[ { "description": "Ability to view or act on access approval requests and view configuration.", "etag": "AA==", "name": "roles/accessapproval.approver", "stage": "GA", "title": "Access Approval Approver" }, { "description": "Ability to update the Access Approval configuration.", "etag": "AA==", "name": "roles/accessapproval.configEditor", "stage": "GA", "title": "Access Approval Config Editor" }, { "description": "Ability to invalidate existing approved approval requests", "etag": "AA==", "name": "roles/accessapproval.invalidator", "stage": "GA", "title": "Access Approval Invalidator" }, { "description": "Ability to view access approval requests and configuration", "etag": "AA==", "name": "roles/accessapproval.viewer", "stage": "GA", "title": "Access Approval Viewer" }, { "description": "Create, edit, and change Cloud access bindings.", "etag": "AA==", "name": "roles/accesscontextmanager.gcpAccessAdmin", "stage": "GA", "title": "Cloud Access Binding Admin" }, { "description": "Read access to Cloud access bindings.", "etag": "AA==", "name": "roles/accesscontextmanager.gcpAccessReader", "stage": "GA", "title": "Cloud Access Binding Reader" }, { "description": "Full access to policies, access levels, access zones and authorized orgs descs.", "etag": "AA==", "name": "roles/accesscontextmanager.policyAdmin", "stage": "GA", "title": "Access Context Manager Admin" }, { "description": "Edit access to policies. 
Create, edit, and change access levels, access zones and authorized orgs descs.", "etag": "AA==", "name": "roles/accesscontextmanager.policyEditor", "stage": "GA", "title": "Access Context Manager Editor" }, { "description": "Read access to policies, access levels, access zones and authorized orgs descs.", "etag": "AA==", "name": "roles/accesscontextmanager.policyReader", "stage": "GA", "title": "Access Context Manager Reader" }, { "etag": "AA==", "name": "roles/accesscontextmanager.vpcScTroubleshooterViewer", "stage": "GA", "title": "VPC Service Controls Troubleshooter Viewer" }, { "description": "Access to edit and deploy an action", "etag": "AA==", "name": "roles/actions.Admin", "stage": "GA", "title": "Actions Admin" }, { "description": "Access to view an action", "etag": "AA==", "name": "roles/actions.Viewer", "stage": "GA", "title": "Actions Viewer" }, { "description": "Grants write access to settings in Advisory Notifications", "etag": "AA==", "name": "roles/advisorynotifications.admin", "stage": "GA", "title": "Advisory Notifications Admin" }, { "description": "Grants view access in Advisory Notifications", "etag": "AA==", "name": "roles/advisorynotifications.viewer", "stage": "GA", "title": "Advisory Notifications Viewer" }, { "description": "Grants AI Edge Portal Service Agent permissions required to read/write data to GCS buckets", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/aiedgeportal.serviceAgent", "stage": "GA", "title": "AI Edge Portal Service Agent" }, { "description": "Grants full access to all resources in Vertex AI", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.admin", "stage": "GA", "title": "Vertex AI Administrator" }, { "description": "Vertex AI Batch Prediction Service Agent for serving batch prediction requests.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/aiplatform.batchPredictionServiceAgent", "stage": "GA", "title": "Vertex AI Batch 
Prediction Service Agent" }, { "description": "Admin role of using colab enterprise.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.colabEnterpriseAdmin", "stage": "GA", "title": "Colab Enterprise Admin" }, { "description": "User role of using colab enterprise.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.colabEnterpriseUser", "stage": "GA", "title": "Colab Enterprise User" }, { "description": "Gives Vertex AI Colab the proper permissions to function.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/aiplatform.colabServiceAgent", "stage": "GA", "title": "Vertex AI Colab Service Agent" }, { "description": "Gives Vertex AI Custom Code the proper permissions.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/aiplatform.customCodeServiceAgent", "stage": "GA", "title": "Vertex AI Custom Code Service Agent" }, { "description": "Provides full access to all permissions for a particular entity type resource.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.entityTypeOwner", "stage": "GA", "title": "Vertex AI Feature Store EntityType owner" }, { "description": "Grants admin access to Vertex AI Express", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.expressAdmin", "stage": "BETA", "title": "Vertex AI Platform Express Admin" }, { "description": "Grants user access to Vertex AI Express", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.expressUser", "stage": "BETA", "title": "Vertex AI Platform Express User" }, { "description": "Gives Vertex AI Extension that executes custom code the permissions it needs to function.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/aiplatform.extensionCustomCodeServiceAgent", "stage": "GA", "title": "Vertex AI Extension Custom Code Service 
Agent" }, { "description": "Gives Vertex AI Extension the permissions it needs to function.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/aiplatform.extensionServiceAgent", "stage": "GA", "title": "Vertex AI Extension Service Agent" }, { "description": "Grants full access to all resources in Vertex AI Feature Store", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.featurestoreAdmin", "stage": "GA", "title": "Vertex AI Feature Store Admin" }, { "description": "This role provides permissions to read Feature data.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.featurestoreDataViewer", "stage": "GA", "title": "Vertex AI Feature Store Data Viewer" }, { "description": "This role provides permissions to read and write Feature data.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.featurestoreDataWriter", "stage": "GA", "title": "Vertex AI Feature Store Data Writer" }, { "description": "Administrator of Featurestore resources, but not the child resources under Featurestores.", "etag": "AA==", "name": "roles/aiplatform.featurestoreInstanceCreator", "stage": "GA", "title": "Vertex AI Feature Store Instance Creator" }, { "description": "Viewer of all resources in Vertex AI Feature Store but cannot make changes.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.featurestoreResourceViewer", "stage": "GA", "title": "Vertex AI Feature Store Resource Viewer" }, { "description": "Deprecated. 
Use featurestoreAdmin instead.", "etag": "AA==", "name": "roles/aiplatform.featurestoreUser", "stage": "BETA", "title": "Vertex AI Feature Store User" }, { "description": "Grants edit access to Memory for Agent Engine.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.memoryEditor", "stage": "GA", "title": "Vertex AI Agent Engine Memory Editor Role" }, { "description": "Grants full user access to Memory for Agent Engine.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.memoryUser", "stage": "GA", "title": "Vertex AI Agent Engine Memory User Role" }, { "description": "Grants viewer access to Memory for Agent Engine.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.memoryViewer", "stage": "GA", "title": "Vertex AI Agent Engine Memory Viewer Role" }, { "description": "Grants access to use migration service in Vertex AI", "etag": "AA==", "name": "roles/aiplatform.migrator", "stage": "GA", "title": "Vertex AI Migration Service User" }, { "description": "Gives Vertex AI Model Monitoring the permissions it needs to function.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/aiplatform.modelMonitoringServiceAgent", "stage": "GA", "title": "Vertex AI Model Monitoring Service Agent" }, { "description": "Grants users full access to schedules and notebook execution jobs.", "etag": "AA==", "name": "roles/aiplatform.notebookExecutorUser", "stage": "BETA", "title": "Notebook Executor User" }, { "description": "Grants full access to all runtime templates and runtimes in Notebook Service.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.notebookRuntimeAdmin", "stage": "GA", "title": "Notebook Runtime Admin" }, { "description": "Grants users permissions to create runtime resources using a runtime template and manage the runtime resources they created.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.notebookRuntimeUser", "stage": "GA", "title": 
"Notebook Runtime User" }, { "description": "Vertex AI Service Agent used to run Notebook managed resources in user project with restricted permissions.", "etag": "AA==", "name": "roles/aiplatform.notebookServiceAgent", "stage": "GA", "title": "Vertex AI Notebook Service Agent" }, { "description": "Gives Vertex AI Online Prediction the permissions it needs to function.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.onlinePredictionServiceAgent", "stage": "GA", "title": "Vertex AI Online Prediction Service Agent" }, { "description": "Grants access to use all resources related to Vertex AI Provisioned Throughput", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.provisionedThroughputAdmin", "stage": "BETA", "title": "Vertex AI Platform Provisioned Throughput Admin" }, { "description": "Grants Publisher access to use all resources related to Vertex AI Provisioned Throughput Orders", "etag": "AA==", "name": "roles/aiplatform.publisherProvisionedThroughputAdmin", "stage": "BETA", "title": "Vertex AI Platform Publisher Provisioned Throughput Admin" }, { "description": "Grants Publisher access to view all resources related to Vertex AI Provisioned Throughput Orders", "etag": "AA==", "name": "roles/aiplatform.publisherProvisionedThroughputViewer", "stage": "BETA", "title": "Vertex AI Platform Publisher Provisioned Throughput Viewer" }, { "description": "Vertex AI Service Agent used by Vertex RAG to access user imported data, Vertex AI, Document AI processors, and Vector Search in the project", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/aiplatform.ragServiceAgent", "stage": "GA", "title": "Vertex AI RAG Data Service Agent" }, { "description": "Vertex AI Service Agent used by GenAI Rapid Evaluation Service to access publisher model endpoints in the user project", "etag": "AA==", "name": "roles/aiplatform.rapidevalServiceAgent", "stage": "GA", "title": "Vertex AI Rapid Eval Service Agent" }, { 
"description": "Gives Vertex AI Reasoning Engine the proper permissions to function. The aiplatform.reasoningEngines.create IAM permission implies read access to the GCS objects of the consumer project through this service agent.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/aiplatform.reasoningEngineServiceAgent", "stage": "GA", "title": "Vertex AI Reasoning Engine Service Agent" }, { "description": "Gives Vertex AI the permissions it needs to function.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/aiplatform.serviceAgent", "stage": "GA", "title": "Vertex AI Service Agent" }, { "description": "Grants edit access to Session for Agent Engine.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.sessionEditor", "stage": "GA", "title": "Vertex AI Agent Engine Session Editor Role" }, { "description": "Grants full user access to Session for Agent Engine.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.sessionUser", "stage": "GA", "title": "Vertex AI Agent Engine Session User Role" }, { "description": "Grants viewer access to Session for Agent Engine.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.sessionViewer", "stage": "GA", "title": "Vertex AI Agent Engine Session Viewer Role" }, { "description": "Allows Vertex AI Telemetry Service Agent to access telemetry data.", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.telemetryServiceAgent", "stage": "GA", "title": "Vertex AI Telemetry Service Agent" }, { "description": "Grants access to the Vertex AI Tensorboard web app. 
Using the web app will incur charges.", "etag": "AA==", "name": "roles/aiplatform.tensorboardWebAppUser", "stage": "BETA", "title": "Vertex AI Tensorboard Web App User" }, { "description": "Vertex AI Service Agent used for tuning in user project.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/aiplatform.tuningServiceAgent", "stage": "GA", "title": "Vertex AI Tuning Service Agent" }, { "description": "Grants access to use all resource in Vertex AI", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.user", "stage": "GA", "title": "Vertex AI User" }, { "description": "Grants access to view all resource in Vertex AI", "etag": "AA==", "has_undocumented": true, "name": "roles/aiplatform.viewer", "stage": "GA", "title": "Vertex AI Viewer" }, { "description": "Full access to AlloyDB all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/alloydb.admin", "stage": "GA", "title": "AlloyDB Admin" }, { "description": "Connectivity access to AlloyDB instances.", "etag": "AA==", "has_undocumented": true, "name": "roles/alloydb.client", "stage": "GA", "title": "AlloyDB Client" }, { "description": "Role allowing access to login as a database user.", "etag": "AA==", "has_undocumented": true, "name": "roles/alloydb.databaseUser", "stage": "GA", "title": "AlloyDB Database User" }, { "description": "Gives the AlloyDB service account permission to manage customer resources", "etag": "AA==", "name": "roles/alloydb.serviceAgent", "stage": "GA", "title": "AlloyDB Service Agent" }, { "description": "Read-only access to AlloyDB all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/alloydb.viewer", "stage": "GA", "title": "AlloyDB Viewer" }, { "description": "Administer Data Exchanges and Listings", "etag": "AA==", "name": "roles/analyticshub.admin", "stage": "GA", "title": "Analytics Hub Admin" }, { "description": "Grants full control over the Listing, including updating, deleting and setting ACLs", 
"etag": "AA==", "name": "roles/analyticshub.listingAdmin", "stage": "GA", "title": "Analytics Hub Listing Admin" }, { "description": "Can publish to Data Exchanges thus creating Listings", "etag": "AA==", "name": "roles/analyticshub.publisher", "stage": "GA", "title": "Analytics Hub Publisher" }, { "description": "Can browse Data Exchanges and subscribe to Listings", "etag": "AA==", "name": "roles/analyticshub.subscriber", "stage": "GA", "title": "Analytics Hub Subscriber" }, { "description": "Grants full control over the Subscription, including updating and deleting", "etag": "AA==", "name": "roles/analyticshub.subscriptionOwner", "stage": "GA", "title": "Analytics Hub Subscription Owner" }, { "description": "Can browse Data Exchanges and Listings", "etag": "AA==", "name": "roles/analyticshub.viewer", "stage": "GA", "title": "Analytics Hub Viewer" }, { "description": "Full access to manage devices.", "etag": "AA==", "has_undocumented": true, "name": "roles/androidmanagement.user", "stage": "GA", "title": "Android Management User" }, { "description": "Gives the Anthos service agent access to Cloud Platformresources.", "etag": "AA==", "has_undocumented": true, "name": "roles/anthos.serviceAgent", "stage": "GA", "title": "Anthos Service Agent" }, { "description": "Gives the Anthos Audit service agent access toCloud Platform resources.", "etag": "AA==", "name": "roles/anthosaudit.serviceAgent", "stage": "GA", "title": "Anthos Audit Service Agent" }, { "description": "Gives the Anthos Config Management service agent access toCloud Platform resources.", "etag": "AA==", "name": "roles/anthosconfigmanagement.serviceAgent", "stage": "GA", "title": "Anthos Config Management Service Agent" }, { "description": "Gives the Anthos Identity service agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/anthosidentityservice.serviceAgent", "stage": "GA", "title": "Anthos Identity Service Agent" }, { "description": "Gives the Anthos Policy Controller service 
agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/anthospolicycontroller.serviceAgent", "stage": "GA", "title": "Anthos Policy Controller Service Agent" }, { "description": "Gives the Anthos Service Mesh service agent access to Cloud Platform resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/anthosservicemesh.serviceAgent", "stage": "GA", "title": "Anthos Service Mesh Service Agent" }, { "description": "Gives the Anthos Support Service Agent access to Cloud Platform resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/anthossupport.serviceAgent", "stage": "GA", "title": "Anthos Support Service Agent" }, { "description": "Full access to ApiGateway and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apigateway.admin", "stage": "GA", "title": "ApiGateway Admin" }, { "description": "Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.", "etag": "AA==", "has_privesc": true, "name": "roles/apigateway.serviceAgent", "stage": "GA", "title": "Cloud API Gateway Service Agent" }, { "description": "Read-only access to ApiGateway and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apigateway.viewer", "stage": "GA", "title": "ApiGateway Viewer" }, { "description": "Gives Cloud API Gateway service account access to retrieve a Service configuration.", "etag": "AA==", "has_undocumented": true, "name": "roles/apigateway_management.serviceAgent", "stage": "GA", "title": "Cloud API Gateway Management Service Agent" }, { "description": "Full access to all apigee resource features", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.admin", "stage": "GA", "title": "Apigee Organization Admin" }, { "description": "Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee 
Organization", "etag": "AA==", "name": "roles/apigee.analyticsAgent", "stage": "GA", "title": "Apigee Analytics Agent" }, { "description": "Analytics editor for an Apigee Organization", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.analyticsEditor", "stage": "GA", "title": "Apigee Analytics Editor" }, { "description": "Analytics viewer for an Apigee Organization", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.analyticsViewer", "stage": "GA", "title": "Apigee Analytics Viewer" }, { "description": "Full read/write access to all apigee API resources", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.apiAdminV2", "stage": "GA", "title": "Apigee API Admin" }, { "description": "Reader of apigee resources", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.apiReaderV2", "stage": "GA", "title": "Apigee API Reader" }, { "description": "Service agent that grants access to the resources for managing the lifecycle for Apigee APIM Service Extensions.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/apigee.apimServiceExtensionServiceAgent", "stage": "GA", "title": "Apigee APIM Service Extension Service Agent" }, { "description": "Invoker of deployments in the apigee runtime", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.deploymentInvoker", "stage": "GA", "title": "Apigee Deployment Invoker" }, { "description": "Developer admin of apigee resources", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.developerAdmin", "stage": "GA", "title": "Apigee Developer Admin" }, { "description": "Full read/write access to apigee environment resources, including deployments.", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.environmentAdmin", "stage": "GA", "title": "Apigee Environment Admin" }, { "description": "All permissions related to monetization", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.monetizationAdmin", "stage": "GA", 
"title": "Apigee Monetization Admin" }, { "description": "Portal admin for an Apigee Organization", "etag": "AA==", "name": "roles/apigee.portalAdmin", "stage": "GA", "title": "Apigee Portal Admin" }, { "description": "Viewer of all apigee resources", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.readOnlyAdmin", "stage": "GA", "title": "Apigee Read-only Admin" }, { "description": "Curated set of permissions for a runtime agent to access Apigee Organization resources", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.runtimeAgent", "stage": "GA", "title": "Apigee Runtime Agent" }, { "description": "Security admin for an Apigee Organization", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.securityAdmin", "stage": "GA", "title": "Apigee Security Admin" }, { "description": "Security viewer for an Apigee Organization", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.securityViewer", "stage": "GA", "title": "Apigee Security Viewer" }, { "description": "Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/apigee.serviceAgent", "stage": "GA", "title": "Apigee Service Agent" }, { "description": "Provides users granted permissions on an Apigee space the minimum read permissions required to manage resources in that space in the UI.", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.spaceConsoleUser", "stage": "GA", "title": "Apigee Space Console User" }, { "description": "Provides full access to resources that can be associated with a space. This role is intended to be granted at the space level.", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.spaceContentEditor", "stage": "GA", "title": "Apigee Space Content Editor" }, { "description": "Provides read access to resources that can be associated with a space. 
This role is intended to be granted at the space level.", "etag": "AA==", "has_undocumented": true, "name": "roles/apigee.spaceContentViewer", "stage": "GA", "title": "Apigee Space Content Viewer" }, { "description": "Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization", "etag": "AA==", "name": "roles/apigee.synchronizerManager", "stage": "GA", "title": "Apigee Synchronizer Manager" }, { "description": "Admin of Apigee Connect", "etag": "AA==", "name": "roles/apigeeconnect.Admin", "stage": "GA", "title": "Apigee Connect Admin" }, { "description": "Ability to set up Apigee Connect agent between external clusters and Google.", "etag": "AA==", "name": "roles/apigeeconnect.Agent", "stage": "GA", "title": "Apigee Connect Agent" }, { "description": "Full access to Cloud Apigee Registry Registry and Runtime resources.", "etag": "AA==", "name": "roles/apigeeregistry.admin", "stage": "BETA", "title": "Cloud Apigee Registry Admin" }, { "description": "Edit access to Cloud Apigee Registry Registry resources.", "etag": "AA==", "name": "roles/apigeeregistry.editor", "stage": "BETA", "title": "Cloud Apigee Registry Editor" }, { "description": "Read-only access to Cloud Apigee Registry Registry resources.", "etag": "AA==", "name": "roles/apigeeregistry.viewer", "stage": "BETA", "title": "Cloud Apigee Registry Viewer" }, { "description": "The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.", "etag": "AA==", "name": "roles/apigeeregistry.worker", "stage": "BETA", "title": "Cloud Apigee Registry Worker" }, { "description": "Full access to all Cloud API hub addon's resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apihub.addonsAdmin", "stage": "BETA", "title": "Cloud API hub Addons Admin" }, { "description": "Full access to all API hub resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apihub.admin", "stage": "BETA", "title": "Cloud API Hub Admin" }, { 
"description": "View API hub insights dashboards.", "etag": "AA==", "has_undocumented": true, "name": "roles/apihub.apiInsightsViewer", "stage": "BETA", "title": "Cloud API hub Insights Viewer" }, { "description": "Full access to all Cloud API hub attribute's resources.", "etag": "AA==", "name": "roles/apihub.attributeAdmin", "stage": "BETA", "title": "Cloud API hub Attributes Admin" }, { "description": "Edit access to most of Cloud API Hub resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apihub.editor", "stage": "BETA", "title": "Cloud API Hub Editor" }, { "description": "Full access to all Cloud API hub plugin's resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apihub.pluginAdmin", "stage": "BETA", "title": "Cloud API hub Plugins Admin" }, { "description": "Full access to Cloud API hub provisioning related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apihub.provisioningAdmin", "stage": "BETA", "title": "Cloud API hub Provisioning Admin" }, { "description": "Access to add/delete project as a runtime project attachment to API hub host project.", "etag": "AA==", "has_undocumented": true, "name": "roles/apihub.runTimeProjectAttachmentsEditor", "stage": "BETA", "title": "Cloud API hub Runtime Project Attachment Editor" }, { "description": "Gives API-Hub Service Account access to runtime project resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apihub.runtimeProjectServiceAgent", "stage": "GA", "title": "API-Hub Runtime Project Service Agent" }, { "description": "View access to all Cloud API hub resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apihub.viewer", "stage": "BETA", "title": "Cloud API hub Viewer" }, { "description": "Full access to API Management resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apim.admin", "stage": "BETA", "title": "API Management Admin" }, { "description": "Gives APIM the ability to manage resources in consumer 
project", "etag": "AA==", "has_privesc": true, "name": "roles/apim.apiDiscoveryServiceAgent", "stage": "GA", "title": "APIM API Discovery Service Agent" }, { "description": "Readonly access to API Management resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apim.viewer", "stage": "BETA", "title": "API Management Viewer" }, { "description": "Give the App Development Experience service agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/appdevelopmentexperience.serviceAgent", "stage": "GA", "title": "App Development Experience Service Agent" }, { "description": "Full management of App Engine apps (but not storage).", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/appengine.appAdmin", "stage": "GA", "title": "App Engine Admin" }, { "description": "Ability to create the App Engine resource for the project.", "etag": "AA==", "name": "roles/appengine.appCreator", "stage": "GA", "title": "App Engine Creator" }, { "description": "Ability to view App Engine app status.", "etag": "AA==", "has_undocumented": true, "name": "roles/appengine.appViewer", "stage": "GA", "title": "App Engine Viewer" }, { "description": "Ability to view App Engine app status and deployed source code.", "etag": "AA==", "has_undocumented": true, "name": "roles/appengine.codeViewer", "stage": "GA", "title": "App Engine Code Viewer" }, { "description": "Ability to read or manage v2 instances.", "etag": "AA==", "has_dataaccess": true, "name": "roles/appengine.debugger", "stage": "GA", "title": "App Engine Managed VM Debug Access" }, { "description": "Necessary permissions to deploy new code to App Engine, and remove old versions.", "etag": "AA==", "has_undocumented": true, "name": "roles/appengine.deployer", "stage": "GA", "title": "App Engine Deployer" }, { "description": "Can get, set, delete, and flush App Engine Memcache items.", "etag": "AA==", "has_dataaccess": true, "name": "roles/appengine.memcacheDataAdmin", "stage": 
"GA", "title": "App Engine Memcache Data Admin" }, { "description": "Can view and change traffic splits, scaling settings, and delete old versions; can't create new versions.", "etag": "AA==", "has_undocumented": true, "name": "roles/appengine.serviceAdmin", "stage": "GA", "title": "App Engine Service Admin" }, { "description": "Give App Engine Standard Environment service account access to managed resources. Includes access to service accounts.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/appengine.serviceAgent", "stage": "GA", "title": "App Engine Standard Environment Service Agent" }, { "description": "Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/appengineflex.serviceAgent", "stage": "GA", "title": "App Engine flexible environment Service Agent" }, { "description": "Full access to App Hub resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apphub.admin", "stage": "GA", "title": "App Hub Admin" }, { "description": "This role, an aggregation of read permissions across multiple app centric products.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/apphub.appManagementViewer", "stage": "BETA", "title": "App Management Viewer" }, { "description": "Edit access to App Hub resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apphub.editor", "stage": "GA", "title": "App Hub Editor" }, { "description": "View access to App Hub resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apphub.viewer", "stage": "GA", "title": "App Hub Viewer" }, { "description": "Grants access to approve commands to run on appliances", "etag": "AA==", "name": "roles/applianceactivation.approver", "stage": "BETA", "title": "Appliance troubleshooting commands approver" }, { 
"description": "Grants access to read commands for an appliance and send its result.", "etag": "AA==", "name": "roles/applianceactivation.client", "stage": "BETA", "title": "On-appliance troubleshooting client" }, { "description": "Grants access to send new commands to run on appliances and view the outputs", "etag": "AA==", "name": "roles/applianceactivation.troubleshooter", "stage": "BETA", "title": "Appliance troubleshooter" }, { "description": "Workspace Marketplace App Configuration Admin", "etag": "AA==", "has_undocumented": true, "name": "roles/appmetadata.workspaceMarketplaceAppConfigurationAdmin", "stage": "GA", "title": "Workspace Marketplace App Configuration Admin" }, { "description": "Readonly access to App Topology resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/apptopology.viewer", "stage": "BETA", "title": "App Topology Viewer" }, { "description": "Administrator access to create and manage repositories.", "etag": "AA==", "has_undocumented": true, "name": "roles/artifactregistry.admin", "stage": "GA", "title": "Artifact Registry Administrator" }, { "description": "Access to read attachments from a repository", "etag": "AA==", "has_undocumented": true, "name": "roles/artifactregistry.attachmentReader", "stage": "GA", "title": "Artifact Registry Attachment Reader" }, { "description": "Access to write attachments to a repository", "etag": "AA==", "has_undocumented": true, "name": "roles/artifactregistry.attachmentWriter", "stage": "GA", "title": "Artifact Registry Attachment Writer" }, { "description": "Access to run migration tooling to migrate from Container Registry to Artifact Registry", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/artifactregistry.containerRegistryMigrationAdmin", "stage": "GA", "title": "Container Registry -> Artifact Registry Migration Admin" }, { "description": "Access to manage artifacts in repositories, as well as create new repositories on push", "etag": "AA==", 
"has_undocumented": true, "name": "roles/artifactregistry.createOnPushRepoAdmin", "stage": "GA", "title": "Artifact Registry Create-on-Push Repository Administrator" }, { "description": "Access to read and write repository items, as well as create new repositories on push", "etag": "AA==", "has_undocumented": true, "name": "roles/artifactregistry.createOnPushWriter", "stage": "GA", "title": "Artifact Registry Create-on-Push Writer" }, { "description": "Access to read repository items.", "etag": "AA==", "has_undocumented": true, "name": "roles/artifactregistry.reader", "stage": "GA", "title": "Artifact Registry Reader" }, { "description": "Access to manage artifacts in repositories.", "etag": "AA==", "has_undocumented": true, "name": "roles/artifactregistry.repoAdmin", "stage": "GA", "title": "Artifact Registry Repository Administrator" }, { "description": "Gives the Artifact Registry service account access to managed resources.", "etag": "AA==", "name": "roles/artifactregistry.serviceAgent", "stage": "GA", "title": "Artifact Registry Service Agent" }, { "description": "Access to read and write repository items.", "etag": "AA==", "has_undocumented": true, "name": "roles/artifactregistry.writer", "stage": "GA", "title": "Artifact Registry Writer" }, { "description": "Access to use Assured OSS and manage configuration.", "etag": "AA==", "has_credentialexposure": true, "has_undocumented": true, "name": "roles/assuredoss.admin", "stage": "GA", "title": "Assured OSS Admin" }, { "description": "Access to use Assured OSS and manage configuration.", "etag": "AA==", "has_undocumented": true, "name": "roles/assuredoss.projectAdmin", "stage": "BETA", "title": "Assured OSS Project Admin" }, { "description": "Access to use Assured OSS and view Assured OSS configuration.", "etag": "AA==", "has_undocumented": true, "name": "roles/assuredoss.reader", "stage": "GA", "title": "Assured OSS Reader" }, { "description": "Access to use Assured OSS.", "etag": "AA==", "has_undocumented": 
true, "name": "roles/assuredoss.user", "stage": "GA", "title": "Assured OSS User" }, { "description": "Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration", "etag": "AA==", "has_undocumented": true, "name": "roles/assuredworkloads.admin", "stage": "GA", "title": "Assured Workloads Administrator" }, { "description": "Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration", "etag": "AA==", "has_undocumented": true, "name": "roles/assuredworkloads.editor", "stage": "GA", "title": "Assured Workloads Editor" }, { "description": "Gives the Assured Workloads service account access to create CAIS feed and monitor Assured Workloads.", "etag": "AA==", "name": "roles/assuredworkloads.monitoringServiceAgent", "stage": "GA", "title": "Assured Workloads Monitoring Service Agent" }, { "description": "Grants read access to all Assured Workloads resources and CRM resources - project/folder", "etag": "AA==", "has_undocumented": true, "name": "roles/assuredworkloads.reader", "stage": "GA", "title": "Assured Workloads Reader" }, { "description": "Gives the Assured Workloads service account access to create KMS keyrings and keys, monitor Assured Workloads and read Organization Policies.", "etag": "AA==", "has_undocumented": true, "name": "roles/assuredworkloads.serviceAgent", "stage": "GA", "title": "Assured Workloads Service Agent" }, { "description": "Full access to Audit Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/auditmanager.admin", "stage": "BETA", "title": "Audit Manager Admin" }, { "description": "Allows creating and viewing an audit report.", "etag": "AA==", "has_undocumented": true, "name": "roles/auditmanager.auditor", "stage": "BETA", "title": "Audit Manager Auditor" }, { "description": "Full access to Custom Compliance Framework resources.", "etag": "AA==", "has_undocumented": true, "name": 
"roles/auditmanager.ccfAdmin", "stage": "BETA", "title": "Custom Compliance Framework Admin" }, { "description": "Allows viewing Custom Compliance Framework resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/auditmanager.ccfViewer", "stage": "BETA", "title": "Custom Compliance Framework Viewer" }, { "description": "Grants Audit Manager Service Agent access to various list/get rpcs of products to perform an audit.", "etag": "AA==", "has_undocumented": true, "name": "roles/auditmanager.serviceAgent", "stage": "GA", "title": "Audit Manager Auditing Service Agent" }, { "description": "Full access to all AutoML resources", "etag": "AA==", "has_undocumented": true, "name": "roles/automl.admin", "stage": "BETA", "title": "AutoML Admin" }, { "description": "Editor of all AutoML resources", "etag": "AA==", "has_undocumented": true, "name": "roles/automl.editor", "stage": "BETA", "title": "AutoML Editor" }, { "description": "Predict using models", "etag": "AA==", "name": "roles/automl.predictor", "stage": "BETA", "title": "AutoML Predictor" }, { "description": "AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.", "etag": "AA==", "has_dataaccess": true, "name": "roles/automl.serviceAgent", "stage": "GA", "title": "AutoML Service Agent" }, { "description": "Viewer of all AutoML resources", "etag": "AA==", "has_undocumented": true, "name": "roles/automl.viewer", "stage": "BETA", "title": "AutoML Viewer" }, { "description": "Full access to all Recommendations AI resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/automlrecommendations.admin", "stage": "BETA", "title": "Recommendations AI Admin" }, { "description": "Viewer of all Recommendations AI resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/automlrecommendations.adminViewer", "stage": "BETA", "title": "Recommendations AI Admin Viewer" }, { "description": "Editor of all 
Recommendations AI resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/automlrecommendations.editor", "stage": "BETA", "title": "Recommendations AI Editor" }, { "description": "Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/automlrecommendations.serviceAgent", "stage": "GA", "title": "Recommendations AI Service Agent" }, { "description": "Viewer of all Recommendations AI resources except automlrecommendations.apiKeys. To have all read access use Recommendations AI Admin Viewer role instead.", "etag": "AA==", "has_undocumented": true, "name": "roles/automlrecommendations.viewer", "stage": "BETA", "title": "Recommendations AI Viewer" }, { "description": "Access to write metrics for autoscaling site", "etag": "AA==", "name": "roles/autoscaling.metricsWriter", "stage": "BETA", "title": "Autoscaling Metrics Writer" }, { "description": "Access to read recommendations from autoscaling site", "etag": "AA==", "name": "roles/autoscaling.recommendationsReader", "stage": "BETA", "title": "Autoscaling Recommendations Reader" }, { "description": "Full access to all autoscaling site features", "etag": "AA==", "name": "roles/autoscaling.sitesAdmin", "stage": "BETA", "title": "Autoscaling Site Admin" }, { "description": "Access to write state for autoscaling site", "etag": "AA==", "name": "roles/autoscaling.stateWriter", "stage": "BETA", "title": "Autoscaling State Writer" }, { "description": "Enable Access Transparency for Organization", "etag": "AA==", "name": "roles/axt.admin", "stage": "GA", "title": "Access Transparency Admin" }, { "description": "Provides full access to all Backup and DR resources. 
