stage": "GA", "title": "BigQuery Job User" }, { "description": "Access to view table and dataset metadata", "etag": "AA==", "name": "roles/bigquery.metadataViewer", "stage": "GA", "title": "BigQuery Metadata Viewer" }, { "description": "Access to create and use read sessions", "etag": "AA==", "name": "roles/bigquery.readSessionUser", "stage": "GA", "title": "BigQuery Read Session User" }, { "description": "Administers BigQuery workloads, including slot assignments, commitments, and reservations.", "etag": "AA==", "name": "roles/bigquery.resourceAdmin", "stage": "GA", "title": "BigQuery Resource Admin" }, { "description": "Manages BigQuery workloads, but is unable to create or modify slot commitments.", "etag": "AA==", "name": "roles/bigquery.resourceEditor", "stage": "GA", "title": "BigQuery Resource Editor" }, { "description": "Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.", "etag": "AA==", "name": "roles/bigquery.resourceViewer", "stage": "GA", "title": "BigQuery Resource Viewer" }, { "description": "Combination role of BigQuery Admin, Dataform Admin, and Notebook Runtime Admin.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/bigquery.studioAdmin", "stage": "GA", "title": "BigQuery Studio Admin" }, { "description": "Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, and Notebook Runtime User.", "etag": "AA==", "name": "roles/bigquery.studioUser", "stage": "GA", "title": "BigQuery Studio User" }, { "description": "When applied to a project, access to run queries, create datasets, read dataset metadata, and list tables. When applied to a dataset, access to read dataset metadata and list tables within the dataset.", "etag": "AA==", "name": "roles/bigquery.user", "stage": "GA", "title": "BigQuery User" }, { "description": "Gives BigQuery Connection Service access to Cloud SQL instances in user projects.", "etag": "AA==", "name": "roles/bigqueryconnection.serviceAgent", "stage": "GA", "title": "BigQuery Connection Service Agent" }, { "description": "Gives BigQuery Continuous Query access to the service accounts in the user project.", "etag": "AA==", "has_privesc": true, "name": "roles/bigquerycontinuousquery.serviceAgent", "stage": "GA", "title": "BigQuery Continuous Query Service Agent" }, { "description": "Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns", "etag": "AA==", "name": "roles/bigquerydatapolicy.maskedReader", "stage": "GA", "title": "Masked Reader" }, { "description": "Gives BigQuery Data Transfer Service access to start bigquery jobs in consumer project. ", "etag": "AA==", "has_privesc": true, "name": "roles/bigquerydatatransfer.serviceAgent", "stage": "GA", "title": "BigQuery Data Transfer Service Agent" }, { "description": "Editor of EDW migration workflows.", "etag": "AA==", "name": "roles/bigquerymigration.editor", "stage": "GA", "title": "MigrationWorkflow Editor" }, { "description": "Orchestrator of EDW migration tasks.", "etag": "AA==", "name": "roles/bigquerymigration.orchestrator", "stage": "GA", "title": "Task Orchestrator" }, { "description": "User of EDW migration interactive SQL translation service.", "etag": "AA==", "name": "roles/bigquerymigration.translationUser", "stage": "GA", "title": "Migration Translation User" }, { "description": "Viewer of EDW migration MigrationWorkflow.", "etag": "AA==", "name": "roles/bigquerymigration.viewer", "stage": "GA", "title": "MigrationWorkflow Viewer" }, { "description": "Worker that executes EDW migration subtasks.", "etag": "AA==", "has_dataaccess": true, "name": "roles/bigquerymigration.worker", "stage": "GA", "title": "Task Worker" }, { "description": "Gives BigQuery Omni access to tables in user projects.", "etag": "AA==", "name": "roles/bigqueryomni.serviceAgent", "stage": "GA", "title": "BigQuery Omni Service Agent" }, { "description": "Gives BigQuery Spark access to the service accounts in the user project.", "etag": "AA==", "has_privesc": true, "name": "roles/bigqueryspark.serviceAgent", "stage": "GA", "title": "BigQuery Spark Service Agent" }, { "description": "Full access to all Bigtable resources and ability to assign Bigtable IAM roles.", "etag": "AA==", "name": "roles/bigtable.admin", "stage": "GA", "title": "Bigtable Administrator" }, { "description": "Read access to data in existing tables; read access to metadata for instances, clusters, and tables, including column families.", "etag": "AA==", "name": "roles/bigtable.reader", "stage": "GA", "title": "Bigtable Reader" }, { "description": "Read and write access to data in existing tables; read access to metadata for instances, clusters, and tables, including column families.", "etag": "AA==", "name": "roles/bigtable.user", "stage": "GA", "title": "Bigtable User" }, { "description": "Read access to metadata for instances, clusters, and tables, including column families.", "etag": "AA==", "name": "roles/bigtable.viewer", "stage": "GA", "title": "Bigtable Viewer" }, { "description": "Authorized to see and manage all aspects of billing accounts.", "etag": "AA==", "has_privesc": true, "name": "roles/billing.admin", "stage": "GA", "title": "Billing Account Administrator" }, { "etag": "AA==", "name": "roles/billing.carbonViewer", "stage": "GA", "title": "Carbon Footprint Viewer" }, { "description": "Can view and export cost information of billing accounts.", "etag": "AA==", "name": "roles/billing.costsManager", "stage": "GA", "title": "Billing Account Costs Manager" }, { "description": "Creator of billing accounts.", "etag": "AA==", "name": "roles/billing.creator", "stage": "GA", "title": "Billing Account Creator" }, { "description": "Can assign a project's billing account or disable its billing.", "etag": "AA==", "name": "roles/billing.projectManager", "stage": "GA", "title": "Project Billing Manager" }, { "description": "Can associate projects with billing accounts", "etag": "AA==", "name": "roles/billing.user", "stage": "GA", "title": "Billing Account User" }, { "description": "Can view information about billing accounts.", "etag": "AA==", "name": "roles/billing.viewer", "stage": "GA", "title": "Billing Account Viewer" }, { "description": "Adminstrator of Binary Authorization Attestors", "etag": "AA==", "name": "roles/binaryauthorization.attestorsAdmin", "stage": "GA", "title": "Binary Authorization Attestor Admin" }, { "description": "Editor of Binary Authorization Attestors", "etag": "AA==", "name": "roles/binaryauthorization.attestorsEditor", "stage": "GA", "title": "Binary Authorization Attestor Editor" }, { "description": "Caller of Binary Authorization Attestors VerifyImageAttested", "etag": "AA==", "name": "roles/binaryauthorization.attestorsVerifier", "stage": "GA", "title": "Binary Authorization Attestor Image Verifier" }, { "description": "Viewer of Binary Authorization Attestors", "etag": "AA==", "name": "roles/binaryauthorization.attestorsViewer", "stage": "GA", "title": "Binary Authorization Attestor Viewer" }, { "description": "Administrator of Binary Authorization Policy", "etag": "AA==", "name": "roles/binaryauthorization.policyAdmin", "stage": "GA", "title": "Binary Authorization Policy Administrator" }, { "description": "Editor of Binary Authorization Policy", "etag": "AA==", "name": "roles/binaryauthorization.policyEditor", "stage": "GA", "title": "Binary Authorization Policy Editor" }, { "description": "Evaluator of Binary Authorization Policy", "etag": "AA==", "name": "roles/binaryauthorization.policyEvaluator", "stage": "BETA", "title": "Binary Authorization Policy Evaluator" }, { "description": "Viewer of Binary Authorization Policy", "etag": "AA==", "name": "roles/binaryauthorization.policyViewer", "stage": "GA", "title": "Binary Authorization Policy Viewer" }, { "description": "Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.", "etag": "AA==", "name": "roles/binaryauthorization.serviceAgent", "stage": "GA", "title": "Binary Authorization Service Agent" }, { "description": "Full access to Blockchain Node Engine resources.", "etag": "AA==", "name": "roles/blockchainnodeengine.admin", "stage": "GA", "title": "Blockchain Node Engine Admin" }, { "description": "Grants Blockchain Node Engine access to metrics in user project", "etag": "AA==", "name": "roles/blockchainnodeengine.serviceAgent", "title": "Blockchain Node Engine Service Agent" }, { "description": "Readonly access to Blockchain Node Engine resources.", "etag": "AA==", "name": "roles/blockchainnodeengine.viewer", "stage": "GA", "title": "Blockchain Node Engine Viewer" }, { "description": "Access to browse GCP resources.", "etag": "AA==", "name": "roles/browser", "stage": "GA", "title": "Browser" }, { "description": "Read-only access to Capacity Planner usage resources", "etag": "AA==", "name": "roles/capacityplanner.viewer", "stage": "BETA", "title": "Capacity Planner Usage Viewer" }, { "description": "This role can view all properties of Patients.", "etag": "AA==", "name": "roles/carestudio.viewer", "stage": "GA", "title": "Care Studio Patients Viewer" }, { "description": "Edit access to Certificate Manager all resources.", "etag": "AA==", "name": "roles/certificatemanager.editor", "stage": "GA", "title": "Certificate Manager Editor" }, { "description": "Full access to Certificate Manager all resources.", "etag": "AA==", "name": "roles/certificatemanager.owner", "stage": "GA", "title": "Certificate Manager Owner" }, { "description": "Grants Certificate Manager access to services and APIs in the user project.", "etag": "AA==", "name": "roles/certificatemanager.serviceAgent", "stage": "GA", "title": "Certificate Manager Service Agent" }, { "description": "Read-only access to Certificate Manager all resources.", "etag": "AA==", "name": "roles/certificatemanager.viewer", "stage": "GA", "title": "Certificate Manager Viewer" }, { "description": "Can view and modify app configurations", "etag": "AA==", "name": "roles/chat.owner", "stage": "GA", "title": "Chat Apps Owner" }, { "description": "Can view app configurations", "etag": "AA==", "name": "roles/chat.reader", "stage": "GA", "title": "Chat Apps Viewer" }, { "description": "Full access to the Chronicle API services, including global settings.", "etag": "AA==", "name": "roles/chronicle.admin", "stage": "GA", "title": "Chronicle API Admin" }, { "description": "Modify Access to Chronicle API resources.", "etag": "AA==", "name": "roles/chronicle.editor", "stage": "GA", "title": "Chronicle API Editor" }, { "description": "Grants readonly access to Chronicle API resources, excluding Rules and Retrohunts.", "etag": "AA==", "name": "roles/chronicle.limitedViewer", "stage": "GA", "title": "Chronicle API Limited Viewer" }, { "description": "Grants access to data controlled by Data Access Scopes. Intended to be refined by IAM Conditions.", "etag": "AA==", "name": "roles/chronicle.restrictedDataAccess", "stage": "BETA", "title": "Chronicle API Restricted Data Access" }, { "description": "Grants readonly access to Chronicle API resources without global data access scope.", "etag": "AA==", "name": "roles/chronicle.restrictedDataAccessViewer", "stage": "BETA", "title": "Chronicle API Restricted Data Access Viewer" }, { "description": "Grants Chronicle scoped access to customer project", "etag": "AA==", "name": "roles/chronicle.serviceAgent", "stage": "GA", "title": "Chronicle Service Agent" }, { "description": "Grants admin access to Chronicle SOAR.", "etag": "AA==", "name": "roles/chronicle.soarAdmin", "stage": "BETA", "title": "Chronicle SOAR Admin" }, { "description": "Gives Chronicle SOAR the ability to perform remediation on Cloud Platform resources.", "etag": "AA==", "name": "roles/chronicle.soarServiceAgent", "stage": "GA", "title": "Chronicle SOAR Service Agent" }, { "description": "Grants threat manager access to Chronicle SOAR.", "etag": "AA==", "name": "roles/chronicle.soarThreatManager", "stage": "BETA", "title": "Chronicle SOAR Threat Manager" }, { "description": "Grants vulnerability manager access to Chronicle SOAR.", "etag": "AA==", "name": "roles/chronicle.soarVulnerabilityManager", "stage": "BETA", "title": "Chronicle SOAR Vulnerability Manager" }, { "description": "Readonly access to the Chronicle API resources.", "etag": "AA==", "name": "roles/chronicle.viewer", "stage": "GA", "title": "Chronicle API Viewer" }, { "description": "Admins can view and modify Chronicle service details.", "etag": "AA==", "name": "roles/chroniclesm.admin", "stage": "GA", "title": "Chronicle Service Admin" }, { "description": "Viewers can see Chronicle service details but not change them.", "etag": "AA==", "name": "roles/chroniclesm.viewer", "stage": "GA", "title": "Chronicle Service Viewer" }, { "description": "Read and enumerate locations available for resource creation.", "etag": "AA==", "name": "roles/cloud.locationReader", "stage": "BETA", "title": "Location reader" }, { "description": "A user who can receive assistance from Cloud AI Companion", "etag": "AA==", "name": "roles/cloudaicompanion.user", "stage": "BETA", "title": "Cloud AI Companion User" }, { "description": "Give effective policy service account access to search all resources and IAM policies.", "etag": "AA==", "name": "roles/cloudasset.effectivePolicyServiceAgent", "stage": "GA", "title": "Effective Policies Service Agent" }, { "description": "Full access to cloud assets metadata", "etag": "AA==", "name": "roles/cloudasset.owner", "stage": "GA", "title": "Cloud Asset Owner" }, { "description": "Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudasset.serviceAgent", "stage": "GA", "title": "Cloud Asset Service Agent" }, { "description": "Read only access to cloud assets metadata", "etag": "AA==", "name": "roles/cloudasset.viewer", "stage": "GA", "title": "Cloud Asset Viewer" }, { "description": "Can approve or reject pending builds.", "etag": "AA==", "name": "roles/cloudbuild.builds.approver", "stage": "GA", "title": "Cloud Build Approver" }, { "description": "Can perform builds", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/cloudbuild.builds.builder", "stage": "GA", "title": "Cloud Build Service Account" }, { "description": "Can create and cancel builds", "etag": "AA==", "has_privesc": true, "name": "roles/cloudbuild.builds.editor", "stage": "GA", "title": "Cloud Build Editor" }, { "description": "Can view builds", "etag": "AA==", "name": "roles/cloudbuild.builds.viewer", "stage": "GA", "title": "Cloud Build Viewer" }, { "description": "Can manage connections and repositories.", "etag": "AA==", "has_privesc": true, "name": "roles/cloudbuild.connectionAdmin", "stage": "GA", "title": "Cloud Build Connection Admin" }, { "description": "Can view and list connections and repositories.", "etag": "AA==", "name": "roles/cloudbuild.connectionViewer", "stage": "GA", "title": "Cloud Build Connection Viewer" }, { "description": "Can update Integrations", "etag": "AA==", "name": "roles/cloudbuild.integrationsEditor", "stage": "GA", "title": "Cloud Build Integrations Editor" }, { "description": "Can create/delete Integrations", "etag": "AA==", "name": "roles/cloudbuild.integrationsOwner", "stage": "GA", "title": "Cloud Build Integrations Owner" }, { "description": "Can view Integrations", "etag": "AA==", "name": "roles/cloudbuild.integrationsViewer", "stage": "GA", "title": "Cloud Build Integrations Viewer" }, { "description": "Gives the Cloud Build logging-specific service account access to write logs.", "etag": "AA==", "name": "roles/cloudbuild.loggingServiceAgent", "stage": "GA", "title": "Cloud Build Logging Service Agent" }, { "description": "Can view the connection and access its read-only token.", "etag": "AA==", "name": "roles/cloudbuild.readTokenAccessor", "stage": "GA", "title": "Cloud Build Read Only Token Accessor" }, { "description": "Gives Cloud Build service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/cloudbuild.serviceAgent", "stage": "GA", "title": "Cloud Build Service Agent" }, { "description": "Can view the connection and access its read/write and read-only tokens.", "etag": "AA==", "name": "roles/cloudbuild.tokenAccessor", "stage": "GA", "title": "Cloud Build Token Accessor" }, { "description": "Can update and view WorkerPools", "etag": "AA==", "name": "roles/cloudbuild.workerPoolEditor", "stage": "GA", "title": "Cloud Build WorkerPool Editor" }, { "description": "Can create, delete, update, and view WorkerPools", "etag": "AA==", "name": "roles/cloudbuild.workerPoolOwner", "stage": "GA", "title": "Cloud Build WorkerPool Owner" }, { "description": "Can run builds in the WorkerPool", "etag": "AA==", "name": "roles/cloudbuild.workerPoolUser", "stage": "GA", "title": "Cloud Build WorkerPool User" }, { "description": "Can view WorkerPools", "etag": "AA==", "name": "roles/cloudbuild.workerPoolViewer", "stage": "GA", "title": "Cloud Build WorkerPool Viewer" }, { "description": "Full access to Firebase Remote Config resources.", "etag": "AA==", "name": "roles/cloudconfig.admin", "stage": "GA", "title": "Firebase Remote Config Admin" }, { "description": "Gives Infrastructure Manager service agent access to managed resources", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/cloudconfig.serviceAgent", "stage": "GA", "title": "Infrastructure Manager Service Agent" }, { "description": "Read access to Firebase Remote Config resources.", "etag": "AA==", "name": "roles/cloudconfig.viewer", "stage": "GA", "title": "Firebase Remote Config Viewer" }, { "description": "Gives the Partner Console service account access to read Access Approval Requests for workloads associated with a partner.", "etag": "AA==", "name": "roles/cloudcontrolspartner.accessApprovalServiceAgent", "stage": "GA", "title": "Cloud Controls Partner Access Approval Service Agent" }, { "description": "Full access to Cloud Controls Partner resources.", "etag": "AA==", "name": "roles/cloudcontrolspartner.admin", "stage": "GA", "title": "Cloud Controls Partner Admin" }, { "description": "Editor access to Cloud Controls Partner resources.", "etag": "AA==", "name": "roles/cloudcontrolspartner.editor", "stage": "GA", "title": "Cloud Controls Partner Editor" }, { "description": "Gives Cloud Controls Partner service agent permission to list EKM connections, get EKM connection status, and provide EKM diagnostic information.", "etag": "AA==", "name": "roles/cloudcontrolspartner.ekmServiceAgent", "stage": "GA", "title": "Cloud Controls Partner EKM Service Agent" }, { "description": "Readonly access to Cloud Controls Partner inspectability resources.", "etag": "AA==", "name": "roles/cloudcontrolspartner.inspectabilityReader", "stage": "GA", "title": "Cloud Controls Partner Inspectability Reader" }, { "description": "Readonly access to Cloud Controls Partner monitoring resources.", "etag": "AA==", "name": "roles/cloudcontrolspartner.monitoringReader", "stage": "GA", "title": "Cloud Controls Partner Monitoring Reader" }, { "description": "Gives Cloud Controls Partner monitoring service agent permission to view and list Assured Workload violations. The role is assigned to enable partner monitoring capability.", "etag": "AA==", "name": "roles/cloudcontrolspartner.monitoringServiceAgent", "stage": "GA", "title": "Cloud Controls Partner Monitoring Service Agent" }, { "description": "Readonly access to Cloud Controls Partner resources.", "etag": "AA==", "name": "roles/cloudcontrolspartner.reader", "stage": "GA", "title": "Cloud Controls Partner Reader" }, { "description": "Cloud Debugger agents are allowed to register and provide debug snapshot data.", "etag": "AA==", "name": "roles/clouddebugger.agent", "stage": "BETA", "title": "Cloud Debugger Agent" }, { "description": "User Access to Cloud Debugger. Can create, delete and view snapshots and logpoints.", "etag": "AA==", "name": "roles/clouddebugger.user", "stage": "BETA", "title": "Cloud Debugger User" }, { "description": "Full control of Cloud Deploy resources.", "etag": "AA==", "name": "roles/clouddeploy.admin", "stage": "GA", "title": "Cloud Deploy Admin" }, { "description": "Permission to approve or reject rollouts.", "etag": "AA==", "name": "roles/clouddeploy.approver", "stage": "GA", "title": "Cloud Deploy Approver" }, { "description": "Permission to manage CustomTargetType resources", "etag": "AA==", "name": "roles/clouddeploy.customTargetTypeAdmin", "stage": "BETA", "title": "Cloud Deploy Custom Target Type Admin" }, { "description": "Permission to manage deployment configuration without permission to access operational resources, such as targets.", "etag": "AA==", "name": "roles/clouddeploy.developer", "stage": "GA", "title": "Cloud Deploy Developer" }, { "description": "Permission to execute Cloud Deploy work without permission to deliver to a target.", "etag": "AA==", "has_dataaccess": true, "name": "roles/clouddeploy.jobRunner", "stage": "GA", "title": "Cloud Deploy Runner" }, { "description": "Permission to manage deployment configuration.", "etag": "AA==", "name": "roles/clouddeploy.operator", "stage": "GA", "title": "Cloud Deploy Operator" }, { "description": "Permission to create Cloud Deploy releases and rollouts.", "etag": "AA==", "name": "roles/clouddeploy.releaser", "stage": "GA", "title": "Cloud Deploy Releaser" }, { "description": "Gives Cloud Deploy Service Account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/clouddeploy.serviceAgent", "stage": "GA", "title": "Cloud Deploy Service Agent" }, { "description": "Can view Cloud Deploy resources.", "etag": "AA==", "name": "roles/clouddeploy.viewer", "stage": "GA", "title": "Cloud Deploy Viewer" }, { "description": "Allows Deployment Manager service to actuate resources across DM projects and folders", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/clouddeploymentmanager.serviceAgent", "stage": "GA", "title": "Cloud Deployment Manager Service Agent" }, { "description": "Full access to functions, operations and locations.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/cloudfunctions.admin", "stage": "GA", "title": "Cloud Functions Admin" }, { "description": "Read and write access to all functions-related resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "name": "roles/cloudfunctions.developer", "stage": "GA", "title": "Cloud Functions Developer" }, { "description": "Ability to invoke 1st gen HTTP functions with restricted access. 2nd gen functions need the Cloud Run Invoker role instead.", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudfunctions.invoker", "stage": "GA", "title": "Cloud Functions Invoker" }, { "description": "Gives Cloud Functions service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/cloudfunctions.serviceAgent", "stage": "GA", "title": "Cloud Functions Service Agent" }, { "description": "Read-only access to functions and locations.", "etag": "AA==", "name": "roles/cloudfunctions.viewer", "stage": "GA", "title": "Cloud Functions Viewer" }, { "description": "Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.", "etag": "AA==", "name": "roles/cloudiot.serviceAgent", "stage": "GA", "title": "Cloud IoT Core Service Agent" }, { "description": "Access to Cloud Talent Solution Self-Service Tools.", "etag": "AA==", "name": "roles/cloudjobdiscovery.admin", "stage": "GA", "title": "Admin" }, { "description": "Write access to all job data in Cloud Talent Solution.", "etag": "AA==", "name": "roles/cloudjobdiscovery.jobsEditor", "stage": "GA", "title": "Job Editor" }, { "description": "Read access to all job data in Cloud Talent Solution.", "etag": "AA==", "name": "roles/cloudjobdiscovery.jobsViewer", "stage": "GA", "title": "Job Viewer" }, { "description": "Write access to all profile data in Cloud Talent Solution.", "etag": "AA==", "name": "roles/cloudjobdiscovery.profilesEditor", "stage": "GA", "title": "Profile Editor" }, { "description": "Read access to all profile data in Cloud Talent Solution.", "etag": "AA==", "name": "roles/cloudjobdiscovery.profilesViewer", "stage": "GA", "title": "Profile Viewer" }, { "description": "Enables management of crypto resources.", "etag": "AA==", "name": "roles/cloudkms.admin", "stage": "GA", "title": "Cloud KMS Admin" }, { "description": "Enables management of AutokeyConfig.", "etag": "AA==", "name": "roles/cloudkms.autokeyAdmin", "title": "Cloud KMS Autokey Admin" }, { "description": "Grants ability to use KeyHandle resources.", "etag": "AA==", "name": "roles/cloudkms.autokeyUser", "title": "Cloud KMS Autokey User" }, { "description": "Enables Decrypt operations", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyDecrypter", "stage": "GA", "title": "Cloud KMS CryptoKey Decrypter" }, { "description": "Enables Decrypt operations via other GCP services", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyDecrypterViaDelegation", "stage": "GA", "title": "Cloud KMS CryptoKey Decrypter Via Delegation" }, { "description": "Enables Encrypt operations", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyEncrypter", "stage": "GA", "title": "Cloud KMS CryptoKey Encrypter" }, { "description": "Enables Encrypt and Decrypt operations", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "stage": "GA", "title": "Cloud KMS CryptoKey Encrypter/Decrypter" }, { "description": "Enables Encrypt and Decrypt operations via other GCP services", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation", "stage": "GA", "title": "Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation" }, { "description": "Enables Encrypt operations via other GCP services", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyEncrypterViaDelegation", "stage": "GA", "title": "Cloud KMS CryptoKey Encrypter Via Delegation" }, { "description": "Enables all Crypto Operations.", "etag": "AA==", "name": "roles/cloudkms.cryptoOperator", "stage": "GA", "title": "Cloud KMS Crypto Operator" }, { "description": "Enables management of EkmConnections.", "etag": "AA==", "name": "roles/cloudkms.ekmConnectionsAdmin", "stage": "GA", "title": "Cloud KMS EkmConnections Admin" }, { "description": "Enables raw AES-CBC keys management.", "etag": "AA==", "name": "roles/cloudkms.expertRawAesCbc", "stage": "GA", "title": "Cloud KMS Expert Raw AES-CBC Key Manager" }, { "description": "Enables raw AES-CTR keys management.", "etag": "AA==", "name": "roles/cloudkms.expertRawAesCtr", "stage": "GA", "title": "Cloud KMS Expert Raw AES-CTR Key Manager" }, { "description": "Enables raw PKCS#1 keys management.", "etag": "AA==", "name": "roles/cloudkms.expertRawPKCS1", "stage": "GA", "title": "Cloud KMS Expert Raw PKCS#1 Key Manager" }, { "description": "Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations", "etag": "AA==", "name": "roles/cloudkms.importer", "stage": "GA", "title": "Cloud KMS Importer" }, { "description": "Gives Cloud KMS organization-level service account access to managed resources.", "etag": "AA==", "name": "roles/cloudkms.orgServiceAgent", "stage": "GA", "title": "Cloud KMS Organization Service Agent" }, { "description": "Enables viewing protected resources.", "etag": "AA==", "name": "roles/cloudkms.protectedResourcesViewer", "stage": "GA", "title": "Cloud KMS Protected Resources Viewer" }, { "description": "Enables GetPublicKey operations", "etag": "AA==", "name": "roles/cloudkms.publicKeyViewer", "stage": "GA", "title": "Cloud KMS CryptoKey Public Key Viewer" }, { "description": "Gives Cloud KMS service account access to managed resources.", "etag": "AA==", "name": "roles/cloudkms.serviceAgent", "stage": "GA", "title": "Cloud KMS Service Agent" }, { "description": "Enables Sign operations", "etag": "AA==", "name": "roles/cloudkms.signer", "stage": "GA", "title": "Cloud KMS CryptoKey Signer" }, { "description": "Enables Sign, Verify, and GetPublicKey operations", "etag": "AA==", "name": "roles/cloudkms.signerVerifier", "stage": "GA", "title": "Cloud KMS CryptoKey Signer/Verifier" }, { "description": "Enables Verify and GetPublicKey operations", "etag": "AA==", "name": "roles/cloudkms.verifier", "stage": "GA", "title": "Cloud KMS CryptoKey Verifier" }, { "description": "Enables Get and List operations.", "etag": "AA==", "name": "roles/cloudkms.viewer", "stage": "GA", "title": "Cloud KMS Viewer" }, { "description": "Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption.", "etag": "AA==", "name": "roles/cloudkmskacls.serviceAgent", "stage": "GA", "title": "Cloud KMS KACLS Service Agent" }, { "description": "Ability to create and manage Compute VMs to run Velostrata Infrastructure", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/cloudmigration.inframanager", "stage": "BETA", "title": "Velostrata Manager" }, { "description": "Ability to access migration storage", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudmigration.storageaccess", "stage": "BETA", "title": "Velostrata Storage Access" }, { "description": "Ability to set up connection between Velostrata Manager and Google", "etag": "AA==", "name": "roles/cloudmigration.velostrataconnect", "stage": "BETA", "title": "Velostrata Manager Connection Agent" }, { "description": "Administrator of Cloud Optimization AI resources", "etag": "AA==", "name": "roles/cloudoptimization.admin", "stage": "GA", "title": "Cloud Optimization AI Admin" }, { "description": "Editor of Cloud Optimization AI resources", "etag": "AA==", "name": "roles/cloudoptimization.editor", "stage": "GA", "title": "Cloud Optimization AI Editor" }, { "description": "Grants Cloud Optimization Service Account access to read and write data in the user project.", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudoptimization.serviceAgent", "stage": "GA", "title": "Cloud Optimization Service Agent" }, { "description": "Viewer of Cloud Optimization AI resources", "etag": "AA==", "name": "roles/cloudoptimization.viewer", "stage": "GA", "title": "Cloud Optimization AI Viewer" }, { "description": "Can browse catalogs in the target resource context.", "etag": "AA==", "name": "roles/cloudprivatecatalog.consumer", "stage": "BETA", "title": "Catalog Consumer" }, { "description": "Can manage catalog and view its associations.", "etag": "AA==", "name": "roles/cloudprivatecatalogproducer.admin", "stage": "BETA", "title": "Catalog Admin" }, { "description": "Can manage associations between a catalog and a target resource.", "etag": "AA==", "name": "roles/cloudprivatecatalogproducer.manager", "stage": "BETA", "title": "Catalog Manager" }, { "description": "Can manage catalog org settings.", "etag": "AA==", "name": "roles/cloudprivatecatalogproducer.orgAdmin", "stage": "BETA", "title": "Catalog Org Admin" }, { "description": "Cloud Profiler agents are allowed to register and provide the profiling data.", "etag": "AA==", "name": "roles/cloudprofiler.agent", "stage": "GA", "title": "Cloud Profiler Agent" }, { "description": "Cloud Profiler users are allowed to query and view the profiling data.", "etag": "AA==", "name": "roles/cloudprofiler.user", "stage": "GA", "title": "Cloud Profiler User" }, { "description": "Full access to Cloud Quotas resources.", "etag": "AA==", "name": "roles/cloudquotas.admin", "stage": "BETA", "title": "Cloud Quotas Admin" }, { "description": "Readonly access to Cloud Quotas resources.", "etag": "AA==", "name": "roles/cloudquotas.viewer", "stage": "BETA", "title": "Cloud Quotas Viewer" }, { "description": "Full access to jobs and executions.", "etag": "AA==", "name": "roles/cloudscheduler.admin", "stage": "GA", "title": "Cloud Scheduler Admin" }, { "description": "Access to run jobs.", "etag": "AA==", "name": "roles/cloudscheduler.jobRunner", "stage": "GA", "title": "Cloud Scheduler Job Runner" }, { "description": "Grants Cloud Scheduler Service Account access to manage resources.", "etag": "AA==", "has_privesc": true, "name": "roles/cloudscheduler.serviceAgent", "stage": "GA", "title": "Cloud Scheduler Service Agent" }, { "description": "Get and list access to jobs, executions, and locations.", "etag": "AA==", "name": "roles/cloudscheduler.viewer", "stage": "GA", "title": "Cloud Scheduler Viewer" }, { "description": "Full access to all Web Security Scanner resources", "etag": "AA==", "name": "roles/cloudsecurityscanner.editor", "stage": "GA", "title": "Web Security Scanner Editor" }, { "description": "Read access to Scan and ScanRun, plus the ability to start scans", "etag": "AA==", "name": "roles/cloudsecurityscanner.runner", "stage": "GA", "title": "Web Security Scanner Runner" }, { "description": "Read access to all Web Security Scanner resources", "etag": "AA==", "name": "roles/cloudsecurityscanner.viewer", "stage": "GA", "title": "Web Security Scanner Viewer" }, { "description": "Full control of Cloud SQL resources.", "etag": "AA==", "name": "roles/cloudsql.admin", "stage": "GA", "title": "Cloud SQL Admin" }, { "description": "Connectivity access to Cloud SQL instances.", "etag": "AA==", "name": "roles/cloudsql.client", "stage": "GA", "title": "Cloud SQL Client" }, { "description": "Full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.", "etag": "AA==", "name": "roles/cloudsql.editor", "stage": "GA", "title": "Cloud SQL Editor" }, { "description": "Role allowing access to a Cloud SQL instance", "etag": "AA==", "name": "roles/cloudsql.instanceUser", "stage": "GA", "title": "Cloud SQL Instance User" }, { "description": "Role allowing access to the Cloud SQL instance schema on Dataplex", "etag": "AA==", "name": "roles/cloudsql.schemaViewer", "stage": "GA", "title": "Cloud SQL Schema Viewer" }, { "description": "Grants Cloud SQL access to services and APIs in the user project", "etag": "AA==", "name": "roles/cloudsql.serviceAgent", "stage": "GA", "title": "Cloud SQL Service Agent" }, { "description": "Read-only access to Cloud SQL resources.", "etag": "AA==", "name": "roles/cloudsql.viewer", "stage": "GA", "title": "Cloud SQL Viewer" }, { "description": "Allows management of a support account without giving access to support cases.", "etag": "AA==", "name": "roles/cloudsupport.admin", "stage": "GA", "title": "Support Account Administrator" }, { "description": "Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support).", "etag": "AA==", "name": "roles/cloudsupport.techSupportEditor", "stage": "GA", "title": "Tech Support Editor" }, { "description": "Read-only access to technical