", "etag": "AA==", "has_undocumented": true, "name": "roles/backupdr.admin", "stage": "GA", "title": "Backup and DR Admin" }, { "description": "Allows a Backup and DR service account to discover and backup AlloyDB clusters.", "etag": "AA==", "has_undocumented": true, "name": "roles/backupdr.alloydbOperator", "stage": "GA", "title": "Backup and DR AlloyDB Operator" }, { "description": "Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.", "etag": "AA==", "has_undocumented": true, "name": "roles/backupdr.backupConfigViewer", "stage": "BETA", "title": "Backup and DR Backup Config Viewer" }, { "description": "Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.", "etag": "AA==", "has_undocumented": true, "name": "roles/backupdr.backupUser", "stage": "GA", "title": "Backup and DR Backup User" }, { "description": "Allows the Backup Appliance permissions to create and manage backups in a backup vault.", "etag": "AA==", "name": "roles/backupdr.backupvaultAccessor", "stage": "GA", "title": "Backup and DR Backup Vault Accessor" }, { "description": "Allows the Backup Appliance full administrative control of backup vault resources.", "etag": "AA==", "name": "roles/backupdr.backupvaultAdmin", "stage": "GA", "title": "Backup and DR Backup Vault Admin" }, { "description": "Allows the Backup Appliance permission to list backup vaults in a given project.", "etag": "AA==", "name": "roles/backupdr.backupvaultLister", "stage": "GA", "title": "Backup and DR Backup Vault Lister" }, { "description": "Allows read-only permissions to access backup vault resources and backups.", "etag": "AA==", "name": "roles/backupdr.backupvaultViewer", "stage": "GA", "title": "Backup and DR Backup Vault Viewer" }, { "description": "Allows a Backup and DR service account to discover and backup Cloud SQL instances.", "etag": 
"AA==", "has_undocumented": true, "name": "roles/backupdr.cloudSqlOperator", "stage": "GA", "title": "Backup and DR Cloud SQL Operator" }, { "description": "Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.", "etag": "AA==", "has_dataaccess": true, "name": "roles/backupdr.cloudStorageOperator", "stage": "GA", "title": "Backup and DR Cloud Storage Operator" }, { "description": "Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/backupdr.computeEngineOperator", "stage": "GA", "title": "Backup and DR Compute Engine Operator" }, { "description": "Allows a Backup and DR service account to store and manage data (backups or metadata) in Disk.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/backupdr.diskOperator", "stage": "GA", "title": "Backup and DR Disk Operator" }, { "description": "Allows a Backup and DR service account to discover and backup Filestore instances.", "etag": "AA==", "has_undocumented": true, "name": "roles/backupdr.filestoreOperator", "stage": "BETA", "title": "Backup and DR Filestore Operator" }, { "description": "Grants the Backup and DR management server access role to Backup Appliances.", "etag": "AA==", "name": "roles/backupdr.managementServerAccessor", "stage": "GA", "title": "Backup and DR Management Server Accessor" }, { "description": "Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.", "etag": "AA==", "name": "roles/backupdr.mountUser", "stage": "GA", "title": "Backup and DR Mount User" }, { "description": "Allows the user to restore or mount from a backup. 
This role cannot create a backup plan.", "etag": "AA==", "has_undocumented": true, "name": "roles/backupdr.restoreUser", "stage": "GA", "title": "Backup and DR Restore User" }, { "description": "Grants the Backup and DR Service access to discover and protect GCP resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/backupdr.serviceAgent", "stage": "GA", "title": "Backup and DR Service Agent" }, { "description": "Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.", "etag": "AA==", "has_undocumented": true, "name": "roles/backupdr.user", "stage": "GA", "title": "Backup and DR User" }, { "description": "Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.", "etag": "AA==", "has_undocumented": true, "name": "roles/backupdr.userv2", "stage": "GA", "title": "Backup and DR User V2" }, { "description": "Provides read-only access to all Backup and DR resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/backupdr.viewer", "stage": "GA", "title": "Backup and DR Viewer" }, { "description": "Administrator of Bare Metal Solution resources", "etag": "AA==", "name": "roles/baremetalsolution.admin", "stage": "GA", "title": "Bare Metal Solution Admin" }, { "description": "Editor of Bare Metal Solution resources", "etag": "AA==", "name": "roles/baremetalsolution.editor", "stage": "GA", "title": "Bare Metal Solution Editor" }, { "description": "Admin of Bare Metal Solution Instance resources", "etag": "AA==", "name": "roles/baremetalsolution.instancesadmin", "stage": "GA", "title": "Bare Metal Solution Instances Admin" }, { "description": "Viewer of Bare Metal Solution Instance resources", "etag": "AA==", "name": 
"roles/baremetalsolution.instancesviewer", "stage": "GA", "title": "Bare Metal Solution Instances Viewer" }, { "description": "Administrator of Bare Metal Solution Lun resources", "etag": "AA==", "name": "roles/baremetalsolution.lunsadmin", "stage": "GA", "title": "Luns Admin" }, { "description": "Viewer of Bare Metal Solution Lun resources", "etag": "AA==", "name": "roles/baremetalsolution.lunsviewer", "stage": "GA", "title": "Luns Viewer" }, { "description": "Administrator of Bare Metal Solution maintenance events resources", "etag": "AA==", "name": "roles/baremetalsolution.maintenanceeventsadmin", "stage": "GA", "title": "Maintenance Events Admin" }, { "description": "Editor of Bare Metal Solution maintenance events resources", "etag": "AA==", "name": "roles/baremetalsolution.maintenanceeventseditor", "stage": "GA", "title": "Maintenance Events Editor" }, { "description": "Viewer of Bare Metal Solution maintenance events resources", "etag": "AA==", "name": "roles/baremetalsolution.maintenanceeventsviewer", "stage": "GA", "title": "Maintenance Events Viewer" }, { "description": "Admin of Bare Metal Solution networks resources", "etag": "AA==", "name": "roles/baremetalsolution.networksadmin", "stage": "GA", "title": "Networks Admin" }, { "description": "Administrator of Bare Metal Solution NFS Share resources", "etag": "AA==", "name": "roles/baremetalsolution.nfssharesadmin", "stage": "GA", "title": "NFS Shares Admin" }, { "description": "Editor of Bare Metal Solution NFS Share resources", "etag": "AA==", "name": "roles/baremetalsolution.nfsshareseditor", "stage": "GA", "title": "NFS Shares Editor" }, { "description": "Viewer of Bare Metal Solution NFS Share resources", "etag": "AA==", "name": "roles/baremetalsolution.nfssharesviewer", "stage": "GA", "title": "NFS Shares Viewer" }, { "description": "Viewer of Bare Metal Solution OS images resources", "etag": "AA==", "name": "roles/baremetalsolution.osimagesviewer", "stage": "GA", "title": "OS Images Viewer" }, { 
"description": "Administrator of Bare Metal Solution Procurements", "etag": "AA==", "name": "roles/baremetalsolution.procurementsadmin", "stage": "GA", "title": "Bare Metal Solution Procurements Admin" }, { "description": "Editor of Bare Metal Solution Procurements", "etag": "AA==", "name": "roles/baremetalsolution.procurementseditor", "stage": "GA", "title": "Bare Metal Solution Procurements Editor" }, { "description": "Viewer of Bare Metal Solution Procurements", "etag": "AA==", "name": "roles/baremetalsolution.procurementsviewer", "stage": "GA", "title": "Bare Metal Solution Procurements Viewer" }, { "description": "Gives permission to manage network resources such as interconnect pairing keys, required for Bare Metal Solution.", "etag": "AA==", "name": "roles/baremetalsolution.serviceAgent", "stage": "GA", "title": "Bare Metal Solution Service Agent" }, { "description": "Administrator of Bare Metal Solution storage resources", "etag": "AA==", "name": "roles/baremetalsolution.storageadmin", "stage": "GA", "title": "Bare Metal Solution Storage Admin" }, { "description": "Viewer of Bare Metal Solution resources", "etag": "AA==", "name": "roles/baremetalsolution.viewer", "stage": "GA", "title": "Bare Metal Solution Viewer" }, { "description": "Administrator of Bare Metal Solution volume resources", "etag": "AA==", "name": "roles/baremetalsolution.volumesadmin", "stage": "GA", "title": "Volume Admin" }, { "description": "Editor of Bare Metal Solution volumes resources", "etag": "AA==", "name": "roles/baremetalsolution.volumeseditor", "stage": "GA", "title": "Volumes Editor" }, { "description": "Administrator of Bare Metal Solution snapshots resources", "etag": "AA==", "name": "roles/baremetalsolution.volumesnapshotsadmin", "stage": "GA", "title": "Snapshots Admin" }, { "description": "Editor of Bare Metal Solution snapshots resources", "etag": "AA==", "name": "roles/baremetalsolution.volumesnapshotseditor", "stage": "GA", "title": "Snapshots Editor" }, { 
"description": "Viewer of Bare Metal Solution snapshots resources", "etag": "AA==", "name": "roles/baremetalsolution.volumesnapshotsviewer", "stage": "GA", "title": "Snapshots Viewer" }, { "description": "Viewer of Bare Metal Solution volumes resources", "etag": "AA==", "name": "roles/baremetalsolution.volumessviewer", "stage": "GA", "title": "Volumes Viewer" }, { "description": "Administrator of Batch resources", "etag": "AA==", "name": "roles/batch.admin", "stage": "GA", "title": "Batch Administrator" }, { "description": "Reporter of Batch agent states.", "etag": "AA==", "name": "roles/batch.agentReporter", "stage": "GA", "title": "Batch Agent Reporter" }, { "description": "Editor of Batch Jobs", "etag": "AA==", "name": "roles/batch.jobsEditor", "stage": "GA", "title": "Batch Job Editor" }, { "description": "Viewer of Batch Jobs, Task Groups and Tasks", "etag": "AA==", "name": "roles/batch.jobsViewer", "stage": "GA", "title": "Batch Job Viewer" }, { "description": "Editor of Batch ResourceAllowances", "etag": "AA==", "name": "roles/batch.resourceAllowancesEditor", "stage": "GA", "title": "Batch ResourceAllowance Editor" }, { "description": "Viewer of Batch ResourceAllowances", "etag": "AA==", "name": "roles/batch.resourceAllowancesViewer", "stage": "GA", "title": "Batch ResourceAllowance Viewer" }, { "description": "Gives Google Batch account access to manage customer resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/batch.serviceAgent", "stage": "GA", "title": "Google Batch Service Agent" }, { "description": "Full access to all Cloud BeyondCorp resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/beyondcorp.admin", "stage": "BETA", "title": "Cloud BeyondCorp Admin" }, { "description": "Delegates access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.", "etag": "AA==", "name": 
"roles/beyondcorp.partnerServiceDelegateAdmin", "stage": "BETA", "title": "Cloud BeyondCorp Partner Service Delegate Admin" }, { "description": "Delegates read-only access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.", "etag": "AA==", "name": "roles/beyondcorp.partnerServiceDelegateViewer", "stage": "BETA", "title": "Cloud BeyondCorp Partner Service Delegate Viewer" }, { "description": "Full access to all BeyondCorp Subscription resources.", "etag": "AA==", "name": "roles/beyondcorp.subscriptionAdmin", "stage": "BETA", "title": "Cloud BeyondCorp Subscription Admin" }, { "description": "Read-only access to all BeyondCorp Subscription resources.", "etag": "AA==", "name": "roles/beyondcorp.subscriptionViewer", "stage": "BETA", "title": "Cloud BeyondCorp Subscription Viewer" }, { "description": "Read-only access to all Cloud BeyondCorp resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/beyondcorp.viewer", "stage": "BETA", "title": "Cloud BeyondCorp Viewer" }, { "description": "Provides full access to all BigLake resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/biglake.admin", "stage": "GA", "title": "BigLake Admin" }, { "description": "Provides read and write access to all BigLake resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/biglake.editor", "stage": "BETA", "title": "BigLake Editor" }, { "description": "Provides read-only metadata access to all BigLake resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/biglake.metadataViewer", "stage": "BETA", "title": "BigLake Metadata Viewer" }, { "description": "Provides read-only access to all BigLake resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/biglake.viewer", "stage": "GA", "title": "BigLake Viewer" }, { "description": "Administer all BigQuery resources and data", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, 
"name": "roles/bigquery.admin", "stage": "GA", "title": "BigQuery Admin" }, { "description": "Grants Connected Sheets Service Account access to create and manage BigQuery jobs on the customers resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquery.connectedSheetsServiceAgent", "stage": "GA", "title": "Connected Sheets Service Agent" }, { "description": "Grants full control over BigQuery connections.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/bigquery.connectionAdmin", "stage": "GA", "title": "BigQuery Connection Admin" }, { "description": "Allows users to use BigQuery connections.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "name": "roles/bigquery.connectionUser", "stage": "GA", "title": "BigQuery Connection User" }, { "description": "Access to edit all the contents of datasets", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/bigquery.dataEditor", "stage": "GA", "title": "BigQuery Data Editor" }, { "description": "Full access to datasets and all of their contents", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/bigquery.dataOwner", "stage": "GA", "title": "BigQuery Data Owner" }, { "description": "Access to view datasets and all of their contents", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/bigquery.dataViewer", "stage": "GA", "title": "BigQuery Data Viewer" }, { "description": "Access to view filtered table data defined by a row access policy", "etag": "AA==", "has_dataaccess": true, "name": "roles/bigquery.filteredDataViewer", "stage": "GA", "title": "BigQuery Filtered Data Viewer" }, { "description": "Access to run jobs", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquery.jobUser", "stage": "GA", "title": "BigQuery Job User" }, { "description": "Access to view metadata of dataset, 
table, model, routine, and property graph", "etag": "AA==", "name": "roles/bigquery.metadataViewer", "stage": "GA", "title": "BigQuery Metadata Viewer" }, { "description": "Administer ObjectRef resources that includes read and write permissions", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquery.objectRefAdmin", "stage": "GA", "title": "BigQuery ObjectRef Admin" }, { "description": "Role for reading referenced objects via ObjectRefs in BigQuery", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquery.objectRefReader", "stage": "GA", "title": "BigQuery ObjectRef Reader" }, { "description": "Access to create and use read sessions", "etag": "AA==", "name": "roles/bigquery.readSessionUser", "stage": "GA", "title": "BigQuery Read Session User" }, { "description": "Administers BigQuery workloads, including slot assignments, commitments, and reservations.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquery.resourceAdmin", "stage": "GA", "title": "BigQuery Resource Admin" }, { "description": "Manages BigQuery workloads, but is unable to create or modify slot commitments.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquery.resourceEditor", "stage": "GA", "title": "BigQuery Resource Editor" }, { "description": "Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquery.resourceViewer", "stage": "GA", "title": "BigQuery Resource Viewer" }, { "description": " Role for Authorized Routine to administer supported resources", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/bigquery.routineAdmin", "stage": "BETA", "title": "BigQuery Authorized Routine Admin" }, { "description": " Role for Authorized Routine to edit contents of supported resources", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/bigquery.routineDataEditor", "stage": "BETA", "title": "BigQuery 
Authorized Routine Data Editor" }, { "description": " Role for Authorized Routine to view data and contents of supported resources", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/bigquery.routineDataViewer", "stage": "BETA", "title": "BigQuery Authorized Routine Data Viewer" }, { "description": " Role for Authorized Routine to view metadata of supported resources", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquery.routineMetadataViewer", "stage": "BETA", "title": "BigQuery Authorized Routine Metadata Viewer" }, { "description": "Administer all BigQuery security controls", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/bigquery.securityAdmin", "stage": "BETA", "title": "BigQuery Security Admin" }, { "description": "Combination role of BigQuery Admin, Dataform Admin, Notebook Runtime Admin and Dataproc Serverless Editor.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/bigquery.studioAdmin", "stage": "GA", "title": "BigQuery Studio Admin" }, { "description": "Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, Notebook Runtime User and Dataproc Serverless Editor.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquery.studioUser", "stage": "GA", "title": "BigQuery Studio User" }, { "description": "When applied to a project, access to run queries, create datasets, read dataset metadata, and list tables, models and property graphs. 
When applied to a dataset, access to read dataset metadata and list tables, models, routines and property graphs within the dataset.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquery.user", "stage": "GA", "title": "BigQuery User" }, { "description": "Gives BigQuery Connection Service access to Cloud SQL instances in user projects.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigqueryconnection.serviceAgent", "stage": "GA", "title": "BigQuery Connection Service Agent" }, { "description": "Gives BigQuery Continuous Query access to the service accounts in the user project.", "etag": "AA==", "has_privesc": true, "name": "roles/bigquerycontinuousquery.serviceAgent", "stage": "GA", "title": "BigQuery Continuous Query Service Agent" }, { "description": "Role for managing Data Policies in BigQuery", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/bigquerydatapolicy.admin", "stage": "GA", "title": "BigQuery Data Policy Admin" }, { "description": "Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns", "etag": "AA==", "name": "roles/bigquerydatapolicy.maskedReader", "stage": "GA", "title": "Masked Reader" }, { "description": "Raw read access to sub-resources associated with a data policy, for example, BigQuery columns", "etag": "AA==", "name": "roles/bigquerydatapolicy.rawDataReader", "stage": "BETA", "title": "Raw Data Reader" }, { "description": "Role for viewing Data Policies in BigQuery", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquerydatapolicy.viewer", "stage": "GA", "title": "BigQuery Data Policy Viewer" }, { "description": "Gives BigQuery Data Transfer Service access to start bigquery jobs in consumer project. 
", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/bigquerydatatransfer.serviceAgent", "stage": "GA", "title": "BigQuery Data Transfer Service Agent" }, { "description": "Editor of EDW migration workflows.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigquerymigration.editor", "stage": "GA", "title": "MigrationWorkflow Editor" }, { "description": "Orchestrator of EDW migration tasks.", "etag": "AA==", "name": "roles/bigquerymigration.orchestrator", "stage": "GA", "title": "Task Orchestrator" }, { "description": "User of EDW migration interactive SQL translation service.", "etag": "AA==", "name": "roles/bigquerymigration.translationUser", "stage": "GA", "title": "Migration Translation User" }, { "description": "Viewer of EDW migration MigrationWorkflow.", "etag": "AA==", "name": "roles/bigquerymigration.viewer", "stage": "GA", "title": "MigrationWorkflow Viewer" }, { "description": "Worker that executes EDW migration subtasks.", "etag": "AA==", "has_dataaccess": true, "name": "roles/bigquerymigration.worker", "stage": "GA", "title": "Task Worker" }, { "description": "Gives BigQuery Omni access to tables in user projects.", "etag": "AA==", "name": "roles/bigqueryomni.serviceAgent", "stage": "GA", "title": "BigQuery Omni Service Agent" }, { "description": "Gives BigQuery Spark access to the service accounts in the user project.", "etag": "AA==", "has_privesc": true, "name": "roles/bigqueryspark.serviceAgent", "stage": "GA", "title": "BigQuery Spark Service Agent" }, { "description": "Full access to all Bigtable resources and ability to assign Bigtable IAM roles.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigtable.admin", "stage": "GA", "title": "Bigtable Administrator" }, { "description": "Read access to data in existing tables; read access to metadata for instances, clusters, and tables, including column families.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigtable.reader", "stage": "GA", 
"title": "Bigtable Reader" }, { "description": "Read and write access to data in existing tables; read access to metadata for instances, clusters, and tables, including column families.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigtable.user", "stage": "GA", "title": "Bigtable User" }, { "description": "Read access to metadata for instances, clusters, and tables, including column families.", "etag": "AA==", "has_undocumented": true, "name": "roles/bigtable.viewer", "stage": "GA", "title": "Bigtable Viewer" }, { "description": "Authorized to see and manage all aspects of billing accounts.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/billing.admin", "stage": "GA", "title": "Billing Account Administrator" }, { "etag": "AA==", "name": "roles/billing.carbonViewer", "stage": "GA", "title": "Carbon Footprint Viewer" }, { "description": "Can view and export cost information of billing accounts.", "etag": "AA==", "has_undocumented": true, "name": "roles/billing.costsManager", "stage": "GA", "title": "Billing Account Costs Manager" }, { "description": "Creator of billing accounts.", "etag": "AA==", "name": "roles/billing.creator", "stage": "GA", "title": "Billing Account Creator" }, { "description": "Authorized to manage billing account hierarchy", "etag": "AA==", "has_undocumented": true, "name": "roles/billing.linkAdmin", "stage": "GA", "title": "Account Hierarchy Manager" }, { "description": "Can interact with billing information scoped to the projects to which the user has cost access.", "etag": "AA==", "has_undocumented": true, "name": "roles/billing.projectCostsManager", "stage": "GA", "title": "Project Billing Costs Manager" }, { "description": "Can assign a project's billing account or disable its billing.", "etag": "AA==", "name": "roles/billing.projectManager", "stage": "GA", "title": "Project Billing Manager" }, { "description": "Can associate projects with billing accounts", "etag": "AA==", "name": 
"roles/billing.user", "stage": "GA", "title": "Billing Account User" }, { "description": "Can view information about billing accounts.", "etag": "AA==", "has_undocumented": true, "name": "roles/billing.viewer", "stage": "GA", "title": "Billing Account Viewer" }, { "description": "Administrator of Binary Authorization Attestors", "etag": "AA==", "name": "roles/binaryauthorization.attestorsAdmin", "stage": "GA", "title": "Binary Authorization Attestor Admin" }, { "description": "Editor of Binary Authorization Attestors", "etag": "AA==", "name": "roles/binaryauthorization.attestorsEditor", "stage": "GA", "title": "Binary Authorization Attestor Editor" }, { "description": "Caller of Binary Authorization Attestors VerifyImageAttested", "etag": "AA==", "name": "roles/binaryauthorization.attestorsVerifier", "stage": "GA", "title": "Binary Authorization Attestor Image Verifier" }, { "description": "Viewer of Binary Authorization Attestors", "etag": "AA==", "name": "roles/binaryauthorization.attestorsViewer", "stage": "GA", "title": "Binary Authorization Attestor Viewer" }, { "description": "Administrator of Binary Authorization Policy", "etag": "AA==", "name": "roles/binaryauthorization.policyAdmin", "stage": "GA", "title": "Binary Authorization Policy Administrator" }, { "description": "Editor of Binary Authorization Policy", "etag": "AA==", "name": "roles/binaryauthorization.policyEditor", "stage": "GA", "title": "Binary Authorization Policy Editor" }, { "description": "Evaluator of Binary Authorization Policy", "etag": "AA==", "name": "roles/binaryauthorization.policyEvaluator", "stage": "GA", "title": "Binary Authorization Policy Evaluator" }, { "description": "Viewer of Binary Authorization Policy", "etag": "AA==", "name": "roles/binaryauthorization.policyViewer", "stage": "GA", "title": "Binary Authorization Policy Viewer" }, { "description": "Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.", "etag": "AA==", "name": 
"roles/binaryauthorization.serviceAgent", "stage": "GA", "title": "Binary Authorization Service Agent" }, { "description": "Full access to Blockchain Node Engine resources.", "etag": "AA==", "name": "roles/blockchainnodeengine.admin", "stage": "GA", "title": "Blockchain Node Engine Admin" }, { "description": "Grants Blockchain Node Engine access to metrics in user project", "etag": "AA==", "name": "roles/blockchainnodeengine.serviceAgent", "stage": "GA", "title": "Blockchain Node Engine Service Agent" }, { "description": "Readonly access to Blockchain Node Engine resources.", "etag": "AA==", "name": "roles/blockchainnodeengine.viewer", "stage": "GA", "title": "Blockchain Node Engine Viewer" }, { "description": "Full access to Blockchain Validator Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/blockchainvalidatormanager.admin", "stage": "BETA", "title": "Blockchain Validator Manager Admin" }, { "description": "Readonly access to Blockchain Validator Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/blockchainvalidatormanager.viewer", "stage": "BETA", "title": "Blockchain Validator Viewer" }, { "description": "Access to browse GCP resources.", "etag": "AA==", "name": "roles/browser", "stage": "GA", "title": "Browser" }, { "description": "A user who can use Business AI Code API", "etag": "AA==", "has_undocumented": true, "name": "roles/businessaicode.user", "stage": "BETA", "title": "User role for Business AI Code API" }, { "description": "Role that enables capacity planning", "etag": "AA==", "has_undocumented": true, "name": "roles/capacityplanner.planner", "stage": "BETA", "title": "Capacity Planner Usage Planner" }, { "description": "Read-only access to Capacity Planner resources", "etag": "AA==", "has_undocumented": true, "name": "roles/capacityplanner.viewer", "stage": "BETA", "title": "Capacity Planner Usage Viewer" }, { "description": "This role can view all properties of Patients.", "etag": "AA==", 
"name": "roles/carestudio.viewer", "stage": "GA", "title": "Care Studio Patients Viewer" }, { "description": "Edit access to Certificate Manager all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/certificatemanager.editor", "stage": "GA", "title": "Certificate Manager Editor" }, { "description": "Full access to Certificate Manager all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/certificatemanager.owner", "stage": "GA", "title": "Certificate Manager Owner" }, { "description": "Grants Certificate Manager access to services and APIs in the user project.", "etag": "AA==", "name": "roles/certificatemanager.serviceAgent", "stage": "GA", "title": "Certificate Manager Service Agent" }, { "description": "Read-only access to Certificate Manager all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/certificatemanager.viewer", "stage": "GA", "title": "Certificate Manager Viewer" }, { "description": "Full access to Gemini Enterprise for Customer Experience resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/ces.admin", "stage": "BETA", "title": "Gemini Enterprise for Customer Experience Admin" }, { "description": "Full control over agent node structures, including instructions, tools, guardrails, callbacks, etc.", "etag": "AA==", "has_undocumented": true, "name": "roles/ces.agentEditor", "stage": "BETA", "title": "Gemini Enterprise for Customer Experience Agent Editor" }, { "description": "Full control over app-level settings, such as logging settings, audio/voice configurations, etc.", "etag": "AA==", "has_undocumented": true, "name": "roles/ces.appEditor", "stage": "BETA", "title": "Gemini Enterprise for Customer Experience App Editor" }, { "description": "Query access to Gemini Enterprise for Customer Experience agents.", "etag": "AA==", "has_undocumented": true, "name": "roles/ces.client", "stage": "BETA", "title": "Gemini Enterprise for Customer Experience Client" }, { "description": 
"Ability to manage deployments and configure specific app versions.", "etag": "AA==", "has_undocumented": true, "name": "roles/ces.deploymentEditor", "stage": "BETA", "title": "Gemini Enterprise for Customer Experience Deployment Editor" }, { "description": "Full control over evaluation datasets, runs, and results.", "etag": "AA==", "has_undocumented": true, "name": "roles/ces.evalsEditor", "stage": "BETA", "title": "Gemini Enterprise for Customer Experience Evals Editor" }, { "description": "Full control over safety settings and guardrails.", "etag": "AA==", "has_undocumented": true, "name": "roles/ces.guardrailsEditor", "stage": "BETA", "title": "Gemini Enterprise for Customer Experience Guardrails Editor" }, { "description": "Full control over security settings.", "etag": "AA==", "has_undocumented": true, "name": "roles/ces.securitySettingsEditor", "stage": "BETA", "title": "Gemini Enterprise for Customer Experience Security Settings Editor" }, { "description": "Allows Customer Engagement Suite Service Account to access dependent resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/ces.serviceAgent", "stage": "GA", "title": "Customer Engagement Suite Service Agent" }, { "description": "Full control over tools and toolsets.", "etag": "AA==", "has_undocumented": true, "name": "roles/ces.toolsEditor", "stage": "BETA", "title": "Gemini Enterprise for Customer Experience Tools Editor" }, { "description": "Read only access to Gemini Enterprise for Customer Experience resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/ces.viewer", "stage": "BETA", "title": "Gemini Enterprise for Customer Experience Viewer" }, { "description": "Can view and modify app configurations", "etag": "AA==", "name": "roles/chat.owner", "stage": "GA", "title": "Chat Apps Owner" }, { "description": "Can view app configurations", "etag": "AA==", "name": "roles/chat.reader", "stage": "GA", "title": "Chat Apps 
Viewer" }, { "description": "Full access to the Chronicle API services, including global settings.", "etag": "AA==", "has_undocumented": true, "name": "roles/chronicle.admin", "stage": "GA", "title": "Chronicle API Admin" }, { "description": "Grants elevated access to control the lifecycle of the Chronicle instance and its data.", "etag": "AA==", "has_undocumented": true, "name": "roles/chronicle.dataGovernor", "stage": "BETA", "title": "Chronicle API Data Governor" }, { "description": "Modify Access to Chronicle API resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/chronicle.editor", "stage": "GA", "title": "Chronicle API Editor" }, { "description": "Full access to Chronicle Federation features.", "etag": "AA==", "has_undocumented": true, "name": "roles/chronicle.federationAdmin", "stage": "BETA", "title": "Chronicle API Federation Admin" }, { "description": "Readonly access to Chronicle Federation Features.", "etag": "AA==", "has_undocumented": true, "name": "roles/chronicle.federationViewer", "stage": "BETA", "title": "Chronicle API Federation Viewer" }, { "description": "Grants global access to data i.e. all data can be accessed.", "etag": "AA==", "has_undocumented": true, "name": "roles/chronicle.globalDataAccess", "stage": "BETA", "title": "Chronicle API Global Data Access" }, { "description": "Grants readonly access to Chronicle API resources, excluding Rules and Retrohunts.", "etag": "AA==", "has_undocumented": true, "name": "roles/chronicle.limitedViewer", "stage": "GA", "title": "Chronicle API Limited Viewer" }, { "description": "Grants access to data controlled by Data Access Scopes. 
Intended to be refined by IAM Conditions.", "etag": "AA==", "name": "roles/chronicle.restrictedDataAccess", "stage": "BETA", "title": "Chronicle API Restricted Data Access" }, { "description": "Grants readonly access to Chronicle API resources without global data access scope.", "etag": "AA==", "has_undocumented": true, "name": "roles/chronicle.restrictedDataAccessViewer", "stage": "BETA", "title": "Chronicle API Restricted Data Access Viewer" }, { "description": "Grants Chronicle global data access to customer project", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/chronicle.serviceAgent", "stage": "GA", "title": "Chronicle Service Agent" }, { "description": "Grants admin access to Chronicle SOAR.", "etag": "AA==", "has_undocumented": true, "name": "roles/chronicle.soarAdmin", "stage": "BETA", "title": "Chronicle SOAR Admin" }, { "description": "Grants Remote Agent access to Chronicle SOAR.", "etag": "AA==", "has_undocumented": true, "name": "roles/chronicle.soarRemoteAgent", "stage": "BETA", "title": "Chronicle SOAR Remote Agent" }, { "description": "Gives Chronicle SOAR the ability to perform remediation on Cloud Platform resources.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/chronicle.soarServiceAgent", "stage": "GA", "title": "Chronicle SOAR Service Agent" }, { "description": "Grants threat manager access to Chronicle SOAR.", "etag": "AA==", "name": "roles/chronicle.soarThreatManager", "stage": "BETA", "title": "Chronicle SOAR Threat Manager" }, { "description": "Grants vulnerability manager access to Chronicle SOAR.", "etag": "AA==", "name": "roles/chronicle.soarVulnerabilityManager", "stage": "BETA", "title": "Chronicle SOAR Vulnerability Manager" }, { "description": "Readonly access to the Chronicle API resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/chronicle.viewer", "stage": "GA", "title": "Chronicle API 
Viewer" }, { "description": "Admins can view and modify Chronicle service details.", "etag": "AA==", "has_undocumented": true, "name": "roles/chroniclesm.admin", "stage": "GA", "title": "Chronicle Service Admin" }, { "description": "Viewers can see Chronicle service details but not change them.", "etag": "AA==", "has_undocumented": true, "name": "roles/chroniclesm.viewer", "stage": "GA", "title": "Chronicle Service Viewer" }, { "description": "Gives CIEM Service Account permission to access GCP resources", "etag": "AA==", "name": "roles/ciem.serviceAgent", "stage": "GA", "title": "CIEM Service Agent" }, { "description": "Read and enumerate locations available for resource creation.", "etag": "AA==", "name": "roles/cloud.locationReader", "stage": "BETA", "title": "Location reader" }, { "description": "Grants full access to Code Repository Indexes resources.", "etag": "AA==", "name": "roles/cloudaicompanion.codeRepositoryIndexesAdmin", "stage": "GA", "title": "Code Repository Indexes Admin" }, { "description": "Grants readonly access to Code Repository Indexes resources.", "etag": "AA==", "name": "roles/cloudaicompanion.codeRepositoryIndexesViewer", "stage": "GA", "title": "Code Repository Indexes Viewer" }, { "description": "Grants full access to Gemini Code Assist Tools resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudaicompanion.codeToolsAdmin", "stage": "BETA", "title": "Gemini Code Assist Tools Admin" }, { "description": "Grants read access to Gemini Code Assist Tools resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudaicompanion.codeToolsUser", "stage": "BETA", "title": "Gemini Code Assist Tools User" }, { "description": "An individual user who can use Gemini for Google Cloud", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudaicompanion.individualUser", "stage": "GA", "title": "Gemini for Google Cloud individual User" }, { "description": "Grants Read/Use access to the Code Repository Indexes 
Repository Group.", "etag": "AA==", "name": "roles/cloudaicompanion.repositoryGroupsUser", "stage": "GA", "title": "Repository Groups User" }, { "description": "Gives Gemini for Google Cloud components the proper permissions to function.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudaicompanion.serviceAgent", "stage": "GA", "title": "Gemini for Google Cloud Service Agent" }, { "description": "Grants read and write access to the Gemini for Cloud setting and their bindings.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudaicompanion.settingsAdmin", "stage": "GA", "title": "Gemini for Google Cloud Settings Admin" }, { "description": "Grants read access to the Gemini for Cloud setting and their bindings.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudaicompanion.settingsUser", "stage": "GA", "title": "Gemini for Google Cloud Settings User" }, { "description": "Grants read, write and permission management access to the Topic resource.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudaicompanion.topicAdmin", "stage": "BETA", "title": "Topic Admin" }, { "description": "Grants read-only access to topic resource.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudaicompanion.topicReader", "stage": "BETA", "title": "Topic Reader" }, { "description": "A user who can use Gemini for Google Cloud", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudaicompanion.user", "stage": "GA", "title": "Gemini for Google Cloud User" }, { "description": "Read/write access to Cloud API Registry resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudapiregistry.admin", "stage": "BETA", "title": "Cloud API Registry Admin" }, { "description": "Read-only access to Cloud API Registry resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudapiregistry.viewer", "stage": "BETA", "title": "Cloud API Registry Viewer" }, { "description": "Give effective policy service account 
access to search all resources and IAM policies.", "etag": "AA==", "name": "roles/cloudasset.effectivePolicyServiceAgent", "stage": "GA", "title": "Effective Policies Service Agent" }, { "description": "Full access to cloud assets metadata", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudasset.owner", "stage": "GA", "title": "Cloud Asset Owner" }, { "description": "Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudasset.serviceAgent", "stage": "GA", "title": "Cloud Asset Service Agent" }, { "description": "Read only access to cloud assets metadata", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudasset.viewer", "stage": "GA", "title": "Cloud Asset Viewer" }, { "description": "Can approve or reject pending builds.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudbuild.builds.approver", "stage": "GA", "title": "Cloud Build Approver" }, { "description": "Can perform builds", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/cloudbuild.builds.builder", "stage": "GA", "title": "Cloud Build Service Account" }, { "description": "Can create and cancel builds", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/cloudbuild.builds.editor", "stage": "GA", "title": "Cloud Build Editor" }, { "description": "Can view builds", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudbuild.builds.viewer", "stage": "GA", "title": "Cloud Build Viewer" }, { "description": "Can manage connections and repositories.", "etag": "AA==", "has_privesc": true, "name": "roles/cloudbuild.connectionAdmin", "stage": "GA", "title": "Cloud Build Connection Admin" }, { "description": "Can view and list connections and repositories.", "etag": "AA==", "name": "roles/cloudbuild.connectionViewer", 
"stage": "GA", "title": "Cloud Build Connection Viewer" }, { "description": "Can update Integrations", "etag": "AA==", "name": "roles/cloudbuild.integrationsEditor", "stage": "GA", "title": "Cloud Build Integrations Editor" }, { "description": "Can create/delete Integrations", "etag": "AA==", "name": "roles/cloudbuild.integrationsOwner", "stage": "GA", "title": "Cloud Build Integrations Owner" }, { "description": "Can view Integrations", "etag": "AA==", "name": "roles/cloudbuild.integrationsViewer", "stage": "GA", "title": "Cloud Build Integrations Viewer" }, { "description": "Gives the Cloud Build logging-specific service account access to write logs.", "etag": "AA==", "name": "roles/cloudbuild.loggingServiceAgent", "stage": "GA", "title": "Cloud Build Logging Service Agent" }, { "description": "Can view the connection and access its read-only token.", "etag": "AA==", "name": "roles/cloudbuild.readTokenAccessor", "stage": "GA", "title": "Cloud Build Read Only Token Accessor" }, { "description": "Gives Cloud Build service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/cloudbuild.serviceAgent", "stage": "GA", "title": "Cloud Build Service Agent" }, { "description": "Can view the connection and access its read/write and read-only tokens.", "etag": "AA==", "name": "roles/cloudbuild.tokenAccessor", "stage": "GA", "title": "Cloud Build Token Accessor" }, { "description": "Can update and view WorkerPools", "etag": "AA==", "name": "roles/cloudbuild.workerPoolEditor", "stage": "GA", "title": "Cloud Build WorkerPool Editor" }, { "description": "Can create, delete, update, and view WorkerPools", "etag": "AA==", "name": "roles/cloudbuild.workerPoolOwner", "stage": "GA", "title": "Cloud Build WorkerPool Owner" }, { "description": "Can run builds in the WorkerPool", "etag": "AA==", "name": "roles/cloudbuild.workerPoolUser", "stage": "GA", "title": "Cloud Build WorkerPool User" }, { 
"description": "Can view WorkerPools", "etag": "AA==", "name": "roles/cloudbuild.workerPoolViewer", "stage": "GA", "title": "Cloud Build WorkerPool Viewer" }, { "description": "Full access to Firebase Remote Config resources.", "etag": "AA==", "name": "roles/cloudconfig.admin", "stage": "GA", "title": "Firebase Remote Config Admin" }, { "description": "Gives Infrastructure Manager service agent access to managed resources", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/cloudconfig.serviceAgent", "stage": "GA", "title": "Infrastructure Manager Service Agent" }, { "description": "Read access to Firebase Remote Config resources.", "etag": "AA==", "name": "roles/cloudconfig.viewer", "stage": "GA", "title": "Firebase Remote Config Viewer" }, { "description": "Gives the Partner Console service account access to read Access Approval Requests for workloads associated with a partner.", "etag": "AA==", "name": "roles/cloudcontrolspartner.accessApprovalServiceAgent", "stage": "GA", "title": "Cloud Controls Partner Access Approval Service Agent" }, { "description": "Full access to Cloud Controls Partner resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudcontrolspartner.admin", "stage": "GA", "title": "Cloud Controls Partner Admin" }, { "description": "Editor access to Cloud Controls Partner resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudcontrolspartner.editor", "stage": "GA", "title": "Cloud Controls Partner Editor" }, { "description": "Gives Cloud Controls Partner service agent permission to list EKM connections, get EKM connection status, and provide EKM diagnostic information.", "etag": "AA==", "name": "roles/cloudcontrolspartner.ekmServiceAgent", "stage": "GA", "title": "Cloud Controls Partner EKM Service Agent" }, { "description": "Readonly access to Cloud Controls Partner inspectability resources.", "etag": "AA==", "name": "roles/cloudcontrolspartner.inspectabilityReader", "stage": "GA", 
"title": "Cloud Controls Partner Inspectability Reader" }, { "description": "Readonly access to Cloud Controls Partner monitoring resources.", "etag": "AA==", "name": "roles/cloudcontrolspartner.monitoringReader", "stage": "GA", "title": "Cloud Controls Partner Monitoring Reader" }, { "description": "Gives Cloud Controls Partner monitoring service agent permission to view and list Assured Workload violations. The role is assigned to enable partner monitoring capability.", "etag": "AA==", "name": "roles/cloudcontrolspartner.monitoringServiceAgent", "stage": "GA", "title": "Cloud Controls Partner Monitoring Service Agent" }, { "description": "Readonly access to Cloud Controls Partner resources.", "etag": "AA==", "name": "roles/cloudcontrolspartner.reader", "stage": "GA", "title": "Cloud Controls Partner Reader" }, { "description": "Gives the Partner Console service account access to support cases for workloads associated with a partner.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudcontrolspartner.supportCaseServiceAgent", "stage": "GA", "title": "Cloud Controls Partner Support Case Service Agent" }, { "description": "Cloud Debugger agents are allowed to register and provide debug snapshot data.", "etag": "AA==", "name": "roles/clouddebugger.agent", "stage": "BETA", "title": "Cloud Debugger Agent" }, { "description": "User Access to Cloud Debugger. 