support cases (applicable for GCP Customer Care and Maps support).", "etag": "AA==", "name": "roles/cloudsupport.techSupportViewer", "stage": "GA", "title": "Tech Support Viewer" }, { "description": "Read-only access to details of a support account. This does not allow viewing cases.", "etag": "AA==", "name": "roles/cloudsupport.viewer", "stage": "GA", "title": "Support Account Viewer" }, { "description": "Full access to queues and tasks.", "etag": "AA==", "name": "roles/cloudtasks.admin", "stage": "BETA", "title": "Cloud Tasks Admin" }, { "description": "Access to create tasks.", "etag": "AA==", "name": "roles/cloudtasks.enqueuer", "stage": "BETA", "title": "Cloud Tasks Enqueuer" }, { "description": "Admin access to queues.", "etag": "AA==", "name": "roles/cloudtasks.queueAdmin", "stage": "BETA", "title": "Cloud Tasks Queue Admin" }, { "description": "Grants Cloud Tasks Service Account access to manage resources.", "etag": "AA==", "has_privesc": true, "name": "roles/cloudtasks.serviceAgent", "stage": "GA", "title": "Cloud Tasks Service Agent" }, { "description": "Access to delete tasks.", "etag": "AA==", "name": "roles/cloudtasks.taskDeleter", "stage": "BETA", "title": "Cloud Tasks Task Deleter" }, { "description": "Access to run tasks.", "etag": "AA==", "name": "roles/cloudtasks.taskRunner", "stage": "BETA", "title": "Cloud Tasks Task Runner" }, { "description": "Get and list access to tasks, queues, and locations.", "etag": "AA==", "name": "roles/cloudtasks.viewer", "stage": "BETA", "title": "Cloud Tasks Viewer" }, { "description": "Administrator owning access to Direct Access", "etag": "AA==", "name": "roles/cloudtestservice.directAccessAdmin", "stage": "BETA", "title": "Firebase Test Lab Direct Access Admin" }, { "description": "Viewer, able to see what direct access sessions exist", "etag": "AA==", "name": "roles/cloudtestservice.directAccessViewer", "stage": "BETA", "title": "Firebase Test Lab Direct Access Viewer" }, { "description": "Full access to all Test Lab features", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudtestservice.testAdmin", "stage": "GA", "title": "Firebase Test Lab Admin" }, { "description": "Read access to Test Lab features", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudtestservice.testViewer", "stage": "GA", "title": "Firebase Test Lab Viewer" }, { "description": "Give Cloud TPUs service account access to managed resources", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/cloudtpu.serviceAgent", "stage": "GA", "title": "Cloud TPU V2 API Service Agent" }, { "description": "Admin access to Cloud Trace.", "etag": "AA==", "name": "roles/cloudtrace.admin", "stage": "GA", "title": "Cloud Trace Admin" }, { "description": "Agent access to Cloud Trace. Can write trace data.", "etag": "AA==", "name": "roles/cloudtrace.agent", "stage": "GA", "title": "Cloud Trace Agent" }, { "description": "User access to Cloud Trace. Can view traces, insights and stats. Can create, list, view, and delete tasks.", "etag": "AA==", "name": "roles/cloudtrace.user", "stage": "GA", "title": "Cloud Trace User" }, { "description": "Full access to all Cloud Translation resources", "etag": "AA==", "name": "roles/cloudtranslate.admin", "stage": "GA", "title": "Cloud Translation API Admin" }, { "description": "Editor of all Cloud Translation resources", "etag": "AA==", "name": "roles/cloudtranslate.editor", "stage": "GA", "title": "Cloud Translation API Editor" }, { "description": "Gives Cloud Translation Service Account access to consumer resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudtranslate.serviceAgent", "stage": "GA", "title": "Cloud Translation API Service Agent" }, { "description": "User of Cloud Translation and AutoML models", "etag": "AA==", "name": "roles/cloudtranslate.user", "stage": "GA", "title": "Cloud Translation API User" }, { "description": "Viewer of all Translation resources", "etag": "AA==", "name": "roles/cloudtranslate.viewer", "stage": "GA", "title": "Cloud Translation API Viewer" }, { "description": "Admin of Commerce Agreement Publishing service", "etag": "AA==", "name": "roles/commerceagreementpublishing.admin", "stage": "BETA", "title": "Commerce Agreement Publishing Admin" }, { "description": "Viewer of Commerce Agreement Publishing service", "etag": "AA==", "name": "roles/commerceagreementpublishing.viewer", "stage": "BETA", "title": "Commerce Agreement Publishing Viewer" }, { "description": "Admin of Various Provider Configuration resources", "etag": "AA==", "name": "roles/commercebusinessenablement.admin", "stage": "BETA", "title": "Commerce Business Enablement Configuration Admin" }, { "description": "Administration of Payment Configuration resource", "etag": "AA==", "name": "roles/commercebusinessenablement.paymentConfigAdmin", "stage": "BETA", "title": "Commerce Business Enablement PaymentConfig Admin" }, { "description": "Viewer of Payment Configuration resource", "etag": "AA==", "name": "roles/commercebusinessenablement.paymentConfigViewer", "stage": "BETA", "title": "Commerce Business Enablement PaymentConfig Viewer" }, { "description": "Provides admin access to rebates", "etag": "AA==", "name": "roles/commercebusinessenablement.rebatesAdmin", "stage": "BETA", "title": "Commerce Business Enablement Rebates Admin" }, { "description": "Provides read-only access to rebates", "etag": "AA==", "name": "roles/commercebusinessenablement.rebatesViewer", "stage": "BETA", "title": "Commerce Business Enablement Rebates Viewer" }, { "description": "Provides admin access to reseller discount offers", "etag": "AA==", "name": "roles/commercebusinessenablement.resellerDiscountAdmin", "stage": "BETA", "title": "Commerce Business Enablement Reseller Discount Admin" }, { "description": "Provides read-only access to reseller discount offers", "etag": "AA==", "name": "roles/commercebusinessenablement.resellerDiscountViewer", "stage": "BETA", "title": "Commerce Business Enablement Reseller Discount Viewer" }, { "description": "Viewer of Various Provider Configuration resource", "etag": "AA==", "name": "roles/commercebusinessenablement.viewer", "stage": "BETA", "title": "Commerce Business Enablement Configuration Viewer" }, { "description": "Allows viewing offers", "etag": "AA==", "name": "roles/commerceoffercatalog.offersViewer", "stage": "BETA", "title": "Commerce Offer Catalog Offers Viewer" }, { "description": "Full access to Organization Governance APIs", "etag": "AA==", "name": "roles/commerceorggovernance.admin", "stage": "BETA", "title": "Commerce Organization Governance Admin" }, { "description": "Full access to Governed Marketplace features.", "etag": "AA==", "name": "roles/commerceorggovernance.user", "stage": "BETA", "title": "Governed Marketplace User" }, { "description": "Full access to Organization Governance read-only APIs.", "etag": "AA==", "name": "roles/commerceorggovernance.viewer", "stage": "BETA", "title": "Commerce Organization Governance Viewer" }, { "description": "Allows viewing key events for an offer", "etag": "AA==", "name": "roles/commercepricemanagement.eventsViewer", "stage": "BETA", "title": "Commerce Price Management Events Viewer" }, { "description": "Allows managing private offers", "etag": "AA==", "name": "roles/commercepricemanagement.privateOffersAdmin", "stage": "BETA", "title": "Commerce Price Management Private Offers Admin" }, { "description": "Allows viewing offers, free trials, skus", "etag": "AA==", "name": "roles/commercepricemanagement.viewer", "stage": "BETA", "title": "Commerce Price Management Viewer" }, { "description": "Grants full access to all resources in Cloud Commerce Producer API.", "etag": "AA==", "name": "roles/commerceproducer.admin", "stage": "BETA", "title": "Commerce Producer Admin" }, { "description": "Grants read access to all resources in Cloud Commerce Producer API.", "etag": "AA==", "name": "roles/commerceproducer.viewer", "stage": "BETA", "title": "Commerce Producer Viewer" }, { "description": "Gives Compliance Scanning the access it needs to analyze containers and VMs for compliance and create occurrences using the Container Analysis API", "etag": "AA==", "has_dataaccess": true, "name": "roles/compliancescanning.serviceAgent", "title": "Compliance Scanning Service Agent" }, { "description": "Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.", "etag": "AA==", "has_privesc": true, "name": "roles/composer.ServiceAgentV2Ext", "stage": "GA", "title": "Cloud Composer v2 API Service Agent Extension" }, { "description": "Full control of Composer resources.", "etag": "AA==", "name": "roles/composer.admin", "stage": "GA", "title": "Composer Administrator" }, { "description": "Full control of Cloud Composer environments and Cloud Storage objects.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/composer.environmentAndStorageObjectAdmin", "stage": "GA", "title": "Environment and Storage Object Administrator" }, { "description": "Read and use access to Cloud Composer resources and read access Cloud Storage objects.", "etag": "AA==", "has_dataaccess": true, "name": "roles/composer.environmentAndStorageObjectUser", "stage": "GA", "title": "Environment and Storage Object User" }, { "description": "Read access to Cloud Composer environments and Cloud Storage objects.", "etag": "AA==", "has_dataaccess": true, "name": "roles/composer.environmentAndStorageObjectViewer", "stage": "GA", "title": "Environment and Storage Object Viewer" }, { "description": "Cloud Composer API service agent can manage environments.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/composer.serviceAgent", "stage": "GA", "title": "Cloud Composer API Service Agent" }, { "description": "Role that should be assigned to Composer Agent service account in Shared VPC host project", "etag": "AA==", "name": "roles/composer.sharedVpcAgent", "stage": "GA", "title": "Composer Shared VPC Agent" }, { "description": "Read and use access to Composer resources.", "etag": "AA==", "name": "roles/composer.user", "stage": "GA", "title": "Composer User" }, { "description": "Worker access to Composer. Intended for service accounts.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/composer.worker", "stage": "GA", "title": "Composer Worker" }, { "description": "Full control of all Compute Engine resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/compute.admin", "stage": "GA", "title": "Compute Admin" }, { "etag": "AA==", "name": "roles/compute.futureReservationAdmin", "stage": "BETA", "title": "Compute Future Reservation Admin" }, { "etag": "AA==", "name": "roles/compute.futureReservationUser", "stage": "BETA", "title": "Compute Future Reservation User" }, { "etag": "AA==", "name": "roles/compute.futureReservationViewer", "stage": "BETA", "title": "Compute Future Reservation Viewer" }, { "description": "Read and use image resources.", "etag": "AA==", "name": "roles/compute.imageUser", "stage": "GA", "title": "Compute Image User" }, { "description": "Full control of Compute Engine instance resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/compute.instanceAdmin", "stage": "GA", "title": "Compute Instance Admin (beta)" }, { "description": "Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/compute.instanceAdmin.v1", "stage": "GA", "title": "Compute Instance Admin (v1)" }, { "description": "Role containing all permissions required by Managed Instance Groups to create and managed instances.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/compute.instanceGroupManagerServiceAgent", "stage": "GA", "title": "Instance Group Manager Service Agent" }, { "description": "Full control of Compute Engine resources related to load balancer.", "etag": "AA==", "has_privesc": true, "name": "roles/compute.loadBalancerAdmin", "stage": "GA", "title": "Compute Load Balancer Admin" }, { "description": "Permissions to use services from a load balancer in other projects.", "etag": "AA==", "name": "roles/compute.loadBalancerServiceUser", "stage": "GA", "title": "Compute Load Balancer Services User" }, { "description": "Full control of Compute Engine networking resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/compute.networkAdmin", "stage": "GA", "title": "Compute Network Admin" }, { "description": "Access to use Compute Engine networking resources.", "etag": "AA==", "name": "roles/compute.networkUser", "stage": "GA", "title": "Compute Network User" }, { "description": "Read-only access to Compute Engine networking resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/compute.networkViewer", "stage": "GA", "title": "Compute Network Viewer" }, { "description": "Full control of Compute Engine Organization Firewall Policies.", "etag": "AA==", "has_privesc": true, "name": "roles/compute.orgFirewallPolicyAdmin", "stage": "GA", "title": "Compute Organization Firewall Policy Admin" }, { "description": "View or use Compute Engine Firewall Policies to associate with the organization or folders.", "etag": "AA==", "name": "roles/compute.orgFirewallPolicyUser", "stage": "GA", "title": "Compute Organization Firewall Policy User" }, { "description": "Full control of Compute Engine Organization Security Policies.", "etag": "AA==", "has_privesc": true, "name": "roles/compute.orgSecurityPolicyAdmin", "stage": "GA", "title": "Compute Organization Security Policy Admin" }, { "description": "View or use Compute Engine Security Policies to associate with the organization or folders.", "etag": "AA==", "name": "roles/compute.orgSecurityPolicyUser", "stage": "GA", "title": "Compute Organization Security Policy User" }, { "description": "Full control of Compute Engine Firewall Policy associations to the organization or folders.", "etag": "AA==", "name": "roles/compute.orgSecurityResourceAdmin", "stage": "GA", "title": "Compute Organization Resource Admin" }, { "description": "Access to log in to a Compute Engine instance as an administrator user.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "name": "roles/compute.osAdminLogin", "stage": "GA", "title": "Compute OS Admin Login" }, { "description": "Access to log in to a Compute Engine instance as a standard (non-administrator) user.", "etag": "AA==", "has_dataaccess": true, "name": "roles/compute.osLogin", "stage": "GA", "title": "Compute OS Login" }, { "description": "Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login IAM roles (https://cloud.google.com/compute/docs/instances/managing-instance-access#configure_users) in order to allow access to instances using SSH.", "etag": "AA==", "name": "roles/compute.osLoginExternalUser", "stage": "GA", "title": "Compute OS Login External User" }, { "description": "Specify resources to be mirrored.", "etag": "AA==", "name": "roles/compute.packetMirroringAdmin", "stage": "GA", "title": "Compute packet mirroring admin" }, { "description": "Use Compute Engine packet mirrorings.", "etag": "AA==", "name": "roles/compute.packetMirroringUser", "stage": "GA", "title": "Compute packet mirroring user" }, { "description": "Full control of public IP address management for Compute Engine.", "etag": "AA==", "name": "roles/compute.publicIpAdmin", "stage": "GA", "title": "Compute Public IP Admin" }, { "description": "Full control of Compute Engine security resources.", "etag": "AA==", "has_privesc": true, "name": "roles/compute.securityAdmin", "stage": "GA", "title": "Compute Security Admin" }, { "description": "Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/compute.serviceAgent", "stage": "GA", "title": "Compute Engine Service Agent" }, { "description": "Permissions to view sole tenancy node groups", "etag": "AA==", "name": "roles/compute.soleTenantViewer", "stage": "GA", "title": "Compute Sole Tenant Viewer" }, { "description": "Full control of Compute Engine storage resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/compute.storageAdmin", "stage": "GA", "title": "Compute Storage Admin" }, { "description": "Read-only access to get and list information about all Compute Engine resources, including instances, disks, and firewalls. Allows getting and listing information about disks, images, and snapshots, but does not allow reading the data stored on them.", "etag": "AA==", "has_dataaccess": true, "name": "roles/compute.viewer", "stage": "GA", "title": "Compute Viewer" }, { "description": "Can administer shared VPC network (XPN).", "etag": "AA==", "name": "roles/compute.xpnAdmin", "stage": "GA", "title": "Compute Shared VPC Admin" }, { "description": "Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.", "etag": "AA==", "name": "roles/confidentialcomputing.workloadUser", "stage": "GA", "title": "Confidential Space Workload User" }, { "description": "Full access to Cloud Infrastructure Manager resources.", "etag": "AA==", "name": "roles/config.admin", "stage": "BETA", "title": "Cloud Infrastructure Manager Admin" }, { "description": "Required permissions to make Cloud Infrastructure Manager work with the user-specified service account", "etag": "AA==", "has_dataaccess": true, "name": "roles/config.agent", "stage": "BETA", "title": "Cloud Infrastructure Manager Agent" }, { "description": "Read-only access to Cloud Infrastructure Manager resources.", "etag": "AA==", "name": "roles/config.viewer", "stage": "BETA", "title": "Cloud Infrastructure Manager Viewer" }, { "description": "Full access to all resources of Connectors Service.", "etag": "AA==", "name": "roles/connectors.admin", "stage": "GA", "title": "Connector Admin" }, { "description": "Custom Connector is a global resource which creates custom connector within the given target project. This role grants Admin access to Custom Connector resources", "etag": "AA==", "name": "roles/connectors.customConnectorAdmin", "stage": "GA", "title": "Custom Connectors Admin" }, { "description": "Custom Connector is a global resource which creates custom connector within the given target project. This role grants Read-only access to Custom Connector & Custom Connector Version resources.", "etag": "AA==", "name": "roles/connectors.customConnectorViewer", "stage": "GA", "title": "Custom Connector Viewer" }, { "description": "Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Admin access to Connectors Endpoint Attachment resources.", "etag": "AA==", "name": "roles/connectors.endpointAttachmentAdmin", "stage": "GA", "title": "Connectors Endpoint Attachment Admin" }, { "description": "Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Read-only access to Connectors Endpoint Attachment resources", "etag": "AA==", "name": "roles/connectors.endpointAttachmentViewer", "stage": "GA", "title": "Connectors Endpoint Attachment Viewer" }, { "description": "Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Admin access to Connectors Subscription resources", "etag": "AA==", "name": "roles/connectors.eventSubscriptionAdmin", "stage": "GA", "title": "Connectors Event Subscriptions Admin" }, { "description": "Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Read-only access to Event Subscription resources.", "etag": "AA==", "name": "roles/connectors.eventSubscriptionViewer", "stage": "GA", "title": "Connectors Event Subscriptions Viewer" }, { "description": "Full Access to invoke all operations on Connections.", "etag": "AA==", "name": "roles/connectors.invoker", "stage": "GA", "title": "Connector Invoker" }, { "description": "Full Access to listen events by connections.", "etag": "AA==", "name": "roles/connectors.listener", "stage": "GA", "title": "Connector Event Listener" }, { "description": "Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Admin access to Connectors Managed Zone resources", "etag": "AA==", "name": "roles/connectors.managedZoneAdmin", "stage": "GA", "title": "Connectors Managed Zone Admin" }, { "description": "Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Read-only access to Connectors Managed Zone resources.", "etag": "AA==", "name": "roles/connectors.managedZoneViewer", "stage": "GA", "title": "Connectors Managed Zone Viewer" }, { "description": "Grants Connectors Platform service account to manage customer resources", "etag": "AA==", "has_privesc": true, "name": "roles/connectors.serviceAgent", "stage": "GA", "title": "Connectors Platform Service Agent" }, { "description": "Read-only access to Connectors all resources.", "etag": "AA==", "name": "roles/connectors.viewer", "stage": "GA", "title": "Connectors Viewer" }, { "description": "Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project", "etag": "AA==", "name": "roles/consumerprocurement.entitlementManager", "stage": "GA", "title": "Consumer Procurement Entitlement Manager" }, { "description": "Allows inspecting entitlements and service states for a consumer project", "etag": "AA==", "name": "roles/consumerprocurement.entitlementViewer", "stage": "GA", "title": "Consumer Procurement Entitlement Viewer" }, { "description": "Allows viewing key events for an offer", "etag": "AA==", "name": "roles/consumerprocurement.eventsViewer", "stage": "GA", "title": "Consumer Procurement Events Viewer" }, { "description": "Allows managing purchases", "etag": "AA==", "name": "roles/consumerprocurement.orderAdmin", "stage": "GA", "title": "Consumer Procurement Order Administrator" }, { "description": "Allows inspecting purchases", "etag": "AA==", "name": "roles/consumerprocurement.orderViewer", "stage": "GA", "title": "Consumer Procurement Order Viewer" }, { "description": "Allows managing purchases, consents at both billing account and project level.", "etag": "AA==", "name": "roles/consumerprocurement.procurementAdmin", "stage": "GA", "title": "Consumer Procurement Administrator" }, { "description": "Allows inspecting purchases, consents and entitlements and service states for a consumer project.", "etag": "AA==", "name": "roles/consumerprocurement.procurementViewer", "stage": "GA", "title": "Consumer Procurement Viewer" }, { "description": "Full access to Contact Center AI Platform resources.", "etag": "AA==", "name": "roles/contactcenteraiplatform.admin", "stage": "GA", "title": "Contact Center AI Platform Admin" }, { "description": "Readonly access to Contact Center AI Platform resources.", "etag": "AA==", "name": "roles/contactcenteraiplatform.viewer", "stage": "GA", "title": "Contact Center AI Platform Viewer" }, { "description": "Grants read and write access to all Contact Center AI Insights resources.", "etag": "AA==", "name": "roles/contactcenterinsights.editor", "stage": "GA", "title": "Contact Center AI Insights editor" }, { "description": "Allows Contact Center AI to read and write APIs including BigQuery, Dialogflow, and Storage.", "etag": "AA==", "has_dataaccess": true, "name": "roles/contactcenterinsights.serviceAgent", "stage": "GA", "title": "Contact Center AI Insights Service Agent" }, { "description": "Grants read access to all Contact Center AI Insights resources.", "etag": "AA==", "name": "roles/contactcenterinsights.viewer", "stage": "GA", "title": "Contact Center AI Insights viewer" }, { "description": "Full management of Kubernetes Clusters and their Kubernetes API objects.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/container.admin", "stage": "GA", "title": "Kubernetes Engine Admin" }, { "description": "Management of Kubernetes Clusters.", "etag": "AA==", "name": "roles/container.clusterAdmin", "stage": "GA", "title": "Kubernetes Engine Cluster Admin" }, { "description": "Get and list access to GKE Clusters.", "etag": "AA==", "name": "roles/container.clusterViewer", "stage": "GA", "title": "Kubernetes Engine Cluster Viewer" }, { "description": "Least privilege role to use as the default service account for GKE Nodes.", "etag": "AA==", "name": "roles/container.defaultNodeServiceAccount", "title": "Kubernetes Engine Default Node Service Account" }, { "description": "Full access to Kubernetes API objects inside Kubernetes Clusters.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/container.developer", "stage": "GA", "title": "Kubernetes Engine Developer" }, { "description": "Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project, and configure Cloud DNS resources.", "etag": "AA==", "name": "roles/container.hostServiceAgentUser", "stage": "GA", "title": "Kubernetes Engine Host Service Agent User" }, { "description": "Minimal set of permission required by a GKE node to support standard capabilities such as logging and monitoring export, and image pulls.", "etag": "AA==", "has_dataaccess": true, "name": "roles/container.nodeServiceAgent", "stage": "GA", "title": "Kubernetes Engine Node Service Agent" }, { "description": "Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/container.serviceAgent", "stage": "GA", "title": "Kubernetes Engine Service Agent" }, { "description": "Read-only access to Kubernetes Engine resources.", "etag": "AA==", "name": "roles/container.viewer", "stage": "GA", "title": "Kubernetes Engine Viewer" }, { "description": "Gives Container Analysis API the access it needs to function", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/containeranalysis.ServiceAgent", "stage": "GA", "title": "Container Analysis Service Agent" }, { "description": "Access to all Container Analysis resources.", "etag": "AA==", "name": "roles/containeranalysis.admin", "stage": "GA", "title": "Container Analysis Admin" }, { "description": "Can attach Container Analysis Occurrences to Notes.", "etag": "AA==", "name": "roles/containeranalysis.notes.attacher", "stage": "GA", "title": "Container Analysis Notes Attacher" }, { "description": "Can edit Container Analysis Notes.", "etag": "AA==", "name": "roles/containeranalysis.notes.editor", "stage": "GA", "title": "Container Analysis Notes Editor" }, { "description": "Can view all Container Analysis Occurrences attached to a Note.", "etag": "AA==", "name": "roles/containeranalysis.notes.occurrences.viewer", "stage": "GA", "title": "Container Analysis Occurrences for Notes Viewer" }, { "description": "Can view Container Analysis Notes.", "etag": "AA==", "name": "roles/containeranalysis.notes.viewer", "stage": "GA", "title": "Container Analysis Notes Viewer" }, { "description": "Can edit Container Analysis Occurrences.", "etag": "AA==", "name": "roles/containeranalysis.occurrences.editor", "stage": "GA", "title": "Container Analysis Occurrences Editor" }, { "description": "Can view Container Analysis Occurrences.", "etag": "AA==", "name": "roles/containeranalysis.occurrences.viewer", "stage": "GA", "title": "Container Analysis Occurrences Viewer" }, { "description": "Access for Container Registry", "etag": "AA==", "has_dataaccess": true, "name": "roles/containerregistry.ServiceAgent", "stage": "GA", "title": "Container Registry Service Agent" }, { "description": "Gives Container Scanner the access it needs to analyzecontainers for vulnerabilities and create occurrences using the Container Analysis API", "etag": "AA==", "has_dataaccess": true, "name": "roles/containerscanning.ServiceAgent", "stage": "GA", "title": "Container Scanner Service Agent" }, { "description": "Readonly access to GKE Security Posture resources.", "etag": "AA==", "name": "roles/containersecurity.viewer", "stage": "BETA", "title": "GKE Security Posture Viewer" }, { "description": "Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/containerthreatdetection.serviceAgent", "stage": "GA", "title": "Container Threat Detection Service Agent" }, { "description": "Grants full access to all the resources in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.admin", "stage": "GA", "title": "Content Warehouse Admin" }, { "description": "Grants full access to the document resource in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.documentAdmin", "stage": "GA", "title": "Content Warehouse Document Admin" }, { "description": "Grants access to create document in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.documentCreator", "stage": "GA", "title": "Content Warehouse document creator" }, { "description": "Grants access to update document resource in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.documentEditor", "stage": "GA", "title": "Content Warehouse Document Editor" }, { "description": "Grants access to view the document schemas in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.documentSchemaViewer", "stage": "GA", "title": "Content Warehouse document schema viewer" }, { "description": "Grants access to view all the resources in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.documentViewer", "stage": "GA", "title": "Content Warehouse Viewer" }, { "description": "Gives the Content Warehouse service account to manage customer resources", "etag": "AA==", "has_dataaccess": true, "name": "roles/contentwarehouse.serviceAgent", "stage": "GA", "title": "Content Warehouse Service Agent" }, { "description": "Viewer role for Database Center resource data", "etag": "AA==", "name": "roles/databasecenter.viewer", "title": "Database center viewer" }, { "description": "Viewer role for Events Service data", "etag": "AA==", "name": "roles/databaseinsights.eventsViewer", "stage": "BETA", "title": "Events Service viewer" }, { "description": "Viewer role for Database Insights monitoring data", "etag": "AA==", "name": "roles/databaseinsights.monitoringViewer", "stage": "BETA", "title": "Database Insights monitoring viewer" }, { "description": "Admin role for performing Database Insights operations", "etag": "AA==", "name": "roles/databaseinsights.operationsAdmin", "stage": "BETA", "title": "Database Insights performing operations" }, { "description": "Viewer role for Database Insights recommendation data", "etag": "AA==", "name": "roles/databaseinsights.recommendationViewer", "stage": "BETA", "title": "Database Insights recommendation viewer" }, { "description": "Viewer role for Database Insights data", "etag": "AA==", "name": "roles/databaseinsights.viewer", "stage": "BETA", "title": "Database Insights viewer" }, { "description": "Full access to all DataCatalog resources", "etag": "AA==", "has_credentialexposure": true, "has_privesc": true, "name": "roles/datacatalog.admin", "stage": "GA", "title": "Data Catalog Admin" }, { "description": "Manage taxonomies", "etag": "AA==", "name": "roles/datacatalog.categoryAdmin", "stage": "GA", "title": "Policy Tag Admin" }, { "description": "Read access to sub-resources tagged by a policy tag, for example, BigQuery columns", "etag": "AA==", "name": "roles/datacatalog.categoryFineGrainedReader", "stage": "GA", "title": "Fine-Grained Reader" }, { "description": "Can update overview and data steward fields", "etag": "AA==", "name": "roles/datacatalog.dataSteward", "stage": "BETA", "title": "DataCatalog Data Steward" }, { "description": "Can create new entryGroups", "etag": "AA==", "name": "roles/datacatalog.entryGroupCreator", "stage": "GA", "title": "DataCatalog EntryGroup Creator" }, { "description": "Full access to entryGroups", "etag": "AA==", "name": "roles/datacatalog.entryGroupOwner", "stage": "GA", "title": "DataCatalog EntryGroup Owner" }, { "description": "Full access to entries", "etag": "AA==", "name": "roles/datacatalog.entryOwner", "stage": "GA", "title": "DataCatalog Entry Owner" }, { "description": "Read access to entries", "etag": "AA==", "name": "roles/datacatalog.entryViewer", "stage": "GA", "title": "DataCatalog Entry Viewer" }, { "description": "Full access to glossaries", "etag": "AA==", "name": "roles/datacatalog.glossaryOwner", "stage": "BETA", "title": "DataCatalog Glossary Owner" }, { "description": "Can view glossaries and associate terms to entries", "etag": "AA==", "name": "roles/datacatalog.glossaryUser", "stage": "BETA", "title": "DataCatalog Glossary User" }, { "description": "Can search all metadata for a project/org in DataCatalog", "etag": "AA==", "name": "roles/datacatalog.searchAdmin", "stage": "BETA", "title": "DataCatalog Search Admin" }, { "description": "Gives permission to modify tags on a GCP assets (BigQuery, Pub/Sub etc).", "etag": "AA==", "has_privesc": true, "name": "roles/datacatalog.tagEditor", "stage": "GA", "title": "Data Catalog Tag Editor" }, { "description": "Access to create new tag templates", "etag": "AA==", "name": "roles/datacatalog.tagTemplateCreator", "stage": "GA", "title": "Data Catalog TagTemplate Creator" }, { "description": "Full acess to tag templates", "etag": "AA==", "name": "roles/datacatalog.tagTemplateOwner", "stage": "GA", "title": "Data Catalog TagTemplate Owner" }, { "description": "Access to use templates to tag resources", "etag": "AA==", "name": "roles/datacatalog.tagTemplateUser", "stage": "GA", "title": "Data Catalog TagTemplate User" }, { "description": "Read access to templates and tags created using the templates", "etag": "AA==", "name": "roles/datacatalog.tagTemplateViewer", "stage": "GA", "title": "Data Catalog TagTemplate Viewer" }, { "description": "Grants metadata read permissions to cataloged GCP assets (BigQuery, Pub/Sub etc)", "etag": "AA==", "has_credentialexposure": true, "name": "roles/datacatalog.viewer", "stage": "GA", "title": "Data Catalog Viewer" }, { "description": "Full access to Data Connectors.", "etag": "AA==", "name": "roles/dataconnectors.connectorAdmin", "stage": "BETA", "title": "Connector Admin" }, { "description": "Access to use Data Connectors.", "etag": "AA==", "name": "roles/dataconnectors.connectorUser", "stage": "BETA", "title": "Connector User" }, { "description": "Gives Data Connectors service agent permission to access the virtual private cloud", "etag": "AA==", "name": "roles/dataconnectors.serviceAgent", "stage": "GA", "title": "Data Connectors Service Agent" }, { "description": "Minimal role for creating and managing dataflow jobs.