Can create, delete and view snapshots and logpoints.", "etag": "AA==", "name": "roles/clouddebugger.user", "stage": "BETA", "title": "Cloud Debugger User" }, { "description": "Full control of Cloud Deploy resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/clouddeploy.admin", "stage": "GA", "title": "Cloud Deploy Admin" }, { "description": "Permission to approve or reject rollouts.", "etag": "AA==", "name": "roles/clouddeploy.approver", "stage": "GA", "title": "Cloud Deploy Approver" }, { "description": "Permission to manage CustomTargetType resources", "etag": "AA==", "name": "roles/clouddeploy.customTargetTypeAdmin", "stage": "GA", "title": "Cloud Deploy Custom Target Type Admin" }, { "description": "Permission to manage deployment configuration without permission to access operational resources, such as targets.", "etag": "AA==", "name": "roles/clouddeploy.developer", "stage": "GA", "title": "Cloud Deploy Developer" }, { "description": "Permission to execute Cloud Deploy work without permission to deliver to a target.", "etag": "AA==", "has_dataaccess": true, "name": "roles/clouddeploy.jobRunner", "stage": "GA", "title": "Cloud Deploy Runner" }, { "description": "Permission to manage deployment configuration.", "etag": "AA==", "has_undocumented": true, "name": "roles/clouddeploy.operator", "stage": "GA", "title": "Cloud Deploy Operator" }, { "description": "Permission to manage Deploy Policies.", "etag": "AA==", "has_undocumented": true, "name": "roles/clouddeploy.policyAdmin", "stage": "GA", "title": "Cloud Deploy Policy Admin" }, { "description": "Permission to override Deploy Policies.", "etag": "AA==", "name": "roles/clouddeploy.policyOverrider", "stage": "GA", "title": "Cloud Deploy Policy Overrider" }, { "description": "Permission to create Cloud Deploy releases and rollouts.", "etag": "AA==", "name": "roles/clouddeploy.releaser", "stage": "GA", "title": "Cloud Deploy Releaser" }, { "description": "Gives Cloud Deploy Service Account 
access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/clouddeploy.serviceAgent", "stage": "GA", "title": "Cloud Deploy Service Agent" }, { "description": "Can view Cloud Deploy resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/clouddeploy.viewer", "stage": "GA", "title": "Cloud Deploy Viewer" }, { "description": "Allows Deployment Manager service to actuate resources across DM projects and folders", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/clouddeploymentmanager.serviceAgent", "stage": "GA", "title": "Cloud Deployment Manager Service Agent" }, { "description": "Full access to functions, operations and locations.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/cloudfunctions.admin", "stage": "GA", "title": "Cloud Functions Admin" }, { "description": "Read and write access to all functions-related resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_undocumented": true, "name": "roles/cloudfunctions.developer", "stage": "GA", "title": "Cloud Functions Developer" }, { "description": "Ability to invoke 1st gen HTTP functions with restricted access. 
2nd gen functions need the Cloud Run Invoker role instead.", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudfunctions.invoker", "stage": "GA", "title": "Cloud Functions Invoker" }, { "description": "Gives Cloud Functions service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/cloudfunctions.serviceAgent", "stage": "GA", "title": "Cloud Functions Service Agent" }, { "description": "Read-only access to functions and locations.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudfunctions.viewer", "stage": "GA", "title": "Cloud Functions Viewer" }, { "description": "Allows users to view and interact with Cloud Hub.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/cloudhub.operator", "stage": "BETA", "title": "Cloud Hub Operator" }, { "description": "Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. 
Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.", "etag": "AA==", "name": "roles/cloudiot.serviceAgent", "stage": "GA", "title": "Cloud IoT Core Service Agent" }, { "description": "Access to Cloud Talent Solution Self-Service Tools.", "etag": "AA==", "name": "roles/cloudjobdiscovery.admin", "stage": "GA", "title": "Cloud Talent Solution Admin" }, { "description": "Write access to all job data in Cloud Talent Solution.", "etag": "AA==", "name": "roles/cloudjobdiscovery.jobsEditor", "stage": "GA", "title": "Cloud Talent Solution Job Editor" }, { "description": "Read access to all job data in Cloud Talent Solution.", "etag": "AA==", "name": "roles/cloudjobdiscovery.jobsViewer", "stage": "GA", "title": "Cloud Talent Solution Job Viewer" }, { "description": "Write access to all profile data in Cloud Talent Solution.", "etag": "AA==", "name": "roles/cloudjobdiscovery.profilesEditor", "stage": "GA", "title": "Cloud Talent Solution Profile Editor" }, { "description": "Read access to all profile data in Cloud Talent Solution.", "etag": "AA==", "name": "roles/cloudjobdiscovery.profilesViewer", "stage": "GA", "title": "Cloud Talent Solution Profile Viewer" }, { "description": "Enables management of crypto resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.admin", "stage": "GA", "title": "Cloud KMS Admin" }, { "description": "Enables management of AutokeyConfig.", "etag": "AA==", "name": "roles/cloudkms.autokeyAdmin", "stage": "GA", "title": "Cloud KMS Autokey Admin" }, { "description": "Grants ability to use KeyHandle resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.autokeyUser", "stage": "GA", "title": "Cloud KMS Autokey User" }, { "description": "Enables Decrypt operations", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyDecrypter", "stage": "GA", "title": "Cloud KMS CryptoKey Decrypter" }, { "description": "Enables 
Decrypt operations via other GCP services", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyDecrypterViaDelegation", "stage": "GA", "title": "Cloud KMS CryptoKey Decrypter Via Delegation" }, { "description": "Enables Encrypt operations", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyEncrypter", "stage": "GA", "title": "Cloud KMS CryptoKey Encrypter" }, { "description": "Enables Encrypt and Decrypt operations", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "stage": "GA", "title": "Cloud KMS CryptoKey Encrypter/Decrypter" }, { "description": "Enables Encrypt and Decrypt operations via other GCP services", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation", "stage": "GA", "title": "Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation" }, { "description": "Enables Encrypt operations via other GCP services", "etag": "AA==", "name": "roles/cloudkms.cryptoKeyEncrypterViaDelegation", "stage": "GA", "title": "Cloud KMS CryptoKey Encrypter Via Delegation" }, { "description": "Enables all Crypto Operations.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.cryptoOperator", "stage": "GA", "title": "Cloud KMS Crypto Operator" }, { "description": "Enables Decapsulate and GetPublicKey operations", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.decapsulator", "stage": "BETA", "title": "Cloud KMS CryptoKey Decapsulator" }, { "description": "Enables management of EkmConnections.", "etag": "AA==", "name": "roles/cloudkms.ekmConnectionsAdmin", "stage": "GA", "title": "Cloud KMS EkmConnections Admin" }, { "description": "Enables raw AES-CBC keys management.", "etag": "AA==", "name": "roles/cloudkms.expertRawAesCbc", "stage": "GA", "title": "Cloud KMS Expert Raw AES-CBC Key Manager" }, { "description": "Enables raw AES-CTR keys management.", "etag": "AA==", "name": "roles/cloudkms.expertRawAesCtr", "stage": "GA", "title": "Cloud KMS Expert Raw AES-CTR Key Manager" }, { "description": 
"Enables raw PKCS#1 keys management.", "etag": "AA==", "name": "roles/cloudkms.expertRawPKCS1", "stage": "GA", "title": "Cloud KMS Expert Raw PKCS#1 Key Manager" }, { "description": "Grants ability to execute SingleTenantHsmInstanceProposal resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.hsmSingleTenantExecutor", "stage": "GA", "title": "Cloud KMS single-tenant HSM Executor" }, { "description": "Grants ability to use single-tenant HSM instances to create keys. This role must be combined with another role that grants the ability to create cryptoKeys.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.hsmSingleTenantKeyCreator", "stage": "GA", "title": "Cloud KMS single-tenant HSM Key Creator" }, { "description": "Grants ability to create SingleTenantHsmInstances and SingleTenantHsmInstanceProposals.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.hsmSingleTenantProposer", "stage": "GA", "title": "Cloud KMS single-tenant HSM Proposer" }, { "description": "Grants ability to approve SingleTenantHsmInstanceProposal resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.hsmSingleTenantQuorumMember", "stage": "GA", "title": "Cloud KMS single-tenant HSM Quorum Member" }, { "description": "Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations", "etag": "AA==", "name": "roles/cloudkms.importer", "stage": "GA", "title": "Cloud KMS Importer" }, { "description": "Grant ability to view Key Access Justification enrollment configs of a project.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.keyAccessJustificationsEnrollmentConfigViewer", "stage": "BETA", "title": "Key Access Justifications Enrollment Viewer" }, { "description": "Grant ability to manage Key Access Justifications Policy at parent resource level.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.keyAccessJustificationsPolicyConfigAdmin", "stage": 
"BETA", "title": "Key Access Justifications Policy Config Admin" }, { "description": "Gives Cloud KMS organization-level service account access to managed resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.orgServiceAgent", "stage": "GA", "title": "Cloud KMS Organization Service Agent" }, { "description": "Enables viewing protected resources.", "etag": "AA==", "name": "roles/cloudkms.protectedResourcesViewer", "stage": "GA", "title": "Cloud KMS Protected Resources Viewer" }, { "description": "Enables GetPublicKey operations", "etag": "AA==", "name": "roles/cloudkms.publicKeyViewer", "stage": "GA", "title": "Cloud KMS CryptoKey Public Key Viewer" }, { "description": "Gives Cloud KMS service account access to managed resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.serviceAgent", "stage": "GA", "title": "Cloud KMS Service Agent" }, { "description": "Enables Sign operations", "etag": "AA==", "name": "roles/cloudkms.signer", "stage": "GA", "title": "Cloud KMS CryptoKey Signer" }, { "description": "Enables Sign, Verify, and GetPublicKey operations", "etag": "AA==", "name": "roles/cloudkms.signerVerifier", "stage": "GA", "title": "Cloud KMS CryptoKey Signer/Verifier" }, { "description": "Enables Verify and GetPublicKey operations", "etag": "AA==", "name": "roles/cloudkms.verifier", "stage": "GA", "title": "Cloud KMS CryptoKey Verifier" }, { "description": "Enables Get and List operations.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudkms.viewer", "stage": "GA", "title": "Cloud KMS Viewer" }, { "description": "Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption.", "etag": "AA==", "name": "roles/cloudkmskacls.serviceAgent", "stage": "GA", "title": "Cloud KMS KACLS Service Agent" }, { "description": "Full access to Cloud Location Finder resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudlocationfinder.admin", "stage": 
"BETA", "title": "Cloud Location Finder Admin" }, { "description": "Readonly access to Cloud Location Finder resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudlocationfinder.viewer", "stage": "BETA", "title": "Cloud Location Finder Viewer" }, { "description": "Ability to create and manage Compute VMs to run Velostrata Infrastructure", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/cloudmigration.inframanager", "stage": "BETA", "title": "Velostrata Manager" }, { "description": "Ability to access migration storage", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudmigration.storageaccess", "stage": "BETA", "title": "Velostrata Storage Access" }, { "description": "Ability to set up connection between Velostrata Manager and Google", "etag": "AA==", "name": "roles/cloudmigration.velostrataconnect", "stage": "BETA", "title": "Velostrata Manager Connection Agent" }, { "description": "Administrator of Cloud Optimization AI resources", "etag": "AA==", "name": "roles/cloudoptimization.admin", "stage": "GA", "title": "Cloud Optimization AI Admin" }, { "description": "Editor of Cloud Optimization AI resources", "etag": "AA==", "name": "roles/cloudoptimization.editor", "stage": "GA", "title": "Cloud Optimization AI Editor" }, { "description": "Grants Cloud Optimization Service Account access to read and write data in the user project.", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudoptimization.serviceAgent", "stage": "GA", "title": "Cloud Optimization Service Agent" }, { "description": "Viewer of Cloud Optimization AI resources", "etag": "AA==", "name": "roles/cloudoptimization.viewer", "stage": "GA", "title": "Cloud Optimization AI Viewer" }, { "description": "Can browse catalogs in the target resource context.", "etag": "AA==", "name": "roles/cloudprivatecatalog.consumer", "stage": "BETA", "title": "Catalog Consumer" }, { "description": "Can manage catalog and view 
its associations.", "etag": "AA==", "name": "roles/cloudprivatecatalogproducer.admin", "stage": "BETA", "title": "Catalog Admin" }, { "description": "Can manage associations between a catalog and a target resource.", "etag": "AA==", "name": "roles/cloudprivatecatalogproducer.manager", "stage": "BETA", "title": "Catalog Manager" }, { "description": "Can manage catalog org settings.", "etag": "AA==", "name": "roles/cloudprivatecatalogproducer.orgAdmin", "stage": "BETA", "title": "Catalog Org Admin" }, { "description": "Cloud Profiler agents are allowed to register and provide the profiling data.", "etag": "AA==", "name": "roles/cloudprofiler.agent", "stage": "GA", "title": "Cloud Profiler Agent" }, { "description": "Cloud Profiler users are allowed to query and view the profiling data.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudprofiler.user", "stage": "GA", "title": "Cloud Profiler User" }, { "description": "Full access to Cloud Quotas resources.", "etag": "AA==", "name": "roles/cloudquotas.admin", "stage": "GA", "title": "Cloud Quotas Admin" }, { "description": "Readonly access to Cloud Quotas resources.", "etag": "AA==", "name": "roles/cloudquotas.viewer", "stage": "GA", "title": "Cloud Quotas Viewer" }, { "description": "Full access to jobs and executions.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudscheduler.admin", "stage": "GA", "title": "Cloud Scheduler Admin" }, { "description": "Access to run jobs.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudscheduler.jobRunner", "stage": "GA", "title": "Cloud Scheduler Job Runner" }, { "description": "Grants Cloud Scheduler Service Account access to manage resources.", "etag": "AA==", "has_privesc": true, "name": "roles/cloudscheduler.serviceAgent", "stage": "GA", "title": "Cloud Scheduler Service Agent" }, { "description": "Get and list access to jobs, executions, and locations.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudscheduler.viewer", 
"stage": "GA", "title": "Cloud Scheduler Viewer" }, { "description": "Full access to Compliance Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudsecuritycompliance.admin", "stage": "GA", "title": "Compliance Manager Admin" }, { "description": "Gives CSC Service Account access to consumer resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudsecuritycompliance.serviceAgent", "stage": "GA", "title": "Cloud Security Compliance Service Agent" }, { "description": "Readonly access to Compliance Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudsecuritycompliance.viewer", "stage": "GA", "title": "Compliance Manager Viewer" }, { "description": "Full access to all Web Security Scanner resources", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudsecurityscanner.editor", "stage": "GA", "title": "Web Security Scanner Editor" }, { "description": "Read access to Scan and ScanRun, plus the ability to start scans", "etag": "AA==", "name": "roles/cloudsecurityscanner.runner", "stage": "GA", "title": "Web Security Scanner Runner" }, { "description": "Read access to all Web Security Scanner resources", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudsecurityscanner.viewer", "stage": "GA", "title": "Web Security Scanner Viewer" }, { "description": "Full control of Cloud SQL resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudsql.admin", "stage": "GA", "title": "Cloud SQL Admin" }, { "description": "Connectivity access to Cloud SQL instances.", "etag": "AA==", "name": "roles/cloudsql.client", "stage": "GA", "title": "Cloud SQL Client" }, { "description": "Full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudsql.editor", "stage": "GA", "title": "Cloud SQL Editor" }, { "description": "Role allowing access to a Cloud SQL instance", 
"etag": "AA==", "has_undocumented": true, "name": "roles/cloudsql.instanceUser", "stage": "GA", "title": "Cloud SQL Instance User" }, { "description": "Role allowing access to the Cloud SQL instance schema on Dataplex", "etag": "AA==", "name": "roles/cloudsql.schemaViewer", "stage": "GA", "title": "Cloud SQL Schema Viewer" }, { "description": "Grants Cloud SQL access to services and APIs in the user project", "etag": "AA==", "name": "roles/cloudsql.serviceAgent", "stage": "GA", "title": "Cloud SQL Service Agent" }, { "description": "Role allowing access to Cloud SQL Studio", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudsql.studioUser", "stage": "GA", "title": "Cloud SQL Studio User" }, { "description": "Read-only access to Cloud SQL resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudsql.viewer", "stage": "GA", "title": "Cloud SQL Viewer" }, { "description": "Allows management of a support account without giving access to support cases.", "etag": "AA==", "name": "roles/cloudsupport.admin", "stage": "GA", "title": "Support Account Administrator" }, { "description": "Full read-write access to advisory support cases applicable for GCP Customer Care.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudsupport.advisorySupportEditor", "stage": "GA", "title": "Advisory Support Editor" }, { "description": "Read-only access to advisory support cases applicable for GCP Customer Care.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudsupport.advisorySupportViewer", "stage": "GA", "title": "Advisory Support Viewer" }, { "description": "Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support).", "etag": "AA==", "name": "roles/cloudsupport.techSupportEditor", "stage": "GA", "title": "Tech Support Editor" }, { "description": "Read-only access to technical support cases (applicable for GCP Customer Care and Maps support).", "etag": "AA==", "name": 
"roles/cloudsupport.techSupportViewer", "stage": "GA", "title": "Tech Support Viewer" }, { "description": "Read-only access to details of a support account. This does not allow viewing cases.", "etag": "AA==", "name": "roles/cloudsupport.viewer", "stage": "GA", "title": "Support Account Viewer" }, { "description": "Full access to queues and tasks.", "etag": "AA==", "name": "roles/cloudtasks.admin", "stage": "BETA", "title": "Cloud Tasks Admin" }, { "description": "Access to create tasks.", "etag": "AA==", "name": "roles/cloudtasks.enqueuer", "stage": "BETA", "title": "Cloud Tasks Enqueuer" }, { "description": "Admin access to queues.", "etag": "AA==", "name": "roles/cloudtasks.queueAdmin", "stage": "BETA", "title": "Cloud Tasks Queue Admin" }, { "description": "Grants Cloud Tasks Service Account access to manage resources.", "etag": "AA==", "has_privesc": true, "name": "roles/cloudtasks.serviceAgent", "stage": "GA", "title": "Cloud Tasks Service Agent" }, { "description": "Access to delete tasks.", "etag": "AA==", "name": "roles/cloudtasks.taskDeleter", "stage": "BETA", "title": "Cloud Tasks Task Deleter" }, { "description": "Access to run tasks.", "etag": "AA==", "name": "roles/cloudtasks.taskRunner", "stage": "BETA", "title": "Cloud Tasks Task Runner" }, { "description": "Get and list access to tasks, queues, and locations.", "etag": "AA==", "name": "roles/cloudtasks.viewer", "stage": "BETA", "title": "Cloud Tasks Viewer" }, { "description": "Administrator owning access to Direct Access", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudtestservice.directAccessAdmin", "stage": "BETA", "title": "Firebase Test Lab Direct Access Admin" }, { "description": "Viewer, able to see what direct access sessions exist", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudtestservice.directAccessViewer", "stage": "BETA", "title": "Firebase Test Lab Direct Access Viewer" }, { "description": "Full access to all Test Lab features", "etag": "AA==", 
"has_dataaccess": true, "name": "roles/cloudtestservice.testAdmin", "stage": "GA", "title": "Firebase Test Lab Admin" }, { "description": "Read access to Test Lab features", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudtestservice.testViewer", "stage": "GA", "title": "Firebase Test Lab Viewer" }, { "description": "Give Cloud TPUs service account access to managed resources", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/cloudtpu.serviceAgent", "stage": "GA", "title": "Cloud TPU V2 API Service Agent" }, { "description": "Admin access to Cloud Trace.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudtrace.admin", "stage": "GA", "title": "Cloud Trace Admin" }, { "description": "Agent access to Cloud Trace. Can write trace data.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudtrace.agent", "stage": "GA", "title": "Cloud Trace Agent" }, { "description": "User access to Cloud Trace. Can view traces, insights and stats. 
Can create, list, view, and delete tasks.", "etag": "AA==", "has_undocumented": true, "name": "roles/cloudtrace.user", "stage": "GA", "title": "Cloud Trace User" }, { "description": "Full access to all Cloud Translation resources", "etag": "AA==", "name": "roles/cloudtranslate.admin", "stage": "GA", "title": "Cloud Translation API Admin" }, { "description": "Editor of all Cloud Translation resources", "etag": "AA==", "name": "roles/cloudtranslate.editor", "stage": "GA", "title": "Cloud Translation API Editor" }, { "description": "Gives Cloud Translation Service Account access to consumer resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/cloudtranslate.serviceAgent", "stage": "GA", "title": "Cloud Translation API Service Agent" }, { "description": "User of Cloud Translation and AutoML models", "etag": "AA==", "name": "roles/cloudtranslate.user", "stage": "GA", "title": "Cloud Translation API User" }, { "description": "Viewer of all Translation resources", "etag": "AA==", "name": "roles/cloudtranslate.viewer", "stage": "GA", "title": "Cloud Translation API Viewer" }, { "description": "Admin of Commerce Agreement Publishing service", "etag": "AA==", "name": "roles/commerceagreementpublishing.admin", "stage": "BETA", "title": "Commerce Agreement Publishing Admin" }, { "description": "Viewer of Commerce Agreement Publishing service", "etag": "AA==", "name": "roles/commerceagreementpublishing.viewer", "stage": "BETA", "title": "Commerce Agreement Publishing Viewer" }, { "description": "Admin of Various Provider Configuration resources", "etag": "AA==", "has_undocumented": true, "name": "roles/commercebusinessenablement.admin", "stage": "BETA", "title": "Commerce Business Enablement Configuration Admin" }, { "description": "Administration of Payment Configuration resource", "etag": "AA==", "name": "roles/commercebusinessenablement.paymentConfigAdmin", "stage": "BETA", "title": "Commerce Business Enablement PaymentConfig Admin" }, { "description": "Viewer 
of Payment Configuration resource", "etag": "AA==", "name": "roles/commercebusinessenablement.paymentConfigViewer", "stage": "BETA", "title": "Commerce Business Enablement PaymentConfig Viewer" }, { "description": "Provides admin access to rebates", "etag": "AA==", "name": "roles/commercebusinessenablement.rebatesAdmin", "stage": "BETA", "title": "Commerce Business Enablement Rebates Admin" }, { "description": "Provides read-only access to rebates", "etag": "AA==", "name": "roles/commercebusinessenablement.rebatesViewer", "stage": "BETA", "title": "Commerce Business Enablement Rebates Viewer" }, { "description": "Provides admin access to reseller discount offers", "etag": "AA==", "name": "roles/commercebusinessenablement.resellerDiscountAdmin", "stage": "BETA", "title": "Commerce Business Enablement Reseller Discount Admin" }, { "description": "Provides read-only access to reseller discount offers", "etag": "AA==", "name": "roles/commercebusinessenablement.resellerDiscountViewer", "stage": "BETA", "title": "Commerce Business Enablement Reseller Discount Viewer" }, { "description": "Viewer of Various Provider Configuration resource", "etag": "AA==", "name": "roles/commercebusinessenablement.viewer", "stage": "BETA", "title": "Commerce Business Enablement Configuration Viewer" }, { "description": "Allows viewing offers", "etag": "AA==", "name": "roles/commerceoffercatalog.offersViewer", "stage": "BETA", "title": "Commerce Offer Catalog Offers Viewer" }, { "description": "Full access to Organization Governance APIs", "etag": "AA==", "has_undocumented": true, "name": "roles/commerceorggovernance.admin", "stage": "BETA", "title": "Commerce Organization Governance Admin" }, { "description": "Full access to Governed Marketplace features.", "etag": "AA==", "has_undocumented": true, "name": "roles/commerceorggovernance.user", "stage": "BETA", "title": "Governed Marketplace User" }, { "description": "Full access to Organization Governance read-only APIs.", "etag": "AA==", 
"has_undocumented": true, "name": "roles/commerceorggovernance.viewer", "stage": "BETA", "title": "Commerce Organization Governance Viewer" }, { "description": "Allows viewing key events for an offer", "etag": "AA==", "name": "roles/commercepricemanagement.eventsViewer", "stage": "BETA", "title": "Commerce Price Management Events Viewer" }, { "description": "Allows managing private offers", "etag": "AA==", "has_undocumented": true, "name": "roles/commercepricemanagement.privateOffersAdmin", "stage": "BETA", "title": "Commerce Price Management Private Offers Admin" }, { "description": "Allows viewing offers, free trials, skus", "etag": "AA==", "has_undocumented": true, "name": "roles/commercepricemanagement.viewer", "stage": "BETA", "title": "Commerce Price Management Viewer" }, { "description": "Grants full access to all resources in Cloud Commerce Producer API.", "etag": "AA==", "name": "roles/commerceproducer.admin", "stage": "BETA", "title": "Commerce Producer Admin" }, { "description": "Grants read access to all resources in Cloud Commerce Producer API.", "etag": "AA==", "name": "roles/commerceproducer.viewer", "stage": "BETA", "title": "Commerce Producer Viewer" }, { "description": "Gives Compliance Scanning the access it needs to analyze containers and VMs for compliance and create occurrences using the Container Analysis API", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/compliancescanning.serviceAgent", "stage": "GA", "title": "Compliance Scanning Service Agent" }, { "description": "Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.", "etag": "AA==", "has_privesc": true, "name": "roles/composer.ServiceAgentV2Ext", "stage": "GA", "title": "Cloud Composer v2 API Service Agent Extension" }, { "description": "Full control of Composer resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/composer.admin", "stage": "GA", "title": "Composer 
Administrator" }, { "description": "Full control of Cloud Composer environments and Cloud Storage objects.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/composer.environmentAndStorageObjectAdmin", "stage": "GA", "title": "Environment and Storage Object Administrator" }, { "description": "Read and use access to Cloud Composer resources and read access Cloud Storage objects.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/composer.environmentAndStorageObjectUser", "stage": "GA", "title": "Environment and Storage Object User" }, { "description": "Read access to Cloud Composer environments and Cloud Storage objects.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/composer.environmentAndStorageObjectViewer", "stage": "GA", "title": "Environment and Storage Object Viewer" }, { "description": "Cloud Composer API service agent can manage environments.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/composer.serviceAgent", "stage": "GA", "title": "Cloud Composer API Service Agent" }, { "description": "Role that should be assigned to Composer Agent service account in Shared VPC host project", "etag": "AA==", "name": "roles/composer.sharedVpcAgent", "stage": "GA", "title": "Composer Shared VPC Agent" }, { "description": "Read and use access to Composer resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/composer.user", "stage": "GA", "title": "Composer User" }, { "description": "Worker access to Composer. 
Intended for service accounts.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/composer.worker", "stage": "GA", "title": "Composer Worker" }, { "description": "Full control of all Compute Engine resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/compute.admin", "stage": "GA", "title": "Compute Admin" }, { "etag": "AA==", "has_undocumented": true, "name": "roles/compute.futureReservationAdmin", "stage": "BETA", "title": "Compute Future Reservation Admin" }, { "etag": "AA==", "has_undocumented": true, "name": "roles/compute.futureReservationUser", "stage": "BETA", "title": "Compute Future Reservation User" }, { "etag": "AA==", "name": "roles/compute.futureReservationViewer", "stage": "BETA", "title": "Compute Future Reservation Viewer" }, { "description": "Read and use image resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.imageUser", "stage": "GA", "title": "Compute Image User" }, { "description": "Full control of Compute Engine instance resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/compute.instanceAdmin", "stage": "GA", "title": "Compute Instance Admin (beta)" }, { "description": "Full control of Compute Engine instances, instance groups, disks, snapshots, and images. 
Read access to all Compute Engine networking resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/compute.instanceAdmin.v1", "stage": "GA", "title": "Compute Instance Admin (v1)" }, { "description": "Role containing all permissions required by Managed Instance Groups to create and manage instances.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/compute.instanceGroupManagerServiceAgent", "stage": "GA", "title": "Instance Group Manager Service Agent" }, { "description": "Analyze Interconnect Attachment Groups via their GetOperationalStatus method.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.interconnectAttachmentGroupAnalyzer", "stage": "GA", "title": "Interconnect Attachment Group Analyzer" }, { "description": "Analyze Interconnect Groups via their GetOperationalStatus method.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.interconnectGroupAnalyzer", "stage": "GA", "title": "Interconnect Group Analyzer" }, { "description": "Full control of Compute Engine resources related to load balancer.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/compute.loadBalancerAdmin", "stage": "GA", "title": "Compute Load Balancer Admin" }, { "description": "Permissions to use services from a load balancer in other projects.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.loadBalancerServiceUser", "stage": "GA", "title": "Compute Load Balancer Services User" }, { "description": "Full control of Compute Engine networking resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/compute.networkAdmin", "stage": "GA", "title": "Compute Network Admin" }, { "description": "Access to use Compute Engine networking resources.", "etag": "AA==", "has_undocumented": 
true, "name": "roles/compute.networkUser", "stage": "GA", "title": "Compute Network User" }, { "description": "Read-only access to Compute Engine networking resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/compute.networkViewer", "stage": "GA", "title": "Compute Network Viewer" }, { "description": "Full control of Compute Engine Organization Firewall Policies.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/compute.orgFirewallPolicyAdmin", "stage": "GA", "title": "Compute Organization Firewall Policy Admin" }, { "description": "View or use Compute Engine Firewall Policies to associate with the organization or folders.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.orgFirewallPolicyUser", "stage": "GA", "title": "Compute Organization Firewall Policy User" }, { "description": "Full control of Compute Engine Organization Security Policies.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/compute.orgSecurityPolicyAdmin", "stage": "GA", "title": "Compute Organization Security Policy Admin" }, { "description": "View or use Compute Engine Security Policies to associate with the organization or folders.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.orgSecurityPolicyUser", "stage": "GA", "title": "Compute Organization Security Policy User" }, { "description": "Full control of Compute Engine Firewall Policy associations to the organization or folders.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.orgSecurityResourceAdmin", "stage": "GA", "title": "Compute Organization Resource Admin" }, { "description": "Access to log in to a Compute Engine instance as an administrator user.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_undocumented": true, "name": "roles/compute.osAdminLogin", "stage": "GA", "title": "Compute OS Admin Login" }, { "description": "Access to log in to a Compute 
Engine instance as a standard (non-administrator) user.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/compute.osLogin", "stage": "GA", "title": "Compute OS Login" }, { "description": "Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login IAM roles (https://cloud.google.com/compute/docs/instances/managing-instance-access#configure_users) in order to allow access to instances using SSH.", "etag": "AA==", "name": "roles/compute.osLoginExternalUser", "stage": "GA", "title": "Compute OS Login External User" }, { "description": "Specify resources to be mirrored.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.packetMirroringAdmin", "stage": "GA", "title": "Compute packet mirroring admin" }, { "description": "Use Compute Engine packet mirrorings.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.packetMirroringUser", "stage": "GA", "title": "Compute packet mirroring user" }, { "description": "Use subnetwork whose PURPOSE is \"PEER_MIGRATION\"", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.peerSubnetMigrationAdmin", "stage": "GA", "title": "Compute Peer Subnet Migration Admin" }, { "description": "Full control of public IP address management for Compute Engine.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.publicIpAdmin", "stage": "GA", "title": "Compute Public IP Admin" }, { "description": "Full control of Compute Engine security resources.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/compute.securityAdmin", "stage": "GA", "title": "Compute Security Admin" }, { "description": "Gives Compute Engine Service Account access to assert service account authority. 
Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/compute.serviceAgent", "stage": "GA", "title": "Compute Engine Service Agent" }, { "description": "Permissions to view sole tenancy node groups", "etag": "AA==", "name": "roles/compute.soleTenantViewer", "stage": "GA", "title": "Compute Sole Tenant Viewer" }, { "description": "Full control of Compute Engine storage resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/compute.storageAdmin", "stage": "GA", "title": "Compute Storage Admin" }, { "description": "Read-only access to get and list information about all Compute Engine resources, including instances, disks, and firewalls. Allows getting and listing information about disks, images, and snapshots, but does not allow reading the data stored on them.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/compute.viewer", "stage": "GA", "title": "Compute Viewer" }, { "description": "Administer zone/global VM extension policies.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.vmExtensionPolicyAdmin", "stage": "BETA", "title": "Compute VM extension policy admin" }, { "description": "View zone/global VM extension policies.", "etag": "AA==", "has_undocumented": true, "name": "roles/compute.vmExtensionPolicyViewer", "stage": "BETA", "title": "Compute VM extension policy viewer" }, { "description": "Can administer shared VPC network (XPN).", "etag": "AA==", "name": "roles/compute.xpnAdmin", "stage": "GA", "title": "Compute Shared VPC Admin" }, { "description": "Grants the ability to generate an attestation token and run a workload in a VM. 
Intended for service accounts that run on Confidential Space VMs.", "etag": "AA==", "name": "roles/confidentialcomputing.workloadUser", "stage": "GA", "title": "Confidential Space Workload User" }, { "description": "Full access to Cloud Infrastructure Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/config.admin", "stage": "GA", "title": "Cloud Infrastructure Manager Admin" }, { "description": "Required permissions to make Cloud Infrastructure Manager work with the user-specified service account", "etag": "AA==", "has_dataaccess": true, "name": "roles/config.agent", "stage": "GA", "title": "Cloud Infrastructure Manager Agent" }, { "description": "Read-only access to Cloud Infrastructure Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/config.viewer", "stage": "GA", "title": "Cloud Infrastructure Manager Viewer" }, { "description": "Grants full access to all Config Delivery resources. Lets users create, remove and manage fleet packages and resource bundles.", "etag": "AA==", "name": "roles/configdelivery.configDeliveryAdmin", "stage": "BETA", "title": "ConfigDelivery Admin" }, { "description": "Grants read access to all Config Delivery resources. 
Lets users view existing fleet packages and resource bundles, but they will not be able to make any changes.", "etag": "AA==", "name": "roles/configdelivery.configDeliveryViewer", "stage": "BETA", "title": "ConfigDelivery Viewer" }, { "description": "Grants read and write permissions to Config Delivery ResourceBundles and Releases.", "etag": "AA==", "name": "roles/configdelivery.resourceBundlePublisher", "stage": "BETA", "title": "Config Delivery Resource Bundle Publisher" }, { "description": "Gives the Config Delivery service account permission to manage resources ", "etag": "AA==", "has_privesc": true, "name": "roles/configdelivery.serviceAgent", "stage": "GA", "title": "Config Delivery Service Agent" }, { "description": "Full access to all resources of Connectors Service.", "etag": "AA==", "has_undocumented": true, "name": "roles/connectors.admin", "stage": "GA", "title": "Connector Admin" }, { "description": "Custom Connector is a global resource which creates custom connector within the given target project. This role grants Admin access to Custom Connector resources", "etag": "AA==", "name": "roles/connectors.customConnectorAdmin", "stage": "GA", "title": "Custom Connectors Admin" }, { "description": "Custom Connector is a global resource which creates custom connector within the given target project. This role grants Read-only access to Custom Connector & Custom Connector Version resources.", "etag": "AA==", "name": "roles/connectors.customConnectorViewer", "stage": "GA", "title": "Custom Connector Viewer" }, { "description": "Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. 
This role grants Admin access to Connectors Endpoint Attachment resources.", "etag": "AA==", "name": "roles/connectors.endpointAttachmentAdmin", "stage": "GA", "title": "Connectors Endpoint Attachment Admin" }, { "description": "Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Read-only access to Connectors Endpoint Attachment resources", "etag": "AA==", "name": "roles/connectors.endpointAttachmentViewer", "stage": "GA", "title": "Connectors Endpoint Attachment Viewer" }, { "description": "Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Admin access to Connectors Subscription resources", "etag": "AA==", "name": "roles/connectors.eventSubscriptionAdmin", "stage": "GA", "title": "Connectors Event Subscriptions Admin" }, { "description": "Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Read-only access to Event Subscription resources.", "etag": "AA==", "name": "roles/connectors.eventSubscriptionViewer", "stage": "GA", "title": "Connectors Event Subscriptions Viewer" }, { "description": "Full Access to invoke all operations on Connections.", "etag": "AA==", "name": "roles/connectors.invoker", "stage": "GA", "title": "Connector Invoker" }, { "description": "Full Access to listen events by connections.", "etag": "AA==", "name": "roles/connectors.listener", "stage": "GA", "title": "Connector Event Listener" }, { "description": "Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. 
This role grants Admin access to Connectors Managed Zone resources", "etag": "AA==", "name": "roles/connectors.managedZoneAdmin", "stage": "GA", "title": "Connectors Managed Zone Admin" }, { "description": "Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Read-only access to Connectors Managed Zone resources.", "etag": "AA==", "name": "roles/connectors.managedZoneViewer", "stage": "GA", "title": "Connectors Managed Zone Viewer" }, { "description": "Grants Connectors Platform service account to manage customer resources", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/connectors.serviceAgent", "stage": "GA", "title": "Connectors Platform Service Agent" }, { "description": "Read-only access to all Connectors resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/connectors.viewer", "stage": "GA", "title": "Connectors Viewer" }, { "description": "Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project", "etag": "AA==", "has_undocumented": true, "name": "roles/consumerprocurement.entitlementManager", "stage": "GA", "title": "Consumer Procurement Entitlement Manager" }, { "description": "Allows inspecting entitlements and service states for a consumer project", "etag": "AA==", "has_undocumented": true, "name": "roles/consumerprocurement.entitlementViewer", "stage": "GA", "title": "Consumer Procurement Entitlement Viewer" }, { "description": "Allows viewing key events for an offer", "etag": "AA==", "name": "roles/consumerprocurement.eventsViewer", "stage": "GA", "title": "Consumer Procurement Events Viewer" }, { "description": "Allows managing license pools and license assignments.", "etag": "AA==", "has_undocumented": true, "name": "roles/consumerprocurement.licensePoolEditor", "stage": "GA", "title": "Consumer Procurement License Pool Editor" }, { "description": "Allows viewing license pools and license 
assignments.", "etag": "AA==", "has_undocumented": true, "name": "roles/consumerprocurement.licensePoolViewer", "stage": "GA", "title": "Consumer Procurement License Pool Viewer" }, { "description": "Allows managing purchases", "etag": "AA==", "has_undocumented": true, "name": "roles/consumerprocurement.orderAdmin", "stage": "GA", "title": "Consumer Procurement Order Administrator" }, { "description": "Allows inspecting purchases", "etag": "AA==", "has_undocumented": true, "name": "roles/consumerprocurement.orderViewer", "stage": "GA", "title": "Consumer Procurement Order Viewer" }, { "description": "Allows managing purchases, consents at both billing account and project level.", "etag": "AA==", "has_undocumented": true, "name": "roles/consumerprocurement.procurementAdmin", "stage": "GA", "title": "Consumer Procurement Administrator" }, { "description": "Allows inspecting purchases, consents and entitlements and service states for a consumer project.", "etag": "AA==", "has_undocumented": true, "name": "roles/consumerprocurement.procurementViewer", "stage": "GA", "title": "Consumer Procurement Viewer" }, { "description": "Full access to Contact Center AI Platform resources.", "etag": "AA==", "name": "roles/contactcenteraiplatform.admin", "stage": "GA", "title": "Contact Center AI Platform Admin" }, { "description": "Readonly access to Contact Center AI Platform resources.", "etag": "AA==", "name": "roles/contactcenteraiplatform.viewer", "stage": "GA", "title": "Contact Center AI Platform Viewer" }, { "description": "Access to generating shifts using Workforce Scheduling.", "etag": "AA==", "has_undocumented": true, "name": "roles/contactcenteraiplatform.workforceSchedulingShiftGenerator", "stage": "BETA", "title": "Workforce Scheduling Shift Generator" }, { "description": "Grants full access to all Contact Center AI Insights resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/contactcenterinsights.admin", "stage": "GA", "title": "Contact Center AI 
Insights Admin" }, { "description": "Grants read and write access to Authorized resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/contactcenterinsights.authorizedEditor", "stage": "BETA", "title": "Contact Center AI Insights authorized editor" }, { "description": "Grants read access to Authorized resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/contactcenterinsights.authorizedViewer", "stage": "BETA", "title": "Contact Center AI Insights authorized viewer" }, { "description": "Grants read and write access to all Contact Center AI Insights resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/contactcenterinsights.editor", "stage": "GA", "title": "Contact Center AI Insights editor" }, { "description": "Allows Contact Center AI to read and write APIs including BigQuery, Dialogflow, and Storage.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/contactcenterinsights.serviceAgent", "stage": "GA", "title": "Contact Center AI Insights Service Agent" }, { "description": "Grants read access to all Contact Center AI Insights resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/contactcenterinsights.viewer", "stage": "GA", "title": "Contact Center AI Insights viewer" }, { "description": "Full management of Kubernetes Clusters and their Kubernetes API objects.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/container.admin", "stage": "GA", "title": "Kubernetes Engine Admin" }, { "description": "Allow the Kubernetes Engine service agent in the cluster project to call KMS with user provided crypto keys to sign payloads.", "etag": "AA==", "has_undocumented": true, "name": "roles/container.cloudKmsKeyUser", "stage": "GA", "title": "Kubernetes Engine KMS Crypto Key User" }, { "description": "Management of Kubernetes Clusters.", "etag": "AA==", "has_undocumented": true, "name": "roles/container.clusterAdmin", "stage": "GA", "title": "Kubernetes 
Engine Cluster Admin" }, { "description": "Get and list access to GKE Clusters.", "etag": "AA==", "has_undocumented": true, "name": "roles/container.clusterViewer", "stage": "GA", "title": "Kubernetes Engine Cluster Viewer" }, { "description": "Least privilege role to use as the default service account for GKE Nodes.", "etag": "AA==", "name": "roles/container.defaultNodeServiceAccount", "stage": "GA", "title": "Kubernetes Engine Default Node Service Account" }, { "description": "Minimal set of permissions required by a GKE node to support standard capabilities such as logging and monitoring. Replaces the container.nodeServiceAgent role with a reduced permission set.", "etag": "AA==", "has_undocumented": true, "name": "roles/container.defaultNodeServiceAgent", "stage": "GA", "title": "Kubernetes Engine Default Node Service Agent" }, { "description": "Full access to Kubernetes API objects inside Kubernetes Clusters.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/container.developer", "stage": "GA", "title": "Kubernetes Engine Developer" }, { "description": "Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project, and configure Cloud DNS resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/container.hostServiceAgentUser", "stage": "GA", "title": "Kubernetes Engine Host Service Agent User" }, { "description": "Minimal set of permission required by a GKE node to support standard capabilities such as logging and monitoring export, and image pulls.", "etag": "AA==", "has_dataaccess": true, "name": "roles/container.nodeServiceAgent", "stage": "GA", "title": "[Deprecated] Kubernetes Engine Node Service Agent" }, { "description": "Gives Kubernetes Engine account access to manage cluster resources. 
Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/container.serviceAgent", "stage": "GA", "title": "Kubernetes Engine Service Agent" }, { "description": "Read-only access to Kubernetes Engine resources.", "etag": "AA==", "name": "roles/container.viewer", "stage": "GA", "title": "Kubernetes Engine Viewer" }, { "description": "Gives Container Analysis API the access it needs to function", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/containeranalysis.ServiceAgent", "stage": "GA", "title": "Container Analysis Service Agent" }, { "description": "Access to all Container Analysis resources.", "etag": "AA==", "name": "roles/containeranalysis.admin", "stage": "GA", "title": "Container Analysis Admin" }, { "description": "Can attach Container Analysis Occurrences to Notes.", "etag": "AA==", "name": "roles/containeranalysis.notes.attacher", "stage": "GA", "title": "Container Analysis Notes Attacher" }, { "description": "Can edit Container Analysis Notes.", "etag": "AA==", "name": "roles/containeranalysis.notes.editor", "stage": "GA", "title": "Container Analysis Notes Editor" }, { "description": "Can view all Container Analysis Occurrences attached to a Note.", "etag": "AA==", "name": "roles/containeranalysis.notes.occurrences.viewer", "stage": "GA", "title": "Container Analysis Occurrences for Notes Viewer" }, { "description": "Can view Container Analysis Notes.", "etag": "AA==", "name": "roles/containeranalysis.notes.viewer", "stage": "GA", "title": "Container Analysis Notes Viewer" }, { "description": "Can edit Container Analysis Occurrences.", "etag": "AA==", "name": "roles/containeranalysis.occurrences.editor", "stage": "GA", "title": "Container Analysis Occurrences Editor" }, { "description": "Can view Container Analysis Occurrences.", "etag": "AA==", "name": 
"roles/containeranalysis.occurrences.viewer", "stage": "GA", "title": "Container Analysis Occurrences Viewer" }, { "description": "Access for Container Registry", "etag": "AA==", "has_dataaccess": true, "name": "roles/containerregistry.ServiceAgent", "stage": "GA", "title": "Container Registry Service Agent" }, { "description": "Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/containerscanning.ServiceAgent", "stage": "GA", "title": "Container Scanner Service Agent" }, { "description": "Readonly access to GKE Security Posture resources.", "etag": "AA==", "name": "roles/containersecurity.viewer", "stage": "BETA", "title": "GKE Security Posture Viewer" }, { "description": "Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/containerthreatdetection.serviceAgent", "stage": "GA", "title": "Container Threat Detection Service Agent" }, { "description": "Grants full access to all the resources in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.admin", "stage": "GA", "title": "Content Warehouse Admin" }, { "description": "Grants full access to the document resource in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.documentAdmin", "stage": "GA", "title": "Content Warehouse Document Admin" }, { "description": "Grants access to create document in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.documentCreator", "stage": "GA", "title": "Content Warehouse document creator" }, { "description": "Grants access to update document resource in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.documentEditor", "stage": "GA", 
"title": "Content Warehouse Document Editor" }, { "description": "Grants access to view the document schemas in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.documentSchemaViewer", "stage": "GA", "title": "Content Warehouse document schema viewer" }, { "description": "Grants access to view all the resources in Content Warehouse", "etag": "AA==", "name": "roles/contentwarehouse.documentViewer", "stage": "GA", "title": "Content Warehouse Viewer" }, { "description": "Gives the Content Warehouse service account to manage customer resources", "etag": "AA==", "has_dataaccess": true, "name": "roles/contentwarehouse.serviceAgent", "stage": "GA", "title": "Content Warehouse Service Agent" }, { "description": "Admin role for Database Center resource data", "etag": "AA==", "has_undocumented": true, "name": "roles/databasecenter.admin", "stage": "GA", "title": "Database Center Admin" }, { "description": "Viewer role for Database Center resource data", "etag": "AA==", "has_undocumented": true, "name": "roles/databasecenter.viewer", "stage": "GA", "title": "Database Center Viewer" }, { "description": "Viewer role for Database Insights assistant data", "etag": "AA==", "has_undocumented": true, "name": "roles/databaseinsights.assistantViewer", "stage": "BETA", "title": "Database Insights assistant viewer" }, { "description": "Viewer role for Events Service data", "etag": "AA==", "name": "roles/databaseinsights.eventsViewer", "stage": "GA", "title": "Events Service viewer" }, { "description": "Viewer role for Database Insights monitoring data", "etag": "AA==", "name": "roles/databaseinsights.monitoringViewer", "stage": "GA", "title": "Database Insights monitoring viewer" }, { "description": "Admin role for performing Database Insights operations", "etag": "AA==", "name": "roles/databaseinsights.operationsAdmin", "stage": "GA", "title": "Database Insights performing operations" }, { "description": "Viewer role for Database Insights recommendation data", "etag": 
"AA==", "name": "roles/databaseinsights.recommendationViewer", "stage": "GA", "title": "Database Insights recommendation viewer" }, { "description": "Viewer role for Database Insights data", "etag": "AA==", "has_undocumented": true, "name": "roles/databaseinsights.viewer", "stage": "GA", "title": "Database Insights viewer" }, { "description": "Full access to Studio Query resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/databasesconsole.studioQueryAdmin", "stage": "BETA", "title": "Studio Query Admin" }, { "description": "Access to create, update, search and delete studio queries.", "etag": "AA==", "has_undocumented": true, "name": "roles/databasesconsole.studioQueryUser", "stage": "BETA", "title": "Studio Query User" }, { "description": "Full access to all DataCatalog resources", "etag": "AA==", "has_credentialexposure": true, "has_privesc": true, "has_undocumented": true, "name": "roles/datacatalog.admin", "stage": "GA", "title": "Data Catalog Admin" }, { "description": "Manage taxonomies", "etag": "AA==", "name": "roles/datacatalog.categoryAdmin", "stage": "GA", "title": "Policy Tag Admin" }, { "description": "Read access to sub-resources tagged by a policy tag, for example, BigQuery columns", "etag": "AA==", "name": "roles/datacatalog.categoryFineGrainedReader", "stage": "GA", "title": "Fine-Grained Reader" }, { "description": "Can update overview and data steward fields", "etag": "AA==", "has_undocumented": true, "name": "roles/datacatalog.dataSteward", "stage": "BETA", "title": "DataCatalog Data Steward" }, { "description": "Can create new entryGroups", "etag": "AA==", "has_undocumented": true, "name": "roles/datacatalog.entryGroupCreator", "stage": "GA", "title": "DataCatalog EntryGroup Creator" }, { "description": "Full access to entryGroups", "etag": "AA==", "has_undocumented": true, "name": "roles/datacatalog.entryGroupOwner", "stage": "GA", "title": "DataCatalog EntryGroup Owner" }, { "description": "Full access to entries", "etag": 
"AA==", "has_undocumented": true, "name": "roles/datacatalog.entryOwner", "stage": "GA", "title": "DataCatalog Entry Owner" }, { "description": "Read access to entries", "etag": "AA==", "has_undocumented": true, "name": "roles/datacatalog.entryViewer", "stage": "GA", "title": "DataCatalog Entry Viewer" }, { "description": "Full access to glossaries", "etag": "AA==", "has_undocumented": true, "name": "roles/datacatalog.glossaryOwner", "stage": "BETA", "title": "DataCatalog Glossary Owner" }, { "description": "Can view glossaries and associate terms to entries", "etag": "AA==", "has_undocumented": true, "name": "roles/datacatalog.glossaryUser", "stage": "BETA", "title": "DataCatalog Glossary User" }, { "description": "Full access to Migration Config", "etag": "AA==", "name": "roles/datacatalog.migrationConfigAdmin", "stage": "GA", "title": "DataCatalog Migration Config Admin" }, { "description": "Can search all metadata for a project/org in DataCatalog", "etag": "AA==", "name": "roles/datacatalog.searchAdmin", "stage": "DEPRECATED", "title": "DataCatalog Search Admin" }, { "description": "Gives permission to modify tags on a GCP assets (BigQuery, Pub/Sub etc).", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/datacatalog.tagEditor", "stage": "GA", "title": "Data Catalog Tag Editor" }, { "description": "Access to create new tag templates", "etag": "AA==", "has_undocumented": true, "name": "roles/datacatalog.tagTemplateCreator", "stage": "GA", "title": "Data Catalog TagTemplate Creator" }, { "description": "Full access to tag templates", "etag": "AA==", "has_undocumented": true, "name": "roles/datacatalog.tagTemplateOwner", "stage": "GA", "title": "Data Catalog TagTemplate Owner" }, { "description": "Access to use templates to tag resources", "etag": "AA==", "has_undocumented": true, "name": "roles/datacatalog.tagTemplateUser", "stage": "GA", "title": "Data Catalog TagTemplate User" }, { "description": "Read access to templates and tags 
created using the templates", "etag": "AA==", "has_undocumented": true, "name": "roles/datacatalog.tagTemplateViewer", "stage": "GA", "title": "Data Catalog TagTemplate Viewer" }, { "description": "Grants metadata read permissions to cataloged GCP assets (BigQuery, Pub/Sub etc)", "etag": "AA==", "has_credentialexposure": true, "has_undocumented": true, "name": "roles/datacatalog.viewer", "stage": "GA", "title": "Data Catalog Viewer" }, { "description": "Full access to Data Connectors.", "etag": "AA==", "name": "roles/dataconnectors.connectorAdmin", "stage": "BETA", "title": "Connector Admin" }, { "description": "Access to use Data Connectors.", "etag": "AA==", "name": "roles/dataconnectors.connectorUser", "stage": "BETA", "title": "Connector User" }, { "description": "Gives Data Connectors service agent permission to access the virtual private cloud", "etag": "AA==", "name": "roles/dataconnectors.serviceAgent", "stage": "GA", "title": "Data Connectors Service Agent" }, { "description": "Minimal role for creating and managing dataflow jobs.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/dataflow.admin", "stage": "GA", "title": "Dataflow Admin" }, { "description": "Full operational access to Dataflow jobs.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/dataflow.developer", "stage": "GA", "title": "Dataflow Developer" }, { "description": "Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/dataflow.serviceAgent", "stage": "GA", "title": "Cloud Dataflow Service Agent" }, { "description": "Read only access to Dataflow jobs.", "etag": "AA==", "name": "roles/dataflow.viewer", "stage": "GA", "title": "Dataflow Viewer" }, { "description": "Worker access to Dataflow. 
Intended for service accounts.", "etag": "AA==", "has_dataaccess": true, "name": "roles/dataflow.worker", "stage": "GA", "title": "Dataflow Worker" }, { "description": "Full access to all Dataform resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.admin", "stage": "GA", "title": "Dataform Admin" }, { "description": "Permissions to comment, at the repository level. Grants CRUD access over commentThread and comment resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.codeCommenter", "stage": "BETA", "title": "Code Commenter" }, { "description": "Access only to private and shared code resources. The permissions in the Code Creator let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.codeCreator", "stage": "GA", "title": "Code Creator" }, { "description": "Edit access code resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.codeEditor", "stage": "GA", "title": "Code Editor" }, { "description": "Full access to code resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.codeOwner", "stage": "GA", "title": "Code Owner" }, { "description": "Access for scheduling workflows and releases.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.codeScheduler", "stage": "BETA", "title": "Code Scheduler" }, { "description": "Read-only access to all code resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.codeViewer", "stage": "GA", "title": "Code Viewer" }, { "description": "Edit access to Workspaces and Read-only access to Repositories.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.editor", "stage": "GA", "title": "Dataform Editor" }, { "description": "Gives permission for the Dataform API to access a secret from Secret Manager", "etag": "AA==", "name": 
"roles/dataform.serviceAgent", "stage": "GA", "title": "Dataform Service Agent" }, { "description": "View and comment access to a team folder and its contents.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.teamFolderCommenter", "stage": "BETA", "title": "Team Folder Commenter" }, { "description": "Edit access to a team folder and its contents.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.teamFolderContributor", "stage": "BETA", "title": "Team Folder Contributor" }, { "description": "Access to create new team folders.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.teamFolderCreator", "stage": "BETA", "title": "Team Folder Creator" }, { "description": "Full access to a team folder and its contents. Can share the team folder and its contents.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.teamFolderOwner", "stage": "BETA", "title": "Team Folder Owner" }, { "description": "View access to a team folder and its contents.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.teamFolderViewer", "stage": "BETA", "title": "Team Folder Viewer" }, { "description": "Read-only access to all Dataform resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataform.viewer", "stage": "GA", "title": "Dataform Viewer" }, { "description": "Read-only access to Cloud Data Fusion Instances. 
Use it on instance level along with the namespace grants to provide access to the specific namespace.", "etag": "AA==", "name": "roles/datafusion.accessor", "stage": "BETA", "title": "Cloud Data Fusion Accessor" }, { "description": "Full access to Cloud Data Fusion Instances, Namespaces and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/datafusion.admin", "stage": "GA", "title": "Cloud Data Fusion Admin" }, { "description": "Access Cloud Data Fusion Instances, develop and run pipelines.", "etag": "AA==", "has_undocumented": true, "name": "roles/datafusion.developer", "stage": "BETA", "title": "Cloud Data Fusion Developer" }, { "description": "Access Cloud Data Fusion Instances, operate namespaces and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/datafusion.operator", "stage": "BETA", "title": "Cloud Data Fusion Operator" }, { "description": "Access to Cloud Data Fusion runtime resources.", "etag": "AA==", "name": "roles/datafusion.runner", "stage": "GA", "title": "Cloud Data Fusion Runner" }, { "description": "Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/datafusion.serviceAgent", "stage": "GA", "title": "Cloud Data Fusion API Service Agent" }, { "description": "Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/datafusion.viewer", "stage": "GA", "title": "Cloud Data Fusion Viewer" }, { "description": "Full access to all Data Labeling resources", "etag": "AA==", "name": "roles/datalabeling.admin", "stage": "BETA", "title": "Data Labeling Service Admin" }, { "description": "Editor of all Data Labeling resources", "etag": "AA==", "name": "roles/datalabeling.editor", "stage": "BETA", "title": "Data Labeling 
Service Editor" }, { "description": "Gives Data Labeling service account read/write access to Cloud Storage, read/write BigQuery, update CMLE model versions, editor access to Annotation service and AutoML service.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/datalabeling.serviceAgent", "stage": "GA", "title": "Data Labeling Service Agent" }, { "description": "Viewer of all Data Labeling resources", "etag": "AA==", "name": "roles/datalabeling.viewer", "stage": "BETA", "title": "Data Labeling Service Viewer" }, { "description": "Grants full access to all resources in Data Lineage API", "etag": "AA==", "has_undocumented": true, "name": "roles/datalineage.admin", "stage": "GA", "title": "Data Lineage Administrator" }, { "description": "Grants edit access to all resources in Data Lineage API", "etag": "AA==", "has_undocumented": true, "name": "roles/datalineage.editor", "stage": "GA", "title": "Data Lineage Editor" }, { "description": "Grants access to creating all resources in Data Lineage API", "etag": "AA==", "has_undocumented": true, "name": "roles/datalineage.producer", "stage": "GA", "title": "Data Lineage Events Producer" }, { "description": "Grants read access to all resources in Data Lineage API", "etag": "AA==", "has_undocumented": true, "name": "roles/datalineage.viewer", "stage": "GA", "title": "Data Lineage Viewer" }, { "description": "Full access to all resources of Database Migration.", "etag": "AA==", "has_undocumented": true, "name": "roles/datamigration.admin", "stage": "GA", "title": "Database Migration Admin" }, { "description": "Gives Cloud Database Migration service account access to Cloud SQL resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/datamigration.serviceAgent", "stage": "GA", "title": "Database Migration Service Agent" }, { "description": "Administrator of Data pipelines resources", "etag": "AA==", "name": "roles/datapipelines.admin", "stage": "GA", "title": 
"Data pipelines Admin" }, { "description": "Invoker of Data pipelines jobs", "etag": "AA==", "name": "roles/datapipelines.invoker", "stage": "GA", "title": "Data pipelines Invoker" }, { "description": "Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/datapipelines.serviceAgent", "stage": "GA", "title": "Datapipelines Service Agent" }, { "description": "Viewer of Data pipelines resources", "etag": "AA==", "name": "roles/datapipelines.viewer", "stage": "GA", "title": "Data pipelines Viewer" }, { "description": "Full access to Dataplex Universal Catalog resources, except for catalog resources like entries and entry groups.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.admin", "stage": "GA", "title": "Dataplex Administrator" }, { "description": "Grants access to creating and managing Aspect Types. Does not give the right to create/modify Entries.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.aspectTypeOwner", "stage": "GA", "title": "Dataplex Aspect Type Owner" }, { "description": "Grants access to use Aspect Types to create/modify Entries with the corresponding aspects.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.aspectTypeUser", "stage": "GA", "title": "Dataplex Aspect Type User" }, { "description": "Full access on DataAttribute Binding resources.", "etag": "AA==", "name": "roles/dataplex.bindingAdmin", "stage": "GA", "title": "Dataplex Binding Administrator" }, { "description": "Full access to catalog resources, including entries, entry groups, and glossaries.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.catalogAdmin", "stage": "GA", "title": "Dataplex Catalog Admin" }, { "description": "Write access to catalog resources, including entries, entry groups, and glossaries. 
Cannot set IAM policies on resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.catalogEditor", "stage": "GA", "title": "Dataplex Catalog Editor" }, { "description": "Read access to catalog resources, including entries, entry groups, and glossaries. Can view IAM policies on catalog resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.catalogViewer", "stage": "GA", "title": "Dataplex Catalog Viewer" }, { "description": "Owner access to data. To be granted to Dataplex Universal Catalog resources Lake, Zone or Asset only.", "etag": "AA==", "name": "roles/dataplex.dataOwner", "stage": "GA", "title": "Dataplex Data Owner" }, { "description": "Full access to Data Products.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.dataProductsAdmin", "stage": "BETA", "title": "Dataplex Data Products Admin" }, { "description": "Restricted read access, intended for consumers of Data Products.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.dataProductsConsumer", "stage": "BETA", "title": "Dataplex Data Products Consumer" }, { "description": "Write access to Data Products.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.dataProductsEditor", "stage": "BETA", "title": "Dataplex Data Products Editor" }, { "description": "Read access to Data Products.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.dataProductsViewer", "stage": "BETA", "title": "Dataplex Data Products Viewer" }, { "description": "Read only access to data. 
To be granted to Dataplex Universal Catalog resources Lake, Zone or Asset only.", "etag": "AA==", "name": "roles/dataplex.dataReader", "stage": "GA", "title": "Dataplex Data Reader" }, { "description": "Full access to DataScan resources.", "etag": "AA==", "name": "roles/dataplex.dataScanAdmin", "stage": "GA", "title": "Dataplex DataScan Administrator" }, { "description": "Access to create new DataScan resources.", "etag": "AA==", "name": "roles/dataplex.dataScanCreator", "stage": "GA", "title": "Dataplex DataScan Creator" }, { "description": "Read access to DataScan resources, including the results.", "etag": "AA==", "name": "roles/dataplex.dataScanDataViewer", "stage": "GA", "title": "Dataplex DataScan DataViewer" }, { "description": "Write access to DataScan resources.", "etag": "AA==", "name": "roles/dataplex.dataScanEditor", "stage": "GA", "title": "Dataplex DataScan Editor" }, { "description": "Read access to DataScan resources, excluding the results.", "etag": "AA==", "name": "roles/dataplex.dataScanViewer", "stage": "GA", "title": "Dataplex DataScan Viewer" }, { "description": "Write access to data. 