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/dataflow.admin", "stage": "GA", "title": "Dataflow Admin" }, { "description": "Full operational access to Dataflow jobs.", "etag": "AA==", "has_privesc": true, "name": "roles/dataflow.developer", "stage": "GA", "title": "Dataflow Developer" }, { "description": "Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/dataflow.serviceAgent", "stage": "GA", "title": "Cloud Dataflow Service Agent" }, { "description": "Read only access to Dataflow jobs.", "etag": "AA==", "name": "roles/dataflow.viewer", "stage": "GA", "title": "Dataflow Viewer" }, { "description": "Worker access to Dataflow. Intended for service accounts.", "etag": "AA==", "has_dataaccess": true, "name": "roles/dataflow.worker", "stage": "GA", "title": "Dataflow Worker" }, { "description": "Full access to all Dataform resources.", "etag": "AA==", "name": "roles/dataform.admin", "stage": "GA", "title": "Dataform Admin" }, { "description": "Access only to private and shared code resources. The permissions in the Code Creator let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.", "etag": "AA==", "name": "roles/dataform.codeCreator", "stage": "BETA", "title": "Code Creator" }, { "description": "Edit access code resources.", "etag": "AA==", "name": "roles/dataform.codeEditor", "stage": "BETA", "title": "Code Editor" }, { "description": "Full access to code resources.", "etag": "AA==", "name": "roles/dataform.codeOwner", "stage": "BETA", "title": "Code Owner" }, { "description": "Read-only access to all code resources.", "etag": "AA==", "name": "roles/dataform.codeViewer", "stage": "BETA", "title": "Code Viewer" }, { "description": "Edit access to Workspaces and Read-only access to Repositories.", "etag": "AA==", "name": "roles/dataform.editor", "stage": "GA", "title": "Dataform Editor" }, { "description": "Gives permission for the Dataform API to access a secret from Secret Manager", "etag": "AA==", "name": "roles/dataform.serviceAgent", "stage": "GA", "title": "Dataform Service Agent" }, { "description": "Read-only access to all Dataform resources.", "etag": "AA==", "name": "roles/dataform.viewer", "stage": "GA", "title": "Dataform Viewer" }, { "description": "Read-only access to Cloud Data Fusion Instances. Use it on instance level along with the namespace grants to provide access to the specific namespace.", "etag": "AA==", "name": "roles/datafusion.accessor", "stage": "BETA", "title": "Cloud Data Fusion Accessor" }, { "description": "Full access to Cloud Data Fusion Instances, Namespaces and related resources.", "etag": "AA==", "name": "roles/datafusion.admin", "stage": "GA", "title": "Cloud Data Fusion Admin" }, { "description": "Access Cloud Data Fusion Instances, develop and run pipelines.", "etag": "AA==", "name": "roles/datafusion.developer", "stage": "BETA", "title": "Cloud Data Fusion Developer" }, { "description": "Access Cloud Data Fusion Instances, operate namespaces and related resources.", "etag": "AA==", "name": "roles/datafusion.operator", "stage": "BETA", "title": "Cloud Data Fusion Operator" }, { "description": "Access to Cloud Data Fusion runtime resources.", "etag": "AA==", "name": "roles/datafusion.runner", "stage": "GA", "title": "Cloud Data Fusion Runner" }, { "description": "Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/datafusion.serviceAgent", "stage": "GA", "title": "Cloud Data Fusion API Service Agent" }, { "description": "Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.", "etag": "AA==", "name": "roles/datafusion.viewer", "stage": "GA", "title": "Cloud Data Fusion Viewer" }, { "description": "Full access to all Data Labeling resources", "etag": "AA==", "name": "roles/datalabeling.admin", "stage": "BETA", "title": "Data Labeling Service Admin" }, { "description": "Editor of all Data Labeling resources", "etag": "AA==", "name": "roles/datalabeling.editor", "stage": "BETA", "title": "Data Labeling Service Editor" }, { "description": "Gives Data Labeling service account read/write access to Cloud Storage, read/write BigQuery, update CMLE model versions, editor access to Annotation service and AutoML service.", "etag": "AA==", "has_dataaccess": true, "name": "roles/datalabeling.serviceAgent", "stage": "GA", "title": "Data Labeling Service Agent" }, { "description": "Viewer of all Data Labeling resources", "etag": "AA==", "name": "roles/datalabeling.viewer", "stage": "BETA", "title": "Data Labeling Service Viewer" }, { "description": "Grants full access to all resources in Data Lineage API", "etag": "AA==", "name": "roles/datalineage.admin", "stage": "GA", "title": "Data Lineage Administrator" }, { "description": "Grants edit access to all resources in Data Lineage API", "etag": "AA==", "name": "roles/datalineage.editor", "stage": "GA", "title": "Data Lineage Editor" }, { "description": "Grants access to creating all resources in Data Lineage API", "etag": "AA==", "name": "roles/datalineage.producer", "stage": "GA", "title": "Data Lineage Events Producer" }, { "description": "Grants read access to all resources in Data Lineage API", "etag": "AA==", "name": "roles/datalineage.viewer", "stage": "GA", "title": "Data Lineage Viewer" }, { "description": "Full access to all resources of Database Migration.", "etag": "AA==", "name": "roles/datamigration.admin", "stage": "GA", "title": "Database Migration Admin" }, { "description": "Gives Cloud Database Migration service account access to Cloud SQL resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/datamigration.serviceAgent", "stage": "GA", "title": "Database Migration Service Agent" }, { "description": "Administrator of Data pipelines resources", "etag": "AA==", "name": "roles/datapipelines.admin", "stage": "GA", "title": "Data pipelines Admin" }, { "description": "Invoker of Data pipelines jobs", "etag": "AA==", "name": "roles/datapipelines.invoker", "stage": "GA", "title": "Data pipelines Invoker" }, { "description": "Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/datapipelines.serviceAgent", "stage": "GA", "title": "Datapipelines Service Agent" }, { "description": "Viewer of Data pipelines resources", "etag": "AA==", "name": "roles/datapipelines.viewer", "stage": "GA", "title": "Data pipelines Viewer" }, { "description": "Full access to all Dataplex resources.", "etag": "AA==", "name": "roles/dataplex.admin", "stage": "GA", "title": "Dataplex Administrator" }, { "description": "Grants access to creating and managing Aspect Types. Does not give the right to create/modify Entries.", "etag": "AA==", "name": "roles/dataplex.aspectTypeOwner", "stage": "GA", "title": "Dataplex Aspect Type Owner" }, { "description": "Grants access to use Aspect Types to create/modify Entries with the corresponding aspects.", "etag": "AA==", "name": "roles/dataplex.aspectTypeUser", "stage": "GA", "title": "Dataplex Aspect Type User" }, { "description": "Full access on DataAttribute Bindig resources.", "etag": "AA==", "name": "roles/dataplex.bindingAdmin", "stage": "GA", "title": "Dataplex Binding Administrator" }, { "description": "Has full access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries.", "etag": "AA==", "name": "roles/dataplex.catalogAdmin", "stage": "BETA", "title": "Dataplex Catalog Admin" }, { "description": "Has write access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Cannot set IAM policies on resources", "etag": "AA==", "name": "roles/dataplex.catalogEditor", "stage": "BETA", "title": "Dataplex Catalog Editor" }, { "description": "Has read access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Can view IAM policies on Catalog resources.", "etag": "AA==", "name": "roles/dataplex.catalogViewer", "stage": "BETA", "title": "Dataplex Catalog Viewer" }, { "description": "Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.", "etag": "AA==", "name": "roles/dataplex.dataOwner", "stage": "GA", "title": "Dataplex Data Owner" }, { "description": "Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.", "etag": "AA==", "name": "roles/dataplex.dataReader", "stage": "GA", "title": "Dataplex Data Reader" }, { "description": "Full access to DataScan resources.", "etag": "AA==", "name": "roles/dataplex.dataScanAdmin", "stage": "GA", "title": "Dataplex DataScan Administrator" }, { "description": "Access to create new DataScan resources.", "etag": "AA==", "name": "roles/dataplex.dataScanCreator", "stage": "GA", "title": "Dataplex DataScan Creator" }, { "description": "Read access to DataScan resources and additional contents.", "etag": "AA==", "name": "roles/dataplex.dataScanDataViewer", "stage": "GA", "title": "Dataplex DataScan DataViewer" }, { "description": "Write access to DataScan resources.", "etag": "AA==", "name": "roles/dataplex.dataScanEditor", "stage": "GA", "title": "Dataplex DataScan Editor" }, { "description": "Read access to DataScan resources.", "etag": "AA==", "name": "roles/dataplex.dataScanViewer", "stage": "GA", "title": "Dataplex DataScan Viewer" }, { "description": "Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.", "etag": "AA==", "name": "roles/dataplex.dataWriter", "stage": "GA", "title": "Dataplex Data Writer" }, { "description": "Allows running data analytics workloads in a lake.", "etag": "AA==", "name": "roles/dataplex.developer", "stage": "GA", "title": "Dataplex Developer" }, { "description": "Write access to Dataplex resources.", "etag": "AA==", "name": "roles/dataplex.editor", "stage": "GA", "title": "Dataplex Editor" }, { "description": "Owns Entry Groups and Entries inside of them.", "etag": "AA==", "name": "roles/dataplex.entryGroupOwner", "stage": "GA", "title": "Dataplex Entry Group Owner" }, { "description": "Owns Metadata Entries.", "etag": "AA==", "name": "roles/dataplex.entryOwner", "stage": "GA", "title": "Dataplex Entry Owner" }, { "description": "Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries.", "etag": "AA==", "name": "roles/dataplex.entryTypeOwner", "stage": "GA", "title": "Dataplex Entry Type Owner" }, { "description": "Grants access to use Entry Types to create/modify Entries of those types.", "etag": "AA==", "name": "roles/dataplex.entryTypeUser", "stage": "GA", "title": "Dataplex Entry Type User" }, { "description": "Read only access to metadata.", "etag": "AA==", "name": "roles/dataplex.metadataReader", "stage": "GA", "title": "Dataplex Metadata Reader" }, { "description": "Write and Read access to metadata.", "etag": "AA==", "name": "roles/dataplex.metadataWriter", "stage": "GA", "title": "Dataplex Metadata Writer" }, { "description": "Permissions configure ResourceAccess and DataAccess Specs on Data Attributes.", "etag": "AA==", "name": "roles/dataplex.securityAdmin", "stage": "GA", "title": "Dataplex Security Administrator" }, { "description": "Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/dataplex.serviceAgent", "stage": "GA", "title": "Cloud Dataplex Service Agent" }, { "description": "Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like GCS buckets, BigQuery datasets etc.", "etag": "AA==", "has_dataaccess": true, "name": "roles/dataplex.storageDataOwner", "stage": "GA", "title": "Dataplex Storage Data Owner" }, { "description": "Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like GCS buckets, BigQuery datasets etc.", "etag": "AA==", "has_dataaccess": true, "name": "roles/dataplex.storageDataReader", "stage": "GA", "title": "Dataplex Storage Data Reader" }, { "description": "Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like GCS buckets, BigQuery datasets etc.", "etag": "AA==", "name": "roles/dataplex.storageDataWriter", "stage": "GA", "title": "Dataplex Storage Data Writer" }, { "description": "Full access to DataTaxonomy, DataAttribute resources.", "etag": "AA==", "name": "roles/dataplex.taxonomyAdmin", "stage": "GA", "title": "Dataplex Taxonomy Administrator" }, { "description": "Read access on DataTaxonomy, DataAttribute resources.", "etag": "AA==", "name": "roles/dataplex.taxonomyViewer", "stage": "GA", "title": "Dataplex Taxonomy Viewer" }, { "description": "Read access to Dataplex resources.", "etag": "AA==", "name": "roles/dataplex.viewer", "stage": "GA", "title": "Dataplex Viewer" }, { "description": "Use of Dataprep.", "etag": "AA==", "name": "roles/dataprep.projects.user", "stage": "BETA", "title": "Dataprep User" }, { "description": "Dataprep service identity. Includes access to service accounts.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/dataprep.serviceAgent", "stage": "GA", "title": "Dataprep Service Agent" }, { "description": "Full control of Dataproc resources.", "etag": "AA==", "name": "roles/dataproc.admin", "stage": "GA", "title": "Dataproc Administrator" }, { "description": "Full control of Dataproc resources. Allows viewing all networks.", "etag": "AA==", "name": "roles/dataproc.editor", "stage": "GA", "title": "Dataproc Editor" }, { "description": "Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/dataproc.hubAgent", "stage": "GA", "title": "Dataproc Hub Agent" }, { "description": "Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/dataproc.serviceAgent", "stage": "GA", "title": "Dataproc Service Agent" }, { "description": "Read-only access to Dataproc resources.", "etag": "AA==", "name": "roles/dataproc.viewer", "stage": "GA", "title": "Dataproc Viewer" }, { "description": "Worker access to Dataproc. Intended for service accounts.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/dataproc.worker", "stage": "GA", "title": "Dataproc Worker" }, { "description": "Data processing controls admin who can fully manage data processing controls settings and view all datasource data.", "etag": "AA==", "name": "roles/dataprocessing.admin", "stage": "GA", "title": "Data Processing Controls Resource Admin" }, { "description": "Data processing controls data source manager who can get, list, and update the underlying data.", "etag": "AA==", "name": "roles/dataprocessing.dataSourceManager", "stage": "GA", "title": "Data Processing Controls Data Source Manager" }, { "description": "Manage backup schedules in Cloud Datastore.", "etag": "AA==", "name": "roles/datastore.backupSchedulesAdmin", "stage": "GA", "title": "Cloud Datastore Backup Schedules Admin" }, { "description": "Read access to backup schedules in Cloud Datastore.", "etag": "AA==", "name": "roles/datastore.backupSchedulesViewer", "stage": "GA", "title": "Cloud Datastore Backup Schedules Viewer" }, { "description": "Read/Write access to metadata about backups in Cloud Datastore but restore is not allowed.", "etag": "AA==", "name": "roles/datastore.backupsAdmin", "stage": "GA", "title": "Cloud Datastore Backups Admin" }, { "description": "Read access to metadata about backups in Cloud Datastore.", "etag": "AA==", "name": "roles/datastore.backupsViewer", "stage": "GA", "title": "Cloud Datastore Backups Viewer" }, { "description": "Full access to manage imports and exports.", "etag": "AA==", "name": "roles/datastore.importExportAdmin", "stage": "GA", "title": "Cloud Datastore Import Export Admin" }, { "description": "Full access to manage index definitions.", "etag": "AA==", "name": "roles/datastore.indexAdmin", "stage": "GA", "title": "Cloud Datastore Index Admin" }, { "description": "Full access to Key Visualizer scans.", "etag": "AA==", "name": "roles/datastore.keyVisualizerViewer", "stage": "GA", "title": "Cloud Datastore Key Visualizer Viewer" }, { "description": "Full access to Cloud Datastore.", "etag": "AA==", "has_dataaccess": true, "name": "roles/datastore.owner", "stage": "GA", "title": "Cloud Datastore Owner" }, { "description": "Restore into Cloud Datastore Databases from Cloud Datastore Backups.", "etag": "AA==", "name": "roles/datastore.restoreAdmin", "stage": "GA", "title": "Cloud Datastore Restore Admin" }, { "description": "Provides read/write access to data in a Cloud Datastore database. Intended for application developers and service accounts.", "etag": "AA==", "has_dataaccess": true, "name": "roles/datastore.user", "stage": "GA", "title": "Cloud Datastore User" }, { "description": "Read access to all Cloud Datastore resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/datastore.viewer", "stage": "GA", "title": "Cloud Datastore Viewer" }, { "description": "Full access to all Datastream resources.", "etag": "AA==", "name": "roles/datastream.admin", "stage": "GA", "title": "Datastream Admin" }, { "description": "Grants Cloud Datastream permissions to write data in the user project.", "etag": "AA==", "has_dataaccess": true, "name": "roles/datastream.serviceAgent", "stage": "GA", "title": "Datastream Service Agent" }, { "description": "Read-only access to all Datastream resources.", "etag": "AA==", "name": "roles/datastream.viewer", "stage": "GA", "title": "Datastream Viewer" }, { "description": "Data Studio Admin", "etag": "AA==", "name": "roles/datastudio.admin", "stage": "BETA", "title": "Data Studio Admin" }, { "description": "Content Manager of a Data Studio resource", "etag": "AA==", "name": "roles/datastudio.contentManager", "stage": "BETA", "title": "Data Studio Workspace Content Manager" }, { "description": "Contributor of a Data Studio resource", "etag": "AA==", "name": "roles/datastudio.contributor", "stage": "BETA", "title": "Data Studio Workspace Contributor" }, { "description": "Editor of a Data Studio resource", "etag": "AA==", "name": "roles/datastudio.editor", "stage": "BETA", "title": "Data Studio Asset Editor" }, { "description": "Manager of a Data Studio resource", "etag": "AA==", "name": "roles/datastudio.manager", "stage": "BETA", "title": "Data Studio Workspace Manager" }, { "description": "Grants Data Studio Service Account access to manage resources.", "etag": "AA==", "name": "roles/datastudio.serviceAgent", "stage": "GA", "title": "Data Studio Service Agent" }, { "description": "Viewer of a Data Studio resource", "etag": "AA==", "name": "roles/datastudio.viewer", "stage": "BETA", "title": "Data Studio Asset Viewer" }, { "description": "Viewer of a Data Studio Workspace", "etag": "AA==", "name": "roles/datastudio.workspaceViewer", "title": "Data Studio Workspace Viewer" }, { "description": "This role is managed by Dell EMC, not Google.", "etag": "AA==", "name": "roles/dellemccloudonefs.admin", "stage": "BETA", "title": "Dell EMC Cloud OneFS Admin" }, { "description": "This role is managed by Dell EMC, not Google.", "etag": "AA==", "name": "roles/dellemccloudonefs.user", "stage": "BETA", "title": "Dell EMC Cloud OneFS User" }, { "description": "This role is managed by Dell EMC, not Google.", "etag": "AA==", "name": "roles/dellemccloudonefs.viewer", "stage": "BETA", "title": "Dell EMC Cloud OneFS Viewer" }, { "description": "Read and Write access to all Deployment Manager resources.", "etag": "AA==", "name": "roles/deploymentmanager.editor", "stage": "GA", "title": "Deployment Manager Editor" }, { "description": "Read and Write access to all Type Registry resources.", "etag": "AA==", "name": "roles/deploymentmanager.typeEditor", "stage": "GA", "title": "Deployment Manager Type Editor" }, { "description": "Read-only access to all Type Registry resources.", "etag": "AA==", "name": "roles/deploymentmanager.typeViewer", "stage": "GA", "title": "Deployment Manager Type Viewer" }, { "description": "Read-only access to all Deployment Manager resources.", "etag": "AA==", "name": "roles/deploymentmanager.viewer", "stage": "GA", "title": "Deployment Manager Viewer" }, { "description": "An admin has access to all resources and can perform all administrative actions in an AAM project.", "etag": "AA==", "name": "roles/dialogflow.aamAdmin", "stage": "GA", "title": "CX Premium Admin" }, { "description": "A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases.", "etag": "AA==", "name": "roles/dialogflow.aamConversationalArchitect", "stage": "GA", "title": "CX Premium Conversational Architect" }, { "description": "A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling.", "etag": "AA==", "name": "roles/dialogflow.aamDialogDesigner", "stage": "GA", "title": "CX Premium Dialog Designer" }, { "description": "A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling.", "etag": "AA==", "name": "roles/dialogflow.aamLeadDialogDesigner", "stage": "GA", "title": "CX Premium Lead Dialog Designer" }, { "description": "A user can view the taxonomy and data reports in an AAM project.", "etag": "AA==", "name": "roles/dialogflow.aamViewer", "stage": "GA", "title": "CX Premium Viewer" }, { "description": "Can query for intent; read & write session properties; read & write agent properties.", "etag": "AA==", "name": "roles/dialogflow.admin", "stage": "GA", "title": "Dialogflow API Admin" }, { "description": "Can create and handle live conversations using Agent Assist features.", "etag": "AA==", "name": "roles/dialogflow.agentAssistClient", "stage": "GA", "title": "Dialogflow Agent Assist Client" }, { "description": "Can call all methods on sessions and conversations resources as well as their descendants.", "etag": "AA==", "name": "roles/dialogflow.client", "stage": "GA", "title": "Dialogflow API Client" }, { "description": "Can edit agent in Dialogflow Console", "etag": "AA==", "name": "roles/dialogflow.consoleAgentEditor", "stage": "GA", "title": "Dialogflow Console Agent Editor" }, { "description": "Can perform query of dialogflow suggestions in the simulator in web console.", "etag": "AA==", "name": "roles/dialogflow.consoleSimulatorUser", "stage": "GA", "title": "Dialogflow Console Simulator User" }, { "description": "Can edit allowlist for smart messaging associated with conversation model in the agent assist console", "etag": "AA==", "name": "roles/dialogflow.consoleSmartMessagingAllowlistEditor", "stage": "GA", "title": "Dialogflow Console Smart Messaging Allowlist Editor" }, { "description": "Can manage all the resources related to Dialogflow Conversations.", "etag": "AA==", "name": "roles/dialogflow.conversationManager", "stage": "GA", "title": "Dialogflow Conversation Manager" }, { "description": "Can read & write entity types.", "etag": "AA==", "name": "roles/dialogflow.entityTypeAdmin", "stage": "GA", "title": "Dialogflow Entity Type Admin" }, { "description": "Can read & update environment and its sub-resources.", "etag": "AA==", "name": "roles/dialogflow.environmentEditor", "stage": "GA", "title": "Dialogflow Environment editor" }, { "description": "Can read & update flow and its sub-resources.", "etag": "AA==", "name": "roles/dialogflow.flowEditor", "stage": "GA", "title": "Dialogflow Flow editor" }, { "description": "Can add, remove, enable and disable Dialogflow integrations.", "etag": "AA==", "name": "roles/dialogflow.integrationManager", "stage": "GA", "title": "Dialogflow Integration Manager" }, { "description": "Can read & write intents.", "etag": "AA==", "name": "roles/dialogflow.intentAdmin", "stage": "GA", "title": "Dialogflow Intent Admin" }, { "description": "Can read agent and session properties; cannot query for intent.", "etag": "AA==", "name": "roles/dialogflow.reader", "stage": "GA", "title": "Dialogflow API Reader" }, { "description": "Gives Dialogflow Service Account access to resources on behalf of user project for Integrations (Facebook Messenger, Slack, Telephony, etc.), BigQuery, Discovery Engine, and Vertex.", "etag": "AA==", "has_dataaccess": true, "name": "roles/dialogflow.serviceAgent", "stage": "GA", "title": "Dialogflow Service Agent" }, { "description": "Can read & write test cases.", "etag": "AA==", "name": "roles/dialogflow.testCaseAdmin", "stage": "GA", "title": "Dialogflow Test Case Admin" }, { "description": "Can read & write webhooks.", "etag": "AA==", "name": "roles/dialogflow.webhookAdmin", "stage": "GA", "title": "Dialogflow Webhook Admin" }, { "description": "Grants full access to all discoveryengine resources.", "etag": "AA==", "name": "roles/discoveryengine.admin", "stage": "GA", "title": "Discovery Engine Admin" }, { "description": "Grants read and write access to all discovery engine resources.", "etag": "AA==", "name": "roles/discoveryengine.editor", "stage": "GA", "title": "Discovery Engine Editor" }, { "description": "Discovery Engine service uploads documents and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects using Cloud Logging, and writes and reads metrics for customer using Cloud Monitoring.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/discoveryengine.serviceAgent", "stage": "GA", "title": "Discovery Engine Service Agent" }, { "description": "Grants read access to all discovery engine resources.", "etag": "AA==", "name": "roles/discoveryengine.viewer", "stage": "GA", "title": "Discovery Engine Viewer" }, { "description": "Administer DLP including jobs and templates.", "etag": "AA==", "name": "roles/dlp.admin", "stage": "GA", "title": "DLP Administrator" }, { "description": "Edit DLP analyze risk templates.", "etag": "AA==", "name": "roles/dlp.analyzeRiskTemplatesEditor", "stage": "GA", "title": "DLP Analyze Risk Templates Editor" }, { "description": "Read DLP analyze risk templates.", "etag": "AA==", "name": "roles/dlp.analyzeRiskTemplatesReader", "stage": "GA", "title": "DLP Analyze Risk Templates Reader" }, { "description": "Read DLP column profiles.", "etag": "AA==", "name": "roles/dlp.columnDataProfilesReader", "stage": "GA", "title": "DLP Column Data Profiles Reader" }, { "description": "Manage DLP Connections.", "etag": "AA==", "name": "roles/dlp.connectionsAdmin", "stage": "GA", "title": "DLP Connections Admin" }, { "description": "View DLP Connections.", "etag": "AA==", "name": "roles/dlp.connectionsReader", "stage": "GA", "title": "DLP Connections Viewer" }, { "description": "Manage DLP profiles.", "etag": "AA==", "name": "roles/dlp.dataProfilesAdmin", "stage": "GA", "title": "DLP Data Profiles Admin" }, { "description": "Read DLP profiles.", "etag": "AA==", "name": "roles/dlp.dataProfilesReader", "stage": "GA", "title": "DLP Data Profiles Reader" }, { "description": "Edit DLP de-identify templates.", "etag": "AA==", "name": "roles/dlp.deidentifyTemplatesEditor", "stage": "GA", "title": "DLP De-identify Templates Editor" }, { "description": "Read DLP de-identify templates.", "etag": "AA==", "name": "roles/dlp.deidentifyTemplatesReader", "stage": "GA", "title": "DLP De-identify Templates Reader" }, { "description": "Manage DLP Cost Estimates.", "etag": "AA==", "name": "roles/dlp.estimatesAdmin", "stage": "GA", "title": "DLP Cost Estimation" }, { "description": "Read DLP stored findings.", "etag": "AA==", "name": "roles/dlp.inspectFindingsReader", "stage": "GA", "title": "DLP Inspect Findings Reader" }, { "description": "Edit DLP inspect templates.", "etag": "AA==", "name": "roles/dlp.inspectTemplatesEditor", "stage": "GA", "title": "DLP Inspect Templates Editor" }, { "description": "Read DLP inspect templates.", "etag": "AA==", "name": "roles/dlp.inspectTemplatesReader", "stage": "GA", "title": "DLP Inspect Templates Reader" }, { "description": "Edit job triggers configurations.", "etag": "AA==", "name": "roles/dlp.jobTriggersEditor", "stage": "GA", "title": "DLP Job Triggers Editor" }, { "description": "Read job triggers.", "etag": "AA==", "name": "roles/dlp.jobTriggersReader", "stage": "GA", "title": "DLP Job Triggers Reader" }, { "description": "Edit and create jobs", "etag": "AA==", "name": "roles/dlp.jobsEditor", "stage": "GA", "title": "DLP Jobs Editor" }, { "description": "Read jobs", "etag": "AA==", "name": "roles/dlp.jobsReader", "stage": "GA", "title": "DLP Jobs Reader" }, { "description": "Permissions needed by the DLP service account to generate data profiles within an organization or folder.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/dlp.orgdriver", "stage": "GA", "title": "DLP Organization Data Profiles Driver" }, { "description": "Read DLP project profiles.", "etag": "AA==", "name": "roles/dlp.projectDataProfilesReader", "stage": "GA", "title": "DLP Project Data Profiles Reader" }, { "description": "Permissions needed by the DLP service account to generate data profiles within a project.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/dlp.projectdriver", "stage": "GA", "title": "DLP Project Data Profiles Driver" }, { "description": "Read DLP entities, such as jobs and templates.", "etag": "AA==", "name": "roles/dlp.reader", "stage": "GA", "title": "DLP Reader" }, { "description": "Gives Cloud DLP service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub and Cloud KMS.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/dlp.serviceAgent", "stage": "GA", "title": "DLP API Service Agent" }, { "description": "Edit DLP stored info types.", "etag": "AA==", "name": "roles/dlp.storedInfoTypesEditor", "stage": "GA", "title": "DLP Stored InfoTypes Editor" }, { "description": "Read DLP stored info types.", "etag": "AA==", "name": "roles/dlp.storedInfoTypesReader", "stage": "GA", "title": "DLP Stored InfoTypes Reader" }, { "description": "Manage DLP subscriptions.", "etag": "AA==", "name": "roles/dlp.subscriptionsAdmin", "stage": "GA", "title": "DLP Subscription Admin" }, { "description": "View DLP subscriptions.", "etag": "AA==", "name": "roles/dlp.subscriptionsReader", "stage": "GA", "title": "DLP Subscription Viewer" }, { "description": "Manage DLP table profiles.", "etag": "AA==", "name": "roles/dlp.tableDataProfilesAdmin", "stage": "GA", "title": "DLP Table Data Profiles Admin" }, { "description": "Read DLP table profiles.", "etag": "AA==", "name": "roles/dlp.tableDataProfilesReader", "stage": "GA", "title": "DLP Table Data Profiles Reader" }, { "description": "Inspect, Redact, and De-identify Content", "etag": "AA==", "name": "roles/dlp.user", "stage": "GA", "title": "DLP User" }, { "description": "Full read-write access to DNS resources.", "etag": "AA==", "name": "roles/dns.admin", "stage": "GA", "title": "DNS Administrator" }, { "description": "Access to target networks with DNS peering zones", "etag": "AA==", "name": "roles/dns.peer", "stage": "GA", "title": "DNS Peer" }, { "description": "Read-only access to DNS resources.", "etag": "AA==", "name": "roles/dns.reader", "stage": "GA", "title": "DNS Reader" }, { "description": "Gives Cloud DNS Service Agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/dns.serviceAgent", "title": "Cloud DNS Service Agent" }, { "description": "Grants full access to all resources in Document AI", "etag": "AA==", "name": "roles/documentai.admin", "stage": "BETA", "title": "Document AI Administrator" }, { "description": "Grants access to process documents in Document AI", "etag": "AA==", "name": "roles/documentai.apiUser", "stage": "BETA", "title": "Document AI API User" }, { "description": "Grants access to use all resources in Document AI", "etag": "AA==", "name": "roles/documentai.editor", "stage": "BETA", "title": "Document AI Editor" }, { "description": "Grants access to view all resources and process documents in Document AI", "etag": "AA==", "name": "roles/documentai.viewer", "stage": "BETA", "title": "Document AI Viewer" }, { "description": "Gives DocumentAI Core Service Account access to consumer resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/documentaicore.serviceAgent", "stage": "GA", "title": "DocumentAI Core Service Agent" }, { "description": "Full access to Cloud Domains Registrations and related resources.", "etag": "AA==", "has_privesc": true, "name": "roles/domains.admin", "stage": "GA", "title": "Cloud Domains Admin" }, { "description": "Read-only access to Cloud Domains Registrations and related resources.", "etag": "AA==", "name": "roles/domains.viewer", "stage": "GA", "title": "Cloud Domains Viewer" }, { "description": "Full access to all Earth Engine resource features", "etag": "AA==", "name": "roles/earthengine.admin", "stage": "BETA", "title": "Earth Engine Resource Admin" }, { "description": "Publisher of Earth Engine Apps", "etag": "AA==", "has_privesc": true, "name": "roles/earthengine.appsPublisher", "stage": "BETA", "title": "Earth Engine Apps Publisher" }, { "description": "Viewer of all Earth Engine resources", "etag": "AA==", "name": "roles/earthengine.viewer", "stage": "BETA", "title": "Earth Engine Resource Viewer" }, { "description": "Writer of all Earth Engine resources", "etag": "AA==", "name": "roles/earthengine.writer", "stage": "BETA", "title": "Earth Engine Resource Writer" }, { "description": "Full access to Edge Container all resources.", "etag": "AA==", "name": "roles/edgecontainer.admin", "stage": "GA", "title": "Edge Container Admin" }, { "description": "Grants the Edge Container Cluster Service Account access to manage resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/edgecontainer.clusterServiceAgent", "stage": "GA", "title": "Edge Container Cluster Service Agent" }, { "description": "Access to use Edge Container Machine resources.", "etag": "AA==", "name": "roles/edgecontainer.machineUser", "stage": "GA", "title": "Edge Container Machine User" }, { "description": "Access to get Edge Container cluster offline credentials", "etag": "AA==", "name": "roles/edgecontainer.offlineCredentialUser", "stage": "GA", "title": "Edge Container Cluster offline Credential User" }, { "description": "Grants the Edge Container Service Account access to manage resources.", "etag": "AA==", "name": "roles/edgecontainer.serviceAgent", "stage": "GA", "title": "Edge Container Service Agent" }, { "description": "Read-only access to Edge Container all resources.", "etag": "AA==", "name": "roles/edgecontainer.viewer", "stage": "GA", "title": "Edge Container Viewer" }, { "description": "Full access to Edge Network all resources.", "etag": "AA==", "name": "roles/edgenetwork.admin", "stage": "GA", "title": "Edge Network Admin" }, { "description": "Read-only access to Edge Network all resources.", "etag": "AA==", "name": "roles/edgenetwork.viewer", "stage": "GA", "title": "Edge Network Viewer" }, { "description": "View, create, update, and delete most Google Cloud resources. See the list of included permissions.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/editor", "stage": "GA", "title": "Editor" }, { "description": "Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.", "etag": "AA==", "name": "roles/endpoints.serviceAgent", "stage": "GA", "title": "Cloud Endpoints Service Agent" }, { "description": "Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.", "etag": "AA==", "name": "roles/endpointsportal.serviceAgent", "stage": "GA", "title": "Endpoints Portal Service Agent" }, { "description": "Administrator of Enterprise Knowledge Graph resources", "etag": "AA==", "name": "roles/enterpriseknowledgegraph.admin", "stage": "BETA", "title": "Enterprise Knowledge Graph Admin" }, { "description": "Editor of Enterprise Knowledge Graph resources", "etag": "AA==", "name": "roles/enterpriseknowledgegraph.editor", "stage": "BETA", "title": "Enterprise Knowledge Graph Editor" }, { "description": "Gives Enterprise Knowledge Graph Service Account access to consumer resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/enterpriseknowledgegraph.serviceAgent", "stage": "GA", "title": "Enterprise Knowledge Graph Service Agent" }, { "description": "Viewer of Enterprise Knowledge Graph resources", "etag": "AA==", "name": "roles/enterpriseknowledgegraph.viewer", "stage": "BETA", "title": "Enterprise Knowledge Graph Viewer" }, { "description": "Full access to Enterprise Purchasing resources.", "etag": "AA==", "name": "roles/enterprisepurchasing.admin", "stage": "BETA", "title": "Enterprise Purchasing Admin" }, { "description": "Edit access to Enterprise Purchasing resources.", "etag": "AA==", "name": "roles/enterprisepurchasing.editor", "stage": "BETA", "title": "Enterprise Purchasing Editor" }, { "description": "Readonly access to Enterprise Purchasing resources.", "etag": "AA==", "name": "roles/enterprisepurchasing.viewer", "stage": "BETA", "title": "Enterprise Purchasing Viewer" }, { "description": "Administrative access to Error Reporting.", "etag": "AA==", "name": "roles/errorreporting.admin", "stage": "BETA", "title": "Error Reporting Admin" }, { "description": "User access to Error Reporting. Can list all errors and update their metadata. Can delete error events.", "etag": "AA==", "name": "roles/errorreporting.user", "stage": "BETA", "title": "Error Reporting User" }, { "description": "Read-only access to all Error Reporting data.", "etag": "AA==", "name": "roles/errorreporting.viewer", "stage": "BETA", "title": "Error Reporting Viewer" }, { "description": "Can send error events to Error Reporting. Intended for service accounts.", "etag": "AA==", "name": "roles/errorreporting.writer", "stage": "BETA", "title": "Error Reporting Writer" }, { "description": "Full access to all essential contacts", "etag": "AA==", "name": "roles/essentialcontacts.admin", "stage": "GA", "title": "Essential Contacts Admin" }, { "description": "Viewer for all essential contacts", "etag": "AA==", "name": "roles/essentialcontacts.viewer", "stage": "GA", "title": "Essential Contacts Viewer" }, { "description": "Full control over all Eventarc resources.", "etag": "AA==", "name": "roles/eventarc.admin", "stage": "GA", "title": "Eventarc Admin" }, { "description": "Can publish events to Eventarc Channel Connections.", "etag": "AA==", "name": "roles/eventarc.connectionPublisher", "stage": "BETA", "title": "Eventarc Connection Publisher" }, { "description": "Access to read and write Eventarc resources.", "etag": "AA==", "name": "roles/eventarc.developer", "stage": "GA", "title": "Eventarc Developer" }, { "description": "Can receive events from all event providers.", "etag": "AA==", "name": "roles/eventarc.eventReceiver", "stage": "GA", "title": "Eventarc Event Receiver" }, { "description": "Can publish events to Eventarc channels.", "etag": "AA==", "name": "roles/eventarc.publisher", "stage": "BETA", "title": "Eventarc Publisher" }, { "description": "Gives Eventarc service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/eventarc.serviceAgent", "stage": "GA", "title": "Eventarc Service Agent" }, { "description": "Can view the state of all Eventarc resources, including IAM policies.", "etag": "AA==", "name": "roles/eventarc.viewer", "stage": "GA", "title": "Eventarc Viewer" }, { "description": "Read-write access to Filestore instances and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/file.editor", "stage": "BETA", "title": "Cloud Filestore Editor" }, { "description": "Gives Cloud Filestore service account access to managed resources.", "etag": "AA==", "name": "roles/file.serviceAgent", "stage": "GA", "title": "Cloud Filestore Service Agent" }, { "description": "Read-only access to Filestore instances and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/file.viewer", "stage": "BETA", "title": "Cloud Filestore Viewer" }, { "description": "Full access to all Financial Services API resources.", "etag": "AA==", "name": "roles/financialservices.admin", "stage": "GA", "title": "Financial Services Admin" }, { "description": "View access to all Financial Services API resources.", "etag": "AA==", "name": "roles/financialservices.viewer", "stage": "GA", "title": "Financial Services Viewer" }, { "description": "Full access to Firebase products.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/firebase.admin", "stage": "GA", "title": "Firebase Admin" }, { "description": "Full access to Google Analytics for Firebase.", "etag": "AA==", "name": "roles/firebase.analyticsAdmin", "stage": "GA", "title": "Firebase Analytics Admin" }, { "description": "Read access to Google Analytics for Firebase.", "etag": "AA==", "name": "roles/firebase.analyticsViewer", "stage": "GA", "title": "Firebase Analytics Viewer" }, { "description": "Read and write access to Firebase App Distribution with the Admin SDK", "etag": "AA==", "name": "roles/firebase.appDistributionSdkServiceAgent", "stage": "GA", "title": "Firebase App Distribution Admin SDK Service Agent" }, { "description": "Full access to Firebase Develop products and Analytics.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/firebase.developAdmin", "stage": "GA", "title": "Firebase Develop Admin" }, { "description": "Read access to Firebase Develop products and Analytics.", "etag": "AA==", "has_dataaccess": true, "name": "roles/firebase.developViewer", "stage": "GA", "title": "Firebase Develop Viewer" }, { "description": "Full access to Firebase Grow products and Analytics.", "etag": "AA==", "name": "roles/firebase.growthAdmin", "stage": "GA", "title": "Firebase Grow Admin" }, { "description": "Read access to Firebase Grow products and Analytics.", "etag": "AA==", "name": "roles/firebase.growthViewer", "stage": "GA", "title": "Firebase Grow Viewer" }, { "description": "Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.", "etag": "AA==", "has_privesc": true, "name": "roles/firebase.managementServiceAgent", "stage": "GA", "title": "Firebase Service Management Service Agent" }, { "description": "Full access to Firebase Quality products and Analytics.", "etag": "AA==", "name": "roles/firebase.qualityAdmin", "stage": "GA", "title": "Firebase Quality Admin" }, { "description": "Read access to Firebase Quality products and Analytics.", "etag": "AA==", "name": "roles/firebase.qualityViewer", "stage": "GA", "title": "Firebase Quality Viewer" }, { "description": "Read and write access to Firebase products available in the Admin SDK", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/firebase.sdkAdminServiceAgent", "stage": "GA", "title": "Firebase Admin SDK Administrator Service Agent" }, { "description": "Access to provision apps with the Admin SDK.", "etag": "AA==", "name": "roles/firebase.sdkProvisioningServiceAgent", "stage": "GA", "title": "Firebase SDK Provisioning Service Agent" }, { "description": "Read-only access to Firebase products.", "etag": "AA==", "has_dataaccess": true, "name": "roles/firebase.viewer", "stage": "GA", "title": "Firebase Viewer" }, { "description": "Full read/write access to Firebase A/B Testing resources.", "etag": "AA==", "name": "roles/firebaseabt.admin", "stage": "BETA", "title": "Firebase A/B Testing Admin" }, { "description": "Read-only access to Firebase A/B Testing resources.", "etag": "AA==", "name": "roles/firebaseabt.viewer", "stage": "BETA", "title": "Firebase A/B Testing Viewer" }, { "description": "Full management of Firebase App Check.", "etag": "AA==", "name": "roles/firebaseappcheck.admin", "stage": "GA", "title": "Firebase App Check Admin" }, { "description": "Grants Firebase App Check Service Account access to consumer app attestation resources, such as reCAPTCHA Enterprise and Play Integrity API.", "etag": "AA==", "name": "roles/firebaseappcheck.serviceAgent", "stage": "GA", "title": "Firebase App Check Service Agent" }, { "description": "Access to token verification capabilities for Firebase App Check.", "etag": "AA==", "name": "roles/firebaseappcheck.tokenVerifier", "stage": "GA", "title": "Firebase App Check Token Verifier" }, { "description": "Read-only access for Firebase App Check.", "etag": "AA==", "name": "roles/firebaseappcheck.viewer", "stage": "GA", "title": "Firebase App Check Viewer" }, { "description": "Full read/write access to Firebase App Distribution resources.", "etag": "AA==", "name": "roles/firebaseappdistro.admin", "stage": "GA", "title": "Firebase App Distribution Admin" }, { "description": "Read-only access to Firebase App Distribution resources.", "etag": "AA==", "name": "roles/firebaseappdistro.viewer", "stage": "GA", "title": "Firebase App Distribution Viewer" }, { "description": "Full read/write access to Firebase Authentication resources.", "etag": "AA==", "name": "roles/firebaseauth.admin", "stage": "GA", "title": "Firebase Authentication Admin" }, { "description": "Read-only access to Firebase Authentication resources.", "etag": "AA==", "name": "roles/firebaseauth.viewer", "stage": "GA", "title": "Firebase Authentication Viewer" }, { "description": "Full read/write access to Firebase Cloud Messaging API resources.", "etag": "AA==", "name": "roles/firebasecloudmessaging.admin", "stage": "BETA", "title": "Firebase Cloud Messaging API Admin" }, { "description": "Full read/write access to symbol mapping file resources for Firebase Crash Reporting.", "etag": "AA==", "name": "roles/firebasecrash.symbolMappingsAdmin", "stage": "GA", "title": "Firebase Crash Symbol Uploader" }, { "description": "Full read/write access to Firebase Crashlytics resources.", "etag": "AA==", "name": "roles/firebasecrashlytics.admin", "stage": "GA", "title": "Firebase Crashlytics Admin" }, { "description": "Read-only access to Firebase Crashlytics resources.", "etag": "AA==", "name": "roles/firebasecrashlytics.viewer", "stage": "GA", "title": "Firebase Crashlytics Viewer" }, { "description": "Full read/write access to Firebase Realtime Database resources.", "etag": "AA==", "name": "roles/firebasedatabase.admin", "stage": "GA", "title": "Firebase Realtime Database Admin" }, { "description": "Access to publish triggers", "etag": "AA==", "name": "roles/firebasedatabase.serviceAgent", "stage": "GA", "title": "Firebase Realtime Database Service Agent" }, { "description": "Read-only access to Firebase Realtime Database resources.", "etag": "AA==", "name": "roles/firebasedatabase.viewer", "stage": "GA", "title": "Firebase Realtime Database Viewer" }, { "description": "Gives Firebase Data Connect access to Cloud SQL databases.", "etag": "AA==", "name": "roles/firebasedataconnect.serviceAgent", "title": "Firebase Data Connect Service Agent" }, { "description": "Full read/write access to Firebase Dynamic Links resources.", "etag": "AA==", "name": "roles/firebasedynamiclinks.admin", "stage": "GA", "title": "Firebase Dynamic Links Admin" }, { "description": "Read-only access to Firebase Dynamic Links resources.", "etag": "AA==", "name": "roles/firebasedynamiclinks.viewer", "stage": "GA", "title": "Firebase Dynamic Links Viewer" }, { "description": "View, create, and delete Firebase Extensions Instances and Extensions Versions, and update Extensions Instances", "etag": "AA==", "name": "roles/firebaseextensions.developer", "stage": "BETA", "title": "Firebase Extensions Developer" }, { "description": "Viewer of Firebase Extensions Instances", "etag": "AA==", "name": "roles/firebaseextensions.viewer", "stage": "BETA", "title": "Firebase Extensions Viewer" }, { "description": "Fully manage Firebase Extensions", "etag": "AA==", "name": "roles/firebaseextensionspublisher.extensionsAdmin", "stage": "BETA", "title": "Firebase Extensions Publisher - Extensions Admin" }, { "description": "View Firebase Extensions", "etag": "AA==", "name": "roles/firebaseextensionspublisher.extensionsViewer", "stage": "BETA", "title": "Firebase Extensions Publisher - Extensions Viewer" }, { "description": "Full read/write access to Firebase Hosting resources.", "etag": "AA==", "name": "roles/firebasehosting.admin", "stage": "GA", "title": "Firebase Hosting Admin" }, { "description": "Read-only access to Firebase Hosting resources.", "etag": "AA==", "name": "roles/firebasehosting.viewer", "stage": "GA", "title": "Firebase Hosting Viewer" }, { "description": "Full read/write access to Firebase In-App Messaging resources.", "etag": "AA==", "name": "roles/firebaseinappmessaging.admin", "stage": "BETA", "title": "Firebase In-App Messaging Admin" }, { "description": "Read-only access to Firebase In-App Messaging resources.", "etag": "AA==", "name": "roles/firebaseinappmessaging.viewer", "stage": "BETA", "title": "Firebase In-App Messaging Viewer" }, { "description": "Full management of Firebase Messaging Campaigns.", "etag": "AA==", "name": "roles/firebasemessagingcampaigns.admin", "stage": "BETA", "title": "Firebase Messaging Campaigns Admin" }, { "description": "Read-only access for Firebase Messaging Campaigns.", "etag": "AA==", "name": "roles/firebasemessagingcampaigns.viewer", "stage": "BETA", "title": "Firebase Messaging Campaigns Viewer" }, { "description": "Full read/write access to Firebase ML Kit resources.", "etag": "AA==", "name": "roles/firebaseml.admin", "stage": "BETA", "title": "Firebase ML Kit Admin" }, { "description": "Access to Cloud ML and AI resources used by Firebase ML", "etag": "AA==", "name": "roles/firebaseml.serviceAgent", "title": "Firebase Machine Learning Service Agent" }, { "description": "Read-only access to Firebase ML Kit resources.", "etag": "AA==", "name": "roles/firebaseml.viewer", "stage": "BETA", "title": "Firebase ML Kit Viewer" }, { "description": "Grants Firebase Extensions API Service Account access to manage resources.", "etag": "AA==", "has_privesc": true, "name": "roles/firebasemods.serviceAgent", "stage": "GA", "title": "Firebase Extensions API Service Agent" }, { "description": "Full read/write access to Firebase Cloud Messaging resources.", "etag": "AA==", "name": "roles/firebasenotifications.admin", "stage": "GA", "title": "Firebase Cloud Messaging Admin" }, { "description": "Read-only access to Firebase Cloud Messaging resources.", "etag": "AA==", "name": "roles/firebasenotifications.viewer", "stage": "GA", "title": "Firebase Cloud Messaging Viewer" }, { "description": "Full access to firebaseperformance resources.", "etag": "AA==", "name": "roles/firebaseperformance.admin", "stage": "GA", "title": "Firebase Performance Reporting Admin" }, { "description": "Read-only access to firebaseperformance resources.", "etag": "AA==", "name": "roles/firebaseperformance.viewer", "stage": "GA", "title": "Firebase Performance Reporting Viewer" }, { "description": "Full management of Firebase Rules.", "etag": "AA==", "name": "roles/firebaserules.admin", "stage": "GA", "title": "Firebase Rules Admin" }, { "description": "Grants Firebase Security Rules access to Firestore for providing cross-service Rules.", "etag": "AA==", "has_dataaccess": true, "name": "roles/firebaserules.firestoreServiceAgent", "stage": "GA", "title": "Firebase Rules Firestore Service Agent" }, { "description": "Read/write/list access for Datastore entities and Cloud Storage objects, as well as get/list/publish access for PubSub topics.", "etag": "AA==", "has_dataaccess": true, "name": "roles/firebaserules.system", "stage": "GA", "title": "Firebase Rules System" }, { "description": "Read-only access on all resources with the ability to test Rulesets.", "etag": "AA==", "name": "roles/firebaserules.viewer", "stage": "GA", "title": "Firebase Rules Viewer" }, { "description": "Full management of Cloud Storage for Firebase.", "etag": "AA==", "name": "roles/firebasestorage.admin", "stage": "BETA", "title": "Cloud Storage for Firebase Admin" }, { "description": "Access to Cloud Storage for Firebase through API and SDK.", "etag": "AA==", "has_dataaccess": true, "name": "roles/firebasestorage.serviceAgent", "stage": "GA", "title": "Cloud Storage for Firebase Service Agent" }, { "description": "Read-only access for Cloud Storage for Firebase.", "etag": "AA==", "name": "roles/firebasestorage.viewer", "stage": "BETA", "title": "Cloud Storage for Firebase Viewer" }, { "description": "Gives Firestore service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/firestore.serviceAgent", "stage": "GA", "title": "Firestore Service Agent" }, { "description": "Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on user behalf.", "etag": "AA==", "name": "roles/firewallinsights.serviceAgent", "stage": "GA", "title": "Cloud Firewall Insights Service Agent" }, { "description": "Limited read access to Fleet Engine resources", "etag": "AA==", "name": "roles/fleetengine.consumerSdkUser", "stage": "GA", "title": "Fleet Engine Consumer SDK User" }, { "description": "Full access to Fleet Engine Delivery resources.", "etag": "AA==", "name": "roles/fleetengine.deliveryAdmin", "stage": "GA", "title": "Fleet Engine Delivery Admin" }, { "description": "Limited read access to Fleet Engine Delivery resources", "etag": "AA==", "name": "roles/fleetengine.deliveryConsumer", "stage": "GA", "title": "Fleet Engine Delivery Consumer User" }, { "description": "Grants read access to all Fleet Engine Delivery resources", "etag": "AA==", "name": "roles/fleetengine.deliveryFleetReader", "stage": "GA", "title": "Fleet Engine Delivery Fleet Reader User" }, { "description": "Full access to Fleet Engine DeliveryVehicles and Tasks resources.", "etag": "AA==", "name": "roles/fleetengine.deliverySuperUser", "stage": "GA", "title": "Fleet Engine Delivery Super User" }, { "description": "Read and write access to Fleet Engine Delivery resources", "etag": "AA==", "name": "roles/fleetengine.deliveryTrustedDriver", "stage": "GA", "title": "Fleet Engine Delivery Trusted Driver User" }, { "description": "Limited write access to Fleet Engine Delivery Vehicle resources", "etag": "AA==", "name": "roles/fleetengine.deliveryUntrustedDriver", "stage": "GA", "title": "Fleet Engine Delivery Untrusted Driver User" }, { "description": "Read and limited update access to Fleet Engine resources", "etag": "AA==", "name": "roles/fleetengine.driverSdkUser", "stage": "GA", "title": "Fleet Engine Driver SDK User" }, { "description": "Full access to Vehicle and Trip resources.", "etag": "AA==", "name": "roles/fleetengine.ondemandAdmin", "stage": "GA", "title": "Fleet Engine On-Demand Admin" }, { "description": "Grants the FleetEngine Service Account access to manage resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/fleetengine.serviceAgent", "stage": "GA", "title": "FleetEngine Service Agent" }, { "description": "Full access to all Fleet Engine resources.", "etag": "AA==", "name": "roles/fleetengine.serviceSuperUser", "stage": "GA", "title": "Fleet Engine Service Super User" }, { "description": "Gives Game Services Service Account access to GCP resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/gameservices.serviceAgent", "stage": "GA", "title": "Game Services Service Agent" }, { "description": "Full access to GDC Hardware Management resources.", "etag": "AA==", "name": "roles/gdchardwaremanagement.admin", "stage": "BETA", "title": "GDC Hardware Management Admin" }, { "description": "Create, read, and update access to GDC Hardware Management resources that support those operations. Also grants delete access to HardwareGroup resource.", "etag": "AA==", "name": "roles/gdchardwaremanagement.operator", "stage": "BETA", "title": "GDC Hardware Management Operator" }, { "description": "Readonly access to GDC Hardware Management resources.", "etag": "AA==", "name": "roles/gdchardwaremanagement.reader", "stage": "BETA", "title": "GDC Hardware Management Reader" }, { "description": "Full access to genomics datasets and operations.", "etag": "AA==", "name": "roles/genomics.admin", "stage": "GA", "title": "Genomics Admin" }, { "description": "Access to read and edit genomics datasets and operations.", "etag": "AA==", "name": "roles/genomics.editor", "stage": "GA", "title": "Genomics Editor" }, { "description": "Full access to operate on genomics pipelines.", "etag": "AA==", "name": "roles/genomics.pipelinesRunner", "stage": "GA", "title": "Genomics Pipelines Runner" }, { "description": "Gives Genomics Service Account access to compute resources. Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/genomics.serviceAgent", "stage": "GA", "title": "Genomics Service Agent" }, { "description": "Access to view genomics datasets and operations.", "etag": "AA==", "name": "roles/genomics.viewer", "stage": "GA", "title": "Genomics Viewer" }, { "description": "Full access to all Backup for GKE resources.", "etag": "AA==", "name": "roles/gkebackup.admin", "stage": "GA", "title": "Backup for GKE Admin" }, { "description": "Allows administrators to manage all BackupPlan and Backup resources.", "etag": "AA==", "name": "roles/gkebackup.backupAdmin", "stage": "GA", "title": "Backup for GKE Backup Admin" }, { "description": "Allows administrators to manage Backup resources for specific BackupPlans", "etag": "AA==", "name": "roles/gkebackup.delegatedBackupAdmin", "stage": "GA", "title": "Backup for GKE Delegated Backup Admin" }, { "description": "Allows administrators to manage Restore resources for specific RestorePlans", "etag": "AA==", "name": "roles/gkebackup.delegatedRestoreAdmin", "stage": "GA", "title": "Backup for GKE Delegated Restore Admin" }, { "description": "Allows administrators to manage all RestorePlan and Restore resources.", "etag": "AA==", "name": "roles/gkebackup.restoreAdmin", "stage": "GA", "title": "Backup for GKE Restore Admin" }, { "description": "Grants the Backup for GKE Service Account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/gkebackup.serviceAgent", "stage": "GA", "title": "Backup for GKE Service Agent" }, { "description": "Read-only access to all Backup for GKE resources.", "etag": "AA==", "name": "roles/gkebackup.viewer", "stage": "GA", "title": "Backup for GKE Viewer" }, { "description": "Gives the Warp Run service agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/gkedataplanemanagement.warpRunServiceAgent", "stage": "GA", "title": "Warp Run Service Agent" }, { "description": "Full access to Fleet resources.", "etag": "AA==", "name": "roles/gkehub.admin", "stage": "GA", "title": "Fleet Admin (formerly GKE Hub Admin)" }, { "description": "Ability to set up GKE Connect between external clusters and Google.", "etag": "AA==", "name": "roles/gkehub.connect", "stage": "GA", "title": "GKE Connect Agent" }, { "description": "Gives the GKE Hub service agent permission to manage the project for cross-project fleet registration.", "etag": "AA==", "has_privesc": true, "name": "roles/gkehub.crossProjectServiceAgent", "stage": "GA", "title": "GKE Hub Cross Project Service Agent" }, { "description": "Edit access to Fleet resources.", "etag": "AA==", "name": "roles/gkehub.editor", "stage": "GA", "title": "Fleet Editor (formerly GKE Hub Editor)" }, { "description": "Full access to Connect Gateway.", "etag": "AA==", "name": "roles/gkehub.gatewayAdmin", "stage": "GA", "title": "Connect Gateway Admin" }, { "description": "Edit access to Connect Gateway.", "etag": "AA==", "name": "roles/gkehub.gatewayEditor", "stage": "GA", "title": "Connect Gateway Editor" }, { "description": "Read-only access to Connect Gateway.", "etag": "AA==", "name": "roles/gkehub.gatewayReader", "stage": "GA", "title": "Connect Gateway Reader" }, { "description": "Viewer of Fleet Scopes and associated resources.", "etag": "AA==", "name": "roles/gkehub.scopeViewer", "title": "Fleet Scope Viewer" }, { "description": "Gives the GKE Hub service agent access to Cloud Platform resources.", "etag": "AA==", "has_privesc": true, "name": "roles/gkehub.serviceAgent", "stage": "GA", "title": "GKE Hub Service Agent" }, { "description": "Read-only access to Fleets and related resources.", "etag": "AA==", "name": "roles/gkehub.viewer", "stage": "GA", "title": "Fleet Viewer (formerly GKE Hub Viewer)" }, { "description": "Admin access to Anthos Multi-cloud resources.", "etag": "AA==", "name": "roles/gkemulticloud.admin", "stage": "GA", "title": "Anthos Multi-cloud Admin" }, { "description": "Grants the Anthos Multi-Cloud Container Service Account access to manage resources.", "etag": "AA==", "name": "roles/gkemulticloud.containerServiceAgent", "stage": "GA", "title": "Anthos Multi-Cloud Container Service Agent" }, { "description": "Grants the Anthos Multi-Cloud Control Plane Machine Service Account access to manage resources.", "etag": "AA==", "name": "roles/gkemulticloud.controlPlaneMachineServiceAgent", "stage": "GA", "title": "Anthos Multi-Cloud Control Plane Machine Service Agent" }, { "description": "Grants the Anthos Multi-Cloud Node Pool Machine Service Account access to manage resources.", "etag": "AA==", "name": "roles/gkemulticloud.nodePoolMachineServiceAgent", "stage": "GA", "title": "Anthos Multi-Cloud Node Pool Machine Service Agent" }, { "description": "Grants the Anthos Multi-Cloud Service Account access to manage resources.", "etag": "AA==", "name": "roles/gkemulticloud.serviceAgent", "stage": "GA", "title": "Anthos Multi-Cloud Service Agent" }, { "description": "Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.", "etag": "AA==", "name": "roles/gkemulticloud.telemetryWriter", "stage": "GA", "title": "Anthos Multi-cloud Telemetry Writer" }, { "description": "Viewer access to Anthos Multi-cloud resources.", "etag": "AA==", "name": "roles/gkemulticloud.viewer", "stage": "GA", "title": "Anthos Multi-cloud Viewer" }, { "description": "Full access to GKE on-prem all resources.", "etag": "AA==", "name": "roles/gkeonprem.admin", "stage": "GA", "title": "GKE on-prem Admin" }, { "description": "Gives the GKE On-Prem service agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/gkeonprem.serviceAgent", "stage": "GA", "title": "GKE On-Prem Service Agent" }, { "description": "Read-only access to GKE on-prem all resources.", "etag": "AA==", "name": "roles/gkeonprem.viewer", "stage": "GA", "title": "GKE on-prem Viewer" }, { "description": "Full access to Google Workspace Add-ons resources", "etag": "AA==", "name": "roles/gsuiteaddons.developer", "stage": "GA", "title": "Google Workspace Add-ons Developer" }, { "description": "Read-only access to Google Workspace Add-ons resources", "etag": "AA==", "name": "roles/gsuiteaddons.reader", "stage": "GA", "title": "Google Workspace Add-ons Reader" }, { "description": "Testing execution access to Google Workspace Add-ons resources", "etag": "AA==", "name": "roles/gsuiteaddons.tester", "stage": "GA", "title": "Google Workspace Add-ons Tester" }, { "description": "Create, delete, update, read and list annotations.", "etag": "AA==", "name": "roles/healthcare.annotationEditor", "stage": "GA", "title": "Healthcare Annotation Editor" }, { "description": "Read and list annotations in an Annotation store.", "etag": "AA==", "name": "roles/healthcare.annotationReader", "stage": "GA", "title": "Healthcare Annotation Reader" }, { "description": "Administer Annotation stores.", "etag": "AA==", "name": "roles/healthcare.annotationStoreAdmin", "stage": "GA", "title": "Healthcare Annotation Administrator" }, { "description": "List Annotation Stores in a dataset.", "etag": "AA==", "name": "roles/healthcare.annotationStoreViewer", "stage": "GA", "title": "Healthcare Annotation Store Viewer" }, { "description": "Edit AttributeDefinition objects.", "etag": "AA==", "name": "roles/healthcare.attributeDefinitionEditor", "stage": "GA", "title": "Healthcare Attribute Definition Editor" }, { "description": "Read AttributeDefinition objects in a consent store.", "etag": "AA==", "name": "roles/healthcare.attributeDefinitionReader", "stage": "GA", "title": "Healthcare Attribute Definition Reader" }, { "description": "Administer ConsentArtifact objects.", "etag": "AA==", "name": "roles/healthcare.consentArtifactAdmin", "stage": "GA", "title": "Healthcare Consent Artifact Administrator" }, { "description": "Edit ConsentArtifact objects.", "etag": "AA==", "name": "roles/healthcare.consentArtifactEditor", "stage": "GA", "title": "Healthcare Consent Artifact Editor" }, { "description": "Read ConsentArtifact objects in a consent store.", "etag": "AA==", "name": "roles/healthcare.consentArtifactReader", "stage": "GA", "title": "Healthcare Consent Artifact Reader" }, { "description": "Edit Consent objects.", "etag": "AA==", "name": "roles/healthcare.consentEditor", "stage": "GA", "title": "Healthcare Consent Editor" }, { "description": "Read Consent objects in a consent store.", "etag": "AA==", "name": "roles/healthcare.consentReader", "stage": "GA", "title": "Healthcare Consent Reader" }, { "description": "Administer Consent stores.", "etag": "AA==", "name": "roles/healthcare.consentStoreAdmin", "stage": "GA", "title": "Healthcare Consent Store Administrator" }, { "description": "List Consent Stores in a dataset.", "etag": "AA==", "name": "roles/healthcare.consentStoreViewer", "stage": "GA", "title": "Healthcare Consent Store Viewer" }, { "description": "Administer Healthcare Datasets.", "etag": "AA==", "name": "roles/healthcare.datasetAdmin", "stage": "GA", "title": "Healthcare Dataset Administrator" }, { "description": "List the Healthcare Datasets in a project.", "etag": "AA==", "name": "roles/healthcare.datasetViewer", "stage": "GA", "title": "Healthcare Dataset Viewer" }, { "description": "Edit DICOM images individually and in bulk.", "etag": "AA==", "name": "roles/healthcare.dicomEditor", "stage": "GA", "title": "Healthcare DICOM Editor" }, { "description": "Administer DICOM stores.", "etag": "AA==", "name": "roles/healthcare.dicomStoreAdmin", "stage": "GA", "title": "Healthcare DICOM Store Administrator" }, { "description": "List DICOM Stores in a dataset.", "etag": "AA==", "name": "roles/healthcare.dicomStoreViewer", "stage": "GA", "title": "Healthcare DICOM Store Viewer" }, { "description": "Retrieve DICOM images from a DICOM store.", "etag": "AA==", "name": "roles/healthcare.dicomViewer", "stage": "GA", "title": "Healthcare DICOM Viewer" }, { "description": "Create, delete, update, read and search FHIR resources.", "etag": "AA==", "name": "roles/healthcare.fhirResourceEditor", "stage": "GA", "title": "Healthcare FHIR Resource Editor" }, { "description": "Read and search FHIR resources.", "etag": "AA==", "name": "roles/healthcare.fhirResourceReader", "stage": "GA", "title": "Healthcare FHIR Resource Reader" }, { "description": "Administer FHIR resource stores.", "etag": "AA==", "name": "roles/healthcare.fhirStoreAdmin", "stage": "GA", "title": "Healthcare FHIR Store Administrator" }, { "description": "List FHIR Stores in a dataset.", "etag": "AA==", "name": "roles/healthcare.fhirStoreViewer", "stage": "GA", "title": "Healthcare FHIR Store Viewer" }, { "description": "List and read HL7v2 messages, update message labels, and publish new messages.", "etag": "AA==", "name": "roles/healthcare.hl7V2Consumer", "stage": "GA", "title": "Healthcare HL7v2 Message Consumer" }, { "description": "Read, write, and delete access to HL7v2 messages.", "etag": "AA==", "name": "roles/healthcare.hl7V2Editor", "stage": "GA", "title": "Healthcare HL7v2 Message Editor" }, { "description": "Ingest HL7v2 messages received from a source network.", "etag": "AA==", "name": "roles/healthcare.hl7V2Ingest", "stage": "GA", "title": "Healthcare HL7v2 Message Ingest" }, { "description": "Administer HL7v2 Stores.", "etag": "AA==", "name": "roles/healthcare.hl7V2StoreAdmin", "stage": "GA", "title": "Healthcare HL7v2 Store Administrator" }, { "description": "View HL7v2 Stores in a dataset.", "etag": "AA==", "name": "roles/healthcare.hl7V2StoreViewer", "stage": "GA", "title": "Healthcare HL7v2 Store Viewer" }, { "description": "Extract and analyze medical entities from a given text.", "etag": "AA==", "name": "roles/healthcare.nlpServiceViewer", "stage": "BETA", "title": "Healthcare NLP Service Viewer" }, { "description": "Gives the Healthcare Service Account access to networks,Kubernetes engine, and pubsub resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/healthcare.serviceAgent", "stage": "GA", "title": "Healthcare Service Agent" }, { "description": "Edit UserDataMapping objects.", "etag": "AA==", "name": "roles/healthcare.userDataMappingEditor", "stage": "GA", "title": "Healthcare User Data Mapping Editor" }, { "description": "Read UserDataMapping objects in a consent store.", "etag": "AA==", "name": "roles/healthcare.userDataMappingReader", "stage": "GA", "title": "Healthcare User Data Mapping Reader" }, { "description": "Deny admin role, with permissions to read and modify deny policies", "etag": "AA==", "name": "roles/iam.denyAdmin", "stage": "GA", "title": "Deny Admin" }, { "description": "Deny Reviewer role, with permissions to read deny policies", "etag": "AA==", "name": "roles/iam.denyReviewer", "stage": "GA", "title": "Deny Reviewer" }, { "description": "Full rights to create and manage OAuth clients.", "etag": "AA==", "name": "roles/iam.oauthClientAdmin", "title": "IAM OAuth Client Admin" }, { "description": "Read access to a particular instance of an OAuth client.", "etag": "AA==", "name": "roles/iam.oauthClientViewer", "title": "IAM OAuth Client Viewer" }, { "description": "Access to administer all custom roles in the organization and the projects below it.", "etag": "AA==", "has_privesc": true, "name": "roles/iam.organizationRoleAdmin", "stage": "GA", "title": "Organization Role Administrator" }, { "description": "Read access to all custom roles in the organization and the projects below it.", "etag": "AA==", "name": "roles/iam.organizationRoleViewer", "stage": "GA", "title": "Organization Role Viewer" }, { "description": "Access to administer all custom roles in the project.", "etag": "AA==", "has_privesc": true, "name": "roles/iam.roleAdmin", "stage": "GA", "title": "Role Administrator" }, { "description": "Read access to all custom roles in the project.", "etag": "AA==", "name": "roles/iam.roleViewer", "stage": "GA", "title": "Role Viewer" }, { "description": "Security admin role, with permissions to get and set any IAM policy.