To be granted to Dataplex Universal Catalog resources Lake, Zone or Asset only.", "etag": "AA==", "name": "roles/dataplex.dataWriter", "stage": "GA", "title": "Dataplex Data Writer" }, { "description": "Allows running data analytics workloads in a lake.", "etag": "AA==", "name": "roles/dataplex.developer", "stage": "GA", "title": "Dataplex Developer" }, { "description": "Gives the Dataplex Discovery Service Agent permissions to use bigquery connection.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/dataplex.discoveryBigLakePublishingServiceAgent", "stage": "GA", "title": "Dataplex Discovery BigLake Publishing Service Agent" }, { "description": "Gives the Dataplex Discovery Service Agent dataset create and get permissions.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.discoveryPublishingServiceAgent", "stage": "GA", "title": "Dataplex Discovery Publishing Service Agent" }, { "description": "Gives the Dataplex Discovery Service Agent bucket read permissions.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/dataplex.discoveryServiceAgent", "stage": "GA", "title": "Dataplex Discovery Service Agent" }, { "description": "Write access to Dataplex Universal Catalog resources, except for catalog resources like entries, entry groups, and glossaries.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.editor", "stage": "GA", "title": "Dataplex Editor" }, { "description": "Gives user permissions to manage encryption configurations.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.encryptionAdmin", "stage": "GA", "title": "Dataplex Encryption Admin" }, { "description": "Grants access to export this entry group for Metadata Job processing.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.entryGroupExporter", "stage": "GA", "title": "Dataplex Entry Group Exporter" }, { "description": "Grants access to import this entry group for 
Metadata Job processing.", "etag": "AA==", "name": "roles/dataplex.entryGroupImporter", "stage": "GA", "title": "Dataplex Entry Group Importer" }, { "description": "Owns Entry Groups and Entries inside of them.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.entryGroupOwner", "stage": "GA", "title": "Dataplex Entry Group Owner" }, { "description": "Owns Metadata Entries and EntryLinks.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.entryOwner", "stage": "GA", "title": "Dataplex Entry and EntryLink Owner" }, { "description": "Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.entryTypeOwner", "stage": "GA", "title": "Dataplex Entry Type Owner" }, { "description": "Grants access to use Entry Types to create/modify Entries of those types.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.entryTypeUser", "stage": "GA", "title": "Dataplex Entry Type User" }, { "description": "Grants access to creating and managing Metadata Feeds. Does not give the right to create/modify Entry Groups.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.metadataFeedOwner", "stage": "GA", "title": "Dataplex Metadata Feed Owner" }, { "description": "Read access to Metadata Feed resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.metadataFeedViewer", "stage": "GA", "title": "Dataplex Metadata Feed Viewer" }, { "description": "Grants access to creating and managing Metadata Jobs. 
Does not give the right to create/modify Entry Groups.", "etag": "AA==", "name": "roles/dataplex.metadataJobOwner", "stage": "GA", "title": "Dataplex Metadata Job Owner" }, { "description": "Read access to Metadata Job resources.", "etag": "AA==", "name": "roles/dataplex.metadataJobViewer", "stage": "GA", "title": "Dataplex Metadata Job Viewer" }, { "description": "Read only access to metadata within table and fileset entities and partitions.", "etag": "AA==", "name": "roles/dataplex.metadataReader", "stage": "GA", "title": "Dataplex Metadata Reader" }, { "description": "Write and read access to metadata within table and fileset entities and partitions.", "etag": "AA==", "name": "roles/dataplex.metadataWriter", "stage": "GA", "title": "Dataplex Metadata Writer" }, { "description": "Permissions to configure ResourceAccess and DataAccess Specs on Data Attributes.", "etag": "AA==", "name": "roles/dataplex.securityAdmin", "stage": "GA", "title": "Dataplex Security Administrator" }, { "description": "Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/dataplex.serviceAgent", "stage": "GA", "title": "Cloud Dataplex Service Agent" }, { "description": "Owner access to data. Should not be used directly. This role is granted by Dataplex Universal Catalog to managed resources like Cloud Storage buckets, BigQuery datasets etc.", "etag": "AA==", "has_dataaccess": true, "name": "roles/dataplex.storageDataOwner", "stage": "GA", "title": "Dataplex Storage Data Owner" }, { "description": "Read only access to data. Should not be used directly. 
This role is granted by Dataplex Universal Catalog to managed resources like Cloud Storage buckets, BigQuery datasets etc.", "etag": "AA==", "has_dataaccess": true, "name": "roles/dataplex.storageDataReader", "stage": "GA", "title": "Dataplex Storage Data Reader" }, { "description": "Write access to data. Should not be used directly. This role is granted by Dataplex Universal Catalog to managed resources like Cloud Storage buckets, BigQuery datasets etc.", "etag": "AA==", "name": "roles/dataplex.storageDataWriter", "stage": "GA", "title": "Dataplex Storage Data Writer" }, { "description": "Full access to DataTaxonomy, DataAttribute resources.", "etag": "AA==", "name": "roles/dataplex.taxonomyAdmin", "stage": "GA", "title": "Dataplex Taxonomy Administrator" }, { "description": "Read access on DataTaxonomy, DataAttribute resources.", "etag": "AA==", "name": "roles/dataplex.taxonomyViewer", "stage": "GA", "title": "Dataplex Taxonomy Viewer" }, { "description": "Read access to Dataplex Universal Catalog resources, except for catalog resources like entries, entry groups, and glossaries.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataplex.viewer", "stage": "GA", "title": "Dataplex Viewer" }, { "description": "Use of Dataprep.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataprep.projects.user", "stage": "BETA", "title": "Dataprep User" }, { "description": "Dataprep service identity. Includes access to service accounts.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/dataprep.serviceAgent", "stage": "GA", "title": "Dataprep Service Agent" }, { "description": "Full control of Dataproc resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataproc.admin", "stage": "GA", "title": "Dataproc Administrator" }, { "description": "Full control of Dataproc resources. 
Allows viewing all networks.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataproc.editor", "stage": "GA", "title": "Dataproc Editor" }, { "description": "Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/dataproc.hubAgent", "stage": "GA", "title": "Dataproc Hub Agent" }, { "description": "Permissions needed to run serverless sessions and batches as a user", "etag": "AA==", "has_undocumented": true, "name": "roles/dataproc.serverlessEditor", "stage": "GA", "title": "Dataproc Serverless Editor" }, { "description": "Node access to Dataproc Serverless sessions and batches. Intended for service accounts.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataproc.serverlessNode", "stage": "GA", "title": "Dataproc Serverless Node." }, { "description": "Permissions needed to view serverless sessions and batches", "etag": "AA==", "has_undocumented": true, "name": "roles/dataproc.serverlessViewer", "stage": "GA", "title": "Dataproc Serverless Viewer" }, { "description": "Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/dataproc.serviceAgent", "stage": "GA", "title": "Dataproc Service Agent" }, { "description": "Read-only access to Dataproc resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataproc.viewer", "stage": "GA", "title": "Dataproc Viewer" }, { "description": "Worker access to Dataproc. 
Intended for service accounts.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/dataproc.worker", "stage": "GA", "title": "Dataproc Worker" }, { "description": "Data processing controls admin who can fully manage data processing controls settings and view all datasource data.", "etag": "AA==", "name": "roles/dataprocessing.admin", "stage": "GA", "title": "Data Processing Controls Resource Admin" }, { "description": "Data processing controls data source manager who can get, list, and update the underlying data.", "etag": "AA==", "name": "roles/dataprocessing.dataSourceManager", "stage": "GA", "title": "Data Processing Controls Data Source Manager" }, { "description": "Grants full access to all Dataproc Resource Manager resources. Intended for users that need to create and delete any Dataproc Resource Manager resources.", "etag": "AA==", "name": "roles/dataprocrm.admin", "stage": "BETA", "title": "Dataproc Resource Manager Admin" }, { "description": "Dataproc Resource Manager Node Service Agent used to run managed resources in user project with restricted permissions.", "etag": "AA==", "has_undocumented": true, "name": "roles/dataprocrm.nodeServiceAgent", "stage": "GA", "title": "Dataproc Resource Manager Node Service Agent" }, { "description": "Grants read access to all Dataproc Resource Manager resources. 
Intended for users that need read-only access to Dataproc Resource Manager resources.", "etag": "AA==", "name": "roles/dataprocrm.viewer", "stage": "BETA", "title": "Dataproc Resource Manager Viewer" }, { "description": "Manage backup schedules in Cloud Datastore.", "etag": "AA==", "name": "roles/datastore.backupSchedulesAdmin", "stage": "GA", "title": "Cloud Datastore Backup Schedules Admin" }, { "description": "Read access to backup schedules in Cloud Datastore.", "etag": "AA==", "name": "roles/datastore.backupSchedulesViewer", "stage": "GA", "title": "Cloud Datastore Backup Schedules Viewer" }, { "description": "Read/Write access to metadata about backups in Cloud Datastore but restore is not allowed.", "etag": "AA==", "name": "roles/datastore.backupsAdmin", "stage": "GA", "title": "Cloud Datastore Backups Admin" }, { "description": "Read access to metadata about backups in Cloud Datastore.", "etag": "AA==", "name": "roles/datastore.backupsViewer", "stage": "GA", "title": "Cloud Datastore Backups Viewer" }, { "description": "Full access to manage bulk operations.", "etag": "AA==", "name": "roles/datastore.bulkAdmin", "stage": "GA", "title": "Cloud Datastore Bulk Admin" }, { "description": "Clone Cloud Datastore Databases.", "etag": "AA==", "has_undocumented": true, "name": "roles/datastore.cloneAdmin", "stage": "GA", "title": "Cloud Datastore Clone Admin" }, { "description": "Full access to manage imports and exports.", "etag": "AA==", "name": "roles/datastore.importExportAdmin", "stage": "GA", "title": "Cloud Datastore Import Export Admin" }, { "description": "Full access to manage index definitions.", "etag": "AA==", "has_undocumented": true, "name": "roles/datastore.indexAdmin", "stage": "GA", "title": "Cloud Datastore Index Admin" }, { "description": "Full access to Key Visualizer scans.", "etag": "AA==", "name": "roles/datastore.keyVisualizerViewer", "stage": "GA", "title": "Cloud Datastore Key Visualizer Viewer" }, { "description": "Full access to Cloud 
Datastore.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/datastore.owner", "stage": "GA", "title": "Cloud Datastore Owner" }, { "description": "Restore into Cloud Datastore Databases from Cloud Datastore Backups.", "etag": "AA==", "name": "roles/datastore.restoreAdmin", "stage": "GA", "title": "Cloud Datastore Restore Admin" }, { "description": "Provides read/write access to data in a Cloud Datastore database. Intended for application developers and service accounts.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/datastore.user", "stage": "GA", "title": "Cloud Datastore User" }, { "description": "Manage user creds in Cloud Datastore.", "etag": "AA==", "has_undocumented": true, "name": "roles/datastore.userCredsAdmin", "stage": "GA", "title": "Cloud Datastore User Creds Admin" }, { "description": "Read access to user creds in Cloud Datastore.", "etag": "AA==", "has_undocumented": true, "name": "roles/datastore.userCredsViewer", "stage": "GA", "title": "Cloud Datastore User Creds Viewer" }, { "description": "Read access to all Cloud Datastore resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/datastore.viewer", "stage": "GA", "title": "Cloud Datastore Viewer" }, { "description": "Full access to all Datastream resources.", "etag": "AA==", "name": "roles/datastream.admin", "stage": "GA", "title": "Datastream Admin" }, { "description": "Permissions needed for datastream to write to BigQuery.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_undocumented": true, "name": "roles/datastream.bigqueryWriter", "stage": "GA", "title": "Datastream Bigquery Writer" }, { "description": "Grants Cloud Datastream permissions to write data in the user project.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_undocumented": true, "name": "roles/datastream.serviceAgent", "stage": "GA", "title": "Datastream Service 
Agent" }, { "description": "Read-only access to all Datastream resources.", "etag": "AA==", "name": "roles/datastream.viewer", "stage": "GA", "title": "Datastream Viewer" }, { "description": "Data Studio Admin", "etag": "AA==", "name": "roles/datastudio.admin", "stage": "BETA", "title": "Data Studio Admin" }, { "description": "Content Manager of a Data Studio resource", "etag": "AA==", "name": "roles/datastudio.contentManager", "stage": "BETA", "title": "Data Studio Workspace Content Manager" }, { "description": "Contributor of a Data Studio resource", "etag": "AA==", "name": "roles/datastudio.contributor", "stage": "BETA", "title": "Data Studio Workspace Contributor" }, { "description": "Editor of a Data Studio resource", "etag": "AA==", "name": "roles/datastudio.editor", "stage": "BETA", "title": "Data Studio Asset Editor" }, { "description": "Manager of a Data Studio resource", "etag": "AA==", "name": "roles/datastudio.manager", "stage": "BETA", "title": "Data Studio Workspace Manager" }, { "description": "Grants Data Studio Service Account access to manage resources.", "etag": "AA==", "name": "roles/datastudio.serviceAgent", "stage": "GA", "title": "Data Studio Service Agent" }, { "description": "Viewer of a Data Studio resource", "etag": "AA==", "name": "roles/datastudio.viewer", "stage": "BETA", "title": "Data Studio Asset Viewer" }, { "description": "Viewer of a Data Studio Workspace", "etag": "AA==", "name": "roles/datastudio.workspaceViewer", "stage": "BETA", "title": "Data Studio Workspace Viewer" }, { "description": "This role is managed by Dell EMC, not Google.", "etag": "AA==", "name": "roles/dellemccloudonefs.admin", "stage": "BETA", "title": "Dell EMC Cloud OneFS Admin" }, { "description": "This role is managed by Dell EMC, not Google.", "etag": "AA==", "name": "roles/dellemccloudonefs.user", "stage": "BETA", "title": "Dell EMC Cloud OneFS User" }, { "description": "This role is managed by Dell EMC, not Google.", "etag": "AA==", "name": 
"roles/dellemccloudonefs.viewer", "stage": "BETA", "title": "Dell EMC Cloud OneFS Viewer" }, { "description": "Read and Write access to all Deployment Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/deploymentmanager.editor", "stage": "GA", "title": "Deployment Manager Editor" }, { "description": "Read and Write access to all Type Registry resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/deploymentmanager.typeEditor", "stage": "GA", "title": "Deployment Manager Type Editor" }, { "description": "Read-only access to all Type Registry resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/deploymentmanager.typeViewer", "stage": "GA", "title": "Deployment Manager Type Viewer" }, { "description": "Read-only access to all Deployment Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/deploymentmanager.viewer", "stage": "GA", "title": "Deployment Manager Viewer" }, { "description": "Full access to Application Design Center resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/designcenter.admin", "stage": "BETA", "title": "Application Design Center Admin" }, { "description": "Admin access to Application.", "etag": "AA==", "has_undocumented": true, "name": "roles/designcenter.applicationAdmin", "stage": "BETA", "title": "Application Admin" }, { "description": "Read and Write access to Application.", "etag": "AA==", "has_undocumented": true, "name": "roles/designcenter.applicationEditor", "stage": "BETA", "title": "Application Editor" }, { "description": "Readonly access to Application.", "etag": "AA==", "has_undocumented": true, "name": "roles/designcenter.applicationViewer", "stage": "BETA", "title": "Application Viewer" }, { "description": "Gives the DesignCenter API Service Account access to necessary GCP resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": 
"roles/designcenter.serviceAgent", "stage": "GA", "title": "DesignCenter Service Agent" }, { "description": "Readonly access to Application Design Center resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/designcenter.user", "stage": "BETA", "title": "Application Design Center User" }, { "description": "Readonly access to Application Design Center resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/designcenter.viewer", "stage": "BETA", "title": "Application Design Center Viewer" }, { "description": "Full access to Developer Connect resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/developerconnect.admin", "stage": "BETA", "title": "Developer Connect Admin" }, { "description": "Grants read and write access to connections through the HTTP Proxy.", "etag": "AA==", "has_undocumented": true, "name": "roles/developerconnect.connectionHttpProxyWriter", "stage": "BETA", "title": "Developer Connect HTTP Proxy Writer" }, { "description": "Grants read-only access to repositories through the Git Proxy.", "etag": "AA==", "has_undocumented": true, "name": "roles/developerconnect.gitProxyReader", "stage": "BETA", "title": "Developer Connect Git Proxy Reader" }, { "description": "Grants read and write access to repositories through the Git Proxy.", "etag": "AA==", "has_undocumented": true, "name": "roles/developerconnect.gitProxyUser", "stage": "BETA", "title": "Developer Connect Git Proxy User" }, { "description": "Admin access to Developer Connect Insights resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/developerconnect.insightsAdmin", "stage": "BETA", "title": "Developer Connect Insights Admin" }, { "description": "Allow Developer Connect to access SDLC information.", "etag": "AA==", "has_undocumented": true, "name": "roles/developerconnect.insightsAgent", "stage": "BETA", "title": "Developer Connect Insights Config Agent" }, { "description": "Readonly 
access to Developer Connect Insights resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/developerconnect.insightsViewer", "stage": "BETA", "title": "Developer Connect Insights Viewer" }, { "description": "Grants read and write access to AccountConnector resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/developerconnect.oauthAdmin", "stage": "BETA", "title": "Developer Connect OAuth Admin" }, { "description": "Grants read and write access to User resources, and read access to AccountConnectors.", "etag": "AA==", "has_undocumented": true, "name": "roles/developerconnect.oauthUser", "stage": "BETA", "title": "Developer Connect OAuth User" }, { "description": "Grants access to Read-Only tokens (both PAT and short-lived). Also grants access to view the git repository link.", "etag": "AA==", "name": "roles/developerconnect.readTokenAccessor", "stage": "BETA", "title": "Developer Connect Read Token Accessor" }, { "description": "Gives the Developer Connect API Service Account access to necessary GCP resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/developerconnect.serviceAgent", "stage": "GA", "title": "Developer Connect Service Agent" }, { "description": "Grants access to Read/Write and Read-Only tokens (both PAT and short-lived). 
Also grants access to view the git repository link.", "etag": "AA==", "name": "roles/developerconnect.tokenAccessor", "stage": "BETA", "title": "Developer Connect Token Accessor" }, { "description": "Grants access to view the connection and to the features that interact with the actual repository such as reading content from the repository", "etag": "AA==", "name": "roles/developerconnect.user", "stage": "BETA", "title": "Developer Connect User" }, { "description": "Readonly access to Developer Connect resources.", "etag": "AA==", "name": "roles/developerconnect.viewer", "stage": "BETA", "title": "Developer Connect Viewer" }, { "description": "Administrator owning access to Direct Access", "etag": "AA==", "has_undocumented": true, "name": "roles/devicestreaming.admin", "stage": "GA", "title": "Device Streaming Admin" }, { "description": "Viewer, able to see what device streaming sessions exist", "etag": "AA==", "has_undocumented": true, "name": "roles/devicestreaming.viewer", "stage": "GA", "title": "Device Streaming Viewer" }, { "description": "An admin has access to all resources and can perform all administrative actions in an AAM project.", "etag": "AA==", "has_undocumented": true, "name": "roles/dialogflow.aamAdmin", "stage": "GA", "title": "CX Premium Admin" }, { "description": "A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases.", "etag": "AA==", "has_undocumented": true, "name": "roles/dialogflow.aamConversationalArchitect", "stage": "GA", "title": "CX Premium Conversational Architect" }, { "description": "A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling.", "etag": "AA==", "has_undocumented": true, "name": "roles/dialogflow.aamDialogDesigner", "stage": "GA", "title": "CX Premium Dialog Designer" }, { "description": "A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent 
modeling.", "etag": "AA==", "has_undocumented": true, "name": "roles/dialogflow.aamLeadDialogDesigner", "stage": "GA", "title": "CX Premium Lead Dialog Designer" }, { "description": "A user can view the taxonomy and data reports in an AAM project.", "etag": "AA==", "has_undocumented": true, "name": "roles/dialogflow.aamViewer", "stage": "GA", "title": "CX Premium Viewer" }, { "description": "Can query for intent; read & write session properties; read & write agent properties.", "etag": "AA==", "has_undocumented": true, "name": "roles/dialogflow.admin", "stage": "GA", "title": "Dialogflow API Admin" }, { "description": "Can create and handle live conversations using Agent Assist features.", "etag": "AA==", "has_undocumented": true, "name": "roles/dialogflow.agentAssistClient", "stage": "GA", "title": "Dialogflow Agent Assist Client" }, { "description": "Can call all methods on sessions and conversations resources as well as their descendants.", "etag": "AA==", "name": "roles/dialogflow.client", "stage": "GA", "title": "Dialogflow API Client" }, { "description": "Can edit agent in Dialogflow Console", "etag": "AA==", "has_undocumented": true, "name": "roles/dialogflow.consoleAgentEditor", "stage": "GA", "title": "Dialogflow Console Agent Editor" }, { "description": "Can perform query of dialogflow suggestions in the simulator in web console.", "etag": "AA==", "has_undocumented": true, "name": "roles/dialogflow.consoleSimulatorUser", "stage": "GA", "title": "Dialogflow Console Simulator User" }, { "description": "Can edit allowlist for smart messaging associated with conversation model in the agent assist console", "etag": "AA==", "name": "roles/dialogflow.consoleSmartMessagingAllowlistEditor", "stage": "GA", "title": "Dialogflow Console Smart Messaging Allowlist Editor" }, { "description": "Can manage all the resources related to Dialogflow Conversations.", "etag": "AA==", "name": "roles/dialogflow.conversationManager", "stage": "GA", "title": "Dialogflow 
Conversation Manager" }, { "description": "Can read & write entity types.", "etag": "AA==", "name": "roles/dialogflow.entityTypeAdmin", "stage": "GA", "title": "Dialogflow Entity Type Admin" }, { "description": "Can read & update environment and its sub-resources.", "etag": "AA==", "name": "roles/dialogflow.environmentEditor", "stage": "GA", "title": "Dialogflow Environment editor" }, { "description": "Can read & update flow and its sub-resources.", "etag": "AA==", "name": "roles/dialogflow.flowEditor", "stage": "GA", "title": "Dialogflow Flow editor" }, { "description": "Can add, remove, enable and disable Dialogflow integrations.", "etag": "AA==", "name": "roles/dialogflow.integrationManager", "stage": "GA", "title": "Dialogflow Integration Manager" }, { "description": "Can read & write intents.", "etag": "AA==", "name": "roles/dialogflow.intentAdmin", "stage": "GA", "title": "Dialogflow Intent Admin" }, { "description": "Can read agent and session properties; cannot query for intent.", "etag": "AA==", "has_undocumented": true, "name": "roles/dialogflow.reader", "stage": "GA", "title": "Dialogflow API Reader" }, { "description": "Gives Dialogflow Service Account access to resources on behalf of user project for Integrations (Facebook Messenger, Slack, Telephony, etc.), BigQuery, Discovery Engine, Integration Connectors, Application Integration, and Vertex.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/dialogflow.serviceAgent", "stage": "GA", "title": "Dialogflow Service Agent" }, { "description": "Can read & write test cases.", "etag": "AA==", "name": "roles/dialogflow.testCaseAdmin", "stage": "GA", "title": "Dialogflow Test Case Admin" }, { "description": "Can read & write webhooks.", "etag": "AA==", "name": "roles/dialogflow.webhookAdmin", "stage": "GA", "title": "Dialogflow Webhook Admin" }, { "description": "Grants full access to all discoveryengine resources.", "etag": "AA==", "has_undocumented": true, "name": 
"roles/discoveryengine.admin", "stage": "GA", "title": "Discovery Engine Admin" }, { "description": "Grants admin-level access to Agent resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.agentAdmin", "stage": "BETA", "title": "Agent Admin" }, { "description": "Grants admin-level access to Gemini Enterprise resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.agentspaceAdmin", "stage": "GA", "title": "Gemini Enterprise Admin" }, { "description": "Grants access to edit Gemini Enterprise resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.agentspaceEditor", "stage": "BETA", "title": "Gemini Enterprise Editor" }, { "description": "Grants restricted user-level access to Gemini Enterprise resources, for fine-grained control over multiple Gemini Enterprise instances in the same project. Principals with this role will need to be granted an unrestricted user-level role (e.g. /agentspaceUser) on an Engine policy in order to use Gemini Enterprise.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.agentspaceRestrictedUser", "stage": "BETA", "title": "Gemini Enterprise Restricted User" }, { "description": "Grants user-level access to Gemini Enterprise resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.agentspaceUser", "stage": "GA", "title": "Gemini Enterprise User" }, { "description": "Grants access to view the details of Gemini Enterprise resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.agentspaceViewer", "stage": "BETA", "title": "Gemini Enterprise Viewer" }, { "description": "Grants read and write access to all discovery engine resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.editor", "stage": "GA", "title": "Discovery Engine Editor" }, { "description": "Grants read and write access to a Cloud NotebookLM Notebook.", "etag": "AA==", 
"has_undocumented": true, "name": "roles/discoveryengine.notebookEditor", "stage": "BETA", "title": "Cloud NotebookLM Notebook Editor" }, { "description": "Grants full access to Cloud NotebookLM resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.notebookLmOwner", "stage": "BETA", "title": "Cloud NotebookLM Admin" }, { "description": "Grants user-level access to Cloud NotebookLM resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.notebookLmUser", "stage": "BETA", "title": "Cloud NotebookLM User" }, { "description": "Grants full access to a Cloud NotebookLM Notebook.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.notebookOwner", "stage": "BETA", "title": "Cloud NotebookLM Notebook Owner" }, { "description": "Grants read-only access to a Cloud NotebookLM Notebook.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.notebookViewer", "stage": "BETA", "title": "Cloud NotebookLM Notebook Viewer" }, { "description": "Grants user-level access to the Podcast resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.podcastApiUser", "stage": "BETA", "title": "Podcast API User" }, { "description": "Discovery Engine service uploads documents and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects using Cloud Logging, and writes and reads metrics for customer using Cloud Monitoring.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/discoveryengine.serviceAgent", "stage": "GA", "title": "Discovery Engine Service Agent" }, { "description": "Grants user-level access to Discovery Engine resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.user", "stage": "GA", "title": "Discovery Engine User" }, { "description": "Grants read access to all discovery engine resources.", 
"etag": "AA==", "has_undocumented": true, "name": "roles/discoveryengine.viewer", "stage": "GA", "title": "Discovery Engine Viewer" }, { "description": "Administer DLP including jobs and templates.", "etag": "AA==", "name": "roles/dlp.admin", "stage": "GA", "title": "DLP Administrator" }, { "description": "Edit DLP analyze risk templates.", "etag": "AA==", "name": "roles/dlp.analyzeRiskTemplatesEditor", "stage": "GA", "title": "DLP Analyze Risk Templates Editor" }, { "description": "Read DLP analyze risk templates.", "etag": "AA==", "name": "roles/dlp.analyzeRiskTemplatesReader", "stage": "GA", "title": "DLP Analyze Risk Templates Reader" }, { "description": "Read DLP column profiles.", "etag": "AA==", "name": "roles/dlp.columnDataProfilesReader", "stage": "GA", "title": "DLP Column Data Profiles Reader" }, { "description": "Manage DLP Connections.", "etag": "AA==", "name": "roles/dlp.connectionsAdmin", "stage": "GA", "title": "DLP Connections Admin" }, { "description": "View DLP Connections.", "etag": "AA==", "name": "roles/dlp.connectionsReader", "stage": "GA", "title": "DLP Connections Viewer" }, { "description": "Manage DLP profiles.", "etag": "AA==", "name": "roles/dlp.dataProfilesAdmin", "stage": "GA", "title": "DLP Data Profiles Admin" }, { "description": "Read DLP profiles.", "etag": "AA==", "name": "roles/dlp.dataProfilesReader", "stage": "GA", "title": "DLP Data Profiles Reader" }, { "description": "Edit DLP de-identify templates.", "etag": "AA==", "name": "roles/dlp.deidentifyTemplatesEditor", "stage": "GA", "title": "DLP De-identify Templates Editor" }, { "description": "Read DLP de-identify templates.", "etag": "AA==", "name": "roles/dlp.deidentifyTemplatesReader", "stage": "GA", "title": "DLP De-identify Templates Reader" }, { "description": "Manage DLP Cost Estimates.", "etag": "AA==", "name": "roles/dlp.estimatesAdmin", "stage": "GA", "title": "DLP Cost Estimation" }, { "description": "Manage DLP file store profiles.", "etag": "AA==", "name": 
"roles/dlp.fileStoreProfilesAdmin", "stage": "GA", "title": "DLP File Store Data Profiles Admin" }, { "description": "Read DLP file store profiles.", "etag": "AA==", "name": "roles/dlp.fileStoreProfilesReader", "stage": "GA", "title": "DLP File Store Data Profiles Reader" }, { "description": "Read DLP stored findings.", "etag": "AA==", "name": "roles/dlp.inspectFindingsReader", "stage": "GA", "title": "DLP Inspect Findings Reader" }, { "description": "Edit DLP inspect templates.", "etag": "AA==", "name": "roles/dlp.inspectTemplatesEditor", "stage": "GA", "title": "DLP Inspect Templates Editor" }, { "description": "Read DLP inspect templates.", "etag": "AA==", "name": "roles/dlp.inspectTemplatesReader", "stage": "GA", "title": "DLP Inspect Templates Reader" }, { "description": "Edit job triggers configurations.", "etag": "AA==", "name": "roles/dlp.jobTriggersEditor", "stage": "GA", "title": "DLP Job Triggers Editor" }, { "description": "Read job triggers.", "etag": "AA==", "name": "roles/dlp.jobTriggersReader", "stage": "GA", "title": "DLP Job Triggers Reader" }, { "description": "Edit and create jobs", "etag": "AA==", "name": "roles/dlp.jobsEditor", "stage": "GA", "title": "DLP Jobs Editor" }, { "description": "Read jobs", "etag": "AA==", "name": "roles/dlp.jobsReader", "stage": "GA", "title": "DLP Jobs Reader" }, { "description": "Permissions needed by the DLP service account to generate data profiles within an organization or folder.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/dlp.orgdriver", "stage": "GA", "title": "DLP Organization Data Profiles Driver" }, { "description": "Read DLP project profiles.", "etag": "AA==", "name": "roles/dlp.projectDataProfilesReader", "stage": "GA", "title": "DLP Project Data Profiles Reader" }, { "description": "Permissions needed by the DLP service account to generate data profiles within a project.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, 
"has_undocumented": true, "name": "roles/dlp.projectdriver", "stage": "GA", "title": "DLP Project Data Profiles Driver" }, { "description": "Read DLP entities, such as jobs and templates.", "etag": "AA==", "name": "roles/dlp.reader", "stage": "GA", "title": "DLP Reader" }, { "description": "Gives Cloud DLP service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub and Cloud KMS.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/dlp.serviceAgent", "stage": "GA", "title": "DLP API Service Agent" }, { "description": "Edit DLP stored info types.", "etag": "AA==", "name": "roles/dlp.storedInfoTypesEditor", "stage": "GA", "title": "DLP Stored InfoTypes Editor" }, { "description": "Read DLP stored info types.", "etag": "AA==", "name": "roles/dlp.storedInfoTypesReader", "stage": "GA", "title": "DLP Stored InfoTypes Reader" }, { "description": "Manage DLP subscriptions.", "etag": "AA==", "name": "roles/dlp.subscriptionsAdmin", "stage": "GA", "title": "DLP Subscription Admin" }, { "description": "View DLP subscriptions.", "etag": "AA==", "name": "roles/dlp.subscriptionsReader", "stage": "GA", "title": "DLP Subscription Viewer" }, { "description": "Manage DLP table profiles.", "etag": "AA==", "name": "roles/dlp.tableDataProfilesAdmin", "stage": "GA", "title": "DLP Table Data Profiles Admin" }, { "description": "Read DLP table profiles.", "etag": "AA==", "name": "roles/dlp.tableDataProfilesReader", "stage": "GA", "title": "DLP Table Data Profiles Reader" }, { "description": "Inspect, Redact, and De-identify Content", "etag": "AA==", "name": "roles/dlp.user", "stage": "GA", "title": "DLP User" }, { "description": "Full read-write access to DNS resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dns.admin", "stage": "GA", "title": "DNS Administrator" }, { "description": "Access to target networks with DNS peering zones", "etag": "AA==", "name": "roles/dns.peer", "stage": "GA", "title": "DNS 
Peer" }, { "description": "Read-only access to DNS resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dns.reader", "stage": "GA", "title": "DNS Reader" }, { "description": "Gives Cloud DNS Service Agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/dns.serviceAgent", "stage": "GA", "title": "Cloud DNS Service Agent" }, { "description": "Grants full access to all resources in Document AI", "etag": "AA==", "has_undocumented": true, "name": "roles/documentai.admin", "stage": "BETA", "title": "Document AI Administrator" }, { "description": "Grants access to process documents in Document AI", "etag": "AA==", "name": "roles/documentai.apiUser", "stage": "BETA", "title": "Document AI API User" }, { "description": "Grants access to use all resources in Document AI", "etag": "AA==", "has_undocumented": true, "name": "roles/documentai.editor", "stage": "BETA", "title": "Document AI Editor" }, { "description": "Grants access to view all resources and process documents in Document AI", "etag": "AA==", "has_undocumented": true, "name": "roles/documentai.viewer", "stage": "BETA", "title": "Document AI Viewer" }, { "description": "Gives DocumentAI Core Service Account access to consumer resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/documentaicore.serviceAgent", "stage": "GA", "title": "DocumentAI Core Service Agent" }, { "description": "Full access to Cloud Domains Registrations and related resources.", "etag": "AA==", "has_privesc": true, "name": "roles/domains.admin", "stage": "GA", "title": "Cloud Domains Admin" }, { "description": "Read-only access to Cloud Domains Registrations and related resources.", "etag": "AA==", "name": "roles/domains.viewer", "stage": "GA", "title": "Cloud Domains Viewer" }, { "description": "Full access to Data Security Posture Management resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dspm.admin", "stage": "GA", "title": "Data Security Posture Management Admin" }, 
{ "description": "Gives DSPM Service Account access to consumer resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/dspm.serviceAgent", "stage": "GA", "title": "DSPM Service Agent" }, { "description": "Readonly access to Data Security Posture Management resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/dspm.viewer", "stage": "GA", "title": "Data Security Posture Management Viewer" }, { "description": "Provides access to see and configure Earth subscriptions.", "etag": "AA==", "has_undocumented": true, "name": "roles/earth.subscriptionsAdmin", "stage": "BETA", "title": "Earth Subscriptions Administrator" }, { "description": "Provides read-only access to Earth subscriptions.", "etag": "AA==", "has_undocumented": true, "name": "roles/earth.subscriptionsViewer", "stage": "BETA", "title": "Earth Subscriptions Viewer" }, { "description": "Full access to all Earth Engine resource features", "etag": "AA==", "name": "roles/earthengine.admin", "stage": "BETA", "title": "Earth Engine Resource Admin" }, { "description": "Publisher of Earth Engine Apps", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/earthengine.appsPublisher", "stage": "BETA", "title": "Earth Engine Apps Publisher" }, { "description": "Viewer of all Earth Engine resources", "etag": "AA==", "name": "roles/earthengine.viewer", "stage": "BETA", "title": "Earth Engine Resource Viewer" }, { "description": "Writer of all Earth Engine resources", "etag": "AA==", "name": "roles/earthengine.writer", "stage": "BETA", "title": "Earth Engine Resource Writer" }, { "description": "Full access to Edge Container all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.admin", "stage": "GA", "title": "Edge Container Admin" }, { "description": "Access to manage API Keys.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.apiKeyAdmin", "stage": "GA", "title": "Edge 
Container API Key Admin" }, { "description": "Read-only access to API Keys.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.apiKeyViewer", "stage": "GA", "title": "Edge Container API Key Viewer" }, { "description": "Grants the Edge Container Cluster Service Account access to manage resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/edgecontainer.clusterServiceAgent", "stage": "GA", "title": "Edge Container Cluster Service Agent" }, { "description": "Access to manage Identity Providers.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.identityProviderAdmin", "stage": "GA", "title": "Edge Container Identity Provider Admin" }, { "description": "Read-only access to Identity Providers.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.identityProviderViewer", "stage": "GA", "title": "Edge Container Identity Provider Viewer" }, { "description": "Access to use Edge Container Machine resources.", "etag": "AA==", "name": "roles/edgecontainer.machineUser", "stage": "GA", "title": "Edge Container Machine User" }, { "description": "Access to get Edge Container cluster offline credentials", "etag": "AA==", "name": "roles/edgecontainer.offlineCredentialUser", "stage": "GA", "title": "Edge Container Cluster offline Credential User" }, { "description": "Access to manage Service Accounts.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.serviceAccountAdmin", "stage": "GA", "title": "Edge Container Service Account Admin" }, { "description": "Access to manage Service Account Keys.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.serviceAccountKeyAdmin", "stage": "GA", "title": "Edge Container Service Account Key Admin" }, { "description": "Access to view Service Account Keys.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.serviceAccountKeyViewer", "stage": "GA", "title": "Edge Container Service 
Account Key Viewer" }, { "description": "Read-only access to Service Accounts.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.serviceAccountViewer", "stage": "GA", "title": "Edge Container Service Account Viewer" }, { "description": "Grants the Edge Container Service Account access to manage resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.serviceAgent", "stage": "GA", "title": "Edge Container Service Agent" }, { "description": "Read-only access to Edge Container all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.viewer", "stage": "GA", "title": "Edge Container Viewer" }, { "description": "Access to manage zonal projects.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.zonalProjectAdmin", "stage": "GA", "title": "Edge Container Zonal Project Admin" }, { "description": "Read-only access to zonal projects.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.zonalProjectViewer", "stage": "GA", "title": "Edge Container Zonal Project Viewer" }, { "description": "Access to mutate zonal service.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.zonalServiceAdmin", "stage": "GA", "title": "Edge Container Zonal Service Admin" }, { "description": "Read-only access to zonal services.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.zonalServiceViewer", "stage": "GA", "title": "Edge Container Zonal Service Viewer" }, { "description": "Access to manage Iam Policy in the zone.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.zoneIamAdmin", "stage": "GA", "title": "Edge Container Zone Iam Policy Admin" }, { "description": "Read-only access to Iam Policy in the zone.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.zoneIamViewer", "stage": "GA", "title": "Edge Container Zone Iam Policy Viewer" }, { "description": "Read-only access to Roles in the 
zone.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.zoneRolesViewer", "stage": "GA", "title": "Edge Container Roles Viewer" }, { "description": "Read-only access to zones.", "etag": "AA==", "has_undocumented": true, "name": "roles/edgecontainer.zoneViewer", "stage": "GA", "title": "Edge Container Zone Viewer" }, { "description": "Full access to Edge Network all resources.", "etag": "AA==", "name": "roles/edgenetwork.admin", "stage": "GA", "title": "Edge Network Admin" }, { "description": "Read-only access to Edge Network all resources.", "etag": "AA==", "name": "roles/edgenetwork.viewer", "stage": "GA", "title": "Edge Network Viewer" }, { "description": "View, create, update, and delete most Google Cloud resources. See the list of included permissions.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/editor", "stage": "GA", "title": "Editor" }, { "description": "Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.", "etag": "AA==", "name": "roles/endpoints.serviceAgent", "stage": "GA", "title": "Cloud Endpoints Service Agent" }, { "description": "Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.", "etag": "AA==", "name": "roles/endpointsportal.serviceAgent", "stage": "GA", "title": "Endpoints Portal Service Agent" }, { "description": "Administrator of Enterprise Knowledge Graph resources", "etag": "AA==", "name": "roles/enterpriseknowledgegraph.admin", "stage": "BETA", "title": "Enterprise Knowledge Graph Admin" }, { "description": "Editor of Enterprise Knowledge Graph resources", "etag": "AA==", "name": "roles/enterpriseknowledgegraph.editor", "stage": "BETA", "title": "Enterprise Knowledge Graph Editor" }, { "description": "Gives Enterprise Knowledge Graph Service Account access to 
consumer resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/enterpriseknowledgegraph.serviceAgent", "stage": "GA", "title": "Enterprise Knowledge Graph Service Agent" }, { "description": "Viewer of Enterprise Knowledge Graph resources", "etag": "AA==", "name": "roles/enterpriseknowledgegraph.viewer", "stage": "BETA", "title": "Enterprise Knowledge Graph Viewer" }, { "description": "Full access to Enterprise Purchasing resources.", "etag": "AA==", "name": "roles/enterprisepurchasing.admin", "stage": "BETA", "title": "Enterprise Purchasing Admin" }, { "description": "Edit access to Enterprise Purchasing resources.", "etag": "AA==", "name": "roles/enterprisepurchasing.editor", "stage": "BETA", "title": "Enterprise Purchasing Editor" }, { "description": "Readonly access to Enterprise Purchasing resources.", "etag": "AA==", "name": "roles/enterprisepurchasing.viewer", "stage": "BETA", "title": "Enterprise Purchasing Viewer" }, { "description": "Administrative access to Error Reporting.", "etag": "AA==", "name": "roles/errorreporting.admin", "stage": "BETA", "title": "Error Reporting Admin" }, { "description": "User access to Error Reporting. Can list all errors and update their metadata. Can delete error events.", "etag": "AA==", "name": "roles/errorreporting.user", "stage": "BETA", "title": "Error Reporting User" }, { "description": "Read-only access to all Error Reporting data.", "etag": "AA==", "name": "roles/errorreporting.viewer", "stage": "BETA", "title": "Error Reporting Viewer" }, { "description": "Can send error events to Error Reporting. 