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/iam.securityAdmin", "stage": "GA", "title": "Security Admin" }, { "description": "Security reviewer role, with permissions to get any IAM policy.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/iam.securityReviewer", "stage": "GA", "title": "Security Reviewer" }, { "description": "Create and manage service accounts.", "etag": "AA==", "has_privesc": true, "name": "roles/iam.serviceAccountAdmin", "stage": "GA", "title": "Service Account Admin" }, { "description": "Access to create service accounts.", "etag": "AA==", "name": "roles/iam.serviceAccountCreator", "stage": "GA", "title": "Create Service Accounts" }, { "description": "Access to delete service accounts.", "etag": "AA==", "name": "roles/iam.serviceAccountDeleter", "stage": "GA", "title": "Delete Service Accounts" }, { "description": "Create and manage (and rotate) service account keys.", "etag": "AA==", "has_credentialexposure": true, "has_privesc": true, "name": "roles/iam.serviceAccountKeyAdmin", "stage": "GA", "title": "Service Account Key Admin" }, { "description": "Create OpenID Connect (OIDC) identity tokens", "etag": "AA==", "has_privesc": true, "name": "roles/iam.serviceAccountOpenIdTokenCreator", "stage": "GA", "title": "Service Account OpenID Connect Identity Token Creator" }, { "description": "Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).", "etag": "AA==", "has_privesc": true, "name": "roles/iam.serviceAccountTokenCreator", "stage": "GA", "title": "Service Account Token Creator" }, { "description": "Run operations as the service account.", "etag": "AA==", "has_privesc": true, "name": "roles/iam.serviceAccountUser", "stage": "GA", "title": "Service Account User" }, { "description": "Read access to service accounts, metadata, and keys.", "etag": "AA==", "name": "roles/iam.serviceAccountViewer", "stage": "GA", "title": "View Service Accounts" }, { "description": "Full rights to create and manage all workforce pools in the org, along with the ability to delegate permissions to other admins.", "etag": "AA==", "name": "roles/iam.workforcePoolAdmin", "stage": "GA", "title": "IAM Workforce Pool Admin" }, { "description": "Rights to edit a particular instance of a workforce pool.", "etag": "AA==", "name": "roles/iam.workforcePoolEditor", "stage": "GA", "title": "IAM Workforce Pool Editor" }, { "description": "Rights to read workforce pool.", "etag": "AA==", "name": "roles/iam.workforcePoolViewer", "stage": "GA", "title": "IAM Workforce Pool Viewer" }, { "description": "Full rights to create and manage workload identity pools.", "etag": "AA==", "name": "roles/iam.workloadIdentityPoolAdmin", "stage": "BETA", "title": "IAM Workload Identity Pool Admin" }, { "description": "Read access to workload identity pools.", "etag": "AA==", "name": "roles/iam.workloadIdentityPoolViewer", "stage": "BETA", "title": "IAM Workload Identity Pool Viewer" }, { "description": "Impersonate service accounts from federated workloads.", "etag": "AA==", "has_privesc": true, "name": "roles/iam.workloadIdentityUser", "stage": "GA", "title": "Workload Identity User" }, { "description": "Administrator of IAP Permissions", "etag": "AA==", "name": "roles/iap.admin", "stage": "GA", "title": "IAP Policy Admin" }, { "description": "Access HTTPS resources which use Identity-Aware Proxy", "etag": "AA==", "name": "roles/iap.httpsResourceAccessor", "stage": "GA", "title": "IAP-secured Web App User" }, { "description": "Remediate IAP resource", "etag": "AA==", "name": "roles/iap.remediatorUser", "stage": "BETA", "title": "IAP-secured Resource Remediator User" }, { "description": "Administrator of IAP Settings.", "etag": "AA==", "name": "roles/iap.settingsAdmin", "stage": "GA", "title": "IAP Settings Admin" }, { "description": "Edit Tunnel Destination Group resources which use Identity-Aware Proxy", "etag": "AA==", "name": "roles/iap.tunnelDestGroupEditor", "stage": "GA", "title": "IAP-secured Tunnel Destination Group Editor" }, { "description": "View Tunnel Destination Group resources which use Identity-Aware Proxy", "etag": "AA==", "name": "roles/iap.tunnelDestGroupViewer", "stage": "GA", "title": "IAP-secured Tunnel Destination Group Viewer" }, { "description": "Access Tunnel resources which use Identity-Aware Proxy", "etag": "AA==", "name": "roles/iap.tunnelResourceAccessor", "stage": "GA", "title": "IAP-secured Tunnel User" }, { "description": "Full access to Identity Platform resources.", "etag": "AA==", "name": "roles/identityplatform.admin", "stage": "BETA", "title": "Identity Platform Admin" }, { "description": "Read access to Identity Platform resources.", "etag": "AA==", "name": "roles/identityplatform.viewer", "stage": "BETA", "title": "Identity Platform Viewer" }, { "description": "Full access to Identity Toolkit resources.", "etag": "AA==", "name": "roles/identitytoolkit.admin", "stage": "GA", "title": "Identity Toolkit Admin" }, { "description": "Gives Identity Platform service account access to customer project resources.", "etag": "AA==", "name": "roles/identitytoolkit.serviceAgent", "stage": "GA", "title": "Identity Platform Service Agent" }, { "description": "Read access to Identity Toolkit resources.", "etag": "AA==", "name": "roles/identitytoolkit.viewer", "stage": "GA", "title": "Identity Toolkit Viewer" }, { "description": "Full access to Cloud IDS all resources.", "etag": "AA==", "name": "roles/ids.admin", "stage": "BETA", "title": "Cloud IDS Admin" }, { "description": "Read-only access to Cloud IDS all resources.", "etag": "AA==", "name": "roles/ids.viewer", "stage": "BETA", "title": "Cloud IDS Viewer" }, { "description": "A user that has full access to all Apigee integrations.", "etag": "AA==", "name": "roles/integrations.apigeeIntegrationAdminRole", "stage": "GA", "title": "Apigee Integration Admin" }, { "description": "A developer that can deploy/undeploy Apigee integrations to the integration runtime.", "etag": "AA==", "name": "roles/integrations.apigeeIntegrationDeployerRole", "stage": "GA", "title": "Apigee Integration Deployer" }, { "description": "A developer that can list, create and update Apigee integrations.", "etag": "AA==", "name": "roles/integrations.apigeeIntegrationEditorRole", "stage": "GA", "title": "Apigee Integration Editor" }, { "description": "A role that can invoke Apigee integrations.", "etag": "AA==", "name": "roles/integrations.apigeeIntegrationInvokerRole", "stage": "GA", "title": "Apigee Integration Invoker" }, { "description": "A developer that can list and view Apigee integrations.", "etag": "AA==", "name": "roles/integrations.apigeeIntegrationsViewer", "stage": "GA", "title": "Apigee Integration Viewer" }, { "description": "A role that can approve / reject Apigee integrations that contain a suspension/wait task.", "etag": "AA==", "name": "roles/integrations.apigeeSuspensionResolver", "stage": "GA", "title": "Apigee Integration Approver" }, { "description": "A developer that can list and view Certificates.", "etag": "AA==", "name": "roles/integrations.certificateViewer", "stage": "GA", "title": "Certificate Viewer" }, { "description": "A user that has full access (CRUD) to all integrations.", "etag": "AA==", "name": "roles/integrations.integrationAdmin", "stage": "GA", "title": "Application Integration Admin" }, { "description": "A developer that can deploy/undeploy integrations to the integration runtime.", "etag": "AA==", "name": "roles/integrations.integrationDeployer", "stage": "GA", "title": "Application Integration Deployer" }, { "description": "A developer that can list, create and update integrations.", "etag": "AA==", "name": "roles/integrations.integrationEditor", "stage": "GA", "title": "Application Integration Editor" }, { "description": "A role that can invoke integrations.", "etag": "AA==", "name": "roles/integrations.integrationInvoker", "stage": "GA", "title": "Application Integration Invoker" }, { "description": "A developer that can list and view integrations.", "etag": "AA==", "name": "roles/integrations.integrationViewer", "stage": "GA", "title": "Application Integration Viewer" }, { "description": "A user that has full access to all Security integrations.", "etag": "AA==", "name": "roles/integrations.securityIntegrationAdmin", "stage": "BETA", "title": "Security Integration Admin" }, { "description": "Service agent that grants access to execute an integration.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/integrations.serviceAgent", "stage": "GA", "title": "Application Integration Service Agent" }, { "description": "A user that has full access (CRUD) to all SFDC instances.", "etag": "AA==", "name": "roles/integrations.sfdcInstanceAdmin", "stage": "GA", "title": "Application Integration SFDC Instance Admin" }, { "description": "A developer that can list, create and update integrations.", "etag": "AA==", "name": "roles/integrations.sfdcInstanceEditor", "stage": "GA", "title": "Application Integration SFDC Instance Editor" }, { "description": "A developer that can list and view SFDC instances.", "etag": "AA==", "name": "roles/integrations.sfdcInstanceViewer", "stage": "GA", "title": "Application Integration SFDC Instance Viewer" }, { "description": "A role that can resolve suspended integrations.", "etag": "AA==", "name": "roles/integrations.suspensionResolver", "stage": "GA", "title": "Application Integration Approver" }, { "description": "This role can perform all account manager related operations", "etag": "AA==", "name": "roles/issuerswitch.accountManagerAdmin", "stage": "BETA", "title": "Issuerswitch Account Manager Admin" }, { "description": "This role can perform all account manager transactions related operations", "etag": "AA==", "name": "roles/issuerswitch.accountManagerTransactionsAdmin", "stage": "BETA", "title": "Issuerswitch Account Manager Transactions Admin" }, { "description": "This role can view all account manager transactions", "etag": "AA==", "name": "roles/issuerswitch.accountManagerTransactionsViewer", "stage": "BETA", "title": "Issuerswitch Account Manager Transactions Viewer" }, { "description": "Access to all issuer switch roles", "etag": "AA==", "name": "roles/issuerswitch.admin", "stage": "BETA", "title": "Issuerswitch Admin" }, { "description": "Full access to issuer switch participants", "etag": "AA==", "name": "roles/issuerswitch.issuerParticipantsAdmin", "stage": "BETA", "title": "Issuerswitch Participants Admin" }, { "description": "Full access to issuer switch resolutions", "etag": "AA==", "name": "roles/issuerswitch.resolutionsAdmin", "stage": "BETA", "title": "Issuerswitch Resolutions Admin" }, { "description": "Full access to issuer switch rules", "etag": "AA==", "name": "roles/issuerswitch.rulesAdmin", "stage": "BETA", "title": "Issuerswitch Rules Admin" }, { "description": "This role can view rules and related metadata.", "etag": "AA==", "name": "roles/issuerswitch.rulesViewer", "stage": "BETA", "title": "Issuerswitch Rules Viewer" }, { "description": "This role can view all transactions", "etag": "AA==", "name": "roles/issuerswitch.transactionsViewer", "stage": "BETA", "title": "Issuerswitch Transactions Viewer" }, { "description": "Full access to all Config Controller resources.", "etag": "AA==", "name": "roles/krmapihosting.admin", "stage": "GA", "title": "Config Controller Admin" }, { "description": "Grants permissions to resources managed by AnthosApiEndpoint.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/krmapihosting.anthosApiEndpointServiceAgent", "stage": "GA", "title": "KRM API Hosting AnthosApiEndpoint Service Agent" }, { "description": "Gives KRM API Hosting service account access to managed resource.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/krmapihosting.serviceAgent", "stage": "GA", "title": "KRM API Hosting Service Agent" }, { "description": "Read-only access to all Config Controller resources.", "etag": "AA==", "name": "roles/krmapihosting.viewer", "stage": "GA", "title": "Config Controller Viewer" }, { "description": "Publisher of Kubernetes clusters metadata", "etag": "AA==", "name": "roles/kubernetesmetadata.publisher", "stage": "BETA", "title": "Metadata Publisher" }, { "description": "Service account role used to setup authentication for the control plane used by KubeRun Events.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/kuberun.eventsControlPlaneServiceAgent", "stage": "GA", "title": "KubeRun Events Control Plane Service Agent" }, { "description": "Service account role used to setup authentication for the data plane used by KubeRun Events.", "etag": "AA==", "has_dataaccess": true, "name": "roles/kuberun.eventsDataPlaneServiceAgent", "stage": "GA", "title": "KubeRun Events Data Plane Service Agent" }, { "description": "Full control of Cloud Life Sciences resources.", "etag": "AA==", "name": "roles/lifesciences.admin", "stage": "BETA", "title": "Cloud Life Sciences Admin" }, { "description": "Access to read and edit Cloud Life Sciences resources.", "etag": "AA==", "name": "roles/lifesciences.editor", "stage": "BETA", "title": "Cloud Life Sciences Editor" }, { "description": "Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/lifesciences.serviceAgent", "stage": "GA", "title": "Cloud Life Sciences Service Agent" }, { "description": "Access to read Cloud Life Sciences resources.", "etag": "AA==", "name": "roles/lifesciences.viewer", "stage": "BETA", "title": "Cloud Life Sciences Viewer" }, { "description": "Full access to operate on Cloud Life Sciences workflows.", "etag": "AA==", "name": "roles/lifesciences.workflowsRunner", "stage": "BETA", "title": "Cloud Life Sciences Workflows Runner" }, { "description": "Full access to Live Stream resources.", "etag": "AA==", "name": "roles/livestream.editor", "stage": "GA", "title": "Live Stream Editor" }, { "description": "Uploads media files to customer GCS buckets.", "etag": "AA==", "has_dataaccess": true, "name": "roles/livestream.serviceAgent", "stage": "GA", "title": "Live Stream Service Agent" }, { "description": "Read access to Live Stream resources.", "etag": "AA==", "name": "roles/livestream.viewer", "stage": "GA", "title": "Live Stream Viewer" }, { "description": "Access to all logging permissions, and dependent permissions.", "etag": "AA==", "name": "roles/logging.admin", "stage": "GA", "title": "Logging Admin" }, { "description": "Ability to write logs to a log bucket.", "etag": "AA==", "name": "roles/logging.bucketWriter", "stage": "GA", "title": "Logs Bucket Writer" }, { "description": "Access to configure log exporting and metrics.", "etag": "AA==", "name": "roles/logging.configWriter", "stage": "GA", "title": "Logs Configuration Writer" }, { "description": "Ability to read restricted fields in a log bucket.", "etag": "AA==", "name": "roles/logging.fieldAccessor", "stage": "GA", "title": "Log Field Accessor" }, { "description": "Ability to see links for a bucket.", "etag": "AA==", "name": "roles/logging.linkViewer", "stage": "GA", "title": "Log Link Accessor" }, { "description": "Access to write logs.", "etag": "AA==", "name": "roles/logging.logWriter", "stage": "GA", "title": "Logs Writer" }, { "description": "Access to view all logs, including logs with private contents.", "etag": "AA==", "name": "roles/logging.privateLogViewer", "stage": "GA", "title": "Private Logs Viewer" }, { "description": "Grants a Cloud Logging Service Account the ability to create and link datasets.", "etag": "AA==", "name": "roles/logging.serviceAgent", "stage": "GA", "title": "Cloud Logging Service Agent" }, { "description": "Ability to read logs in a view.", "etag": "AA==", "name": "roles/logging.viewAccessor", "stage": "GA", "title": "Logs View Accessor" }, { "description": "Access to view logs, except for logs with private contents.", "etag": "AA==", "name": "roles/logging.viewer", "stage": "GA", "title": "Logs Viewer" }, { "description": "Full access to all Looker resources.", "etag": "AA==", "name": "roles/looker.admin", "stage": "GA", "title": "Looker Admin" }, { "description": "Access to log in to a Looker instance.", "etag": "AA==", "name": "roles/looker.instanceUser", "stage": "GA", "title": "Looker Instance User" }, { "description": "Gives the Looker service account permission to manage customer resources", "etag": "AA==", "has_dataaccess": true, "name": "roles/looker.serviceAgent", "stage": "GA", "title": "Looker Service Agent" }, { "description": "Read-only access to all Looker resources.", "etag": "AA==", "name": "roles/looker.viewer", "stage": "GA", "title": "Looker Viewer" }, { "description": "Looker Studio Pro Manager", "etag": "AA==", "name": "roles/lookerstudio.proManager", "stage": "BETA", "title": "Looker Studio Pro Manager" }, { "description": "Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.", "etag": "AA==", "name": "roles/managedidentities.admin", "stage": "GA", "title": "Google Cloud Managed Identities Admin" }, { "description": "Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project-level", "etag": "AA==", "name": "roles/managedidentities.backupAdmin", "stage": "GA", "title": "Google Cloud Managed Identities Backup Admin" }, { "description": "Read-only access to Google Cloud Managed Identities Backup and related resources.", "etag": "AA==", "name": "roles/managedidentities.backupViewer", "stage": "GA", "title": "Google Cloud Managed Identities Backup Viewer" }, { "description": "Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.", "etag": "AA==", "name": "roles/managedidentities.domainAdmin", "stage": "GA", "title": "Google Cloud Managed Identities Domain Admin" }, { "description": "Access to domain join VMs with Cloud AD", "etag": "AA==", "name": "roles/managedidentities.domainJoin", "stage": "BETA", "title": "Google Cloud Managed Identities Domain Join" }, { "description": "Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level", "etag": "AA==", "name": "roles/managedidentities.peeringAdmin", "stage": "GA", "title": "Google Cloud Managed Identities Peering Admin" }, { "description": "Read-only access to Google Cloud Managed Identities Peering and related resources.", "etag": "AA==", "name": "roles/managedidentities.peeringViewer", "stage": "GA", "title": "Google Cloud Managed Identities Peering Viewer" }, { "description": "Gives Managed Identities service account access to managed resources.", "etag": "AA==", "name": "roles/managedidentities.serviceAgent", "stage": "GA", "title": "Cloud Managed Identities Service Agent" }, { "description": "Read-only access to Google Cloud Managed Identities Domains and related resources.", "etag": "AA==", "name": "roles/managedidentities.viewer", "stage": "GA", "title": "Google Cloud Managed Identities Viewer" }, { "description": "Access to write Attack Surface Management", "etag": "AA==", "name": "roles/mandiant.attackSurfaceManagementEditor", "stage": "BETA", "title": "Mandiant Attack Surface Management Editor" }, { "description": "Access to read Attack Surface Management", "etag": "AA==", "name": "roles/mandiant.attackSurfaceManagementViewer", "stage": "BETA", "title": "Mandiant Attack Surface Management Viewer" }, { "description": "Access to write Digital Threat Monitoring", "etag": "AA==", "name": "roles/mandiant.digitalThreatMonitoringEditor", "stage": "BETA", "title": "Mandiant Digital Threat Monitoring Editor" }, { "description": "Access to read Digital Threat Monitoring", "etag": "AA==", "name": "roles/mandiant.digitalThreatMonitoringViewer", "stage": "BETA", "title": "Mandiant Digital Threat Monitoring Viewer" }, { "description": "Access to write Expertise On Demand", "etag": "AA==", "name": "roles/mandiant.expertiseOnDemandEditor", "stage": "BETA", "title": "Mandiant Expertise On Demand Editor" }, { "description": "Access to read Expertise On Demand", "etag": "AA==", "name": "roles/mandiant.expertiseOnDemandViewer", "stage": "BETA", "title": "Mandiant Expertise On Demand Viewer" }, { "description": "Access to write Threat Intel", "etag": "AA==", "name": "roles/mandiant.threatIntelEditor", "stage": "BETA", "title": "Mandiant Threat Intel Editor" }, { "description": "Access to read Threat Intel", "etag": "AA==", "name": "roles/mandiant.threatIntelViewer", "stage": "BETA", "title": "Mandiant Threat Intel Viewer" }, { "description": "Access to write Validation", "etag": "AA==", "name": "roles/mandiant.validationEditor", "stage": "BETA", "title": "Mandiant Validation Editor" }, { "description": "Access to read Validation", "etag": "AA==", "name": "roles/mandiant.validationViewer", "stage": "BETA", "title": "Mandiant Validation Viewer" }, { "description": "Grants permission to read and write everything", "etag": "AA==", "name": "roles/mapsadmin.admin", "stage": "GA", "title": "Maps API Admin" }, { "description": "Grants permission to read everything", "etag": "AA==", "name": "roles/mapsadmin.viewer", "stage": "GA", "title": "Maps API Viewer" }, { "description": "Grants read-only access to all of the Maps Analytics resources.", "etag": "AA==", "name": "roles/mapsanalytics.viewer", "stage": "BETA", "title": "Maps Analytics Viewer" }, { "description": "Grants read and write access to all the Maps Platform Datasets API resources", "etag": "AA==", "name": "roles/mapsplatformdatasets.admin", "stage": "BETA", "title": "Maps Platform Datasets Admin" }, { "description": "Grants readonly access to all the Maps Platform Datasets API resources", "etag": "AA==", "name": "roles/mapsplatformdatasets.viewer", "stage": "BETA", "title": "Maps Platform Datasets Viewer" }, { "description": "Full access to Marketplace Solutions resources.", "etag": "AA==", "name": "roles/marketplacesolutions.admin", "stage": "BETA", "title": "Marketplace Solutions Admin" }, { "description": "Edit access to Marketplace Solutions resources.", "etag": "AA==", "name": "roles/marketplacesolutions.editor", "stage": "BETA", "title": "Marketplace Solutions Editor" }, { "description": "Readonly access to Marketplace Solutions resources.", "etag": "AA==", "name": "roles/marketplacesolutions.viewer", "stage": "BETA", "title": "Marketplace Solutions Viewer" }, { "description": "Downloads and uploads media files from and to customer GCS buckets.", "etag": "AA==", "has_dataaccess": true, "name": "roles/mediaasset.serviceAgent", "stage": "GA", "title": "Media Asset Service Agent" }, { "description": "Full access to Memcached instances and related resources.", "etag": "AA==", "name": "roles/memcache.admin", "stage": "GA", "title": "Cloud Memorystore Memcached Admin" }, { "description": "Read-Write access to Memcached instances and related resources.", "etag": "AA==", "name": "roles/memcache.editor", "stage": "GA", "title": "Cloud Memorystore Memcached Editor" }, { "description": "Gives Cloud Memorystore Memcached service account access to managed resource", "etag": "AA==", "name": "roles/memcache.serviceAgent", "stage": "GA", "title": "Cloud Memorystore Memcached Service Agent" }, { "description": "Read-only access to Memcached instances and related resources.", "etag": "AA==", "name": "roles/memcache.viewer", "stage": "GA", "title": "Cloud Memorystore Memcached Viewer" }, { "description": "Full access to all mesh configuration resources", "etag": "AA==", "name": "roles/meshconfig.admin", "stage": "BETA", "title": "Mesh Config Admin" }, { "description": "Apply mesh configuration", "etag": "AA==", "has_privesc": true, "name": "roles/meshconfig.serviceAgent", "stage": "GA", "title": "Mesh Config Service Agent" }, { "description": "Read access to mesh configuration", "etag": "AA==", "name": "roles/meshconfig.viewer", "stage": "BETA", "title": "Mesh Config Viewer" }, { "description": "Anthos Service Mesh Managed Control Plane Agent", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/meshcontrolplane.serviceAgent", "stage": "GA", "title": "Mesh Managed Control Plane Service Agent" }, { "description": "Run user-space Istio components", "etag": "AA==", "name": "roles/meshdataplane.serviceAgent", "stage": "GA", "title": "Mesh Data Plane Service Agent" }, { "description": "Full access to all Dataproc Metastore resources.", "etag": "AA==", "name": "roles/metastore.admin", "stage": "GA", "title": "Dataproc Metastore Admin" }, { "description": "Read and write access to all Dataproc Metastore resources.", "etag": "AA==", "name": "roles/metastore.editor", "stage": "GA", "title": "Dataproc Metastore Editor" }, { "description": "Access to the Metastore Federation resource.", "etag": "AA==", "name": "roles/metastore.federationAccessor", "stage": "GA", "title": "Metastore Federation Accessor" }, { "description": "Access to read and modify the metadata of databases and tables under those databases.", "etag": "AA==", "name": "roles/metastore.metadataEditor", "stage": "GA", "title": "Dataproc Metastore Metadata Editor" }, { "description": "Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.", "etag": "AA==", "name": "roles/metastore.metadataMutateAdmin", "stage": "GA", "title": "Dataproc Metastore Metadata Mutate Admin" }, { "description": "Read-only access to Dataproc Metastore resources with additional metadata operations permission.", "etag": "AA==", "name": "roles/metastore.metadataOperator", "stage": "GA", "title": "Dataproc Metastore Metadata Operator" }, { "description": "Full access to the metadata of databases and tables under those databases.", "etag": "AA==", "name": "roles/metastore.metadataOwner", "stage": "GA", "title": "Dataproc Metastore Data Owner" }, { "description": "Access to query metadata from a Dataproc Metastore service's underlying metadata store. ", "etag": "AA==", "name": "roles/metastore.metadataQueryAdmin", "stage": "GA", "title": "Dataproc Metastore Metadata Query Admin" }, { "description": "Access to the Dataproc Metastore gRPC endpoint", "etag": "AA==", "name": "roles/metastore.metadataUser", "stage": "GA", "title": "Dataproc Metastore Metadata User" }, { "description": "Access to read the metadata of databases and tables under those databases", "etag": "AA==", "name": "roles/metastore.metadataViewer", "stage": "GA", "title": "Dataproc Metastore Metadata Viewer" }, { "description": "Access to Dataproc Metastore Managed Migration resources and workflow.", "etag": "AA==", "has_credentialexposure": true, "name": "roles/metastore.migrationAdmin", "stage": "BETA", "title": "Dataproc Metastore Managed Migration Admin" }, { "description": "Gives the Dataproc Metastore service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/metastore.serviceAgent", "stage": "GA", "title": "Dataproc Metastore Service Agent" }, { "description": "Read-only access to all Dataproc Metastore resources.", "etag": "AA==", "name": "roles/metastore.user", "stage": "GA", "title": "Dataproc Metastore Viewer" }, { "description": "Full access to Migration Center all resources.", "etag": "AA==", "name": "roles/migrationcenter.admin", "stage": "BETA", "title": "Migration Center Admin" }, { "description": "Migration Center Discover Client role", "etag": "AA==", "name": "roles/migrationcenter.discoveryClient", "stage": "BETA", "title": "Migration Center Discovery Client" }, { "description": "Registrator of Migration Center Discover Clients", "etag": "AA==", "name": "roles/migrationcenter.discoveryClientRegistrator", "stage": "BETA", "title": "Migration Center Discovery Client Registrator" }, { "description": "Gives Migration Center Service Account access to objects storedin object store and Cloud Migration products.", "etag": "AA==", "has_dataaccess": true, "name": "roles/migrationcenter.serviceAgent", "stage": "GA", "title": "Migration Center Service Agent" }, { "description": "Read-only access to Migration Center all resources.", "etag": "AA==", "name": "roles/migrationcenter.viewer", "stage": "BETA", "title": "Migration Center Viewer" }, { "description": "Full access to AI Platform.", "etag": "AA==", "name": "roles/ml.admin", "stage": "GA", "title": "AI Platform Admin" }, { "description": "Access to create training and prediction jobs, models and versions, send online prediction requests.", "etag": "AA==", "name": "roles/ml.developer", "stage": "GA", "title": "AI Platform Developer" }, { "description": "Full access to the job.", "etag": "AA==", "name": "roles/ml.jobOwner", "stage": "GA", "title": "AI Platform Job Owner" }, { "description": "Full access to the model and its versions.", "etag": "AA==", "name": "roles/ml.modelOwner", "stage": "GA", "title": "AI Platform Model Owner" }, { "description": "Permissions to read the model and its versions, and use them for prediction.", "etag": "AA==", "name": "roles/ml.modelUser", "stage": "GA", "title": "AI Platform Model User" }, { "description": "Full access to the operation.", "etag": "AA==", "name": "roles/ml.operationOwner", "stage": "GA", "title": "AI Platform Operation Owner" }, { "description": "AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/ml.serviceAgent", "stage": "GA", "title": "AI Platform Service Agent" }, { "description": "Read-only access to AI Platform resources.", "etag": "AA==", "name": "roles/ml.viewer", "stage": "GA", "title": "AI Platform Viewer" }, { "description": "All current and future monitoring permissions.", "etag": "AA==", "name": "roles/monitoring.admin", "stage": "GA", "title": "Monitoring Admin" }, { "description": "Read/write access to alerting policies.", "etag": "AA==", "name": "roles/monitoring.alertPolicyEditor", "stage": "GA", "title": "Monitoring AlertPolicy Editor" }, { "description": "Read-only access to alerting policies.", "etag": "AA==", "name": "roles/monitoring.alertPolicyViewer", "stage": "GA", "title": "Monitoring AlertPolicy Viewer" }, { "description": "Read/write access to incidents from Cloud Console.", "etag": "AA==", "name": "roles/monitoring.cloudConsoleIncidentEditor", "stage": "BETA", "title": "Monitoring Cloud Console Incident Editor" }, { "description": "Read access to incidents from Cloud Console.", "etag": "AA==", "name": "roles/monitoring.cloudConsoleIncidentViewer", "stage": "BETA", "title": "Monitoring Cloud Console Incident Viewer" }, { "description": "Read/write access to dashboard configurations.", "etag": "AA==", "name": "roles/monitoring.dashboardEditor", "stage": "GA", "title": "Monitoring Dashboard Configuration Editor" }, { "description": "Read-only access to dashboard configurations.", "etag": "AA==", "name": "roles/monitoring.dashboardViewer", "stage": "GA", "title": "Monitoring Dashboard Configuration Viewer" }, { "description": "Read/write access to all monitoring data and configuration.", "etag": "AA==", "name": "roles/monitoring.editor", "stage": "GA", "title": "Monitoring Editor" }, { "description": "Write-only access to metrics. This provides exactly the permissions needed by the Stackdriver agent and other systems that send metrics.", "etag": "AA==", "name": "roles/monitoring.metricWriter", "stage": "GA", "title": "Monitoring Metric Writer" }, { "description": "Access to add and remove monitored projects from metrics scopes.", "etag": "AA==", "name": "roles/monitoring.metricsScopesAdmin", "stage": "BETA", "title": "Monitoring Metrics Scopes Admin" }, { "description": "Read-only access to metrics scopes and their monitored projects.", "etag": "AA==", "name": "roles/monitoring.metricsScopesViewer", "stage": "BETA", "title": "Monitoring Metrics Scopes Viewer" }, { "description": "Read/write access to notification channels.", "etag": "AA==", "name": "roles/monitoring.notificationChannelEditor", "stage": "BETA", "title": "Monitoring NotificationChannel Editor" }, { "description": "Read-only access to notification channels.", "etag": "AA==", "name": "roles/monitoring.notificationChannelViewer", "stage": "BETA", "title": "Monitoring NotificationChannel Viewer" }, { "description": "Grants Cloud Monitoring and Cloud Alerting permission to access consumer resources and track usage.", "etag": "AA==", "name": "roles/monitoring.notificationServiceAgent", "stage": "GA", "title": "Monitoring Service Agent" }, { "description": "Read/write access to services.", "etag": "AA==", "name": "roles/monitoring.servicesEditor", "stage": "GA", "title": "Monitoring Services Editor" }, { "description": "Read-only access to services.", "etag": "AA==", "name": "roles/monitoring.servicesViewer", "stage": "GA", "title": "Monitoring Services Viewer" }, { "etag": "AA==", "name": "roles/monitoring.snoozeEditor", "stage": "GA", "title": "Monitoring Snooze Editor" }, { "etag": "AA==", "name": "roles/monitoring.snoozeViewer", "stage": "GA", "title": "Monitoring Snooze Viewer" }, { "description": "Read/write access to uptime check configurations.", "etag": "AA==", "name": "roles/monitoring.uptimeCheckConfigEditor", "stage": "BETA", "title": "Monitoring Uptime Check Configuration Editor" }, { "description": "Read-only access to uptime check configurations.", "etag": "AA==", "name": "roles/monitoring.uptimeCheckConfigViewer", "stage": "BETA", "title": "Monitoring Uptime Check Configuration Viewer" }, { "description": "Read-only access to get and list information about all monitoring data and configuration.", "etag": "AA==", "name": "roles/monitoring.viewer", "stage": "GA", "title": "Monitoring Viewer" }, { "description": "Gives the Multi Cluster Ingress service agent access to CloudPlatform resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/multiclusteringress.serviceAgent", "stage": "GA", "title": "Multi Cluster Ingress Service Agent" }, { "description": "Gives the Multi-cluster metering service agent access to CloudPlatform resources.", "etag": "AA==", "name": "roles/multiclustermetering.serviceAgent", "stage": "GA", "title": "Multi-cluster metering Service Agent" }, { "description": "Gives the Multi-Cluster Service Discovery service access to Cloud Platform resources.", "etag": "AA==", "has_privesc": true, "name": "roles/multiclusterservicediscovery.serviceAgent", "stage": "GA", "title": "Multi-Cluster Service Discovery Service Agent" }, { "description": "Admin access to Google Home Developer Console resources", "etag": "AA==", "name": "roles/nestconsole.homeDeveloperAdmin", "stage": "GA", "title": "Google Home Developer Console Admin" }, { "description": "Read-Write access to Google Home Developer Console resources", "etag": "AA==", "name": "roles/nestconsole.homeDeveloperEditor", "stage": "GA", "title": "Google Home Developer Console Editor" }, { "description": "Read-only access to Google Home Developer Console resources", "etag": "AA==", "name": "roles/nestconsole.homeDeveloperViewer", "stage": "GA", "title": "Google Home Developer Console Reader" }, { "description": "Full access to Google Cloud NetApp Volumes resources.", "etag": "AA==", "name": "roles/netapp.admin", "stage": "BETA", "title": "Google Cloud NetApp Volumes Admin" }, { "description": "Readonly access to Google Cloud NetApp Volumes resources.", "etag": "AA==", "name": "roles/netapp.viewer", "stage": "BETA", "title": "Google Cloud NetApp Volumes Viewer" }, { "description": "This role is managed by NetApp, not Google.", "etag": "AA==", "name": "roles/netappcloudvolumes.admin", "stage": "BETA", "title": "NetApp Cloud Volumes Admin" }, { "description": "This role is managed by NetApp, not Google.", "etag": "AA==", "name": "roles/netappcloudvolumes.viewer", "stage": "BETA", "title": "NetApp Cloud Volumes Viewer" }, { "description": "Gives Network Actions service account access to read required resources.", "etag": "AA==", "name": "roles/networkactions.serviceAgent", "stage": "GA", "title": "Network Actions Service Agent" }, { "description": "Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.", "etag": "AA==", "name": "roles/networkconnectivity.consumerNetworkAdmin", "stage": "GA", "title": "Service Automation Consumer Network Admin" }, { "description": "Enables use access on group resources", "etag": "AA==", "name": "roles/networkconnectivity.groupUser", "stage": "GA", "title": "Group User" }, { "description": "Enables full access to hub and spoke resources", "etag": "AA==", "name": "roles/networkconnectivity.hubAdmin", "stage": "GA", "title": "Hub & Spoke Admin" }, { "description": "Enables read-only access to hub and spoke resources", "etag": "AA==", "name": "roles/networkconnectivity.hubViewer", "stage": "GA", "title": "Hub & Spoke Viewer" }, { "description": "Full access to all Regional Endpoint resources.", "etag": "AA==", "name": "roles/networkconnectivity.regionalEndpointAdmin", "stage": "BETA", "title": "Regional Endpoint Admin" }, { "description": "Read-only access to all Regional Endpoint resources.", "etag": "AA==", "name": "roles/networkconnectivity.regionalEndpointViewer", "stage": "BETA", "title": "Regional Endpoint Viewer" }, { "description": "Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources.", "etag": "AA==", "name": "roles/networkconnectivity.serviceAgent", "stage": "GA", "title": "Network Connectivity Service Agent" }, { "description": "Service Class User uses a ServiceClass", "etag": "AA==", "name": "roles/networkconnectivity.serviceClassUser", "stage": "GA", "title": "Service Class User" }, { "description": "Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps", "etag": "AA==", "name": "roles/networkconnectivity.serviceProducerAdmin", "stage": "GA", "title": "Service Automation Service Producer Admin" }, { "description": "Enables full access to spoke resources and read-only access to hub resources", "etag": "AA==", "name": "roles/networkconnectivity.spokeAdmin", "stage": "GA", "title": "Spoke Admin" }, { "description": "Full access to Network Management resources.", "etag": "AA==", "name": "roles/networkmanagement.admin", "stage": "GA", "title": "Network Management Admin" }, { "description": "Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.", "etag": "AA==", "name": "roles/networkmanagement.serviceAgent", "stage": "GA", "title": "GCP Network Management Service Agent" }, { "description": "Read-only access to Network Management resources.", "etag": "AA==", "name": "roles/networkmanagement.viewer", "stage": "GA", "title": "Network Management Viewer" }, { "description": "Full access to Notebooks all resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/notebooks.admin", "stage": "GA", "title": "Notebooks Admin" }, { "description": "Full access to Notebooks all resources through compute API.