Intended for service accounts.", "etag": "AA==", "name": "roles/errorreporting.writer", "stage": "BETA", "title": "Error Reporting Writer" }, { "description": "Full access to all essential contacts", "etag": "AA==", "name": "roles/essentialcontacts.admin", "stage": "GA", "title": "Essential Contacts Admin" }, { "description": "Viewer for all essential contacts", "etag": "AA==", "name": "roles/essentialcontacts.viewer", "stage": "GA", "title": "Essential Contacts Viewer" }, { "description": "Full control over all Eventarc resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/eventarc.admin", "stage": "GA", "title": "Eventarc Admin" }, { "description": "Can publish events to Eventarc Channel Connections.", "etag": "AA==", "name": "roles/eventarc.connectionPublisher", "stage": "BETA", "title": "Eventarc Connection Publisher" }, { "description": "Access to read and write Eventarc resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/eventarc.developer", "stage": "GA", "title": "Eventarc Developer" }, { "description": "Can receive events from all event providers.", "etag": "AA==", "name": "roles/eventarc.eventReceiver", "stage": "GA", "title": "Eventarc Event Receiver" }, { "description": "Full control over Message Buses resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/eventarc.messageBusAdmin", "stage": "GA", "title": "Eventarc Message Bus Admin" }, { "description": "Access to publish to or bind to a Message Bus.", "etag": "AA==", "has_undocumented": true, "name": "roles/eventarc.messageBusUser", "stage": "GA", "title": "Eventarc Message Bus User" }, { "description": "Can collect events from multiple projects in an org for a source resource.", "etag": "AA==", "has_undocumented": true, "name": "roles/eventarc.multiProjectEventCollector", "stage": "BETA", "title": "Eventarc Event Collector" }, { "description": "Can publish events to Eventarc channels.", "etag": "AA==", "name": "roles/eventarc.publisher", "stage": 
"BETA", "title": "Eventarc Publisher" }, { "description": "Gives Eventarc service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/eventarc.serviceAgent", "stage": "GA", "title": "Eventarc Service Agent" }, { "description": "Can view the state of all Eventarc resources, including IAM policies.", "etag": "AA==", "has_undocumented": true, "name": "roles/eventarc.viewer", "stage": "GA", "title": "Eventarc Viewer" }, { "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/externalexposure.serviceAgent", "stage": "GA", "title": "External Exposure Service Agent" }, { "description": "Read-write access to Filestore instances and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/file.editor", "stage": "BETA", "title": "Cloud Filestore Editor" }, { "description": "Gives Cloud Filestore service account access to managed resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/file.serviceAgent", "stage": "GA", "title": "Cloud Filestore Service Agent" }, { "description": "Read-only access to Filestore instances and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/file.viewer", "stage": "BETA", "title": "Cloud Filestore Viewer" }, { "description": "Full access to all Financial Services API resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/financialservices.admin", "stage": "GA", "title": "Financial Services Admin" }, { "description": "View access to all Financial Services API resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/financialservices.viewer", "stage": "GA", "title": "Financial Services Viewer" }, { "description": "Full access to Firebase products.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/firebase.admin", "stage": "GA", "title": "Firebase Admin" }, { 
"description": "Full access to Google Analytics for Firebase.", "etag": "AA==", "name": "roles/firebase.analyticsAdmin", "stage": "GA", "title": "Firebase Analytics Admin" }, { "description": "Read access to Google Analytics for Firebase.", "etag": "AA==", "name": "roles/firebase.analyticsViewer", "stage": "GA", "title": "Firebase Analytics Viewer" }, { "description": "Read and write access to Firebase App Distribution with the Admin SDK", "etag": "AA==", "name": "roles/firebase.appDistributionSdkServiceAgent", "stage": "GA", "title": "Firebase App Distribution Admin SDK Service Agent" }, { "description": "Full access to Firebase Develop products and Analytics.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/firebase.developAdmin", "stage": "GA", "title": "Firebase Develop Admin" }, { "description": "Read access to Firebase Develop products and Analytics.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/firebase.developViewer", "stage": "GA", "title": "Firebase Develop Viewer" }, { "description": "Full access to Firebase Grow products and Analytics.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebase.growthAdmin", "stage": "GA", "title": "Firebase Grow Admin" }, { "description": "Read access to Firebase Grow products and Analytics.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebase.growthViewer", "stage": "GA", "title": "Firebase Grow Viewer" }, { "description": "Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/firebase.managementServiceAgent", "stage": "GA", "title": "Firebase Service Management Service Agent" }, { "description": "Full access to Firebase Quality products and Analytics.", "etag": "AA==", "has_undocumented": true, 
"name": "roles/firebase.qualityAdmin", "stage": "GA", "title": "Firebase Quality Admin" }, { "description": "Read access to Firebase Quality products and Analytics.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebase.qualityViewer", "stage": "GA", "title": "Firebase Quality Viewer" }, { "description": "Read and write access to Firebase products available in the Admin SDK", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/firebase.sdkAdminServiceAgent", "stage": "GA", "title": "Firebase Admin SDK Administrator Service Agent" }, { "description": "Access to provision apps with the Admin SDK.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebase.sdkProvisioningServiceAgent", "stage": "GA", "title": "Firebase SDK Provisioning Service Agent" }, { "description": "Read-only access to Firebase products.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/firebase.viewer", "stage": "GA", "title": "Firebase Viewer" }, { "description": "Full read/write access to Firebase A/B Testing resources.", "etag": "AA==", "name": "roles/firebaseabt.admin", "stage": "BETA", "title": "Firebase A/B Testing Admin" }, { "description": "Read-only access to Firebase A/B Testing resources.", "etag": "AA==", "name": "roles/firebaseabt.viewer", "stage": "BETA", "title": "Firebase A/B Testing Viewer" }, { "description": "Full management of Firebase App Check.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebaseappcheck.admin", "stage": "GA", "title": "Firebase App Check Admin" }, { "description": "Grants Firebase App Check Service Account access to consumer app attestation resources, such as reCAPTCHA Enterprise and Play Integrity API.", "etag": "AA==", "name": "roles/firebaseappcheck.serviceAgent", "stage": "GA", "title": "Firebase App Check Service Agent" }, { "description": "Access to token verification capabilities for Firebase App Check.", "etag": "AA==", "name": 
"roles/firebaseappcheck.tokenVerifier", "stage": "GA", "title": "Firebase App Check Token Verifier" }, { "description": "Read-only access for Firebase App Check.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebaseappcheck.viewer", "stage": "GA", "title": "Firebase App Check Viewer" }, { "description": "Full read/write access to Firebase App Distribution resources.", "etag": "AA==", "name": "roles/firebaseappdistro.admin", "stage": "GA", "title": "Firebase App Distribution Admin" }, { "description": "Read-only access to Firebase App Distribution resources.", "etag": "AA==", "name": "roles/firebaseappdistro.viewer", "stage": "GA", "title": "Firebase App Distribution Viewer" }, { "description": "Full access to Firebase App Hosting API resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebaseapphosting.admin", "stage": "BETA", "title": "Firebase App Hosting Admin" }, { "description": "Contains the basic necessary permissions for building and running Apps on Firebase App Hosting. Gives access to get and update App Hosting builds, upload artifacts to Artifact Registry and Storage, write logs. 
Intended to be granted to the user-supplied App Hosting Compute service account.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/firebaseapphosting.computeRunner", "stage": "BETA", "title": "Firebase App Hosting Compute Runner" }, { "description": "Grants read & update access to Firebase App Hosting backend, builds, and releases resources, plus permission to invoke the backend, but doesn't allow for new backends to be created.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebaseapphosting.developer", "stage": "BETA", "title": "Firebase App Hosting Developer" }, { "description": "Gives Firebase App Hosting access to resources for Building & Deploying Backends.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/firebaseapphosting.serviceAgent", "stage": "GA", "title": "Firebase App Hosting Service Agent" }, { "description": "Grants readonly access to Firebase App Hosting resources, but not permission to invoke the backend. Intended for auditors, PMs, etc. 
Includes minimal viewer permissions for Firebase Console.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebaseapphosting.viewer", "stage": "BETA", "title": "Firebase App Hosting Viewer" }, { "description": "Full read/write access to Firebase Authentication resources.", "etag": "AA==", "name": "roles/firebaseauth.admin", "stage": "GA", "title": "Firebase Authentication Admin" }, { "description": "Read-only access to Firebase Authentication resources.", "etag": "AA==", "name": "roles/firebaseauth.viewer", "stage": "GA", "title": "Firebase Authentication Viewer" }, { "description": "Full read/write access to Firebase Cloud Messaging API resources.", "etag": "AA==", "name": "roles/firebasecloudmessaging.admin", "stage": "GA", "title": "Firebase Cloud Messaging API Admin" }, { "description": "Full read/write access to symbol mapping file resources for Firebase Crash Reporting.", "etag": "AA==", "name": "roles/firebasecrash.symbolMappingsAdmin", "stage": "GA", "title": "Firebase Crash Symbol Uploader" }, { "description": "Full read/write access to Firebase Crashlytics resources.", "etag": "AA==", "name": "roles/firebasecrashlytics.admin", "stage": "GA", "title": "Firebase Crashlytics Admin" }, { "description": "Access to BigQuery export for Crashlytics", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/firebasecrashlytics.serviceAgent", "stage": "GA", "title": "Firebase Crashlytics Service Agent" }, { "description": "Read-only access to Firebase Crashlytics resources.", "etag": "AA==", "name": "roles/firebasecrashlytics.viewer", "stage": "GA", "title": "Firebase Crashlytics Viewer" }, { "description": "Full read/write access to Firebase Realtime Database resources.", "etag": "AA==", "name": "roles/firebasedatabase.admin", "stage": "GA", "title": "Firebase Realtime Database Admin" }, { "description": "Access to publish triggers", "etag": "AA==", "name": "roles/firebasedatabase.serviceAgent", "stage": "GA", "title": "Firebase 
Realtime Database Service Agent" }, { "description": "Read-only access to Firebase Realtime Database resources.", "etag": "AA==", "name": "roles/firebasedatabase.viewer", "stage": "GA", "title": "Firebase Realtime Database Viewer" }, { "description": "Full access to Firebase Data Connect API resources, including data.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebasedataconnect.admin", "stage": "BETA", "title": "Firebase Data Connect API Admin" }, { "description": "Full access to data sources.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebasedataconnect.dataAdmin", "stage": "BETA", "title": "Firebase Data Connect API Data Admin" }, { "description": "Readonly access to data sources.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebasedataconnect.dataViewer", "stage": "BETA", "title": "Firebase Data Connect API Data Viewer" }, { "description": "Gives Firebase Data Connect access to administer Cloud SQL instances.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebasedataconnect.serviceAgent", "stage": "GA", "title": "Firebase Data Connect Service Agent" }, { "description": "Readonly access to Firebase Data Connect API resources. 
This role does not grant any access to data.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebasedataconnect.viewer", "stage": "BETA", "title": "Firebase Data Connect API Viewer" }, { "description": "Full read/write access to Firebase Dynamic Links resources.", "etag": "AA==", "name": "roles/firebasedynamiclinks.admin", "stage": "GA", "title": "Firebase Dynamic Links Admin" }, { "description": "Read-only access to Firebase Dynamic Links resources.", "etag": "AA==", "name": "roles/firebasedynamiclinks.viewer", "stage": "GA", "title": "Firebase Dynamic Links Viewer" }, { "description": "View, create, and delete Firebase Extensions Instances and Extensions Versions, and update Extensions Instances", "etag": "AA==", "name": "roles/firebaseextensions.developer", "stage": "BETA", "title": "Firebase Extensions Developer" }, { "description": "Viewer of Firebase Extensions Instances", "etag": "AA==", "name": "roles/firebaseextensions.viewer", "stage": "BETA", "title": "Firebase Extensions Viewer" }, { "description": "Fully manage Firebase Extensions", "etag": "AA==", "name": "roles/firebaseextensionspublisher.extensionsAdmin", "stage": "BETA", "title": "Firebase Extensions Publisher - Extensions Admin" }, { "description": "View Firebase Extensions", "etag": "AA==", "name": "roles/firebaseextensionspublisher.extensionsViewer", "stage": "BETA", "title": "Firebase Extensions Publisher - Extensions Viewer" }, { "description": "Full read/write access to Firebase Hosting resources.", "etag": "AA==", "name": "roles/firebasehosting.admin", "stage": "GA", "title": "Firebase Hosting Admin" }, { "description": "Read-only access to Firebase Hosting resources.", "etag": "AA==", "name": "roles/firebasehosting.viewer", "stage": "GA", "title": "Firebase Hosting Viewer" }, { "description": "Full read/write access to Firebase In-App Messaging resources.", "etag": "AA==", "name": "roles/firebaseinappmessaging.admin", "stage": "BETA", "title": "Firebase In-App Messaging Admin" 
}, { "description": "Read-only access to Firebase In-App Messaging resources.", "etag": "AA==", "name": "roles/firebaseinappmessaging.viewer", "stage": "BETA", "title": "Firebase In-App Messaging Viewer" }, { "description": "Full management of Firebase Messaging Campaigns.", "etag": "AA==", "name": "roles/firebasemessagingcampaigns.admin", "stage": "BETA", "title": "Firebase Messaging Campaigns Admin" }, { "description": "Read-only access for Firebase Messaging Campaigns.", "etag": "AA==", "name": "roles/firebasemessagingcampaigns.viewer", "stage": "BETA", "title": "Firebase Messaging Campaigns Viewer" }, { "description": "Full read/write access to Firebase ML Kit resources.", "etag": "AA==", "name": "roles/firebaseml.admin", "stage": "BETA", "title": "Firebase ML Kit Admin" }, { "description": "Access to Cloud ML and AI resources used by Firebase ML", "etag": "AA==", "has_undocumented": true, "name": "roles/firebaseml.serviceAgent", "stage": "GA", "title": "Firebase Machine Learning Service Agent" }, { "description": "Read-only access to Firebase ML Kit resources.", "etag": "AA==", "name": "roles/firebaseml.viewer", "stage": "BETA", "title": "Firebase ML Kit Viewer" }, { "description": "Grants Firebase Extensions API Service Account access to manage resources.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/firebasemods.serviceAgent", "stage": "GA", "title": "Firebase Extensions API Service Agent" }, { "description": "Full read/write access to Firebase Cloud Messaging resources.", "etag": "AA==", "name": "roles/firebasenotifications.admin", "stage": "GA", "title": "Firebase Cloud Messaging Admin" }, { "description": "Read-only access to Firebase Cloud Messaging resources.", "etag": "AA==", "name": "roles/firebasenotifications.viewer", "stage": "GA", "title": "Firebase Cloud Messaging Viewer" }, { "description": "Full access to firebaseperformance resources.", "etag": "AA==", "name": "roles/firebaseperformance.admin", "stage": "GA", 
"title": "Firebase Performance Reporting Admin" }, { "description": "Read-only access to firebaseperformance resources.", "etag": "AA==", "name": "roles/firebaseperformance.viewer", "stage": "GA", "title": "Firebase Performance Reporting Viewer" }, { "description": "Full management of Firebase Rules.", "etag": "AA==", "name": "roles/firebaserules.admin", "stage": "GA", "title": "Firebase Rules Admin" }, { "description": "Grants Firebase Security Rules access to Firestore for providing cross-service Rules.", "etag": "AA==", "has_dataaccess": true, "name": "roles/firebaserules.firestoreServiceAgent", "stage": "GA", "title": "Firebase Rules Firestore Service Agent" }, { "description": "Read/write/list access for Datastore entities and Cloud Storage objects, as well as get/list/publish access for PubSub topics.", "etag": "AA==", "has_dataaccess": true, "name": "roles/firebaserules.system", "stage": "GA", "title": "Firebase Rules System" }, { "description": "Read-only access on all resources with the ability to test Rulesets.", "etag": "AA==", "name": "roles/firebaserules.viewer", "stage": "GA", "title": "Firebase Rules Viewer" }, { "description": "Full management of Cloud Storage for Firebase.", "etag": "AA==", "name": "roles/firebasestorage.admin", "stage": "BETA", "title": "Cloud Storage for Firebase Admin" }, { "description": "Access to Cloud Storage for Firebase through API and SDK.", "etag": "AA==", "has_dataaccess": true, "name": "roles/firebasestorage.serviceAgent", "stage": "GA", "title": "Cloud Storage for Firebase Service Agent" }, { "description": "Read-only access for Cloud Storage for Firebase.", "etag": "AA==", "name": "roles/firebasestorage.viewer", "stage": "BETA", "title": "Cloud Storage for Firebase Viewer" }, { "description": "Full access to Firebase AI Logic resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebasevertexai.admin", "stage": "BETA", "title": "Firebase AI Logic Admin" }, { "description": "Read access to Firebase AI 
Logic resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/firebasevertexai.viewer", "stage": "BETA", "title": "Firebase AI Logic Viewer" }, { "description": "Gives Firestore service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/firestore.serviceAgent", "stage": "GA", "title": "Firestore Service Agent" }, { "description": "Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on user behalf.", "etag": "AA==", "name": "roles/firewallinsights.serviceAgent", "stage": "GA", "title": "Cloud Firewall Insights Service Agent" }, { "description": "Limited read access to Fleet Engine resources", "etag": "AA==", "name": "roles/fleetengine.consumerSdkUser", "stage": "GA", "title": "Fleet Engine Consumer SDK User" }, { "description": "Full access to Fleet Engine Delivery resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/fleetengine.deliveryAdmin", "stage": "GA", "title": "Fleet Engine Delivery Admin" }, { "description": "Limited read access to Fleet Engine Delivery resources", "etag": "AA==", "name": "roles/fleetengine.deliveryConsumer", "stage": "GA", "title": "Fleet Engine Delivery Consumer User" }, { "description": "Grants read access to all Fleet Engine Delivery resources", "etag": "AA==", "name": "roles/fleetengine.deliveryFleetReader", "stage": "GA", "title": "Fleet Engine Delivery Fleet Reader User" }, { "description": "Full access to Fleet Engine DeliveryVehicles and Tasks resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/fleetengine.deliverySuperUser", "stage": "GA", "title": "Fleet Engine Delivery Super User" }, { "description": "Read and write access to Fleet Engine Delivery resources", "etag": "AA==", "name": "roles/fleetengine.deliveryTrustedDriver", "stage": "GA", "title": "Fleet Engine Delivery Trusted Driver User" }, { "description": "Limited write access to Fleet Engine Delivery Vehicle resources", "etag": 
"AA==", "name": "roles/fleetengine.deliveryUntrustedDriver", "stage": "GA", "title": "Fleet Engine Delivery Untrusted Driver User" }, { "description": "Read and limited update access to Fleet Engine resources", "etag": "AA==", "name": "roles/fleetengine.driverSdkUser", "stage": "GA", "title": "Fleet Engine Driver SDK User" }, { "description": "Full access to Vehicle and Trip resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/fleetengine.ondemandAdmin", "stage": "GA", "title": "Fleet Engine On-Demand Admin" }, { "description": "Grants the FleetEngine Service Account access to manage resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/fleetengine.serviceAgent", "stage": "GA", "title": "FleetEngine Service Agent" }, { "description": "Full access to all Fleet Engine resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/fleetengine.serviceSuperUser", "stage": "GA", "title": "Fleet Engine Service Super User" }, { "description": "Gives Game Services Service Account access to GCP resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/gameservices.serviceAgent", "stage": "GA", "title": "Game Services Service Agent" }, { "description": "Full access to GDC Hardware Management resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gdchardwaremanagement.admin", "stage": "BETA", "title": "GDC Hardware Management Admin" }, { "description": "Create, read, and update access to GDC Hardware Management resources that support those operations. 
Also grants delete access to HardwareGroup resource.", "etag": "AA==", "name": "roles/gdchardwaremanagement.operator", "stage": "BETA", "title": "GDC Hardware Management Operator" }, { "description": "Readonly access to GDC Hardware Management resources.", "etag": "AA==", "name": "roles/gdchardwaremanagement.reader", "stage": "BETA", "title": "GDC Hardware Management Reader" }, { "description": "Grants full administrative access to Gemini Cloud Assist investigations.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminicloudassist.investigationAdmin", "stage": "BETA", "title": "Gemini Cloud Assist Investigation Admin" }, { "description": "Grants the ability to create a new Cloud Assist investigation, list existing investigations that you have permission to view, and check the status of investigations.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminicloudassist.investigationCreator", "stage": "BETA", "title": "Gemini Cloud Assist Investigation Creator" }, { "description": "Grants the ability to list, view, edit, and run existing Gemini Cloud Assist investigations. The ability to create or delete an investigation is granted separately.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminicloudassist.investigationEditor", "stage": "BETA", "title": "Gemini Cloud Assist Investigation Editor" }, { "description": "Grants full administrative access to Gemini Cloud Assist investigations, except the ability to create a new investigation.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminicloudassist.investigationOwner", "stage": "BETA", "title": "Gemini Cloud Assist Investigation Owner" }, { "description": "Grants the ability to list existing investigations that you have permission to view and check the status of investigations. 
Access to individual investigations must be granted separately.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminicloudassist.investigationUser", "stage": "BETA", "title": "Gemini Cloud Assist Investigation User" }, { "description": "Grants read-only access to existing Gemini Cloud Assist investigations, including revision information and IAM policy information for investigations.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminicloudassist.investigationViewer", "stage": "BETA", "title": "Gemini Cloud Assist Investigation Viewer" }, { "description": "Grants the ability to use Gemini Cloud Assist chat and create investigations.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminicloudassist.user", "stage": "BETA", "title": "Gemini Cloud Assist User" }, { "description": "Gives Gemini Code Assist Management Service Agent access to Cloud Platform resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminicodeassistmanagement.serviceAgent", "stage": "GA", "title": "Gemini Code Assist Management Service Agent" }, { "description": "Create access to Gemini Data Analytics resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminidataanalytics.dataAgentCreator", "stage": "BETA", "title": "Gemini Data Analytics Data Agent Creator" }, { "description": "Chat and Edit access to Gemini Data Analytics resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminidataanalytics.dataAgentEditor", "stage": "BETA", "title": "Gemini Data Analytics Data Agent Editor" }, { "description": "Full access to existing Gemini Data Analytics resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminidataanalytics.dataAgentOwner", "stage": "BETA", "title": "Gemini Data Analytics Data Agent Owner" }, { "description": "Stateless access to Gemini Data Analytics chat.", "etag": "AA==", "name": "roles/geminidataanalytics.dataAgentStatelessUser", "stage": "BETA", "title": "Gemini Data Analytics 
Stateless Chat User" }, { "description": "Chat and View access to Gemini Data Analytics resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminidataanalytics.dataAgentUser", "stage": "BETA", "title": "Gemini Data Analytics Data Agent User" }, { "description": "Readonly access to Gemini Data Analytics resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/geminidataanalytics.dataAgentViewer", "stage": "BETA", "title": "Gemini Data Analytics Data Agent Viewer" }, { "description": "Grants Generative Language Service Agent permissions required to read data from GCS buckets", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/generativelanguage.serviceAgent", "stage": "GA", "title": "Generative Language Service Agent" }, { "description": "Full access to genomics datasets and operations.", "etag": "AA==", "name": "roles/genomics.admin", "stage": "GA", "title": "Genomics Admin" }, { "description": "Access to read and edit genomics datasets and operations.", "etag": "AA==", "name": "roles/genomics.editor", "stage": "GA", "title": "Genomics Editor" }, { "description": "Full access to operate on genomics pipelines.", "etag": "AA==", "name": "roles/genomics.pipelinesRunner", "stage": "GA", "title": "Genomics Pipelines Runner" }, { "description": "Gives Genomics Service Account access to compute resources. 
Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/genomics.serviceAgent", "stage": "GA", "title": "Genomics Service Agent" }, { "description": "Access to view genomics datasets and operations.", "etag": "AA==", "name": "roles/genomics.viewer", "stage": "GA", "title": "Genomics Viewer" }, { "description": "Full access to all Backup for GKE resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkebackup.admin", "stage": "GA", "title": "Backup for GKE Admin" }, { "description": "Allows administrators to manage all BackupPlan and Backup resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkebackup.backupAdmin", "stage": "GA", "title": "Backup for GKE Backup Admin" }, { "description": "Grants permissions to execute Backup for GKE resources across projects.", "etag": "AA==", "name": "roles/gkebackup.crossProjectServiceAgent", "stage": "GA", "title": "Backup for GKE Cross Project Service Agent" }, { "description": "Allows administrators to manage Backup resources for specific BackupPlans", "etag": "AA==", "has_undocumented": true, "name": "roles/gkebackup.delegatedBackupAdmin", "stage": "GA", "title": "Backup for GKE Delegated Backup Admin" }, { "description": "Allows administrators to manage Restore resources for specific RestorePlans", "etag": "AA==", "name": "roles/gkebackup.delegatedRestoreAdmin", "stage": "GA", "title": "Backup for GKE Delegated Restore Admin" }, { "description": "Allows administrators to manage all RestorePlan and Restore resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkebackup.restoreAdmin", "stage": "GA", "title": "Backup for GKE Restore Admin" }, { "description": "Grants the Backup for GKE Service Account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/gkebackup.serviceAgent", "stage": 
"GA", "title": "Backup for GKE Service Agent" }, { "description": "Read-only access to all Backup for GKE resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkebackup.viewer", "stage": "GA", "title": "Backup for GKE Viewer" }, { "description": "Gives the Warp Run service agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/gkedataplanemanagement.warpRunServiceAgent", "stage": "GA", "title": "Warp Run Service Agent" }, { "description": "Full access to Fleet resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkehub.admin", "stage": "GA", "title": "Fleet Admin (formerly GKE Hub Admin)" }, { "description": "Ability to set up GKE Connect between external clusters and Google.", "etag": "AA==", "name": "roles/gkehub.connect", "stage": "GA", "title": "GKE Connect Agent" }, { "description": "Gives the GKE Hub service agent permission to manage the project for cross-project fleet registration.", "etag": "AA==", "has_privesc": true, "name": "roles/gkehub.crossProjectServiceAgent", "stage": "GA", "title": "GKE Hub Cross Project Service Agent" }, { "description": "Edit access to Fleet resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkehub.editor", "stage": "GA", "title": "Fleet Editor (formerly GKE Hub Editor)" }, { "description": "Full access to Connect Gateway.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkehub.gatewayAdmin", "stage": "GA", "title": "Connect Gateway Admin" }, { "description": "Edit access to Connect Gateway.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkehub.gatewayEditor", "stage": "GA", "title": "Connect Gateway Editor" }, { "description": "Read-only access to Connect Gateway.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkehub.gatewayReader", "stage": "GA", "title": "Connect Gateway Reader" }, { "description": "Admin access to Fleet Scopes to set IAM Bindings and RBACRoleBindings.", "etag": "AA==", "name": "roles/gkehub.scopeAdmin", 
"stage": "GA", "title": "Fleet Scope Admin" }, { "description": "Edit access to Namespaces under Fleet Scopes.", "etag": "AA==", "name": "roles/gkehub.scopeEditor", "stage": "GA", "title": "Fleet Scope Editor" }, { "description": "Role for project-level permissions for editor of Fleet Scopes.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkehub.scopeEditorProjectLevel", "stage": "GA", "title": "Fleet Project-level Scope Editor" }, { "description": "Viewer of Fleet Scopes and associated resources.", "etag": "AA==", "name": "roles/gkehub.scopeViewer", "stage": "GA", "title": "Fleet Scope Viewer" }, { "description": "Role for project-level permissions for viewer of Fleet Scopes.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkehub.scopeViewerProjectLevel", "stage": "GA", "title": "Fleet Project-level Scope Viewer" }, { "description": "Gives the GKE Hub service agent access to Cloud Platform resources.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/gkehub.serviceAgent", "stage": "GA", "title": "GKE Hub Service Agent" }, { "description": "Read-only access to Fleets and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkehub.viewer", "stage": "GA", "title": "Fleet Viewer (formerly GKE Hub Viewer)" }, { "description": "Admin access to Anthos Multi-cloud resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkemulticloud.admin", "stage": "GA", "title": "Anthos Multi-cloud Admin" }, { "description": "Grants the Anthos Multi-Cloud Container Service Account access to manage resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkemulticloud.containerServiceAgent", "stage": "GA", "title": "Anthos Multi-Cloud Container Service Agent" }, { "description": "Grants the Anthos Multi-Cloud Control Plane Machine Service Account access to manage resources.", "etag": "AA==", "name": "roles/gkemulticloud.controlPlaneMachineServiceAgent", "stage": "GA", "title": "Anthos 
Multi-Cloud Control Plane Machine Service Agent" }, { "description": "Grants the Anthos Multi-Cloud Node Pool Machine Service Account access to manage resources.", "etag": "AA==", "name": "roles/gkemulticloud.nodePoolMachineServiceAgent", "stage": "GA", "title": "Anthos Multi-Cloud Node Pool Machine Service Agent" }, { "description": "Grants the Anthos Multi-Cloud Service Account access to manage resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkemulticloud.serviceAgent", "stage": "GA", "title": "Anthos Multi-Cloud Service Agent" }, { "description": "Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkemulticloud.telemetryWriter", "stage": "GA", "title": "Anthos Multi-cloud Telemetry Writer" }, { "description": "Viewer access to Anthos Multi-cloud resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkemulticloud.viewer", "stage": "GA", "title": "Anthos Multi-cloud Viewer" }, { "description": "Full access to GKE on-prem all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkeonprem.admin", "stage": "GA", "title": "GKE on-prem Admin" }, { "description": "Gives the GKE On-Prem service agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/gkeonprem.serviceAgent", "stage": "GA", "title": "GKE On-Prem Service Agent" }, { "description": "Read-only access to GKE on-prem all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/gkeonprem.viewer", "stage": "GA", "title": "GKE on-prem Viewer" }, { "description": "Full access to Google Workspace Add-ons resources", "etag": "AA==", "name": "roles/gsuiteaddons.developer", "stage": "GA", "title": "Google Workspace Add-ons Developer" }, { "description": "Read-only access to Google Workspace Add-ons resources", "etag": "AA==", "name": "roles/gsuiteaddons.reader", "stage": "GA", "title": "Google Workspace Add-ons Reader" }, { 
"description": "Testing execution access to Google Workspace Add-ons resources", "etag": "AA==", "name": "roles/gsuiteaddons.tester", "stage": "GA", "title": "Google Workspace Add-ons Tester" }, { "description": "Create, delete, update, read and list annotations.", "etag": "AA==", "name": "roles/healthcare.annotationEditor", "stage": "GA", "title": "Healthcare Annotation Editor" }, { "description": "Read and list annotations in an Annotation store.", "etag": "AA==", "name": "roles/healthcare.annotationReader", "stage": "GA", "title": "Healthcare Annotation Reader" }, { "description": "Administer Annotation stores.", "etag": "AA==", "name": "roles/healthcare.annotationStoreAdmin", "stage": "GA", "title": "Healthcare Annotation Administrator" }, { "description": "List Annotation Stores in a dataset.", "etag": "AA==", "name": "roles/healthcare.annotationStoreViewer", "stage": "GA", "title": "Healthcare Annotation Store Viewer" }, { "description": "Edit AttributeDefinition objects.", "etag": "AA==", "name": "roles/healthcare.attributeDefinitionEditor", "stage": "GA", "title": "Healthcare Attribute Definition Editor" }, { "description": "Read AttributeDefinition objects in a consent store.", "etag": "AA==", "name": "roles/healthcare.attributeDefinitionReader", "stage": "GA", "title": "Healthcare Attribute Definition Reader" }, { "description": "Administer ConsentArtifact objects.", "etag": "AA==", "name": "roles/healthcare.consentArtifactAdmin", "stage": "GA", "title": "Healthcare Consent Artifact Administrator" }, { "description": "Edit ConsentArtifact objects.", "etag": "AA==", "name": "roles/healthcare.consentArtifactEditor", "stage": "GA", "title": "Healthcare Consent Artifact Editor" }, { "description": "Read ConsentArtifact objects in a consent store.", "etag": "AA==", "name": "roles/healthcare.consentArtifactReader", "stage": "GA", "title": "Healthcare Consent Artifact Reader" }, { "description": "Edit Consent objects.", "etag": "AA==", "name": 
"roles/healthcare.consentEditor", "stage": "GA", "title": "Healthcare Consent Editor" }, { "description": "Read Consent objects in a consent store.", "etag": "AA==", "name": "roles/healthcare.consentReader", "stage": "GA", "title": "Healthcare Consent Reader" }, { "description": "Administer Consent stores.", "etag": "AA==", "name": "roles/healthcare.consentStoreAdmin", "stage": "GA", "title": "Healthcare Consent Store Administrator" }, { "description": "List Consent Stores in a dataset.", "etag": "AA==", "name": "roles/healthcare.consentStoreViewer", "stage": "GA", "title": "Healthcare Consent Store Viewer" }, { "description": "Administer Healthcare Datasets.", "etag": "AA==", "name": "roles/healthcare.datasetAdmin", "stage": "GA", "title": "Healthcare Dataset Administrator" }, { "description": "List the Healthcare Datasets in a project.", "etag": "AA==", "name": "roles/healthcare.datasetViewer", "stage": "GA", "title": "Healthcare Dataset Viewer" }, { "description": "Edit DICOM images individually and in bulk.", "etag": "AA==", "has_undocumented": true, "name": "roles/healthcare.dicomEditor", "stage": "GA", "title": "Healthcare DICOM Editor" }, { "description": "Administer DICOM stores.", "etag": "AA==", "name": "roles/healthcare.dicomStoreAdmin", "stage": "GA", "title": "Healthcare DICOM Store Administrator" }, { "description": "List DICOM Stores in a dataset.", "etag": "AA==", "name": "roles/healthcare.dicomStoreViewer", "stage": "GA", "title": "Healthcare DICOM Store Viewer" }, { "description": "Retrieve DICOM images from a DICOM store.", "etag": "AA==", "name": "roles/healthcare.dicomViewer", "stage": "GA", "title": "Healthcare DICOM Viewer" }, { "description": "Create, delete, update, read and search FHIR resources.", "etag": "AA==", "name": "roles/healthcare.fhirResourceEditor", "stage": "GA", "title": "Healthcare FHIR Resource Editor" }, { "description": "Read and search FHIR resources.", "etag": "AA==", "name": "roles/healthcare.fhirResourceReader", 
"stage": "GA", "title": "Healthcare FHIR Resource Reader" }, { "description": "Administer FHIR resource stores.", "etag": "AA==", "has_undocumented": true, "name": "roles/healthcare.fhirStoreAdmin", "stage": "GA", "title": "Healthcare FHIR Store Administrator" }, { "description": "List FHIR Stores in a dataset.", "etag": "AA==", "name": "roles/healthcare.fhirStoreViewer", "stage": "GA", "title": "Healthcare FHIR Store Viewer" }, { "description": "List and read HL7v2 messages, update message labels, and publish new messages.", "etag": "AA==", "name": "roles/healthcare.hl7V2Consumer", "stage": "GA", "title": "Healthcare HL7v2 Message Consumer" }, { "description": "Read, write, and delete access to HL7v2 messages.", "etag": "AA==", "name": "roles/healthcare.hl7V2Editor", "stage": "GA", "title": "Healthcare HL7v2 Message Editor" }, { "description": "Ingest HL7v2 messages received from a source network.", "etag": "AA==", "name": "roles/healthcare.hl7V2Ingest", "stage": "GA", "title": "Healthcare HL7v2 Message Ingest" }, { "description": "Administer HL7v2 Stores.", "etag": "AA==", "has_undocumented": true, "name": "roles/healthcare.hl7V2StoreAdmin", "stage": "GA", "title": "Healthcare HL7v2 Store Administrator" }, { "description": "View HL7v2 Stores in a dataset.", "etag": "AA==", "name": "roles/healthcare.hl7V2StoreViewer", "stage": "GA", "title": "Healthcare HL7v2 Store Viewer" }, { "description": "Extract and analyze medical entities from a given text.", "etag": "AA==", "name": "roles/healthcare.nlpServiceViewer", "stage": "BETA", "title": "Healthcare NLP Service Viewer" }, { "description": "Gives the Healthcare Service Account access to networks, Kubernetes engine, and Pub/Sub resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/healthcare.serviceAgent", "stage": "GA", "title": "Healthcare Service Agent" }, { "description": "Edit UserDataMapping objects.", "etag": "AA==", "name": "roles/healthcare.userDataMappingEditor", 
"stage": "GA", "title": "Healthcare User Data Mapping Editor" }, { "description": "Read UserDataMapping objects in a consent store.", "etag": "AA==", "name": "roles/healthcare.userDataMappingReader", "stage": "GA", "title": "Healthcare User Data Mapping Reader" }, { "description": "Edit access to Cluster Director resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/hypercomputecluster.editor", "stage": "BETA", "title": "Cluster Director Editor" }, { "description": "Grants Cluster Director Service Agent access to necessary GCP resources.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/hypercomputecluster.serviceAgent", "stage": "GA", "title": "Cluster Director Service Agent" }, { "description": "Readonly access to Cluster Director resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/hypercomputecluster.viewer", "stage": "BETA", "title": "Cluster Director Viewer" }, { "description": "Access Policy admin role, with permissions to read and modify access policies, and to bind and unbind access policies to targets", "etag": "AA==", "has_undocumented": true, "name": "roles/iam.accessPolicyAdmin", "stage": "BETA", "title": "Access Policy Admin" }, { "description": "Access Policies user role, with permissions to view access policies, and to bind and unbind access policies to targets", "etag": "AA==", "has_undocumented": true, "name": "roles/iam.accessPolicyUser", "stage": "BETA", "title": "Access Policy User" }, { "description": "Access Policy Viewer role, with permissions to read access policies and view associated policy bindings", "etag": "AA==", "has_undocumented": true, "name": "roles/iam.accessPolicyViewer", "stage": "BETA", "title": "Access Policy Viewer" }, { "description": "Designed for a data scientist power user to manage data platform services and associated Compute services for analyzing data and building data processing, transformation and 
analysis pipelines.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/iam.dataScientist", "stage": "GA", "title": "Data Scientist" }, { "description": "Role for an administrator to manage all structured and non structured datastores in GCP.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/iam.databasesAdmin", "stage": "GA", "title": "Databases Admin" }, { "description": "Deny admin role, with permissions to read and modify deny policies", "etag": "AA==", "has_undocumented": true, "name": "roles/iam.denyAdmin", "stage": "GA", "title": "Deny Admin" }, { "description": "Deny Reviewer role, with permissions to read deny policies", "etag": "AA==", "name": "roles/iam.denyReviewer", "stage": "GA", "title": "Deny Reviewer" }, { "description": "Enables DevOps users to build and deploy applications, create, manage and perform administrative tasks on associated GCP resources", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/iam.devOps", "stage": "GA", "title": "Dev Ops" }, { "description": "Enables full control for management of key infrastructure services: GCE, GKE, Storage and Networking", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/iam.infrastructureAdmin", "stage": "GA", "title": "Infrastructure Administrator" }, { "description": "Enables an ML engineer as a power user for using GCP for building and deploying AI based applications.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/iam.mlEngineer", "stage": "GA", "title": "ML Engineer" }, { "description": "Designed for a Network Administrator to manage Network and related GCP resources, create customized monitoring, and viewing 
configurations", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/iam.networkAdmin", "stage": "GA", "title": "Network Administrator" }, { "description": "Full rights to create and manage OAuth clients.", "etag": "AA==", "name": "roles/iam.oauthClientAdmin", "stage": "GA", "title": "IAM OAuth Client Admin" }, { "description": "Read access to a particular instance of an OAuth client.", "etag": "AA==", "name": "roles/iam.oauthClientViewer", "stage": "GA", "title": "IAM OAuth Client Viewer" }, { "description": "Operation user role, with permissions to view and list operations in IAM v3", "etag": "AA==", "name": "roles/iam.operationViewer", "stage": "GA", "title": "IAM Operation Viewer" }, { "description": "Access to administer all custom roles in the organization and the projects below it.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/iam.organizationRoleAdmin", "stage": "GA", "title": "Organization Role Administrator" }, { "description": "Read access to all custom roles in the organization and the projects below it.", "etag": "AA==", "has_undocumented": true, "name": "roles/iam.organizationRoleViewer", "stage": "GA", "title": "Organization Role Viewer" }, { "description": "Principal Access Boundary admin role, with permissions to read and modify principal access boundary policies, and to bind and unbind principal access boundary policies to targets. 
Also includes permissions to read principal authorization activities analysis and permissions to list assets from Cloud Asset Inventory", "etag": "AA==", "has_undocumented": true, "name": "roles/iam.principalAccessBoundaryAdmin", "stage": "GA", "title": "Principal Access Boundary Policy Admin" }, { "description": "Principal Access Boundary Policies user role, with permissions to view principal access boundary policies, and to bind and unbind principal access boundary policies to targets", "etag": "AA==", "name": "roles/iam.principalAccessBoundaryUser", "stage": "GA", "title": "Principal Access Boundary Policy User" }, { "description": "Principal Access Boundary Reviewer role, with permissions to read principal access boundary policies and view associated policy bindings", "etag": "AA==", "name": "roles/iam.principalAccessBoundaryViewer", "stage": "GA", "title": "Principal Access Boundary Policy Viewer" }, { "description": "Access to administer all custom roles in the project.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/iam.roleAdmin", "stage": "GA", "title": "Role Administrator" }, { "description": "Read access to all custom roles in the project.", "etag": "AA==", "has_undocumented": true, "name": "roles/iam.roleViewer", "stage": "GA", "title": "Role Viewer" }, { "description": "Rights to sync users and groups from external identity providers.", "etag": "AA==", "has_undocumented": true, "name": "roles/iam.scimSyncer", "stage": "GA", "title": "SCIM Data Syncer" }, { "description": "Security admin role, with permissions to get and set any IAM policy.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/iam.securityAdmin", "stage": "GA", "title": "Security Admin" }, { "description": "Read-only role designed for enabling security audit of your GCP environment, associated policies and viewing configurations.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": 
"roles/iam.securityAuditor", "stage": "GA", "title": "Security Auditor" }, { "description": "Security reviewer role, with permissions to get any IAM policy.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/iam.securityReviewer", "stage": "GA", "title": "Security Reviewer" }, { "description": "Create and manage service accounts.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/iam.serviceAccountAdmin", "stage": "GA", "title": "Service Account Admin" }, { "description": "Create and delete service account API Key bindings", "etag": "AA==", "has_undocumented": true, "name": "roles/iam.serviceAccountApiKeyBindingAdmin", "stage": "GA", "title": "Service Account API Key Binding Admin" }, { "description": "Access to create service accounts.", "etag": "AA==", "name": "roles/iam.serviceAccountCreator", "stage": "GA", "title": "Create Service Accounts" }, { "description": "Access to delete service accounts.", "etag": "AA==", "name": "roles/iam.serviceAccountDeleter", "stage": "GA", "title": "Delete Service Accounts" }, { "description": "Create and manage (and rotate) service account keys.", "etag": "AA==", "has_credentialexposure": true, "has_privesc": true, "name": "roles/iam.serviceAccountKeyAdmin", "stage": "GA", "title": "Service Account Key Admin" }, { "description": "Create OpenID Connect (OIDC) identity tokens", "etag": "AA==", "has_privesc": true, "name": "roles/iam.serviceAccountOpenIdTokenCreator", "stage": "GA", "title": "Service Account OpenID Connect Identity Token Creator" }, { "description": "Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).", "etag": "AA==", "has_privesc": true, "name": "roles/iam.serviceAccountTokenCreator", "stage": "GA", "title": "Service Account Token Creator" }, { "description": "Run operations as the service account.", "etag": "AA==", "has_privesc": true, "name": "roles/iam.serviceAccountUser", "stage": "GA", "title": "Service Account 
User" }, { "description": "Read access to service accounts, metadata, and keys.", "etag": "AA==", "name": "roles/iam.serviceAccountViewer", "stage": "GA", "title": "View Service Accounts" }, { "description": "Enables operational monitoring, performance optimization and reliability management of applications built on GCP.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/iam.siteReliabilityEngineer", "stage": "GA", "title": "Site Reliability Engineer" }, { "description": "Provide a user the ability to create and manage support cases in their own enterprise by viewing their GCP resource configurations, monitoring and logging information that may be needed for providing required information to GCP support.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/iam.supportUser", "stage": "GA", "title": "Support User" }, { "description": "Full rights to create and manage all workforce pools in the org, along with the ability to delegate permissions to other admins.", "etag": "AA==", "has_undocumented": true, "name": "roles/iam.workforcePoolAdmin", "stage": "GA", "title": "IAM Workforce Pool Admin" }, { "description": "Rights to edit a particular instance of a workforce pool.", "etag": "AA==", "name": "roles/iam.workforcePoolEditor", "stage": "GA", "title": "IAM Workforce Pool Editor" }, { "description": "Rights to read workforce pool.", "etag": "AA==", "name": "roles/iam.workforcePoolViewer", "stage": "GA", "title": "IAM Workforce Pool Viewer" }, { "description": "Full rights to create and manage workload identity pools.", "etag": "AA==", "name": "roles/iam.workloadIdentityPoolAdmin", "stage": "BETA", "title": "IAM Workload Identity Pool Admin" }, { "description": "Read access to workload identity pools.", "etag": "AA==", "name": "roles/iam.workloadIdentityPoolViewer", "stage": "BETA", "title": "IAM 
Workload Identity Pool Viewer" }, { "description": "Impersonate service accounts from federated workloads.", "etag": "AA==", "has_privesc": true, "name": "roles/iam.workloadIdentityUser", "stage": "GA", "title": "Workload Identity User" }, { "description": "IAM workspace pool admin able to bind IAM policies to Dasher accounts.", "etag": "AA==", "name": "roles/iam.workspacePoolAdmin", "stage": "GA", "title": "Workspace Pool IAM Admin" }, { "description": "Administrator of IAP Permissions", "etag": "AA==", "name": "roles/iap.admin", "stage": "GA", "title": "IAP Policy Admin" }, { "description": "Access HTTPS resources which use Identity-Aware Proxy", "etag": "AA==", "name": "roles/iap.httpsResourceAccessor", "stage": "GA", "title": "IAP-secured Web App User" }, { "description": "Remediate IAP resource", "etag": "AA==", "name": "roles/iap.remediatorUser", "stage": "BETA", "title": "IAP-secured Resource Remediator User" }, { "description": "Administrator of IAP Settings.", "etag": "AA==", "name": "roles/iap.settingsAdmin", "stage": "GA", "title": "IAP Settings Admin" }, { "description": "Edit Tunnel Destination Group resources which use Identity-Aware Proxy", "etag": "AA==", "name": "roles/iap.tunnelDestGroupEditor", "stage": "GA", "title": "IAP-secured Tunnel Destination Group Editor" }, { "description": "View Tunnel Destination Group resources which use Identity-Aware Proxy", "etag": "AA==", "name": "roles/iap.tunnelDestGroupViewer", "stage": "GA", "title": "IAP-secured Tunnel Destination Group Viewer" }, { "description": "Access Tunnel resources which use Identity-Aware Proxy", "etag": "AA==", "name": "roles/iap.tunnelResourceAccessor", "stage": "GA", "title": "IAP-secured Tunnel User" }, { "description": "Full access to Identity Platform resources.", "etag": "AA==", "name": "roles/identityplatform.admin", "stage": "BETA", "title": "Identity Platform Admin" }, { "description": "Read access to Identity Platform resources.", "etag": "AA==", "name": 
"roles/identityplatform.viewer", "stage": "BETA", "title": "Identity Platform Viewer" }, { "description": "Full access to Identity Toolkit resources.", "etag": "AA==", "name": "roles/identitytoolkit.admin", "stage": "GA", "title": "Identity Toolkit Admin" }, { "description": "Gives Identity Platform service account access to customer project resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/identitytoolkit.serviceAgent", "stage": "GA", "title": "Identity Platform Service Agent" }, { "description": "Read access to Identity Toolkit resources.", "etag": "AA==", "name": "roles/identitytoolkit.viewer", "stage": "GA", "title": "Identity Toolkit Viewer" }, { "description": "Full access to Cloud IDS all resources.", "etag": "AA==", "name": "roles/ids.admin", "stage": "BETA", "title": "Cloud IDS Admin" }, { "description": "Read-only access to Cloud IDS all resources.", "etag": "AA==", "name": "roles/ids.viewer", "stage": "BETA", "title": "Cloud IDS Viewer" }, { "description": "A user that has full access to all Apigee integrations.", "etag": "AA==", "name": "roles/integrations.apigeeIntegrationAdminRole", "stage": "GA", "title": "Apigee Integration Admin" }, { "description": "A developer that can deploy/undeploy Apigee integrations to the integration runtime.", "etag": "AA==", "name": "roles/integrations.apigeeIntegrationDeployerRole", "stage": "GA", "title": "Apigee Integration Deployer" }, { "description": "A developer that can list, create and update Apigee integrations.", "etag": "AA==", "name": "roles/integrations.apigeeIntegrationEditorRole", "stage": "GA", "title": "Apigee Integration Editor" }, { "description": "A role that can invoke Apigee integrations.", "etag": "AA==", "name": "roles/integrations.apigeeIntegrationInvokerRole", "stage": "GA", "title": "Apigee Integration Invoker" }, { "description": "A developer that can list and view Apigee integrations.", "etag": "AA==", "name": 
"roles/integrations.apigeeIntegrationsViewer", "stage": "GA", "title": "Apigee Integration Viewer" }, { "description": "A role that can approve / reject Apigee integrations that contain a suspension/wait task.", "etag": "AA==", "name": "roles/integrations.apigeeSuspensionResolver", "stage": "GA", "title": "Apigee Integration Approver" }, { "description": "A developer that can list and view Certificates.", "etag": "AA==", "name": "roles/integrations.certificateViewer", "stage": "GA", "title": "Certificate Viewer" }, { "description": "A user that has full access (CRUD) to all integrations.", "etag": "AA==", "has_undocumented": true, "name": "roles/integrations.integrationAdmin", "stage": "GA", "title": "Application Integration Admin" }, { "description": "A developer that can deploy/undeploy integrations to the integration runtime.", "etag": "AA==", "name": "roles/integrations.integrationDeployer", "stage": "GA", "title": "Application Integration Deployer" }, { "description": "A developer that can list, create and update integrations.", "etag": "AA==", "has_undocumented": true, "name": "roles/integrations.integrationEditor", "stage": "GA", "title": "Application Integration Editor" }, { "description": "A role that can invoke integrations.", "etag": "AA==", "has_undocumented": true, "name": "roles/integrations.integrationInvoker", "stage": "GA", "title": "Application Integration Invoker" }, { "description": "A developer that can list and view integrations.", "etag": "AA==", "has_undocumented": true, "name": "roles/integrations.integrationViewer", "stage": "GA", "title": "Application Integration Viewer" }, { "description": "A user that has full access to all Security integrations.", "etag": "AA==", "name": "roles/integrations.securityIntegrationAdmin", "stage": "BETA", "title": "Security Integration Admin" }, { "description": "Service agent that grants access to execute an integration.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": 
true, "name": "roles/integrations.serviceAgent", "stage": "GA", "title": "Application Integration Service Agent" }, { "description": "A user that has full access (CRUD) to all SFDC instances.", "etag": "AA==", "name": "roles/integrations.sfdcInstanceAdmin", "stage": "GA", "title": "Application Integration SFDC Instance Admin" }, { "description": "A developer that can list, create and update integrations.", "etag": "AA==", "name": "roles/integrations.sfdcInstanceEditor", "stage": "GA", "title": "Application Integration SFDC Instance Editor" }, { "description": "A developer that can list and view SFDC instances.", "etag": "AA==", "name": "roles/integrations.sfdcInstanceViewer", "stage": "GA", "title": "Application Integration SFDC Instance Viewer" }, { "description": "A role that can resolve suspended integrations.", "etag": "AA==", "name": "roles/integrations.suspensionResolver", "stage": "GA", "title": "Application Integration Approver" }, { "description": "This role can perform all account manager related operations", "etag": "AA==", "name": "roles/issuerswitch.accountManagerAdmin", "stage": "BETA", "title": "Issuerswitch Account Manager Admin" }, { "description": "This role can perform all account manager transactions related operations", "etag": "AA==", "name": "roles/issuerswitch.accountManagerTransactionsAdmin", "stage": "BETA", "title": "Issuerswitch Account Manager Transactions Admin" }, { "description": "This role can view all account manager transactions", "etag": "AA==", "name": "roles/issuerswitch.accountManagerTransactionsViewer", "stage": "BETA", "title": "Issuerswitch Account Manager Transactions Viewer" }, { "description": "Access to all issuer switch roles", "etag": "AA==", "name": "roles/issuerswitch.admin", "stage": "BETA", "title": "Issuerswitch Admin" }, { "description": "Full access to issuer switch participants", "etag": "AA==", "name": "roles/issuerswitch.issuerParticipantsAdmin", "stage": "BETA", "title": "Issuerswitch Participants Admin" }, 
{ "description": "Full access to issuer switch resolutions", "etag": "AA==", "name": "roles/issuerswitch.resolutionsAdmin", "stage": "BETA", "title": "Issuerswitch Resolutions Admin" }, { "description": "Full access to issuer switch rules", "etag": "AA==", "name": "roles/issuerswitch.rulesAdmin", "stage": "BETA", "title": "Issuerswitch Rules Admin" }, { "description": "This role can view rules and related metadata.", "etag": "AA==", "name": "roles/issuerswitch.rulesViewer", "stage": "BETA", "title": "Issuerswitch Rules Viewer" }, { "description": "This role can view all transactions", "etag": "AA==", "name": "roles/issuerswitch.transactionsViewer", "stage": "BETA", "title": "Issuerswitch Transactions Viewer" }, { "description": "Full access to all Config Controller resources.", "etag": "AA==", "name": "roles/krmapihosting.admin", "stage": "GA", "title": "Config Controller Admin" }, { "description": "Grants permissions to resources managed by AnthosApiEndpoint.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/krmapihosting.anthosApiEndpointServiceAgent", "stage": "GA", "title": "KRM API Hosting AnthosApiEndpoint Service Agent" }, { "description": "Gives KRM API Hosting service account access to managed resource.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/krmapihosting.serviceAgent", "stage": "GA", "title": "KRM API Hosting Service Agent" }, { "description": "Read-only access to all Config Controller resources.", "etag": "AA==", "name": "roles/krmapihosting.viewer", "stage": "GA", "title": "Config Controller Viewer" }, { "description": "Publisher of Kubernetes clusters metadata", "etag": "AA==", "name": "roles/kubernetesmetadata.publisher", "stage": "GA", "title": "Metadata Publisher" }, { "description": "Service account role used to setup authentication for the control plane used by KubeRun Events.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": 
"roles/kuberun.eventsControlPlaneServiceAgent", "stage": "GA", "title": "KubeRun Events Control Plane Service Agent" }, { "description": "Service account role used to setup authentication for the data plane used by KubeRun Events.", "etag": "AA==", "has_dataaccess": true, "name": "roles/kuberun.eventsDataPlaneServiceAgent", "stage": "GA", "title": "KubeRun Events Data Plane Service Agent" }, { "description": "Full access to Cloud License Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/licensemanager.admin", "stage": "GA", "title": "Cloud License Manager Admin" }, { "description": "Readonly access to Cloud License Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/licensemanager.viewer", "stage": "GA", "title": "Cloud License Manager Viewer" }, { "description": "Full control of Cloud Life Sciences resources.", "etag": "AA==", "name": "roles/lifesciences.admin", "stage": "BETA", "title": "Cloud Life Sciences Admin" }, { "description": "Access to read and edit Cloud Life Sciences resources.", "etag": "AA==", "name": "roles/lifesciences.editor", "stage": "BETA", "title": "Cloud Life Sciences Editor" }, { "description": "Gives Cloud Life Sciences Service Account access to compute resources. 
Includes access to service accounts.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/lifesciences.serviceAgent", "stage": "GA", "title": "Cloud Life Sciences Service Agent" }, { "description": "Access to read Cloud Life Sciences resources.", "etag": "AA==", "name": "roles/lifesciences.viewer", "stage": "BETA", "title": "Cloud Life Sciences Viewer" }, { "description": "Full access to operate on Cloud Life Sciences workflows.", "etag": "AA==", "name": "roles/lifesciences.workflowsRunner", "stage": "BETA", "title": "Cloud Life Sciences Workflows Runner" }, { "description": "Full access to Live Stream resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/livestream.editor", "stage": "GA", "title": "Live Stream Editor" }, { "description": "Uploads media files to customer GCS buckets.", "etag": "AA==", "has_dataaccess": true, "name": "roles/livestream.serviceAgent", "stage": "GA", "title": "Live Stream Service Agent" }, { "description": "Read access to Live Stream resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/livestream.viewer", "stage": "GA", "title": "Live Stream Viewer" }, { "description": "Access to all logging permissions, and dependent permissions.", "etag": "AA==", "has_undocumented": true, "name": "roles/logging.admin", "stage": "GA", "title": "Logging Admin" }, { "description": "Ability to write logs to a log bucket.", "etag": "AA==", "name": "roles/logging.bucketWriter", "stage": "GA", "title": "Logs Bucket Writer" }, { "description": "Access to configure log exporting and metrics.", "etag": "AA==", "has_undocumented": true, "name": "roles/logging.configWriter", "stage": "GA", "title": "Logs Configuration Writer" }, { "description": "Ability to read restricted fields in a log bucket.", "etag": "AA==", "name": "roles/logging.fieldAccessor", "stage": "GA", "title": "Log Field Accessor" }, { "description": "Ability to see links for a 
bucket.", "etag": "AA==", "name": "roles/logging.linkViewer", "stage": "GA", "title": "Log Link Accessor" }, { "description": "Access to write logs.", "etag": "AA==", "name": "roles/logging.logWriter", "stage": "GA", "title": "Logs Writer" }, { "description": "Access to view all logs, including logs with private contents.", "etag": "AA==", "has_undocumented": true, "name": "roles/logging.privateLogViewer", "stage": "GA", "title": "Private Logs Viewer" }, { "description": "Grants a Cloud Logging Service Account the ability to create and link datasets.", "etag": "AA==", "name": "roles/logging.serviceAgent", "stage": "GA", "title": "Cloud Logging Service Agent" }, { "description": "Ability to write SQL Alerts.", "etag": "AA==", "has_undocumented": true, "name": "roles/logging.sqlAlertWriter", "stage": "BETA", "title": "SQL Alert Writer" }, { "description": "Ability to read logs in a view.", "etag": "AA==", "name": "roles/logging.viewAccessor", "stage": "GA", "title": "Logs View Accessor" }, { "description": "Access to view logs, except for logs with private contents.", "etag": "AA==", "has_undocumented": true, "name": "roles/logging.viewer", "stage": "GA", "title": "Logs Viewer" }, { "description": "Full access to all Looker resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/looker.admin", "stage": "GA", "title": "Looker Admin" }, { "description": "Access to log in to a Looker instance.", "etag": "AA==", "name": "roles/looker.instanceUser", "stage": "GA", "title": "Looker Instance User" }, { "description": "Gives the Looker service account permission to manage customer resources. 
Does not include permissions to access BigQuery", "etag": "AA==", "has_undocumented": true, "name": "roles/looker.restrictedServiceAgent", "stage": "GA", "title": "Looker Service Agent" }, { "description": "Gives the Looker service account permission to manage customer resources", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/looker.serviceAgent", "stage": "GA", "title": "Looker Service Agent" }, { "description": "Read-only access to all Looker resources.", "etag": "AA==", "name": "roles/looker.viewer", "stage": "GA", "title": "Looker Viewer" }, { "description": "Admin of Looker instance mapping to a Studio subscription", "etag": "AA==", "has_undocumented": true, "name": "roles/lookerstudio.lookerAdmin", "stage": "BETA", "title": "Looker Admin" }, { "description": "Looker Studio Pro Manager", "etag": "AA==", "name": "roles/lookerstudio.proManager", "stage": "BETA", "title": "Looker Studio Pro Manager" }, { "description": "Full access to Google Cloud Managed Lustre resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/lustre.admin", "stage": "GA", "title": "Google Cloud Managed Lustre Admin" }, { "description": "Readonly access to Google Cloud Managed Lustre resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/lustre.viewer", "stage": "GA", "title": "Google Cloud Managed Lustre Viewer" }, { "description": "Readonly access to Maintenance API resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/maintenance.viewer", "stage": "BETA", "title": "Maintenance API Viewer" }, { "description": "Full access to Managed Flink resources.", "etag": "AA==", "name": "roles/managedflink.admin", "stage": "BETA", "title": "Managed Flink Admin" }, { "description": "Full access to Managed Flink Jobs and Sessions and read access to Deployments.", "etag": "AA==", "name": "roles/managedflink.developer", "stage": "BETA", "title": "Managed Flink Developer" }, { "description": "Gives Managed Flink Service Agent 
access to Cloud Platform resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/managedflink.serviceAgent", "stage": "GA", "title": "Managed Flink Service Agent" }, { "description": "Readonly access to Managed Flink resources.", "etag": "AA==", "name": "roles/managedflink.viewer", "stage": "BETA", "title": "Managed Flink Viewer" }, { "description": "Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.", "etag": "AA==", "name": "roles/managedidentities.admin", "stage": "GA", "title": "Google Cloud Managed Identities Admin" }, { "description": "Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project-level", "etag": "AA==", "name": "roles/managedidentities.backupAdmin", "stage": "GA", "title": "Google Cloud Managed Identities Backup Admin" }, { "description": "Read-only access to Google Cloud Managed Identities Backup and related resources.", "etag": "AA==", "name": "roles/managedidentities.backupViewer", "stage": "GA", "title": "Google Cloud Managed Identities Backup Viewer" }, { "description": "Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.", "etag": "AA==", "name": "roles/managedidentities.domainAdmin", "stage": "GA", "title": "Google Cloud Managed Identities Domain Admin" }, { "description": "Access to domain join VMs with Cloud AD", "etag": "AA==", "name": "roles/managedidentities.domainJoin", "stage": "BETA", "title": "Google Cloud Managed Identities Domain Join" }, { "description": "Full access to Google Cloud Managed Identities Domains and related resources. 