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/notebooks.legacyAdmin", "stage": "GA", "title": "Notebooks Legacy Admin" }, { "description": "Read-only access to Notebooks all resources through compute API.", "etag": "AA==", "has_dataaccess": true, "name": "roles/notebooks.legacyViewer", "stage": "GA", "title": "Notebooks Legacy Viewer" }, { "description": "Restricted access for running scheduled Notebooks.", "etag": "AA==", "has_dataaccess": true, "name": "roles/notebooks.runner", "stage": "GA", "title": "Notebooks Runner" }, { "description": "Provide access for notebooks service agent to manage notebook instances in user projects", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/notebooks.serviceAgent", "stage": "GA", "title": "AI Platform Notebooks Service Agent" }, { "description": "Read-only access to Notebooks all resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/notebooks.viewer", "stage": "GA", "title": "Notebooks Viewer" }, { "description": "Read/write access to OAuth config resources", "etag": "AA==", "name": "roles/oauthconfig.editor", "stage": "BETA", "title": "OAuth Config Editor" }, { "description": "Read-only access to OAuth config resources", "etag": "AA==", "name": "roles/oauthconfig.viewer", "stage": "BETA", "title": "OAuth Config Viewer" }, { "description": "All permissions for On-Demand Scanning", "etag": "AA==", "name": "roles/ondemandscanning.admin", "stage": "BETA", "title": "On-Demand Scanning Admin" }, { "description": "Gives the On-Demand Scanning API the access it needs to function.", "etag": "AA==", "has_dataaccess": true, "name": "roles/ondemandscanning.serviceAgent", "stage": "GA", "title": "On-Demand Scanning Service Agent" }, { "description": "Read-only access to resource metadata.", "etag": "AA==", "name": "roles/opsconfigmonitoring.resourceMetadata.viewer", "stage": "BETA", "title": "Ops Config Monitoring Resource Metadata Viewer" }, { "description": "Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.", "etag": "AA==", "name": "roles/opsconfigmonitoring.resourceMetadata.writer", "stage": "BETA", "title": "Ops Config Monitoring Resource Metadata Writer" }, { "description": "The permission to set Organization Policies on resources.", "etag": "AA==", "name": "roles/orgpolicy.policyAdmin", "stage": "GA", "title": "Organization Policy Administrator" }, { "description": "Access to view Organization Policies on resources.", "etag": "AA==", "name": "roles/orgpolicy.policyViewer", "stage": "GA", "title": "Organization Policy Viewer" }, { "description": "Full admin access to GuestPolicies", "etag": "AA==", "name": "roles/osconfig.guestPolicyAdmin", "stage": "BETA", "title": "GuestPolicy Admin" }, { "description": "Editor of GuestPolicy resources", "etag": "AA==", "name": "roles/osconfig.guestPolicyEditor", "stage": "BETA", "title": "GuestPolicy Editor" }, { "description": "Viewer of GuestPolicy resources", "etag": "AA==", "name": "roles/osconfig.guestPolicyViewer", "stage": "BETA", "title": "GuestPolicy Viewer" }, { "description": "Viewer of OS Policies Compliance of VM instances", "etag": "AA==", "name": "roles/osconfig.instanceOSPoliciesComplianceViewer", "stage": "BETA", "title": "InstanceOSPoliciesCompliance Viewer" }, { "description": "Viewer of OS Inventories", "etag": "AA==", "name": "roles/osconfig.inventoryViewer", "stage": "GA", "title": "OS Inventory Viewer" }, { "description": "Full admin access to OS Policy Assignments", "etag": "AA==", "name": "roles/osconfig.osPolicyAssignmentAdmin", "stage": "GA", "title": "OSPolicyAssignment Admin" }, { "description": "Editor of OS Policy Assignments", "etag": "AA==", "name": "roles/osconfig.osPolicyAssignmentEditor", "stage": "GA", "title": "OSPolicyAssignment Editor" }, { "description": "Viewer of OS policy assignment reports for VM instances", "etag": "AA==", "name": "roles/osconfig.osPolicyAssignmentReportViewer", "stage": "GA", "title": "OSPolicyAssignmentReport Viewer" }, { "description": "Viewer of OS Policy Assignments", "etag": "AA==", "name": "roles/osconfig.osPolicyAssignmentViewer", "stage": "GA", "title": "OSPolicyAssignment Viewer" }, { "description": "Full admin access to PatchDeployments", "etag": "AA==", "name": "roles/osconfig.patchDeploymentAdmin", "stage": "GA", "title": "PatchDeployment Admin" }, { "description": "Viewer of PatchDeployment resources", "etag": "AA==", "name": "roles/osconfig.patchDeploymentViewer", "stage": "GA", "title": "PatchDeployment Viewer" }, { "description": "Access to execute Patch Jobs.", "etag": "AA==", "name": "roles/osconfig.patchJobExecutor", "stage": "GA", "title": "Patch Job Executor" }, { "description": "Get and list Patch Jobs.", "etag": "AA==", "name": "roles/osconfig.patchJobViewer", "stage": "GA", "title": "Patch Job Viewer" }, { "description": "Read/write access to project feature settings", "etag": "AA==", "name": "roles/osconfig.projectFeatureSettingsEditor", "title": "Project Feature Settings Editor" }, { "description": "Read access to project feature settings", "etag": "AA==", "name": "roles/osconfig.projectFeatureSettingsViewer", "title": "Project Feature Settings Viewer" }, { "description": "Grants OS Config Service Account access to Google Compute Engine instances.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/osconfig.serviceAgent", "stage": "GA", "title": "Cloud OS Config Service Agent" }, { "description": "Provides read-only access to VM Manager Upgrade Reports", "etag": "AA==", "name": "roles/osconfig.upgradeReportViewer", "stage": "BETA", "title": "Upgrade Report Viewer" }, { "description": "Viewer of OS VulnerabilityReports", "etag": "AA==", "name": "roles/osconfig.vulnerabilityReportViewer", "stage": "GA", "title": "OS VulnerabilityReport Viewer" }, { "description": "Full access to most Google Cloud resources. See the list of included permissions.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/owner", "stage": "GA", "title": "Owner" }, { "description": "Gives the Parallelstore service agent ability to access customer resources.", "etag": "AA==", "name": "roles/parallelstore.serviceAgent", "stage": "GA", "title": "Parallelstore Service Agent" }, { "description": "Full access to all Payments Reseller resources, including subscriptions, products and promotions", "etag": "AA==", "name": "roles/paymentsresellersubscription.partnerAdmin", "stage": "BETA", "title": "Payments Reseller Admin" }, { "description": "Read access to all Payments Reseller resources, including subscriptions, products and promotions", "etag": "AA==", "name": "roles/paymentsresellersubscription.partnerViewer", "stage": "BETA", "title": "Payments Reseller Viewer" }, { "description": "Read access to Payments Reseller Product resource", "etag": "AA==", "name": "roles/paymentsresellersubscription.productViewer", "stage": "BETA", "title": "Payments Reseller Products Viewer" }, { "description": "Read access to Payments Reseller Promotion resource", "etag": "AA==", "name": "roles/paymentsresellersubscription.promotionViewer", "stage": "BETA", "title": "Payments Reseller Promotions Viewer" }, { "description": "Write access to Payments Reseller Subscription resource", "etag": "AA==", "name": "roles/paymentsresellersubscription.subscriptionEditor", "stage": "BETA", "title": "Payments Reseller Subscriptions Editor" }, { "description": "Read access to Payments Reseller Subscription resource", "etag": "AA==", "name": "roles/paymentsresellersubscription.subscriptionViewer", "stage": "BETA", "title": "Payments Reseller Subscriptions Viewer" }, { "description": "Viewer user that can read all activity analysis.", "etag": "AA==", "name": "roles/policyanalyzer.activityAnalysisViewer", "stage": "BETA", "title": "Activity Analysis Viewer" }, { "description": "Grants the ability to enable and disable the usage of the policy remediator for the organization", "etag": "AA==", "name": "roles/policyremediatormanager.policyRemediatorAdmin", "stage": "BETA", "title": "Policy Remediator Admin" }, { "description": "Grants the ability to read/view the state of the policy remediator for the organization", "etag": "AA==", "name": "roles/policyremediatormanager.policyRemediatorReader", "stage": "BETA", "title": "Policy Remediator Reader" }, { "description": "Admin user that can run and access replays.", "etag": "AA==", "name": "roles/policysimulator.admin", "stage": "BETA", "title": "Simulator Admin" }, { "description": "OrgPolicy Admin that can run and access simulations.", "etag": "AA==", "name": "roles/policysimulator.orgPolicyAdmin", "stage": "BETA", "title": "OrgPolicy Simulator Admin" }, { "description": "Full access to all CA Service resources.", "etag": "AA==", "name": "roles/privateca.admin", "stage": "GA", "title": "CA Service Admin" }, { "description": "Read-only access to all CA Service resources.", "etag": "AA==", "name": "roles/privateca.auditor", "stage": "GA", "title": "CA Service Auditor" }, { "description": "Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.", "etag": "AA==", "name": "roles/privateca.caManager", "stage": "GA", "title": "CA Service Operation Manager" }, { "description": "Create certificates and read-only access for CA Service resources.", "etag": "AA==", "name": "roles/privateca.certificateManager", "stage": "GA", "title": "CA Service Certificate Manager" }, { "description": "Request certificates from CA Service.", "etag": "AA==", "name": "roles/privateca.certificateRequester", "stage": "GA", "title": "CA Service Certificate Requester" }, { "description": "Read CA Pools in CA Service.", "etag": "AA==", "name": "roles/privateca.poolReader", "stage": "GA", "title": "CA Service Pool Reader" }, { "description": "Read, list and use certificate templates.", "etag": "AA==", "name": "roles/privateca.templateUser", "stage": "GA", "title": "CA Service Certificate Template User" }, { "description": "Request certificates from CA Service with caller's identity.", "etag": "AA==", "name": "roles/privateca.workloadCertificateRequester", "stage": "GA", "title": "CA Service Workload Certificate Requester" }, { "description": "Full access to Privileged Access Manager resources.", "etag": "AA==", "name": "roles/privilegedaccessmanager.admin", "stage": "BETA", "title": "Privileged Access Manager Admin" }, { "description": "Gives privileged access manager service account access to modify IAM policies on GCP folders", "etag": "AA==", "name": "roles/privilegedaccessmanager.folderServiceAgent", "stage": "GA", "title": "Privileged Access Manager Folder Service Agent" }, { "description": "Gives privileged access manager service account access to modify IAM policies on GCP organizations", "etag": "AA==", "name": "roles/privilegedaccessmanager.organizationServiceAgent", "stage": "GA", "title": "Privileged Access Manager Organization Service Agent" }, { "description": "Gives privileged access manager service account access to modify IAM policies on GCP projects", "etag": "AA==", "has_privesc": true, "name": "roles/privilegedaccessmanager.projectServiceAgent", "stage": "GA", "title": "Privileged Access Manager Project Service Agent" }, { "description": "Gives privileged access manager service account access to modify IAM policies on GCP resources", "etag": "AA==", "has_privesc": true, "name": "roles/privilegedaccessmanager.serviceAgent", "stage": "GA", "title": "Privileged Access Manager Service Agent" }, { "description": "Readonly access to Privileged Access Manager resources.", "etag": "AA==", "name": "roles/privilegedaccessmanager.viewer", "stage": "BETA", "title": "Privileged Access Manager Viewer" }, { "description": "Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.", "etag": "AA==", "name": "roles/proximitybeacon.attachmentEditor", "stage": "GA", "title": "Beacon Attachment Editor" }, { "description": "Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.", "etag": "AA==", "name": "roles/proximitybeacon.attachmentPublisher", "stage": "GA", "title": "Beacon Attachment Publisher" }, { "description": "Can view all attachments under a namespace; no beacon or namespace permissions.", "etag": "AA==", "name": "roles/proximitybeacon.attachmentViewer", "stage": "GA", "title": "Beacon Attachment Viewer" }, { "description": "Necessary access to register, modify, and view beacons; no attachment or namespace permissions.", "etag": "AA==", "name": "roles/proximitybeacon.beaconEditor", "stage": "GA", "title": "Beacon Editor" }, { "description": "This role can create a new externalAccountKey resource.", "etag": "AA==", "name": "roles/publicca.externalAccountKeyCreator", "stage": "BETA", "title": "External Account Key Creator" }, { "description": "Full access to topics, subscriptions, and snapshots.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/pubsub.admin", "stage": "GA", "title": "Pub/Sub Admin" }, { "description": "Modify topics and subscriptions, publish and consume messages.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/pubsub.editor", "stage": "GA", "title": "Pub/Sub Editor" }, { "description": "Publish messages to a topic.", "etag": "AA==", "name": "roles/pubsub.publisher", "stage": "GA", "title": "Pub/Sub Publisher" }, { "description": "Grants Cloud Pub/Sub Service Account access to manage resources.", "etag": "AA==", "has_privesc": true, "name": "roles/pubsub.serviceAgent", "stage": "GA", "title": "Cloud Pub/Sub Service Agent" }, { "description": "Consume messages from a subscription, attach subscriptions to a topic, and seek to a snapshot.", "etag": "AA==", "has_dataaccess": true, "name": "roles/pubsub.subscriber", "stage": "GA", "title": "Pub/Sub Subscriber" }, { "description": "View topics, subscriptions, and snapshots.", "etag": "AA==", "name": "roles/pubsub.viewer", "stage": "GA", "title": "Pub/Sub Viewer" }, { "description": "Full access to topics, subscriptions and reservations.", "etag": "AA==", "name": "roles/pubsublite.admin", "stage": "GA", "title": "Pub/Sub Lite Admin" }, { "description": "Modify topics, subscriptions and reservations, publish and consume messages.", "etag": "AA==", "name": "roles/pubsublite.editor", "stage": "GA", "title": "Pub/Sub Lite Editor" }, { "description": "Publish messages to a topic.", "etag": "AA==", "name": "roles/pubsublite.publisher", "stage": "GA", "title": "Pub/Sub Lite Publisher" }, { "description": "Grants Pub/Sub Lite Service Agent access to project resources.", "etag": "AA==", "name": "roles/pubsublite.serviceAgent", "stage": "GA", "title": "Pub/Sub Lite Service Agent" }, { "description": "Subscribe to and read messages from a topic.", "etag": "AA==", "name": "roles/pubsublite.subscriber", "stage": "GA", "title": "Pub/Sub Lite Subscriber" }, { "description": "View topics, subscriptions and reservations.", "etag": "AA==", "name": "roles/pubsublite.viewer", "stage": "GA", "title": "Pub/Sub Lite Viewer" }, { "description": "Gives RMA service account access to MC resources.", "etag": "AA==", "name": "roles/rapidmigrationassessment.serviceAgent", "stage": "GA", "title": "RMA Service Agent" }, { "description": "Full access to publication reader resources", "etag": "AA==", "name": "roles/readerrevenuesubscriptionlinking.admin", "stage": "GA", "title": "Subscription Linking Admin" }, { "description": "This role can view all publication reader entitlements", "etag": "AA==", "name": "roles/readerrevenuesubscriptionlinking.entitlementsViewer", "stage": "GA", "title": "Subscription Linking Entitlements Viewer" }, { "description": "This role can view all publication reader resources", "etag": "AA==", "name": "roles/readerrevenuesubscriptionlinking.viewer", "stage": "GA", "title": "Subscription Linking Viewer" }, { "description": "Access to view and modify reCAPTCHA Enterprise keys", "etag": "AA==", "name": "roles/recaptchaenterprise.admin", "stage": "BETA", "title": "reCAPTCHA Enterprise Admin" }, { "description": "Access to create and annotate reCAPTCHA Enterprise assessments", "etag": "AA==", "name": "roles/recaptchaenterprise.agent", "stage": "BETA", "title": "reCAPTCHA Enterprise Agent" }, { "description": "Access to view reCAPTCHA Enterprise keys and metrics", "etag": "AA==", "name": "roles/recaptchaenterprise.viewer", "stage": "BETA", "title": "reCAPTCHA Enterprise Viewer" }, { "description": "Admin of AlloyDB insights and recommendations.", "etag": "AA==", "name": "roles/recommender.alloydbAdmin", "title": "AlloyDB Recommender Admin" }, { "description": "Viewer of AlloyDB insights and recommendations.", "etag": "AA==", "name": "roles/recommender.alloydbViewer", "title": "AlloyDB Recommender Viewer" }, { "description": "Admin of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsAdmin", "stage": "BETA", "title": "BigQuery Slot Recommender Admin" }, { "description": "Billing Account Admin of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsBillingAccountAdmin", "stage": "BETA", "title": "BigQuery Recommender Billing Account Admin" }, { "description": "Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsBillingAccountViewer", "stage": "BETA", "title": "BigQuery Recommender Billing Account Viewer" }, { "description": "Project Admin of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsProjectAdmin", "stage": "BETA", "title": "BigQuery Recommender Project Admin" }, { "description": "Project Viewer of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsProjectViewer", "stage": "BETA", "title": "BigQuery Recommender Project Viewer" }, { "description": "Viewer of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsViewer", "stage": "BETA", "title": "BigQuery Slot Recommender Viewer" }, { "description": "Admin of BigQuery Materialized View Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.bigqueryMaterializedViewAdmin", "stage": "BETA", "title": "BigQuery Materialized View Recommender Admin" }, { "description": "Viewer of BigQuery Materialized View Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.bigqueryMaterializedViewViewer", "stage": "BETA", "title": "BigQuery Materialized View Recommender Viewer" }, { "description": "Admin of BigQuery Partitioning Clustering recommendations.", "etag": "AA==", "name": "roles/recommender.bigqueryPartitionClusterAdmin", "stage": "BETA", "title": "BigQuery Partitioning Clustering Recommender Admin" }, { "description": "Viewer of BigQuery Partitioning Clustering recommendations.", "etag": "AA==", "name": "roles/recommender.bigqueryPartitionClusterViewer", "stage": "BETA", "title": "BigQuery Partitioning Clustering Recommender Viewer" }, { "description": "Admin of Billing Account Usage Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.billingAccountCudAdmin", "stage": "BETA", "title": "Billing Account Usage Commitment Recommender Admin" }, { "description": "Viewer of Billing Account Usage Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.billingAccountCudViewer", "stage": "BETA", "title": "Billing Account Usage Commitment Recommender Viewer" }, { "description": "Admin of all Cloud Asset insights.", "etag": "AA==", "name": "roles/recommender.cloudAssetInsightsAdmin", "stage": "GA", "title": "Cloud Asset Insights Admin" }, { "description": "Viewer of all Cloud Asset insights.", "etag": "AA==", "name": "roles/recommender.cloudAssetInsightsViewer", "stage": "GA", "title": "Cloud Asset Insights Viewer" }, { "description": "Admin of Cloud Cost General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudCostRecommendationAdmin", "stage": "BETA", "title": "Cloud Cost General Recommendations Recommender Admin" }, { "description": "Viewer of Cloud Cost General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudCostRecommendationViewer", "stage": "BETA", "title": "Cloud Cost General Recommendations Recommender Viewer" }, { "description": "Admin of Cloud Deprecation General Recommender Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudDeprecationRecommendationAdmin", "stage": "BETA", "title": "Cloud Deprecation General Recommender Admin" }, { "description": "Viewer of Cloud Deprecation General Recommender Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudDeprecationRecommendationViewer", "stage": "BETA", "title": "Cloud Deprecation General Recommender Viewer" }, { "description": "Admin of Cloud Manageability General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudManageabilityRecommendationAdmin", "stage": "BETA", "title": "Cloud Manageability General Recommendations Recommender Admin" }, { "description": "Viewer of Cloud Manageability General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudManageabilityRecommendationViewer", "stage": "BETA", "title": "Cloud Manageability General Recommendations Recommender Viewer" }, { "description": "Admin of Cloud Performance General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudPerformanceRecommendationAdmin", "stage": "BETA", "title": "Cloud Performance General Recommendations Recommender Admin" }, { "description": "Viewer of Cloud Performance General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudPerformanceRecommendationViewer", "stage": "BETA", "title": "Cloud Performance General Recommendations Recommender Viewer" }, { "description": "Admin of Cloud Reliability General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudReliabilityRecommendationAdmin", "stage": "BETA", "title": "Cloud Reliability General Recommendations Recommender Admin" }, { "description": "Viewer of Cloud Reliability General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudReliabilityRecommendationViewer", "stage": "BETA", "title": "Cloud Reliability General Recommendations Recommender Viewer" }, { "description": "Admin of Cloud Security General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudSecurityRecommendationAdmin", "stage": "BETA", "title": "Cloud Security General Recommendations Recommender Admin" }, { "description": "Viewer of Cloud Security General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudSecurityRecommendationViewer", "stage": "BETA", "title": "Cloud Security General Recommendations Recommender Viewer" }, { "description": "Admin of Cloud SQL insights and recommendations.", "etag": "AA==", "name": "roles/recommender.cloudsqlAdmin", "stage": "BETA", "title": "Cloud SQL Recommender Admin" }, { "description": "Viewer of Cloud SQL insights and recommendations.", "etag": "AA==", "name": "roles/recommender.cloudsqlViewer", "stage": "BETA", "title": "Cloud SQL Recommender Viewer" }, { "description": "Admin of compute recommendations.", "etag": "AA==", "name": "roles/recommender.computeAdmin", "stage": "GA", "title": "Compute Recommender Admin" }, { "description": "Viewer of compute recommendations.", "etag": "AA==", "name": "roles/recommender.computeViewer", "stage": "GA", "title": "Compute Recommender Viewer" }, { "description": "Admin of GKE Diagnosis Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.containerDiagnosisAdmin", "stage": "GA", "title": "GKE Diagnosis Recommender Admin" }, { "description": "Viewer of GKE Diagnosis Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.containerDiagnosisViewer", "stage": "GA", "title": "GKE Diagnosis Recommender Viewer" }, { "description": "Admin of Diagnostics recommendations.", "etag": "AA==", "name": "roles/recommender.dataflowDiagnosticsAdmin", "stage": "GA", "title": "Dataflow Diagnostics Admin" }, { "description": "Viewer of Diagnostics recommendations.", "etag": "AA==", "name": "roles/recommender.dataflowDiagnosticsViewer", "stage": "GA", "title": "Dataflow Diagnostics Viewer" }, { "description": "Admin of Error Reporting Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.errorReportingAdmin", "stage": "GA", "title": "Error Reporting Recommender Admin" }, { "description": "Viewer of Error Reporting Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.errorReportingViewer", "stage": "GA", "title": "Error Reporting Recommender Viewer" }, { "description": "Exporter of Recommendations", "etag": "AA==", "name": "roles/recommender.exporter", "stage": "GA", "title": "Recommendations Exporter" }, { "description": "Admin of Firewall insights and recommendations.", "etag": "AA==", "name": "roles/recommender.firewallAdmin", "stage": "GA", "title": "Firewall Recommender Admin" }, { "description": "Viewer of Firewall insights and recommendations.", "etag": "AA==", "name": "roles/recommender.firewallViewer", "stage": "GA", "title": "Firewall Recommender Viewer" }, { "description": "Admin of all Google Maps Platform insights and recommendations.", "etag": "AA==", "name": "roles/recommender.gmpAdmin", "stage": "GA", "title": "Google Maps Platform Insights/Recommendations Admin" }, { "description": "Viewer of all Google Maps Platform insights and recommendations.", "etag": "AA==", "name": "roles/recommender.gmpViewer", "stage": "GA", "title": "Google Maps Platform Insights/Recommendations Viewer" }, { "description": "Admin of IAM recommendations.", "etag": "AA==", "name": "roles/recommender.iamAdmin", "stage": "GA", "title": "IAM Recommender Admin" }, { "description": "Viewer of IAM recommendations.", "etag": "AA==", "name": "roles/recommender.iamViewer", "stage": "GA", "title": "IAM Recommender Viewer" }, { "description": "Admin of IAM Policy Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.iampolicychangeriskAdmin", "stage": "BETA", "title": "IAM Policy Change Risk Recommender Admin" }, { "description": "Viewer of IAM Policy Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.iampolicychangeriskViewer", "stage": "BETA", "title": "IAM Policy Change Risk Recommender Viewer" }, { "description": "Admin of Network Analyzer Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerAdmin", "stage": "GA", "title": "Network Analyzer Recommender Admin" }, { "description": "Admin of Network Analyzer Cloud SQL Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerCloudSqlAdmin", "stage": "GA", "title": "Network Analyzer Cloud SQL Recommender Admin" }, { "description": "Viewer of Network Analyzer Cloud SQL Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerCloudSqlViewer", "stage": "GA", "title": "Network Analyzer Cloud SQL Recommender Viewer" }, { "description": "Admin of Network Analyzer Dynamic Route Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerDynamicRouteAdmin", "stage": "GA", "title": "Network Analyzer Dynamic Route Recommender Admin" }, { "description": "Viewer of Network Analyzer Dynamic Route Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerDynamicRouteViewer", "stage": "GA", "title": "Network Analyzer Dynamic Route Recommender Viewer" }, { "description": "Admin of Network Analyzer GKE Connectivity Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerGkeConnectivityAdmin", "stage": "GA", "title": "Network Analyzer GKE Connectivity Recommender Admin" }, { "description": "Viewer of Network Analyzer GKE Connectivity Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerGkeConnectivityViewer", "stage": "GA", "title": "Network Analyzer GKE Connectivity Recommender Viewer" }, { "description": "Admin of Network Analyzer GKE IP Address Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerGkeIpAddressAdmin", "stage": "GA", "title": "Network Analyzer GKE IP Address Recommender Admin" }, { "description": "Viewer of Network Analyzer GKE IP Address Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerGkeIpAddressViewer", "stage": "GA", "title": "Network Analyzer GKE IP Address Recommender Viewer" }, { "description": "Admin of Network Analyzer GKE Service Account Insights Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerGkeServiceAccountAdmin", "stage": "GA", "title": "Network Analyzer GKE Service Account Insights Recommender Admin" }, { "description": "Viewer of Network Analyzer GKE Service Account Insights Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerGkeServiceAccountViewer", "stage": "GA", "title": "Network Analyzer GKE Service Account Insights Recommender Viewer" }, { "description": "Admin of Network Analyzer IP Address Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerIpAddressAdmin", "stage": "GA", "title": "Network Analyzer IP Address Recommender Admin" }, { "description": "Viewer of Network Analyzer IP Address Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerIpAddressViewer", "stage": "GA", "title": "Network Analyzer IP Address Recommender Viewer" }, { "description": "Admin of Network Analyzer Load Balancer Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerLoadBalancerAdmin", "stage": "GA", "title": "Network Analyzer Load Balancer Recommender Admin" }, { "description": "Viewer of Network Analyzer Load Balancer Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerLoadBalancerViewer", "stage": "GA", "title": "Network Analyzer Load Balancer Recommender Viewer" }, { "description": "Viewer of Network Analyzer Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerViewer", "stage": "GA", "title": "Network Analyzer Recommender Viewer" }, { "description": "Admin of Network Analyzer VPC Connectivity Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerVpcConnectivityAdmin", "stage": "GA", "title": "Network Analyzer VPC Connectivity Recommender Admin" }, { "description": "Viewer of Network Analyzer VPC Connectivity Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerVpcConnectivityViewer", "stage": "GA", "title": "Network Analyzer VPC Connectivity Recommender Viewer" }, { "description": "Admin of all Product Suggestion insights and recommendations.", "etag": "AA==", "name": "roles/recommender.productSuggestionAdmin", "stage": "BETA", "title": "Product Suggestion Recommenders Admin" }, { "description": "Viewer of all Product Suggestion insights and recommendations.", "etag": "AA==", "name": "roles/recommender.productSuggestionViewer", "stage": "BETA", "title": "Product Suggestion Recommenders Viewer" }, { "description": "Admin of Project Usage Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.projectCudAdmin", "stage": "BETA", "title": "Project Usage Commitment Recommender Admin" }, { "description": "Viewer of Project Usage Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.projectCudViewer", "stage": "BETA", "title": "Project Usage Commitment Recommender Viewer" }, { "description": "Admin of Project Utilization insights and recommendations.", "etag": "AA==", "name": "roles/recommender.projectUtilAdmin", "stage": "GA", "title": "Project Utilization Recommender Admin" }, { "description": "Viewer of Project Utilization insights and recommendations.", "etag": "AA==", "name": "roles/recommender.projectUtilViewer", "stage": "GA", "title": "Project Utilization Recommender Viewer" }, { "description": "Admin of RecentChange RecommenderConfigs.", "etag": "AA==", "name": "roles/recommender.recentChangeConfigAdmin", "stage": "GA", "title": "RecentChange RecommenderConfig Admin" }, { "description": "Admin of Recent Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.recentchangeriskAdmin", "stage": "GA", "title": "Recent Change Risk Recommender Admin" }, { "description": "Viewer of Recent Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.recentchangeriskViewer", "stage": "GA", "title": "Recent Change Risk Recommender Viewer" }, { "description": "Admin of Service Limit insights and recommendations.", "etag": "AA==", "name": "roles/recommender.serviceLimitAdmin", "stage": "BETA", "title": "Service Limit Recommender Admin" }, { "description": "Viewer of Service Limit insights and recommendations.", "etag": "AA==", "name": "roles/recommender.serviceLimitViewer", "stage": "BETA", "title": "Service Limit Recommender Viewer" }, { "description": "Admin of Service Account Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.serviceaccntchangeriskAdmin", "stage": "BETA", "title": "Service Account Change Risk Recommender Admin" }, { "description": "Viewer of Service Account Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.serviceaccntchangeriskViewer", "stage": "BETA", "title": "Service Account Change Risk Recommender Viewer" }, { "description": "Admin of Spend Based Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.ucsAdmin", "stage": "BETA", "title": "Spend Based Commitment Recommender Admin" }, { "description": "Viewer of Spend Based Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.ucsViewer", "stage": "BETA", "title": "Spend Based Commitment Recommender Viewer" }, { "description": "Enables Get and List operations.", "etag": "AA==", "name": "roles/recommender.viewer", "stage": "GA", "title": "Recommender Viewer" }, { "description": "Full access to Redis instances and related resources.", "etag": "AA==", "name": "roles/redis.admin", "stage": "GA", "title": "Cloud Memorystore Redis Admin" }, { "description": "Access to connecting to Redis Server db.", "etag": "AA==", "name": "roles/redis.dbConnectionUser", "stage": "BETA", "title": "Cloud Memorystore Redis Db Connection User" }, { "description": "Read-Write access to Redis instances and related resources.", "etag": "AA==", "name": "roles/redis.editor", "stage": "GA", "title": "Cloud Memorystore Redis Editor" }, { "description": "Gives Cloud Memorystore Redis service account access to managed resource", "etag": "AA==", "name": "roles/redis.serviceAgent", "stage": "GA", "title": "Cloud Memorystore Redis Service Agent" }, { "description": "Read-only access to Redis instances and related resources.", "etag": "AA==", "name": "roles/redis.viewer", "stage": "GA", "title": "Cloud Memorystore Redis Viewer" }, { "description": "This role is managed by Redis Labs, not Google.", "etag": "AA==", "name": "roles/redisenterprisecloud.admin", "stage": "BETA", "title": "Redis Enterprise Cloud Admin" }, { "description": "This role is managed by Redis Labs, not Google.", "etag": "AA==", "name": "roles/redisenterprisecloud.viewer", "stage": "BETA", "title": "Redis Enterprise Cloud Viewer" }, { "description": "Remote Build Execution Action Cache Writer", "etag": "AA==", "name": "roles/remotebuildexecution.actionCacheWriter", "stage": "BETA", "title": "Remote Build Execution Action Cache Writer" }, { "description": "Remote Build Execution Artifact Admin", "etag": "AA==", "name": "roles/remotebuildexecution.artifactAdmin", "stage": "BETA", "title": "Remote Build Execution Artifact Admin" }, { "description": "Remote Build Execution Artifact Creator", "etag": "AA==", "name": "roles/remotebuildexecution.artifactCreator", "stage": "BETA", "title": "Remote Build Execution Artifact Creator" }, { "description": "Remote Build Execution Artifact Viewer", "etag": "AA==", "name": "roles/remotebuildexecution.artifactViewer", "stage": "BETA", "title": "Remote Build Execution Artifact Viewer" }, { "description": "Remote Build Execution Configuration Admin", "etag": "AA==", "name": "roles/remotebuildexecution.configurationAdmin", "stage": "BETA", "title": "Remote Build Execution Configuration Admin" }, { "description": "Remote Build Execution Configuration Viewer", "etag": "AA==", "name": "roles/remotebuildexecution.configurationViewer", "stage": "BETA", "title": "Remote Build Execution Configuration Viewer" }, { "description": "Remote Build Execution Logstream Writer", "etag": "AA==", "name": "roles/remotebuildexecution.logstreamWriter", "stage": "BETA", "title": "Remote Build Execution Logstream Writer" }, { "description": "Remote Build Execution Reservation Admin", "etag": "AA==", "name": "roles/remotebuildexecution.reservationAdmin", "stage": "BETA", "title": "Remote Build Execution Reservation Admin" }, { "description": "Gives Remote Build Execution service account access to managed resources.", "etag": "AA==", "name": "roles/remotebuildexecution.serviceAgent", "stage": "GA", "title": "Remote Build Execution Service Agent" }, { "description": "Remote Build Execution Worker", "etag": "AA==", "name": "roles/remotebuildexecution.worker", "stage": "BETA", "title": "Remote Build Execution Worker" }, { "description": "Access and administer a folder and all of its sub-resources.", "etag": "AA==", "has_privesc": true, "name": "roles/resourcemanager.folderAdmin", "stage": "GA", "title": "Folder Admin" }, { "description": "Create folder and view all of its sub-resources.", "etag": "AA==", "name": "roles/resourcemanager.folderCreator", "stage": "GA", "title": "Folder Creator" }, { "description": "Edit, delete, and undelete a folder and all of its child resources.", "etag": "AA==", "name": "roles/resourcemanager.folderEditor", "stage": "GA", "title": "Folder Editor" }, { "description": "Access and administer a folder IAM policies.", "etag": "AA==", "name": "roles/resourcemanager.folderIamAdmin", "stage": "GA", "title": "Folder IAM Admin" }, { "description": "Move a folder and all of its child resources.", "etag": "AA==", "name": "roles/resourcemanager.folderMover", "stage": "GA", "title": "Folder Mover" }, { "description": "Access to view a folder and all of its child resources.", "etag": "AA==", "name": "roles/resourcemanager.folderViewer", "stage": "GA", "title": "Folder Viewer" }, { "description": "Access to modify Liens on projects.", "etag": "AA==", "name": "roles/resourcemanager.lienModifier", "stage": "GA", "title": "Project Lien Modifier" }, { "description": "Access to manage IAM policies and view organization policies for organizations, folders, and projects.", "etag": "AA==", "has_privesc": true, "name": "roles/resourcemanager.organizationAdmin", "stage": "GA", "title": "Organization Administrator" }, { "description": "Access only to view an Organization.", "etag": "AA==", "name": "roles/resourcemanager.organizationViewer", "stage": "GA", "title": "Organization Viewer" }, { "description": "Access to create new GCP projects.", "etag": "AA==", "name": "roles/resourcemanager.projectCreator", "stage": "GA", "title": "Project Creator" }, { "description": "Access to delete GCP projects.", "etag": "AA==", "name": "roles/resourcemanager.projectDeleter", "stage": "GA", "title": "Project Deleter" }, { "description": "Access and administer a project IAM policies.", "etag": "AA==", "has_privesc": true, "name": "roles/resourcemanager.projectIamAdmin", "stage": "GA", "title": "Project IAM Admin" }, { "description": "Access to update and move a project", "etag": "AA==", "name": "roles/resourcemanager.projectMover", "stage": "GA", "title": "Project Mover" }, { "description": "Access to create, delete, update, and manage access to Tags", "etag": "AA==", "name": "roles/resourcemanager.tagAdmin", "stage": "GA", "title": "Tag Administrator" }, { "description": "Access to create, delete and list TagHolds under a TagValue", "etag": "AA==", "name": "roles/resourcemanager.tagHoldAdmin", "stage": "GA", "title": "Tag Hold Administrator" }, { "description": "Access to list Tags and manage their associations with resources", "etag": "AA==", "has_privesc": true, "name": "roles/resourcemanager.tagUser", "stage": "GA", "title": "Tag User" }, { "description": "Access to list Tags and their associations with resources", "etag": "AA==", "name": "roles/resourcemanager.tagViewer", "stage": "GA", "title": "Tag Viewer" }, { "description": "Provides admin capabilities to set Resource Setting Values on resources.", "etag": "AA==", "name": "roles/resourcesettings.admin", "stage": "GA", "title": "Resource Settings Administrator" }, { "description": "Provides capabilities to view Resource Settings and Resource Setting Values on resources.", "etag": "AA==", "name": "roles/resourcesettings.viewer", "stage": "GA", "title": "Resource Settings Viewer" }, { "description": "Full access to Retail api resources.", "etag": "AA==", "name": "roles/retail.admin", "stage": "GA", "title": "Retail Admin" }, { "description": "Full access to Retail api resources except purge, rejoin, and setSponsorship.", "etag": "AA==", "name": "roles/retail.editor", "stage": "GA", "title": "Retail Editor" }, { "description": "Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.", "etag": "AA==", "has_dataaccess": true, "name": "roles/retail.serviceAgent", "stage": "GA", "title": "Retail Service Agent" }, { "description": "Grants access to read all resources in Retail.", "etag": "AA==", "name": "roles/retail.viewer", "stage": "GA", "title": "Retail Viewer" }, { "description": "Read/write access to RISC config resources.", "etag": "AA==", "name": "roles/riscconfigs.admin", "stage": "BETA", "title": "RISC Configuration Admin" }, { "description": "Read-only access to RISC config resources.", "etag": "AA==", "name": "roles/riscconfigs.viewer", "stage": "BETA", "title": "RISC Configuration Viewer" }, { "description": "Grants all Risk Manager permissions", "etag": "AA==", "name": "roles/riskmanager.admin", "stage": "BETA", "title": "Risk Manager Admin" }, { "description": "Access to edit Risk Manager resources", "etag": "AA==", "name": "roles/riskmanager.editor", "stage": "BETA", "title": "Risk Manager Editor" }, { "description": "Access to review Risk Manager reports", "etag": "AA==", "name": "roles/riskmanager.reviewer", "stage": "BETA", "title": "Risk Manager Report Reviewer" }, { "description": "Service agent that grants Risk Manager service access to fetch findings for generating Reports", "etag": "AA==", "name": "roles/riskmanager.serviceAgent", "stage": "GA", "title": "Risk Manager Service Agent" }, { "description": "Access to view Risk Manager resources", "etag": "AA==", "name": "roles/riskmanager.viewer", "stage": "BETA", "title": "Risk Manager Viewer" }, { "description": "Full access to Rapid Migration Assessment all resources.", "etag": "AA==", "name": "roles/rma.admin", "stage": "GA", "title": "Rapid Migration Assessment Admin" }, { "description": "Update and Read access to Rapid Migration Assessment all resources.", "etag": "AA==", "name": "roles/rma.runner", "stage": "GA", "title": "Rapid Migration Assessment Runner" }, { "description": "Read-only access to Rapid Migration Assessment all resources.", "etag": "AA==", "name": "roles/rma.viewer", "stage": "GA", "title": "Rapid Migration Assessment Viewer" }, { "description": "Grants Route Optimization Service Account access to read and write GCS objects in the host project.", "etag": "AA==", "has_dataaccess": true, "name": "roles/routeoptimization.serviceAgent", "stage": "GA", "title": "Route Optimization Service Agent" }, { "description": "Full control over all Cloud Run resources.", "etag": "AA==", "name": "roles/run.admin", "stage": "GA", "title": "Cloud Run Admin" }, { "description": "Read and write access to all Cloud Run resources.", "etag": "AA==", "name": "roles/run.developer", "stage": "GA", "title": "Cloud Run Developer" }, { "description": "Can invoke a Cloud Run service.", "etag": "AA==", "name": "roles/run.invoker", "stage": "GA", "title": "Cloud Run Invoker" }, { "description": "Gives Cloud Run service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/run.serviceAgent", "stage": "GA", "title": "Cloud Run Service Agent" }, { "description": "Can view the state of all Cloud Run resources, including IAM policies.", "etag": "AA==", "name": "roles/run.viewer", "stage": "GA", "title": "Cloud Run Viewer" }, { "description": "Access to create and change Serverless Integrations and their configuration.", "etag": "AA==", "name": "roles/runapps.developer", "stage": "BETA", "title": "Serverless Integrations Developer" }, { "description": "Access to deploy Serverless Integrations.", "etag": "AA==", "name": "roles/runapps.operator", "stage": "BETA", "title": "Serverless Integrations Operator" }, { "description": "Gives Serverless Integrations Service Account access to customer project resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/runapps.serviceAgent", "stage": "GA", "title": "Serverless Integrations Service Agent" }, { "description": "Readonly access to Serverless Integrations resources.", "etag": "AA==", "name": "roles/runapps.viewer", "stage": "BETA", "title": "Serverless Integrations Viewer" }, { "description": "Full access to RuntimeConfig resources.", "etag": "AA==", "name": "roles/runtimeconfig.admin", "stage": "GA", "title": "Cloud RuntimeConfig Admin" }, { "description": "Full access to administer Secret Manager resources.", "etag": "AA==", "has_privesc": true, "name": "roles/secretmanager.admin", "stage": "GA", "title": "Secret Manager Admin" }, { "description": "Allows accessing the payload of secrets.", "etag": "AA==", "name": "roles/secretmanager.secretAccessor", "stage": "GA", "title": "Secret Manager Secret Accessor" }, { "description": "Allows adding versions to existing secrets.", "etag": "AA==", "name": "roles/secretmanager.secretVersionAdder", "stage": "GA", "title": "Secret Manager Secret Version Adder" }, { "description": "Allows creating and managing versions of existing secrets.", "etag": "AA==", "name": "roles/secretmanager.secretVersionManager", "stage": "GA", "title": "Secret Manager Secret Version Manager" }, { "description": "Allows viewing metadata of all Secret Manager resources", "etag": "AA==", "name": "roles/secretmanager.viewer", "stage": "GA", "title": "Secret Manager Viewer" }, { "description": "Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.", "etag": "AA==", "name": "roles/securedlandingzone.bqdwOrgRemediator", "stage": "BETA", "title": "SLZ BQDW Blueprint Organization Level Remediator" }, { "description": "Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.", "etag": "AA==", "has_privesc": true, "name": "roles/securedlandingzone.bqdwProjectRemediator", "stage": "BETA", "title": "SLZ BQDW Blueprint Project Level Remediator" }, { "description": "This role can activate or suspend Overwatches", "etag": "AA==", "name": "roles/securedlandingzone.overwatchActivator", "stage": "BETA", "title": "Overwatch Activator" }, { "description": "Full access to Overwatches", "etag": "AA==", "name": "roles/securedlandingzone.overwatchAdmin", "stage": "BETA", "title": "Overwatch Admin" }, { "description": "This role can view all properties of Overwatches", "etag": "AA==", "name": "roles/securedlandingzone.overwatchViewer", "stage": "BETA", "title": "Overwatch Viewer" }, { "description": "Grants Secured Landing Zone service account permissions to manage resources in the customer project", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/securedlandingzone.serviceAgent", "stage": "GA", "title": "Secured Landing Zone Service Agent" }, { "description": "Full access to all Secure Source Manager resources.", "etag": "AA==", "name": "roles/securesourcemanager.admin", "stage": "BETA", "title": "Secure Source Manager Admin" }, { "description": "An instance accessor can access an instance, but not necessarily create resources in the instance.", "etag": "AA==", "name": "roles/securesourcemanager.instanceAccessor", "stage": "BETA", "title": "Secure Source Manager Instance Accessor" }, { "description": "Read-write access to all Secure Source Manager resources (full control except for the ability to modify permissions).", "etag": "AA==", "name": "roles/securesourcemanager.instanceManager", "stage": "BETA", "title": "Secure Source Manager Instance Manager" }, { "description": "Full control over Secure Source Manager instances, including listing, creating, and deleting them. Also enables instance user management.", "etag": "AA==", "name": "roles/securesourcemanager.instanceOwner", "stage": "BETA", "title": "Secure Source Manager Instance Owner" }, { "description": "An instance repository creator can connect to a Cloud Git instance via IAP (HTTPS) and create repositories in the instance.", "etag": "AA==", "name": "roles/securesourcemanager.instanceRepositoryCreator", "stage": "BETA", "title": "Secure Source Manager Instance Repository Creator" }, { "description": "A repoAdmin has the ability to CRUD a repository and its children as well as assign users to a repository. They can also set, get, or check IAM policies on the repository.", "etag": "AA==", "name": "roles/securesourcemanager.repoAdmin", "stage": "BETA", "title": "Secure Source Manager Repository Admin" }, { "description": "A repoCreator has access to create repostiory in a project, the creator will then become the repoAdmin on this repository.", "etag": "AA==", "name": "roles/securesourcemanager.repoCreator", "stage": "BETA", "title": "Secure Source Manager Repository Creator" }, { "description": "A repoReader has read access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.", "etag": "AA==", "name": "roles/securesourcemanager.repoReader", "stage": "BETA", "title": "Secure Source Manager Repository Reader" }, { "description": "A repoWriter has read/write access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.", "etag": "AA==", "name": "roles/securesourcemanager.repoWriter", "stage": "BETA", "title": "Secure Source Manager Repository Writer" }, { "description": "An sshKeyUser can create SSH keys for themselves and list/delete SSH keys they own.", "etag": "AA==", "name": "roles/securesourcemanager.sshKeyUser", "stage": "BETA", "title": "Secure Source Manager SSH Key User" }, { "description": "Admin(super user) access to security center", "etag": "AA==", "name": "roles/securitycenter.admin", "stage": "GA", "title": "Security Center Admin" }, { "description": "Admin Read-write access to security center", "etag": "AA==", "name": "roles/securitycenter.adminEditor", "stage": "GA", "title": "Security Center Admin Editor" }, { "description": "Admin Read access to security center", "etag": "AA==", "name": "roles/securitycenter.adminViewer", "stage": "GA", "title": "Security Center Admin Viewer" }, { "description": "Write access to asset security marks", "etag": "AA==", "name": "roles/securitycenter.assetSecurityMarksWriter", "stage": "GA", "title": "Security Center Asset Security Marks Writer" }, { "description": "Run asset discovery access to assets", "etag": "AA==", "name": "roles/securitycenter.assetsDiscoveryRunner", "stage": "GA", "title": "Security Center Assets Discovery Runner" }, { "description": "Read access to assets", "etag": "AA==", "name": "roles/securitycenter.assetsViewer", "stage": "GA", "title": "Security Center Assets Viewer" }, { "description": "Read access to security center attack paths", "etag": "AA==", "name": "roles/securitycenter.attackPathsViewer", "stage": "GA", "title": "Security Center Attack Paths Reader" }, { "description": "Gives Mandiant Attack Surface Management the ability to scan Cloud Platform resources.", "etag": "AA==", "name": "roles/securitycenter.attackSurfaceManagementScannerServiceAgent", "stage": "GA", "title": "Attack Surface Management Scanner Service Agent" }, { "description": "Security Center automation service agent can configure GCP resources to enable security scanning.", "etag": "AA==", "name": "roles/securitycenter.automationServiceAgent", "stage": "GA", "title": "Security Center Automation Service Agent" }, { "description": "Read-Write access to security center BigQuery Exports", "etag": "AA==", "name": "roles/securitycenter.bigQueryExportsEditor", "stage": "GA", "title": "Security Center BigQuery Exports Editor" }, { "description": "Read access to security center BigQuery Exports", "etag": "AA==", "name": "roles/securitycenter.bigQueryExportsViewer", "stage": "GA", "title": "Security Center BigQuery Exports Viewer" }, { "description": "Read access to security center compliance snapshots", "etag": "AA==", "name": "roles/securitycenter.complianceSnapshotsViewer", "stage": "BETA", "title": "Security Center Compliance Snapshots Viewer" }, { "description": "Security Center Control service agent can monitor and configure GCP resources and import security findings.", "etag": "AA==", "name": "roles/securitycenter.controlServiceAgent", "stage": "GA", "title": "Security Center Control Service Agent" }, { "description": "Write access to security center external systems", "etag": "AA==", "name": "roles/securitycenter.externalSystemsEditor", "stage": "GA", "title": "Security Center External Systems Editor" }, { "description": "Write access to finding security marks", "etag": "AA==", "name": "roles/securitycenter.findingSecurityMarksWriter", "stage": "GA", "title": "Security Center Finding Security Marks Writer" }, { "description": "Ability to mute findings in bulk", "etag": "AA==", "name": "roles/securitycenter.findingsBulkMuteEditor", "stage": "GA", "title": "Security Center Findings Bulk Mute Editor" }, { "description": "Read-write access to findings", "etag": "AA==", "name": "roles/securitycenter.findingsEditor", "stage": "GA", "title": "Security Center Findings Editor" }, { "description": "Set mute access to findings", "etag": "AA==", "name": "roles/securitycenter.findingsMuteSetter", "stage": "GA", "title": "Security Center Findings Mute Setter" }, { "description": "Set state access to findings", "etag": "AA==", "name": "roles/securitycenter.findingsStateSetter", "stage": "GA", "title": "Security Center Findings State Setter" }, { "description": "Read access to findings", "etag": "AA==", "name": "roles/securitycenter.findingsViewer", "stage": "GA", "title": "Security Center Findings Viewer" }, { "description": "Set workflow state access to findings", "etag": "AA==", "name": "roles/securitycenter.findingsWorkflowStateSetter", "stage": "BETA", "title": "Security Center Findings Workflow State Setter" }, { "description": "Gives Security Center access to execute Integrations.", "etag": "AA==", "name": "roles/securitycenter.integrationExecutorServiceAgent", "stage": "GA", "title": "Security Center Integration Executor Service Agent" }, { "description": "Read-Write access to security center mute configurations", "etag": "AA==", "name": "roles/securitycenter.muteConfigsEditor", "stage": "GA", "title": "Security Center Mute Configurations Editor" }, { "description": "Read access to security center mute configurations", "etag": "AA==", "name": "roles/securitycenter.muteConfigsViewer", "stage": "GA", "title": "Security Center Mute Configurations Viewer" }, { "description": "Write access to notification configurations", "etag": "AA==", "name": "roles/securitycenter.notificationConfigEditor", "stage": "GA", "title": "Security Center Notification Configurations Editor" }, { "description": "Read access to notification configurations", "etag": "AA==", "name": "roles/securitycenter.notificationConfigViewer", "stage": "GA", "title": "Security Center Notification Configurations Viewer" }, { "description": "Security Center service agent can publish notifications to Pub/Sub topics.", "etag": "AA==", "name": "roles/securitycenter.notificationServiceAgent", "stage": "GA", "title": "Security Center Notification Service Agent" }, { "description": "Read-Write access to security center resource value configurations", "etag": "AA==", "name": "roles/securitycenter.resourceValueConfigsEditor", "stage": "GA", "title": "Security Center Resource Value Configurations Editor" }, { "description": "Read access to security center resource value configurations", "etag": "AA==", "name": "roles/securitycenter.resourceValueConfigsViewer", "stage": "GA", "title": "Security Center Resource Value Configurations Viewer" }, { "description": "Test access to Security Health Analytics Custom Modules", "etag": "AA==", "name": "roles/securitycenter.securityHealthAnalyticsCustomModulesTester", "stage": "GA", "title": "Security Health Analytics Custom Modules Tester" }, { "description": "Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.", "etag": "AA==", "name": "roles/securitycenter.securityHealthAnalyticsServiceAgent", "stage": "GA", "title": "Security Health Analytics Service Agent" }, { "description": "Gives Playbook Runner permissions to execute all Google authored Playbooks. This role will keep evolving as we add more playbooks", "etag": "AA==", "has_privesc": true, "name": "roles/securitycenter.securityResponseServiceAgent", "stage": "GA", "title": "Google Cloud Security Response Service Agent" }, { "description": "Security Center service agent can scan GCP resources and import security scans.", "etag": "AA==", "name": "roles/securitycenter.serviceAgent", "stage": "GA", "title": "Security Center Service Agent" }, { "description": "Admin(super user) access to security center settings", "etag": "AA==", "name": "roles/securitycenter.settingsAdmin", "stage": "GA", "title": "Security Center Settings Admin" }, { "description": "Read-Write access to security center settings", "etag": "AA==", "name": "roles/securitycenter.settingsEditor", "stage": "GA", "title": "Security Center Settings Editor" }, { "description": "Read access to security center settings", "etag": "AA==", "name": "roles/securitycenter.settingsViewer", "stage": "GA", "title": "Security Center Settings Viewer" }, { "description": "Read access to security center simulations", "etag": "AA==", "name": "roles/securitycenter.simulationsViewer", "stage": "GA", "title": "Security Center Simulations Reader" }, { "description": "Admin access to sources", "etag": "AA==", "name": "roles/securitycenter.sourcesAdmin", "stage": "GA", "title": "Security Center Sources Admin" }, { "description": "Read-write access to sources", "etag": "AA==", "name": "roles/securitycenter.sourcesEditor", "stage": "GA", "title": "Security Center Sources Editor" }, { "description": "Read access to sources", "etag": "AA==", "name": "roles/securitycenter.sourcesViewer", "stage": "GA", "title": "Security Center Sources Viewer" }, { "description": "Read access to security center valued resources", "etag": "AA==", "name": "roles/securitycenter.valuedResourcesViewer", "stage": "GA", "title": "Security Center Valued Resources Reader" }, { "description": "Full access to manage Cloud Security Command Center services and custom modules configuration.", "etag": "AA==", "name": "roles/securitycentermanagement.admin", "title": "Security Center Management Admin" }, { "description": "Full access to manage Cloud Security Command Center custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.customModulesEditor", "stage": "GA", "title": "Security Center Management Custom Modules Editor" }, { "description": "Readonly access to Cloud Security Command Center custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.customModulesViewer", "stage": "GA", "title": "Security Center Management Custom Modules Viewer" }, { "description": "Full access to manage Cloud Security Command Center ETD custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.etdCustomModulesEditor", "stage": "GA", "title": "Security Center Management Custom ETD Modules Editor" }, { "description": "Readonly access to Cloud Security Command Center ETD custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.etdCustomModulesViewer", "stage": "GA", "title": "Security Center Management ETD Custom Modules Viewer" }, { "description": "Full access to manage Cloud Security Command Center settings", "etag": "AA==", "name": "roles/securitycentermanagement.settingsEditor", "title": "Security Center Management Settings Editor" }, { "description": "Readonly access to Cloud Security Command Center settings", "etag": "AA==", "name": "roles/securitycentermanagement.settingsViewer", "title": "Security Center Management Settings Viewer" }, { "description": "Full access to manage Cloud Security Command Center SHA custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.shaCustomModulesEditor", "stage": "GA", "title": "Security Center Management SHA Custom Modules Editor" }, { "description": "Readonly access to Cloud Security Command Center SHA custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.shaCustomModulesViewer", "stage": "GA", "title": "Security Center Management SHA Custom Modules Viewer" }, { "description": "Readonly access to Cloud Security Command Center services and custom modules configuration.", "etag": "AA==", "name": "roles/securitycentermanagement.viewer", "title": "Security Center Management Viewer" }, { "description": "Full access to Security Posture service APIs.", "etag": "AA==", "name": "roles/securityposture.admin", "stage": "GA", "title": "Security Posture Admin" }, { "description": "Mutate and read permissions to the Posture Deployment resource.", "etag": "AA==", "name": "roles/securityposture.postureDeployer", "stage": "GA", "title": "Security Posture Deployer" }, { "description": "Read only access to the Posture Deployment resource.", "etag": "AA==", "name": "roles/securityposture.postureDeploymentsViewer", "stage": "GA", "title": "Security Posture Deployments Viewer" }, { "description": "Mutate and read permissions to the Posture resource.", "etag": "AA==", "name": "roles/securityposture.postureEditor", "stage": "GA", "title": "Security Posture Resource Editor" }, { "description": "Read only access to the Posture resource.", "etag": "AA==", "name": "roles/securityposture.postureViewer", "stage": "GA", "title": "Security Posture Resource Viewer" }, { "description": "Create access for Reports, e.g. IaC Validation Report.", "etag": "AA==", "name": "roles/securityposture.reportCreator", "stage": "GA", "title": "Security Posture Shift-Left Validator" }, { "description": "Read only access to all the SecurityPosture Service resources.", "etag": "AA==", "name": "roles/securityposture.viewer", "stage": "GA", "title": "Security Posture Viewer" }, { "description": "Gives Cloud Run service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/serverless.serviceAgent", "stage": "GA", "title": "Cloud Run Service Agent" }, { "description": "Full access to ServiceBroker resources.", "etag": "AA==", "name": "roles/servicebroker.admin", "stage": "DEPRECATED", "title": "Service Broker Admin" }, { "description": "Operational access to the ServiceBroker resources.", "etag": "AA==", "name": "roles/servicebroker.operator", "stage": "DEPRECATED", "title": "Service Broker Operator" }, { "description": "Administrate tenancy units", "etag": "AA==", "name": "roles/serviceconsumermanagement.tenancyUnitsAdmin", "stage": "BETA", "title": "Admin of Tenancy Units" }, { "description": "View tenancy units", "etag": "AA==", "name": "roles/serviceconsumermanagement.tenancyUnitsViewer", "stage": "BETA", "title": "Viewer of Tenancy Units" }, { "description": "Full control of all Service Directory resources and permissions.", "etag": "AA==", "name": "roles/servicedirectory.admin", "stage": "GA", "title": "Service Directory Admin" }, { "description": "Edit Service Directory resources.", "etag": "AA==", "name": "roles/servicedirectory.editor", "stage": "GA", "title": "Service Directory Editor" }, { "description": "Gives access to attach VPC Networks to Service Directory Endpoints", "etag": "AA==", "name": "roles/servicedirectory.networkAttacher", "stage": "GA", "title": "Service Directory Network Attacher" }, { "description": "Gives access to VPC Networks via Service Directory", "etag": "AA==", "name": "roles/servicedirectory.pscAuthorizedService", "stage": "GA", "title": "Private Service Connect Authorized Service" }, { "description": "Give the Service Directory service agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/servicedirectory.serviceAgent", "stage": "GA", "title": "Service Directory Service Agent" }, { "description": "View Service Directory resources.", "etag": "AA==", "name": "roles/servicedirectory.viewer", "stage": "GA", "title": "Service Directory Viewer" }, { "description": "Readonly access to Personalized Service Health resources.", "etag": "AA==", "name": "roles/servicehealth.viewer", "stage": "BETA", "title": "Personalized Service Health Viewer" }, { "description": "Full control of Google Service Management resources.", "etag": "AA==", "name": "roles/servicemanagement.admin", "stage": "GA", "title": "Service Management Administrator" }, { "description": "Access to update the service config and create rollouts.", "etag": "AA==", "name": "roles/servicemanagement.configEditor", "stage": "GA", "title": "Service Config Editor" }, { "description": "Access to administer service quotas.", "etag": "AA==", "name": "roles/servicemanagement.quotaAdmin", "stage": "BETA", "title": "Quota Administrator" }, { "description": "Access to view service quotas.", "etag": "AA==", "name": "roles/servicemanagement.quotaViewer", "stage": "BETA", "title": "Quota Viewer" }, { "description": "Can report usage of a service during runtime.", "etag": "AA==", "name": "roles/servicemanagement.reporter", "stage": "GA", "title": "Service Reporter" }, { "description": "Can enable the service.", "etag": "AA==", "name": "roles/servicemanagement.serviceConsumer", "stage": "GA", "title": "Service Consumer" }, { "description": "Can check preconditions and report usage of a service during runtime.", "etag": "AA==", "name": "roles/servicemanagement.serviceController", "stage": "GA", "title": "Service Controller" }, { "description": "Full control of service networking with projects.", "etag": "AA==", "name": "roles/servicenetworking.networksAdmin", "stage": "BETA", "title": "Service Networking Admin" }, { "description": "Gives permission to manage network configuration, such as establishing network peering, necessary for service producers", "etag": "AA==", "name": "roles/servicenetworking.serviceAgent", "stage": "GA", "title": "Service Networking Service Agent" }, { "description": "Read-only access to Security Insights resources", "etag": "AA==", "name": "roles/servicesecurityinsights.securityInsightsViewer", "stage": "BETA", "title": "Security Insights Viewer" }, { "description": "Ability to create, delete, update, get and list API keys for a project.", "etag": "AA==", "name": "roles/serviceusage.apiKeysAdmin", "stage": "GA", "title": "API Keys Admin" }, { "description": "Ability to get and list API keys for a project.", "etag": "AA==", "name": "roles/serviceusage.apiKeysViewer", "stage": "GA", "title": "API Keys Viewer" }, { "description": "Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.", "etag": "AA==", "name": "roles/serviceusage.serviceUsageAdmin", "stage": "GA", "title": "Service Usage Admin" }, { "description": "Ability to inspect service states and operations, and consume quota and billing for a consumer project.", "etag": "AA==", "name": "roles/serviceusage.serviceUsageConsumer", "stage": "GA", "title": "Service Usage Consumer" }, { "description": "Ability to inspect service states and operations for a consumer project.", "etag": "AA==", "name": "roles/serviceusage.serviceUsageViewer", "stage": "GA", "title": "Service Usage Viewer" }, { "description": "Admin access to repositories", "etag": "AA==", "name": "roles/source.admin", "stage": "GA", "title": "Source Repository Administrator" }, { "description": "Read access to repositories", "etag": "AA==", "name": "roles/source.reader", "stage": "GA", "title": "Source Repository Reader" }, { "description": "Read / Write access to repositories", "etag": "AA==", "name": "roles/source.writer", "stage": "GA", "title": "Source Repository Writer" }, { "description": "Allow Cloud Source Repositories to integrate with other Cloud services.", "etag": "AA==", "has_privesc": true, "name": "roles/sourcerepo.serviceAgent", "stage": "GA", "title": "Cloud Source Repositories Service Agent" }, { "description": "Full control of Cloud Spanner resources.", "etag": "AA==", "name": "roles/spanner.admin", "stage": "GA", "title": "Cloud Spanner Admin" }, { "description": "Administrator role to manage Cloud Spanner backups. Does not include permissions to restore from Cloud Spanner backups.", "etag": "AA==", "name": "roles/spanner.backupAdmin", "stage": "GA", "title": "Cloud Spanner Backup Admin" }, { "description": "Role with limited permissions to create and manage Cloud Spanner backups. Does not have permission to modify backups.", "etag": "AA==", "name": "roles/spanner.backupWriter", "stage": "GA", "title": "Cloud Spanner Backup Writer" }, { "description": "Full control of Cloud Spanner databases.", "etag": "AA==", "name": "roles/spanner.databaseAdmin", "stage": "GA", "title": "Cloud Spanner Database Admin" }, { "description": "Access to read and/or query a Cloud Spanner database.", "etag": "AA==", "name": "roles/spanner.databaseReader", "stage": "GA", "title": "Cloud Spanner Database Reader" }, { "description": "In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/`.", "etag": "AA==", "name": "roles/spanner.databaseRoleUser", "stage": "GA", "title": "Cloud Spanner Database Role User" }, { "description": "Access to read, query, write and view and change the schema of Cloud Spanner databases", "etag": "AA==", "name": "roles/spanner.databaseUser", "stage": "GA", "title": "Cloud Spanner Database User" }, { "description": "Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the Cloud Spanner Database Role User IAM role and its necessary conditions.", "etag": "AA==", "name": "roles/spanner.fineGrainedAccessUser", "stage": "GA", "title": "Cloud Spanner Fine-grained Access User" }, { "description": "Administrator role to restore Cloud Spanner databases from Cloud Spanner backups.", "etag": "AA==", "name": "roles/spanner.restoreAdmin", "stage": "GA", "title": "Cloud Spanner Restore Admin" }, { "description": "Cloud Spanner API Service Agent", "etag": "AA==", "name": "roles/spanner.serviceAgent", "stage": "GA", "title": "Cloud Spanner API Service Agent" }, { "description": "Viewer access to Cloud Spanner resources.", "etag": "AA==", "name": "roles/spanner.viewer", "stage": "GA", "title": "Cloud Spanner Viewer" }, { "description": "Grants full access to all Speaker ID resources, including project settings.", "etag": "AA==", "name": "roles/speakerid.admin", "stage": "GA", "title": "Speaker ID Admin" }, { "description": "Grants access to read and write all Speaker ID resources.", "etag": "AA==", "name": "roles/speakerid.editor", "stage": "GA", "title": "Speaker ID Editor" }, { "description": "Grants read access to all Speaker ID resources, and allows verification.", "etag": "AA==", "name": "roles/speakerid.verifier", "stage": "GA", "title": "Speaker ID Verifier" }, { "description": "Grants read access to all Speaker ID resources.", "etag": "AA==", "name": "roles/speakerid.viewer", "stage": "GA", "title": "Speaker ID Viewer" }, { "description": "Grants full access to all resources in Speech-to-text", "etag": "AA==", "name": "roles/speech.admin", "stage": "GA", "title": "Cloud Speech Administrator" }, { "description": "Grants access to the recognition APIs.", "etag": "AA==", "name": "roles/speech.client", "stage": "GA", "title": "Cloud Speech Client" }, { "description": "Grants access to edit resources in Speech-to-text", "etag": "AA==", "name": "roles/speech.editor", "stage": "GA", "title": "Cloud Speech Editor" }, { "description": "Gives Speech-to-Text service account access to GCS resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/speech.serviceAgent", "stage": "GA", "title": "Cloud Speech-to-Text Service Agent" }, { "description": "Read/write access to manage Stackdriver account structure.", "etag": "AA==", "name": "roles/stackdriver.accounts.editor", "stage": "GA", "title": "Stackdriver Accounts Editor" }, { "description": "Read-only access to get and list information about Stackdriver account structure.", "etag": "AA==", "name": "roles/stackdriver.accounts.viewer", "stage": "GA", "title": "Stackdriver Accounts Viewer" }, { "description": "Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.", "etag": "AA==", "name": "roles/stackdriver.resourceMetadata.writer", "stage": "BETA", "title": "Stackdriver Resource Metadata Writer" }, { "description": "Grants full control of buckets and objects.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/storage.admin", "stage": "GA", "title": "Storage Admin" }, { "description": "Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/storage.folderAdmin", "stage": "GA", "title": "Storage Folder Admin" }, { "description": "Grants full control over HMAC keys in a project.", "etag": "AA==", "name": "roles/storage.hmacKeyAdmin", "stage": "GA", "title": "Storage HMAC Key Admin" }, { "description": "Grants read access to object metadata in inventory reports.", "etag": "AA==", "name": "roles/storage.insightsCollectorService", "stage": "GA", "title": "Storage Insights Collector Service" }, { "description": "Grants permission to create, replace, and delete objects; list objects in a bucket; create, delete, and list tag bindings; read object metadata when listing (excluding IAM policies); and read and edit bucket metadata, including IAM policies.", "etag": "AA==", "has_privesc": true, "name": "roles/storage.legacyBucketOwner", "stage": "GA", "title": "Storage Legacy Bucket Owner" }, { "description": "Grants permission to list a bucket's contents and read bucket metadata, excluding IAM policies. Also grants permission to read object metadata when listing objects (excluding IAM policies).", "etag": "AA==", "name": "roles/storage.legacyBucketReader", "stage": "GA", "title": "Storage Legacy Bucket Reader" }, { "description": "Grants permission to create, replace, and delete objects; list objects in a bucket; read object metadata when listing (excluding IAM policies); and read bucket metadata, excluding IAM policies.", "etag": "AA==", "name": "roles/storage.legacyBucketWriter", "stage": "GA", "title": "Storage Legacy Bucket Writer" }, { "description": "Grants permission to view and edit objects and their metadata, including ACLs.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/storage.legacyObjectOwner", "stage": "GA", "title": "Storage Legacy Object Owner" }, { "description": "Grants permission to view objects and their metadata, excluding ACLs.", "etag": "AA==", "has_dataaccess": true, "name": "roles/storage.legacyObjectReader", "stage": "GA", "title": "Storage Legacy Object Reader" }, { "description": "Grants full control over objects, including listing, creating, viewing, and deleting objects.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/storage.objectAdmin", "stage": "GA", "title": "Storage Object Admin" }, { "description": "Allows users to create objects. Does not give permission to view, delete, or replace objects.", "etag": "AA==", "name": "roles/storage.objectCreator", "stage": "GA", "title": "Storage Object Creator" }, { "description": "Access to create, read, update and delete objects and multipart uploads in GCS.", "etag": "AA==", "has_dataaccess": true, "name": "roles/storage.objectUser", "stage": "GA", "title": "Storage Object User" }, { "description": "Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.", "etag": "AA==", "has_dataaccess": true, "name": "roles/storage.objectViewer", "stage": "GA", "title": "Storage Object Viewer" }, { "description": "Full access to Storage Insights resources.", "etag": "AA==", "name": "roles/storageinsights.admin", "stage": "GA", "title": "Storage Insights Admin" }, { "description": "Data access to Storage Insights.", "etag": "AA==", "name": "roles/storageinsights.analyst", "stage": "GA", "title": "Storage Insights Analyst" }, { "description": "Permissions for Insights to write reports into customer project", "etag": "AA==", "name": "roles/storageinsights.serviceAgent", "stage": "GA", "title": "StorageInsights Service Agent" }, { "description": "Readonly access to Storage Insights resources.", "etag": "AA==", "name": "roles/storageinsights.viewer", "stage": "GA", "title": "Storage Insights Viewer" }, { "description": "Create, update and manage transfer jobs and operations.", "etag": "AA==", "name": "roles/storagetransfer.admin", "stage": "GA", "title": "Storage Transfer Admin" }, { "description": "Grants Storage Transfer Service Agent permissions required to run transfers", "etag": "AA==", "has_dataaccess": true, "name": "roles/storagetransfer.serviceAgent", "stage": "GA", "title": "Storage Transfer Service Agent" }, { "description": "Perform transfers from an agent.", "etag": "AA==", "has_dataaccess": true, "name": "roles/storagetransfer.transferAgent", "stage": "GA", "title": "Storage Transfer Agent" }, { "description": "Create and update storage transfer jobs and operations.", "etag": "AA==", "name": "roles/storagetransfer.user", "stage": "GA", "title": "Storage Transfer User" }, { "description": "Read access to storage transfer jobs and operations.", "etag": "AA==", "name": "roles/storagetransfer.viewer", "stage": "GA", "title": "Storage Transfer Viewer" }, { "description": "Full access to Stream all resources.", "etag": "AA==", "name": "roles/stream.admin", "stage": "GA", "title": "Stream Admin" }, { "description": "Full access to all StreamContent resources.", "etag": "AA==", "name": "roles/stream.contentAdmin", "stage": "GA", "title": "Stream Content Admin" }, { "description": "Read and build access to StreamContent resources.", "etag": "AA==", "name": "roles/stream.contentBuilder", "stage": "GA", "title": "Stream Content Builder" }, { "description": "Full access to all StreamInstance resources and Read access to all StreamContent resources.", "etag": "AA==", "name": "roles/stream.instanceAdmin", "stage": "GA", "title": "Stream Instance Admin" }, { "description": "Gives Immersive Stream for XR access to the required resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/stream.serviceAgent", "stage": "GA", "title": "Stream Service Agent" }, { "description": "Read-only access to Stream all resources.", "etag": "AA==", "name": "roles/stream.viewer", "stage": "GA", "title": "Stream Viewer" }, { "description": "Access DevTools for Subscribe with Google", "etag": "AA==", "name": "roles/subscribewithgoogledeveloper.developer", "stage": "BETA", "title": "Subscribe with Google Developer" }, { "description": "Full access to Telco Automation resources.", "etag": "AA==", "name": "roles/telcoautomation.admin", "stage": "BETA", "title": "Telco Automation Admin" }, { "description": "Ability to manage blueprints", "etag": "AA==", "name": "roles/telcoautomation.blueprintDesigner", "stage": "BETA", "title": "Telco Automation Blueprint Designer" }, { "description": "Ability to manage deployments", "etag": "AA==", "name": "roles/telcoautomation.deploymentAdmin", "stage": "BETA", "title": "Telco Automation Deployment Admin" }, { "description": "Ability to get status of deployments", "etag": "AA==", "name": "roles/telcoautomation.opsAdminTier1", "stage": "BETA", "title": "Telco Automation Tier 1 Operations Admin" }, { "description": "Ability to manage deployments and their status", "etag": "AA==", "name": "roles/telcoautomation.opsAdminTier4", "stage": "BETA", "title": "Telco Automation Tier 4 Operations Admin" }, { "description": "Ability to manage deployments", "etag": "AA==", "name": "roles/telcoautomation.serviceOrchestrator", "stage": "BETA", "title": "Telco Automation Service Orchestrator" }, { "description": "Edit access to DataSets.", "etag": "AA==", "name": "roles/timeseriesinsights.datasetsEditor", "stage": "BETA", "title": "Timeseries Insights DataSet Editor" }, { "description": "Full access to DataSets.", "etag": "AA==", "name": "roles/timeseriesinsights.datasetsOwner", "stage": "BETA", "title": "Timeseries Insights DataSet Owner" }, { "description": "Read-only access (List and Query) to DataSets.", "etag": "AA==", "name": "roles/timeseriesinsights.datasetsViewer", "stage": "BETA", "title": "Timeseries Insights DataSet Viewer" }, { "description": "Full access to TPU nodes and related resources.", "etag": "AA==", "name": "roles/tpu.admin", "stage": "GA", "title": "TPU Admin" }, { "description": "Give Cloud TPUs service account access to managed resources", "etag": "AA==", "name": "roles/tpu.serviceAgent", "stage": "GA", "title": "Cloud TPU API Service Agent" }, { "description": "Read-only access to TPU nodes and related resources.", "etag": "AA==", "name": "roles/tpu.viewer", "stage": "GA", "title": "TPU Viewer" }, { "description": "Can use shared VPC network (XPN) for the TPU VMs.", "etag": "AA==", "name": "roles/tpu.xpnAgent", "stage": "GA", "title": "TPU Shared VPC Agent" }, { "description": "Traffic Director Client to fetch service configurations and report metrics", "etag": "AA==", "name": "roles/trafficdirector.client", "stage": "BETA", "title": "Traffic Director Client" }, { "description": "Full access to all transcoder resources.", "etag": "AA==", "name": "roles/transcoder.admin", "stage": "GA", "title": "Transcoder Admin" }, { "description": "Downloads and uploads media files from and to customer GCS buckets. Publishes status updates to customer Pub/Sub.", "etag": "AA==", "has_dataaccess": true, "name": "roles/transcoder.serviceAgent", "stage": "GA", "title": "Transcoder Service Agent" }, { "description": "Viewer of all transcoder resources.", "etag": "AA==", "name": "roles/transcoder.viewer", "stage": "GA", "title": "Transcoder Viewer" }, { "description": "Full access to Transfer Appliance all resources.", "etag": "AA==", "name": "roles/transferappliance.admin", "stage": "BETA", "title": "Transfer Appliance Admin" }, { "description": "Read-only access to Transfer Appliance all resources.", "etag": "AA==", "name": "roles/transferappliance.viewer", "stage": "BETA", "title": "Transfer Appliance Viewer" }, { "description": "Admin of Translation Hub", "etag": "AA==", "name": "roles/translationhub.admin", "stage": "BETA", "title": "Translation Hub Admin" }, { "description": "Portal user of Translation Hub", "etag": "AA==", "name": "roles/translationhub.portalUser", "stage": "BETA", "title": "Translation Hub Portal User" }, { "description": "Full access to all video stitcher resources.", "etag": "AA==", "name": "roles/videostitcher.admin", "stage": "GA", "title": "Video Stitcher Admin" }, { "description": "Full access to video stitcher sessions.", "etag": "AA==", "name": "roles/videostitcher.user", "stage": "GA", "title": "Video Stitcher User" }, { "description": "Read-only access to video stitcher resources.", "etag": "AA==", "name": "roles/videostitcher.viewer", "stage": "GA", "title": "Video Stitcher Viewer" }, { "description": "View most Google Cloud resources. See the list of included permissions.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/viewer", "stage": "GA", "title": "Viewer" }, { "description": "Full access to Vision AI all resources.", "etag": "AA==", "name": "roles/visionai.admin", "stage": "BETA", "title": "VisionAI Admin" }, { "description": "Access to read and write Vision AI Analyses.", "etag": "AA==", "name": "roles/visionai.analysisEditor", "stage": "BETA", "title": "Vision AI Analysis Editor" }, { "description": "Access to read Vision AI Analyses.", "etag": "AA==", "name": "roles/visionai.analysisViewer", "stage": "BETA", "title": "Vision AI Analysis Viewer" }, { "description": "Grants access to edit media asset annotations into the Warehouse.", "etag": "AA==", "name": "roles/visionai.annotationEditor", "stage": "BETA", "title": "VisionAI Warehouse Annotation Editor" }, { "description": "Grants access to view media asset annotations into the Warehouse.", "etag": "AA==", "name": "roles/visionai.annotationViewer", "stage": "BETA", "title": "VisionAI Warehouse Annotation Viewer" }, { "description": "Access to read and write Vision AI Applications.", "etag": "AA==", "name": "roles/visionai.applicationEditor", "stage": "BETA", "title": "Vision AI Application Editor" }, { "description": "Access to read Vision AI Applications.", "etag": "AA==", "name": "roles/visionai.applicationViewer", "stage": "BETA", "title": "Vision AI Application Viewer" }, { "description": "Grants access to ingest media assets into the Warehouse.", "etag": "AA==", "name": "roles/visionai.assetCreator", "stage": "BETA", "title": "VisionAI Warehouse Asset Creator" }, { "description": "Grants access to edit media assets into the Warehouse.", "etag": "AA==", "name": "roles/visionai.assetEditor", "stage": "BETA", "title": "VisionAI Warehouse Asset Editor" }, { "description": "Grants access to view media assets into the Warehouse.", "etag": "AA==", "name": "roles/visionai.assetViewer", "stage": "BETA", "title": "VisionAI Warehouse Asset Viewer" }, { "description": "Access to read and write Vision AI Cluster.", "etag": "AA==", "name": "roles/visionai.clusterEditor", "stage": "BETA", "title": "Vision AI Cluster Editor" }, { "description": "Access to read Vision AI Clusters.", "etag": "AA==", "name": "roles/visionai.clusterViewer", "stage": "BETA", "title": "Vision AI Cluster Viewer" }, { "description": "Full control to everything in a corpus including corpus access control.", "etag": "AA==", "name": "roles/visionai.corpusAdmin", "stage": "BETA", "title": "VisionAI Warehouse Corpus Administrator" }, { "description": "Read-write access to everything in a corpus.", "etag": "AA==", "name": "roles/visionai.corpusEditor", "stage": "BETA", "title": "VisionAI Warehouse Corpus Editor" }, { "description": "Grants access to view everything in a corpus.", "etag": "AA==", "name": "roles/visionai.corpusViewer", "stage": "BETA", "title": "VisionAI Warehouse Corpus Viewer" }, { "description": "Grants access to create/update/delete everything in a corpus.", "etag": "AA==", "name": "roles/visionai.corpusWriter", "stage": "BETA", "title": "VisionAI Warehouse Corpus Writer" }, { "description": "Edit access to Vision AI all resources.", "etag": "AA==", "name": "roles/visionai.editor", "stage": "BETA", "title": "VisionAI Editor" }, { "description": "Access to read and write Vision AI Events.", "etag": "AA==", "name": "roles/visionai.eventEditor", "stage": "BETA", "title": "Vision AI Event Editor" }, { "description": "Access to read Vision AI Events.", "etag": "AA==", "name": "roles/visionai.eventViewer", "stage": "BETA", "title": "Vision AI Event Viewer" }, { "description": "Full control of all Media Warehouse resources and permissions.", "etag": "AA==", "name": "roles/visionai.indexEndpointAdmin", "stage": "BETA", "title": "VisionAI Warehouse IndexEndpoint Administrator" }, { "description": "Read, write and create access to all index endpoints level resources.", "etag": "AA==", "name": "roles/visionai.indexEndpointEditor", "stage": "BETA", "title": "VisionAI Warehouse IndexEndpoint Editor" }, { "description": "Grants access to view all index endpoint resources and be able to search on them. (ReadOnly)\n", "etag": "AA==", "name": "roles/visionai.indexEndpointViewer", "stage": "BETA", "title": "VisionAI Warehouse IndexEndpoint Viewer" }, { "description": "Grants access to perform update, delete, deploy and undeploy operations on the index endpoint.\n", "etag": "AA==", "name": "roles/visionai.indexEndpointWriter", "stage": "BETA", "title": "VisionAI Warehouse IndexEndpoint Writer" }, { "description": "Access to read and write Vision AI Operators.", "etag": "AA==", "name": "roles/visionai.operatorEditor", "stage": "BETA", "title": "Vision AI Operator Editor" }, { "description": "Access to read Vision AI Operators.", "etag": "AA==", "name": "roles/visionai.operatorViewer", "stage": "BETA", "title": "Vision AI Operator Viewer" }, { "description": "Access to read Vision AI Series.", "etag": "AA==", "name": "roles/visionai.packetReceiver", "stage": "BETA", "title": "Vision AI Packet Receiver" }, { "description": "Packet sender to the series.", "etag": "AA==", "name": "roles/visionai.packetSender", "stage": "BETA", "title": "Vision AI Packet Sender" }, { "description": "Access to read and write Vision AI Processors.", "etag": "AA==", "name": "roles/visionai.processorEditor", "stage": "BETA", "title": "Vision AI Processor Editor" }, { "description": "Access to read Vision AI Processors.", "etag": "AA==", "name": "roles/visionai.processorViewer", "stage": "BETA", "title": "Vision AI Processor Viewer" }, { "description": "Access to read and write Vision AI RetailCatalogs.", "etag": "AA==", "name": "roles/visionai.retailcatalogEditor", "stage": "BETA", "title": "Vision AI RetailCatalog Editor" }, { "description": "Access to read Vision AI RetailCatalogs.", "etag": "AA==", "name": "roles/visionai.retailcatalogViewer", "stage": "BETA", "title": "Vision AI RetailCatalog Viewer" }, { "description": "Access to read and write Vision AI RetailEndpoints.", "etag": "AA==", "name": "roles/visionai.retailendpointEditor", "stage": "BETA", "title": "Vision AI RetailEndpoint Editor" }, { "description": "Access to read Vision AI RetailEndpoints.", "etag": "AA==", "name": "roles/visionai.retailendpointViewer", "stage": "BETA", "title": "Vision AI RetailEndpoint Viewer" }, { "description": "Access to read and write Vision AI Series.", "etag": "AA==", "name": "roles/visionai.seriesEditor", "stage": "BETA", "title": "Vision AI Series Editor" }, { "description": "Access to read Vision AI Series.", "etag": "AA==", "name": "roles/visionai.seriesViewer", "stage": "BETA", "title": "Vision AI Series Viewer" }, { "description": "Grants Cloud Vision AI service account permissions to manage resources in consumer project", "etag": "AA==", "has_dataaccess": true, "name": "roles/visionai.serviceAgent", "stage": "GA", "title": "Cloud Vision AI Service Agent" }, { "description": "Access to read and write Vision AI Streams.", "etag": "AA==", "name": "roles/visionai.streamEditor", "stage": "BETA", "title": "Vision AI Stream Editor" }, { "description": "Access to read Vision AI Streams.", "etag": "AA==", "name": "roles/visionai.streamViewer", "stage": "BETA", "title": "Vision AI Stream Viewer" }, { "description": "Access to read & write Vision AI UI Streams.", "etag": "AA==", "name": "roles/visionai.uiStreamEditor", "stage": "BETA", "title": "Vision AI UI Stream Editor" }, { "description": "Access to read Vision AI UI Streams.", "etag": "AA==", "name": "roles/visionai.uiStreamViewer", "stage": "BETA", "title": "Vision AI UI Stream Viewer" }, { "description": "View access to Vision AI all resources.", "etag": "AA==", "name": "roles/visionai.viewer", "stage": "BETA", "title": "VisionAI Viewer" }, { "description": "Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics", "etag": "AA==", "name": "roles/visualinspection.editor", "stage": "GA", "title": "Visual Inspection AI Solution Editor" }, { "description": "Grants Visual Inspection AI Service Agent admin roles for accessing/exporting training data, pushing containers artifacts to GCR and ArtifactsRegistry, and Vertex AI for storing data and running training jobs.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/visualinspection.serviceAgent", "stage": "GA", "title": "Visual Inspection AI Service Agent" }, { "description": "ReportUsageMetric access to Visual Inspection AI Service", "etag": "AA==", "name": "roles/visualinspection.usageMetricsReporter", "stage": "GA", "title": "Visual Inspection AI Usage Metrics Reporter" }, { "description": "Read access to Visual Inspection AI resources", "etag": "AA==", "name": "roles/visualinspection.viewer", "stage": "GA", "title": "Visual Inspection AI Viewer" }, { "description": "Ability to view and edit all VM Migration objects", "etag": "AA==", "name": "roles/vmmigration.admin", "stage": "BETA", "title": "VM Migration Administrator" }, { "description": "Grants VM Migration Service Account access to create migrated VMs, disks and images in the user project.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "name": "roles/vmmigration.serviceAgent", "stage": "GA", "title": "VM Migration Service Agent" }, { "description": "Ability to view all VM Migration objects", "etag": "AA==", "name": "roles/vmmigration.viewer", "stage": "BETA", "title": "VM Migration Viewer" }, { "description": "Gives permission to manage network configuration, such as establishing network peering, necessary for GCVE", "etag": "AA==", "name": "roles/vmwareengine.serviceAgent", "stage": "GA", "title": "VMware Engine Service Agent" }, { "description": "Admin has full access to VMware Engine Service", "etag": "AA==", "name": "roles/vmwareengine.vmwareengineAdmin", "stage": "GA", "title": "VMware Engine Service Admin" }, { "description": "Viewer has read-only access to VMware Engine Service", "etag": "AA==", "name": "roles/vmwareengine.vmwareengineViewer", "stage": "GA", "title": "VMware Engine Service Viewer" }, { "description": "Full access to all Serverless VPC Access resources", "etag": "AA==", "name": "roles/vpcaccess.admin", "stage": "GA", "title": "Serverless VPC Access Admin" }, { "description": "Can create and manage resources to support serverless application to connect to virtual private cloud.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/vpcaccess.serviceAgent", "stage": "GA", "title": "Serverless VPC Access Service Agent" }, { "description": "User of Serverless VPC Access connectors", "etag": "AA==", "name": "roles/vpcaccess.user", "stage": "GA", "title": "Serverless VPC Access User" }, { "description": "Viewer of all Serverless VPC Access resources", "etag": "AA==", "name": "roles/vpcaccess.viewer", "stage": "GA", "title": "Serverless VPC Access Viewer" }, { "description": "Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details.", "etag": "AA==", "name": "roles/websecurityscanner.serviceAgent", "stage": "GA", "title": "Cloud Web Security Scanner Service Agent" }, { "description": "Full access to workflows and related resources.", "etag": "AA==", "name": "roles/workflows.admin", "stage": "GA", "title": "Workflows Admin" }, { "description": "Read and write access to workflows and related resources, including development and debugging of workflows.", "etag": "AA==", "name": "roles/workflows.editor", "stage": "GA", "title": "Workflows Editor" }, { "description": "Access to execute workflows and manage the executions using the API. Does not provide access to develop and debug workflows.", "etag": "AA==", "name": "roles/workflows.invoker", "stage": "GA", "title": "Workflows Invoker" }, { "description": "Gives Cloud Workflows service account access to managed resources.", "etag": "AA==", "has_privesc": true, "name": "roles/workflows.serviceAgent", "stage": "GA", "title": "Cloud Workflows Service Agent" }, { "description": "Read-only access to workflows and related resources.", "etag": "AA==", "name": "roles/workflows.viewer", "stage": "GA", "title": "Workflows Viewer" }, { "description": "Full access to all Workload Certificate API resources.", "etag": "AA==", "name": "roles/workloadcertificate.admin", "stage": "BETA", "title": "Workload Certificate Admin" }, { "description": "Full access to WorkloadRegistration resources.", "etag": "AA==", "name": "roles/workloadcertificate.registrationAdmin", "stage": "BETA", "title": "Workload Certificate Registration Admin" }, { "description": "Read-only access to WorkloadRegistration resources.", "etag": "AA==", "name": "roles/workloadcertificate.registrationViewer", "stage": "BETA", "title": "Workload Certificate Registration Viewer" }, { "description": "Gives the Workload Certificate service agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/workloadcertificate.serviceAgent", "stage": "GA", "title": "Workload Certificate Service Agent" }, { "description": "Read-only access to Workload Certificate all resources.", "etag": "AA==", "name": "roles/workloadcertificate.viewer", "stage": "BETA", "title": "Workload Certificate Viewer" }, { "description": "Full access to Workload Manager all resources.", "etag": "AA==", "name": "roles/workloadmanager.admin", "stage": "BETA", "title": "Workload Manager Admin" }, { "description": "Full access to Workload Manager deployment resources.", "etag": "AA==", "name": "roles/workloadmanager.deploymentAdmin", "stage": "BETA", "title": "Workload Manager Deployment Admin" }, { "description": "Read-only access to Workload Manager deployment resources.", "etag": "AA==", "name": "roles/workloadmanager.deploymentViewer", "stage": "BETA", "title": "Workload Manager Deployment Viewer" }, { "description": "Full access to Workload Manager evaluation resources.", "etag": "AA==", "name": "roles/workloadmanager.evaluationAdmin", "stage": "BETA", "title": "Workload Manager Evaluation Admin" }, { "description": "Read-only access to Workload Manager evaluation resources.", "etag": "AA==", "name": "roles/workloadmanager.evaluationViewer", "stage": "BETA", "title": "Workload Manager Evaluation Viewer" }, { "description": "The role used by Workload Manager application runners to read and update workloads.", "etag": "AA==", "name": "roles/workloadmanager.evaluationWorker", "stage": "BETA", "title": "Workload Manager Evaluation Worker" }, { "description": "The role used to write data to WLM data warehouse.", "etag": "AA==", "name": "roles/workloadmanager.insightWriter", "stage": "BETA", "title": "Workload Manager Insights Writer" }, { "description": "Gives Workload Manager Service Agent access to CAI export functions and Cloud Monitoring.", "etag": "AA==", "name": "roles/workloadmanager.serviceAgent", "stage": "GA", "title": "Workload Manager Service Agent" }, { "description": "Read-only access to Workload Manager all resources.", "etag": "AA==", "name": "roles/workloadmanager.viewer", "stage": "BETA", "title": "Workload Manager Viewer" }, { "description": "The role used by Workload Manager application runners to read and update workloads.", "etag": "AA==", "name": "roles/workloadmanager.worker", "stage": "BETA", "title": "Workload Manager Worker" }, { "description": "Grants CRUD access to all Workstation resources.", "etag": "AA==", "name": "roles/workstations.admin", "stage": "GA", "title": "Cloud Workstations Admin" }, { "description": "Grants ability to connect a Workstation Cluster to a shared VPC network.", "etag": "AA==", "name": "roles/workstations.networkAdmin", "stage": "GA", "title": "Cloud Workstations Network Admin" }, { "description": "Grants ability to view Cloud Workstations API operations.", "etag": "AA==", "name": "roles/workstations.operationViewer", "stage": "GA", "title": "Cloud Workstations Operation Viewer" }, { "description": "Grants the Workstations Service Account access to manage resources in consumer project.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/workstations.serviceAgent", "stage": "GA", "title": "Workstations Service Agent" }, { "description": "Grants runtime access to Workstation resources.", "etag": "AA==", "name": "roles/workstations.user", "stage": "GA", "title": "Cloud Workstations User" }, { "description": "Grants ability to create Workstation resources.", "etag": "AA==", "name": "roles/workstations.workstationCreator", "stage": "GA", "title": "Cloud Workstations Creator" } ]