Intended to be granted on a project-level", "etag": "AA==", "name": "roles/managedidentities.peeringAdmin", "stage": "GA", "title": "Google Cloud Managed Identities Peering Admin" }, { "description": "Read-only access to Google Cloud Managed Identities Peering and related resources.", "etag": "AA==", "name": "roles/managedidentities.peeringViewer", "stage": "GA", "title": "Google Cloud Managed Identities Peering Viewer" }, { "description": "Gives Managed Identities service account access to managed resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedidentities.serviceAgent", "stage": "GA", "title": "Cloud Managed Identities Service Agent" }, { "description": "Read-only access to Google Cloud Managed Identities Domains and related resources.", "etag": "AA==", "name": "roles/managedidentities.viewer", "stage": "GA", "title": "Google Cloud Managed Identities Viewer" }, { "description": "Read and write access to Managed Kafka ACL resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.aclEditor", "stage": "GA", "title": "Managed Kafka ACL Editor" }, { "description": "Readonly access to Managed Kafka ACL resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.aclViewer", "stage": "GA", "title": "Managed Kafka ACL Viewer" }, { "description": "Full access to Managed Kafka resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.admin", "stage": "GA", "title": "Managed Kafka Admin" }, { "description": "Provides access to connect to the Kafka servers in a cluster, i.e. provides Kafka data plane access. Intended for, e.g., producers and consumers.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.client", "stage": "GA", "title": "Managed Kafka Client" }, { "description": "Provides read and write access to Kafka clusters. 
Intended for, e.g., IT Departments that provision Kafka clusters, but need not be able to read or modify topics or consumer groups.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.clusterEditor", "stage": "GA", "title": "Managed Kafka Cluster Editor" }, { "description": "Provides read and write access to Kafka Connect clusters. Intended for, e.g., IT Departments that provision Kafka Connect clusters, but need not be able to read or modify connectors.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.connectClusterEditor", "stage": "BETA", "title": "Managed Kafka Connect Cluster Editor" }, { "description": "Provides read and write access to connectors. Intended for, e.g., developers who configure and operate connectors.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.connectorEditor", "stage": "BETA", "title": "Managed Kafka Connector Editor" }, { "description": "Provides read and write access to consumer group metadata. 
Intended for, e.g., developers who configure consumer groups.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.consumerGroupEditor", "stage": "GA", "title": "Managed Kafka Consumer Group Editor" }, { "description": "Full access to schemas, schema versions and configs", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.schemaRegistryAdmin", "stage": "BETA", "title": "Schema Registry Admin" }, { "description": "View and edit schemas and schema versions", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.schemaRegistryEditor", "stage": "BETA", "title": "Schema Registry Editor" }, { "description": "View schemas and schema versions", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.schemaRegistryViewer", "stage": "BETA", "title": "Schema Registry Viewer" }, { "description": "Gives Managed Kafka Service Agent access to Cloud Platform resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.serviceAgent", "stage": "GA", "title": "Managed Kafka Service Agent" }, { "description": "Provides read and write access to topic metadata. 
Intended for, e.g., developers who configure topics.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.topicEditor", "stage": "GA", "title": "Managed Kafka Topic Editor" }, { "description": "Readonly access to Managed Kafka resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/managedkafka.viewer", "stage": "GA", "title": "Managed Kafka Viewer" }, { "description": "Access to write Attack Surface Management", "etag": "AA==", "name": "roles/mandiant.attackSurfaceManagementEditor", "stage": "BETA", "title": "Mandiant Attack Surface Management Editor" }, { "description": "Access to read Attack Surface Management", "etag": "AA==", "name": "roles/mandiant.attackSurfaceManagementViewer", "stage": "BETA", "title": "Mandiant Attack Surface Management Viewer" }, { "description": "Access to write Digital Threat Monitoring", "etag": "AA==", "name": "roles/mandiant.digitalThreatMonitoringEditor", "stage": "BETA", "title": "Mandiant Digital Threat Monitoring Editor" }, { "description": "Access to read Digital Threat Monitoring", "etag": "AA==", "name": "roles/mandiant.digitalThreatMonitoringViewer", "stage": "BETA", "title": "Mandiant Digital Threat Monitoring Viewer" }, { "description": "Access to write Expertise On Demand", "etag": "AA==", "name": "roles/mandiant.expertiseOnDemandEditor", "stage": "BETA", "title": "Mandiant Expertise On Demand Editor" }, { "description": "Access to read Expertise On Demand", "etag": "AA==", "name": "roles/mandiant.expertiseOnDemandViewer", "stage": "BETA", "title": "Mandiant Expertise On Demand Viewer" }, { "description": "Access to write Threat Intel", "etag": "AA==", "name": "roles/mandiant.threatIntelEditor", "stage": "BETA", "title": "Mandiant Threat Intel Editor" }, { "description": "Access to read Threat Intel", "etag": "AA==", "name": "roles/mandiant.threatIntelViewer", "stage": "BETA", "title": "Mandiant Threat Intel Viewer" }, { "description": "Access to write Validation", "etag": "AA==", "name": 
"roles/mandiant.validationEditor", "stage": "BETA", "title": "Mandiant Validation Editor" }, { "description": "Access to read Validation", "etag": "AA==", "name": "roles/mandiant.validationViewer", "stage": "BETA", "title": "Mandiant Validation Viewer" }, { "description": "Grants permission to read and write everything", "etag": "AA==", "has_undocumented": true, "name": "roles/mapsadmin.admin", "stage": "GA", "title": "Maps API Admin" }, { "description": "Grants permission to read everything", "etag": "AA==", "has_undocumented": true, "name": "roles/mapsadmin.viewer", "stage": "GA", "title": "Maps API Viewer" }, { "description": "Grants read-only access to Mobility Solutions Overages metric data.", "etag": "AA==", "has_undocumented": true, "name": "roles/mapsanalytics.mobilitySolutionsOverageViewer", "stage": "BETA", "title": "Mobility Solutions Overages Viewer" }, { "description": "Grants read-only access to all of the Maps Analytics resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/mapsanalytics.viewer", "stage": "BETA", "title": "Maps Analytics Viewer" }, { "description": "Grants read and write access to all the Maps Platform Datasets API resources", "etag": "AA==", "name": "roles/mapsplatformdatasets.admin", "stage": "BETA", "title": "Maps Platform Datasets Admin" }, { "description": "Grants readonly access to all the Maps Platform Datasets API resources", "etag": "AA==", "name": "roles/mapsplatformdatasets.viewer", "stage": "BETA", "title": "Maps Platform Datasets Viewer" }, { "description": "Full access to Marketplace Solutions resources.", "etag": "AA==", "name": "roles/marketplacesolutions.admin", "stage": "BETA", "title": "Marketplace Solutions Admin" }, { "description": "Edit access to Marketplace Solutions resources.", "etag": "AA==", "name": "roles/marketplacesolutions.editor", "stage": "BETA", "title": "Marketplace Solutions Editor" }, { "description": "Readonly access to Marketplace Solutions resources.", "etag": "AA==", "name": 
"roles/marketplacesolutions.viewer", "stage": "BETA", "title": "Marketplace Solutions Viewer" }, { "description": "Role for calling tools on any MCP server enabled by the parent project.", "etag": "AA==", "has_undocumented": true, "name": "roles/mcp.toolUser", "stage": "BETA", "title": "MCP tool user" }, { "description": "Downloads and uploads media files from and to customer GCS buckets.", "etag": "AA==", "has_dataaccess": true, "name": "roles/mediaasset.serviceAgent", "stage": "GA", "title": "Media Asset Service Agent" }, { "description": "Full access to Memcached instances and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/memcache.admin", "stage": "GA", "title": "Cloud Memorystore Memcached Admin" }, { "description": "Read-Write access to Memcached instances and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/memcache.editor", "stage": "GA", "title": "Cloud Memorystore Memcached Editor" }, { "description": "Gives Cloud Memorystore Memcached service account access to managed resource", "etag": "AA==", "has_undocumented": true, "name": "roles/memcache.serviceAgent", "stage": "GA", "title": "Cloud Memorystore Memcached Service Agent" }, { "description": "Read-only access to Memcached instances and related resources.", "etag": "AA==", "name": "roles/memcache.viewer", "stage": "GA", "title": "Cloud Memorystore Memcached Viewer" }, { "description": "Full access to Memorystore resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/memorystore.admin", "stage": "GA", "title": "Memorystore Admin" }, { "description": "Access to connecting to Memorystore Server db.", "etag": "AA==", "name": "roles/memorystore.dbConnectionUser", "stage": "GA", "title": "Memorystore DB Connector User" }, { "description": "Gives Cloud Memorystore service account access to managed resource", "etag": "AA==", "has_undocumented": true, "name": "roles/memorystore.serviceAgent", "stage": "GA", "title": "Cloud Memorystore 
Service Agent" }, { "description": "Readonly access to Memorystore resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/memorystore.viewer", "stage": "GA", "title": "Memorystore Viewer" }, { "description": "Full access to all mesh configuration resources", "etag": "AA==", "name": "roles/meshconfig.admin", "stage": "BETA", "title": "Mesh Config Admin" }, { "description": "Apply mesh configuration", "etag": "AA==", "has_privesc": true, "name": "roles/meshconfig.serviceAgent", "stage": "GA", "title": "Mesh Config Service Agent" }, { "description": "Read access to mesh configuration", "etag": "AA==", "name": "roles/meshconfig.viewer", "stage": "BETA", "title": "Mesh Config Viewer" }, { "description": "Anthos Service Mesh Managed Control Plane Agent", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/meshcontrolplane.serviceAgent", "stage": "GA", "title": "Mesh Managed Control Plane Service Agent" }, { "description": "Run user-space Istio components", "etag": "AA==", "has_undocumented": true, "name": "roles/meshdataplane.serviceAgent", "stage": "GA", "title": "Mesh Data Plane Service Agent" }, { "description": "Full access to all Dataproc Metastore resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/metastore.admin", "stage": "GA", "title": "Dataproc Metastore Admin" }, { "description": "Read and write access to all Dataproc Metastore resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/metastore.editor", "stage": "GA", "title": "Dataproc Metastore Editor" }, { "description": "Access to the Metastore Federation resource.", "etag": "AA==", "name": "roles/metastore.federationAccessor", "stage": "GA", "title": "Metastore Federation Accessor" }, { "description": "Access to read and modify the metadata of databases and tables under those databases.", "etag": "AA==", "name": "roles/metastore.metadataEditor", "stage": "GA", "title": "Dataproc Metastore Metadata Editor" }, { 
"description": "Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.", "etag": "AA==", "name": "roles/metastore.metadataMutateAdmin", "stage": "GA", "title": "Dataproc Metastore Metadata Mutate Admin" }, { "description": "Read-only access to Dataproc Metastore resources with additional metadata operations permission.", "etag": "AA==", "has_undocumented": true, "name": "roles/metastore.metadataOperator", "stage": "GA", "title": "Dataproc Metastore Metadata Operator" }, { "description": "Full access to the metadata of databases and tables under those databases.", "etag": "AA==", "has_undocumented": true, "name": "roles/metastore.metadataOwner", "stage": "GA", "title": "Dataproc Metastore Data Owner" }, { "description": "Access to query metadata from a Dataproc Metastore service's underlying metadata store. ", "etag": "AA==", "name": "roles/metastore.metadataQueryAdmin", "stage": "GA", "title": "Dataproc Metastore Metadata Query Admin" }, { "description": "Access to the Dataproc Metastore gRPC endpoint", "etag": "AA==", "name": "roles/metastore.metadataUser", "stage": "GA", "title": "Dataproc Metastore Metadata User" }, { "description": "Access to read the metadata of databases and tables under those databases", "etag": "AA==", "name": "roles/metastore.metadataViewer", "stage": "GA", "title": "Dataproc Metastore Metadata Viewer" }, { "description": "Access to Dataproc Metastore Managed Migration resources and workflow.", "etag": "AA==", "has_credentialexposure": true, "name": "roles/metastore.migrationAdmin", "stage": "GA", "title": "Dataproc Metastore Managed Migration Admin" }, { "description": "Gives the Dataproc Metastore service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/metastore.serviceAgent", "stage": "GA", "title": "Dataproc Metastore Service Agent" }, { "description": "Read-only access to all Dataproc Metastore resources.", "etag": "AA==", 
"has_undocumented": true, "name": "roles/metastore.user", "stage": "GA", "title": "Dataproc Metastore Viewer" }, { "description": "Full access to Migration Center all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/migrationcenter.admin", "stage": "BETA", "title": "Migration Center Admin" }, { "description": "Migration Center Discover Client role", "etag": "AA==", "name": "roles/migrationcenter.discoveryClient", "stage": "BETA", "title": "Migration Center Discovery Client" }, { "description": "Registrator of Migration Center Discover Clients", "etag": "AA==", "name": "roles/migrationcenter.discoveryClientRegistrator", "stage": "BETA", "title": "Migration Center Discovery Client Registrator" }, { "description": "Gives Migration Center Service Account access to objects stored in object store and Cloud Migration products.", "etag": "AA==", "has_dataaccess": true, "name": "roles/migrationcenter.serviceAgent", "stage": "GA", "title": "Migration Center Service Agent" }, { "description": "Read-only access to Migration Center all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/migrationcenter.viewer", "stage": "BETA", "title": "Migration Center Viewer" }, { "description": "Full access to AI Platform.", "etag": "AA==", "name": "roles/ml.admin", "stage": "GA", "title": "AI Platform Admin" }, { "description": "Access to create training and prediction jobs, models and versions, send online prediction requests.", "etag": "AA==", "name": "roles/ml.developer", "stage": "GA", "title": "AI Platform Developer" }, { "description": "Full access to the job.", "etag": "AA==", "name": "roles/ml.jobOwner", "stage": "GA", "title": "AI Platform Job Owner" }, { "description": "Full access to the model and its versions.", "etag": "AA==", "name": "roles/ml.modelOwner", "stage": "GA", "title": "AI Platform Model Owner" }, { "description": "Permissions to read the model and its versions, and use them for prediction.", "etag": "AA==", "name": 
"roles/ml.modelUser", "stage": "GA", "title": "AI Platform Model User" }, { "description": "Full access to the operation.", "etag": "AA==", "name": "roles/ml.operationOwner", "stage": "GA", "title": "AI Platform Operation Owner" }, { "description": "AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/ml.serviceAgent", "stage": "GA", "title": "AI Platform Service Agent" }, { "description": "Read-only access to AI Platform resources.", "etag": "AA==", "name": "roles/ml.viewer", "stage": "GA", "title": "AI Platform Viewer" }, { "description": "Grants full access to all modelarmor resources. Intended for administrators & owners.", "etag": "AA==", "has_undocumented": true, "name": "roles/modelarmor.admin", "stage": "GA", "title": "Model Armor Admin" }, { "description": "Grants access to use Model Armor Callout service. Intended for users & applications which plan to use Model Armor Callout service.", "etag": "AA==", "has_undocumented": true, "name": "roles/modelarmor.calloutUser", "stage": "BETA", "title": "Model Armor Callout User" }, { "description": "Grants full access to all Model Armor Floor Setting resources. Intended for administrators & owners.", "etag": "AA==", "has_undocumented": true, "name": "roles/modelarmor.floorSettingsAdmin", "stage": "GA", "title": "Model Armor Floor Setting Admin" }, { "description": "Grants read access to all Model Armor Floor Setting resources. 
Intended for viewers.", "etag": "AA==", "has_undocumented": true, "name": "roles/modelarmor.floorSettingsViewer", "stage": "GA", "title": "Model Armor Floor Setting Viewer" }, { "description": "Gives Model Armor Service Account permission to make DLP calls.", "etag": "AA==", "has_undocumented": true, "name": "roles/modelarmor.serviceAgent", "stage": "GA", "title": "Model Armor Service Agent" }, { "description": "Grants access to sanitize APIs for templates. Intended for users & applications which plan to use a template.", "etag": "AA==", "has_undocumented": true, "name": "roles/modelarmor.user", "stage": "GA", "title": "Model Armor User" }, { "description": "Grants read access to all model armor resources. Intended for viewers.", "etag": "AA==", "has_undocumented": true, "name": "roles/modelarmor.viewer", "stage": "GA", "title": "Model Armor Viewer" }, { "description": "All current and future monitoring permissions.", "etag": "AA==", "has_undocumented": true, "name": "roles/monitoring.admin", "stage": "GA", "title": "Monitoring Admin" }, { "description": "Read/write access to alerting policies.", "etag": "AA==", "has_undocumented": true, "name": "roles/monitoring.alertPolicyEditor", "stage": "GA", "title": "Monitoring AlertPolicy Editor" }, { "description": "Read-only access to alerting policies.", "etag": "AA==", "has_undocumented": true, "name": "roles/monitoring.alertPolicyViewer", "stage": "GA", "title": "Monitoring AlertPolicy Viewer" }, { "description": "Read access to alerts.", "etag": "AA==", "has_undocumented": true, "name": "roles/monitoring.alertViewer", "stage": "BETA", "title": "Monitoring Alert Viewer" }, { "description": "Read/write access to incidents from Cloud Console.", "etag": "AA==", "has_undocumented": true, "name": "roles/monitoring.cloudConsoleIncidentEditor", "stage": "BETA", "title": "Monitoring Cloud Console Incident Editor" }, { "description": "Read access to incidents from Cloud Console.", "etag": "AA==", "has_undocumented": true, 
"name": "roles/monitoring.cloudConsoleIncidentViewer", "stage": "BETA", "title": "Monitoring Cloud Console Incident Viewer" }, { "description": "Read/write access to dashboard configurations.", "etag": "AA==", "has_undocumented": true, "name": "roles/monitoring.dashboardEditor", "stage": "GA", "title": "Monitoring Dashboard Configuration Editor" }, { "description": "Read-only access to dashboard configurations.", "etag": "AA==", "has_undocumented": true, "name": "roles/monitoring.dashboardViewer", "stage": "GA", "title": "Monitoring Dashboard Configuration Viewer" }, { "description": "Read/write access to all monitoring data and configuration.", "etag": "AA==", "has_undocumented": true, "name": "roles/monitoring.editor", "stage": "GA", "title": "Monitoring Editor" }, { "description": "Write-only access to metrics. This provides exactly the permissions needed by the Stackdriver agent and other systems that send metrics.", "etag": "AA==", "has_undocumented": true, "name": "roles/monitoring.metricWriter", "stage": "GA", "title": "Monitoring Metric Writer" }, { "description": "Access to add and remove monitored projects from metrics scopes.", "etag": "AA==", "name": "roles/monitoring.metricsScopesAdmin", "stage": "BETA", "title": "Monitoring Metrics Scopes Admin" }, { "description": "Read-only access to metrics scopes and their monitored projects.", "etag": "AA==", "name": "roles/monitoring.metricsScopesViewer", "stage": "BETA", "title": "Monitoring Metrics Scopes Viewer" }, { "description": "Read/write access to notification channels.", "etag": "AA==", "name": "roles/monitoring.notificationChannelEditor", "stage": "BETA", "title": "Monitoring NotificationChannel Editor" }, { "description": "Read-only access to notification channels.", "etag": "AA==", "name": "roles/monitoring.notificationChannelViewer", "stage": "BETA", "title": "Monitoring NotificationChannel Viewer" }, { "description": "Grants Cloud Monitoring and Cloud Alerting permission to access consumer 
resources and track usage.", "etag": "AA==", "has_undocumented": true, "name": "roles/monitoring.notificationServiceAgent", "stage": "GA", "title": "Monitoring Service Agent" }, { "description": "Read/write access to services.", "etag": "AA==", "name": "roles/monitoring.servicesEditor", "stage": "GA", "title": "Monitoring Services Editor" }, { "description": "Read-only access to services.", "etag": "AA==", "name": "roles/monitoring.servicesViewer", "stage": "GA", "title": "Monitoring Services Viewer" }, { "etag": "AA==", "name": "roles/monitoring.snoozeEditor", "stage": "GA", "title": "Monitoring Snooze Editor" }, { "etag": "AA==", "name": "roles/monitoring.snoozeViewer", "stage": "GA", "title": "Monitoring Snooze Viewer" }, { "description": "Read/write access to uptime check configurations.", "etag": "AA==", "name": "roles/monitoring.uptimeCheckConfigEditor", "stage": "BETA", "title": "Monitoring Uptime Check Configuration Editor" }, { "description": "Read-only access to uptime check configurations.", "etag": "AA==", "name": "roles/monitoring.uptimeCheckConfigViewer", "stage": "BETA", "title": "Monitoring Uptime Check Configuration Viewer" }, { "description": "Read-only access to get and list information about all monitoring data and configuration.", "etag": "AA==", "has_undocumented": true, "name": "roles/monitoring.viewer", "stage": "GA", "title": "Monitoring Viewer" }, { "description": "Gives the Multi Cluster Ingress service agent access to CloudPlatform resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/multiclusteringress.serviceAgent", "stage": "GA", "title": "Multi Cluster Ingress Service Agent" }, { "description": "Gives the Multi-cluster metering service agent access to CloudPlatform resources.", "etag": "AA==", "name": "roles/multiclustermetering.serviceAgent", "stage": "GA", "title": "Multi-cluster metering Service Agent" }, { "description": "Gives the Multi-Cluster Service Discovery 
service access to Cloud Platform resources.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/multiclusterservicediscovery.serviceAgent", "stage": "GA", "title": "Multi-Cluster Service Discovery Service Agent" }, { "description": "Admin access to Google Home Developer Console resources", "etag": "AA==", "name": "roles/nestconsole.homeDeveloperAdmin", "stage": "GA", "title": "Google Home Developer Console Admin" }, { "description": "Read-Write access to Google Home Developer Console resources", "etag": "AA==", "name": "roles/nestconsole.homeDeveloperEditor", "stage": "GA", "title": "Google Home Developer Console Editor" }, { "description": "Read-only access to Google Home Developer Console resources", "etag": "AA==", "name": "roles/nestconsole.homeDeveloperViewer", "stage": "GA", "title": "Google Home Developer Console Reader" }, { "description": "Full access to Google Cloud NetApp Volumes resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/netapp.admin", "stage": "BETA", "title": "Google Cloud NetApp Volumes Admin" }, { "description": "Access to export data from Google Cloud NetApp Volumes.", "etag": "AA==", "has_undocumented": true, "name": "roles/netapp.dataExporter", "stage": "BETA", "title": "Google Cloud NetApp Volumes Data Exporter" }, { "description": "Readonly access to Google Cloud NetApp Volumes resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/netapp.viewer", "stage": "BETA", "title": "Google Cloud NetApp Volumes Viewer" }, { "description": "This role is managed by NetApp, not Google.", "etag": "AA==", "name": "roles/netappcloudvolumes.admin", "stage": "BETA", "title": "NetApp Cloud Volumes Admin" }, { "description": "This role is managed by NetApp, not Google.", "etag": "AA==", "name": "roles/netappcloudvolumes.viewer", "stage": "BETA", "title": "NetApp Cloud Volumes Viewer" }, { "description": "Gives Network Actions service account access to read required resources.", "etag": "AA==", 
"has_undocumented": true, "name": "roles/networkactions.serviceAgent", "stage": "GA", "title": "Network Actions Service Agent" }, { "description": "Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.", "etag": "AA==", "name": "roles/networkconnectivity.consumerNetworkAdmin", "stage": "GA", "title": "Service Automation Consumer Network Admin" }, { "description": "Enables full access to group resources and read-only access to hub and spoke resources", "etag": "AA==", "has_undocumented": true, "name": "roles/networkconnectivity.groupAdmin", "stage": "GA", "title": "Group Admin" }, { "description": "Enables use access on group resources", "etag": "AA==", "name": "roles/networkconnectivity.groupUser", "stage": "GA", "title": "Group User" }, { "description": "Enables full access to hub and spoke resources", "etag": "AA==", "has_undocumented": true, "name": "roles/networkconnectivity.hubAdmin", "stage": "GA", "title": "Hub & Spoke Admin" }, { "description": "Enables read-only access to hub and spoke resources", "etag": "AA==", "has_undocumented": true, "name": "roles/networkconnectivity.hubViewer", "stage": "GA", "title": "Hub & Spoke Viewer" }, { "description": "Full access to all Multicloud Data Transfer Config resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networkconnectivity.multicloudDataTransferConfigAdmin", "stage": "GA", "title": "Multicloud Data Transfer Config Admin" }, { "description": "Read-only access to all Multicloud Data Transfer Config resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networkconnectivity.multicloudDataTransferConfigViewer", "stage": "GA", "title": "Multicloud Data Transfer Config Viewer" }, { "description": "Access to all Destination resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networkconnectivity.multicloudDataTransferDestinationAdmin", "stage": "GA", "title": "Destination Admin" }, { "description": "Read-only access to all 
Destination resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networkconnectivity.multicloudDataTransferDestinationViewer", "stage": "GA", "title": "Destination Viewer" }, { "description": "Full access to all Regional Endpoint resources.", "etag": "AA==", "name": "roles/networkconnectivity.regionalEndpointAdmin", "stage": "GA", "title": "Regional Endpoint Admin" }, { "description": "Read-only access to all Regional Endpoint resources.", "etag": "AA==", "name": "roles/networkconnectivity.regionalEndpointViewer", "stage": "GA", "title": "Regional Endpoint Viewer" }, { "description": "Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networkconnectivity.serviceAgent", "stage": "GA", "title": "Network Connectivity Service Agent" }, { "description": "Service Class User uses a ServiceClass", "etag": "AA==", "name": "roles/networkconnectivity.serviceClassUser", "stage": "GA", "title": "Service Class User" }, { "description": "Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps", "etag": "AA==", "name": "roles/networkconnectivity.serviceProducerAdmin", "stage": "GA", "title": "Service Automation Service Producer Admin" }, { "description": "Enables full access to spoke resources and read-only access to hub resources", "etag": "AA==", "has_undocumented": true, "name": "roles/networkconnectivity.spokeAdmin", "stage": "GA", "title": "Spoke Admin" }, { "description": "Enables full access to Transport resources", "etag": "AA==", "has_undocumented": true, "name": "roles/networkconnectivity.transportAdmin", "stage": "GA", "title": "Transport Admin" }, { "description": "Enables view access to Transport resources", "etag": "AA==", "has_undocumented": true, "name": "roles/networkconnectivity.transportViewer", "stage": "GA", "title": "Transport Viewer" }, { 
"description": "Full access to Network Management resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networkmanagement.admin", "stage": "GA", "title": "Network Management Admin" }, { "description": "Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.", "etag": "AA==", "name": "roles/networkmanagement.serviceAgent", "stage": "GA", "title": "GCP Network Management Service Agent" }, { "description": "Read-only access to Network Management resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networkmanagement.viewer", "stage": "GA", "title": "Network Management Viewer" }, { "description": "Allows the Network Security service to access dependent resources", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.authzServiceAgent", "stage": "GA", "title": "Network Security Authz Service Agent" }, { "description": "Enables full access to DNS Threat Detector resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.dnsThreatDetectorAdmin", "stage": "GA", "title": "DNS Threat Detector Admin" }, { "description": "Enables view access to DNS Threat Detector resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.dnsThreatDetectorViewer", "stage": "GA", "title": "DNS Threat Detector Viewer" }, { "description": "Enables full access to firewall endpoint and firewall endpoint association resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.firewallEndpointAdmin", "stage": "BETA", "title": "Firewall Endpoint Admin" }, { "description": "Enables full access to intercept resources on the Producer's side.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.interceptDeploymentAdmin", "stage": "BETA", "title": "Intercept Deployment Admin" }, { "description": "Allows an external consumer to connect to a producer's 
interceptDeploymentGroup.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.interceptDeploymentExternalUser", "stage": "BETA", "title": "Intercept Deployment External User" }, { "description": "Allows a consumer to view and connect to a producer's interceptDeploymentGroup.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.interceptDeploymentUser", "stage": "BETA", "title": "Intercept Deployment User" }, { "description": "Enables read-only access to intercept resources on the Producer's side.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.interceptDeploymentViewer", "stage": "BETA", "title": "Intercept Deployment Viewer" }, { "description": "Enables full access to intercept resources on the consumer's side.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.interceptEndpointAdmin", "stage": "BETA", "title": "Intercept Endpoint Admin" }, { "description": "Allows a consumer to connect their networks to a interceptEndpointGroup.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.interceptEndpointUser", "stage": "BETA", "title": "Intercept Endpoint User" }, { "description": "Enables read-only access to intercept resources on the Consumer's side.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.interceptEndpointViewer", "stage": "BETA", "title": "Intercept Endpoint Viewer" }, { "description": "Enables full access to mirroring resources on the Producer's side.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.mirroringDeploymentAdmin", "stage": "BETA", "title": "Mirroring Deployment Admin" }, { "description": "Allows an external consumer to a producer's mirroringDeploymentGroup.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.mirroringDeploymentExternalUser", "stage": "BETA", "title": "Mirroring Deployment External User" }, { "description": "Allows a consumer to view and 
connect to a Producer's mirroringDeploymentGroup.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.mirroringDeploymentUser", "stage": "BETA", "title": "Mirroring Deployment User" }, { "description": "Enables read-only access to mirroring resources on the Producer's side.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.mirroringDeploymentViewer", "stage": "BETA", "title": "Mirroring Deployment Viewer" }, { "description": "Enables full access to mirroring resources on the consumer's side.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.mirroringEndpointAdmin", "stage": "BETA", "title": "Mirroring Endpoint Admin" }, { "description": "Allows a consumer to connect their networks to a mirroringEndpointGroup.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.mirroringEndpointUser", "stage": "BETA", "title": "Mirroring Endpoint User" }, { "description": "Enables read-only access to mirroring resources on the Consumer's side.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.mirroringEndpointViewer", "stage": "BETA", "title": "Mirroring Endpoint Viewer" }, { "description": "Enables full access to security profile and security profile group resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networksecurity.securityProfileAdmin", "stage": "BETA", "title": "Security Profile Admin" }, { "description": "Provides full access to Service Extensions resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networkservices.serviceExtensionsAdmin", "stage": "BETA", "title": "Service Extensions Admin" }, { "description": "Provides read-only access to Service Extensions resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/networkservices.serviceExtensionsViewer", "stage": "BETA", "title": "Service Extensions Viewer" }, { "description": "Full access to Notebooks all resources.", "etag": "AA==", "has_dataaccess": 
true, "has_undocumented": true, "name": "roles/notebooks.admin", "stage": "GA", "title": "Notebooks Admin" }, { "description": "Full access to Notebooks all resources through compute API.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/notebooks.legacyAdmin", "stage": "GA", "title": "Notebooks Legacy Admin" }, { "description": "Read-only access to Notebooks all resources through compute API.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/notebooks.legacyViewer", "stage": "GA", "title": "Notebooks Legacy Viewer" }, { "description": "Restricted access for running scheduled Notebooks.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/notebooks.runner", "stage": "GA", "title": "Notebooks Runner" }, { "description": "Provide access for notebooks service agent to manage notebook instances in user projects", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/notebooks.serviceAgent", "stage": "GA", "title": "AI Platform Notebooks Service Agent" }, { "description": "Read-only access to Notebooks all resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/notebooks.viewer", "stage": "GA", "title": "Notebooks Viewer" }, { "description": "Read/write access to OAuth config resources", "etag": "AA==", "has_undocumented": true, "name": "roles/oauthconfig.editor", "stage": "BETA", "title": "OAuth Config Editor" }, { "description": "Read-only access to OAuth config resources", "etag": "AA==", "has_undocumented": true, "name": "roles/oauthconfig.viewer", "stage": "BETA", "title": "OAuth Config Viewer" }, { "description": "Full access to Observability resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/observability.admin", "stage": "BETA", "title": "Observability Admin" }, { "description": 
"Grants permissions to use Cloud Observability Analytics.", "etag": "AA==", "has_undocumented": true, "name": "roles/observability.analyticsUser", "stage": "BETA", "title": "Observability Analytics User" }, { "description": "Edit access to Observability resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/observability.editor", "stage": "BETA", "title": "Observability Editor" }, { "description": "Grants permission to view and edit Observability, Logging, Trace, and Monitoring scopes", "etag": "AA==", "has_undocumented": true, "name": "roles/observability.scopesEditor", "stage": "BETA", "title": "Observability Scopes Editor" }, { "description": "Grants Observability service account the ability to list, create and link datasets in the consumer project.", "etag": "AA==", "has_undocumented": true, "name": "roles/observability.serviceAgent", "stage": "GA", "title": "Observability Service Agent" }, { "description": "Read only access to data defined by an Observability View.", "etag": "AA==", "has_undocumented": true, "name": "roles/observability.viewAccessor", "stage": "BETA", "title": "Observability View Accessor" }, { "description": "Read only access to Observability resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/observability.viewer", "stage": "BETA", "title": "Observability Viewer" }, { "description": "Grants Oracle Database@Google Cloud access to services and APIs in the user project", "etag": "AA==", "has_undocumented": true, "name": "roles/oci.serviceAgent", "stage": "GA", "title": "Oracle Database@Google Cloud Service Agent" }, { "description": "All permissions for On-Demand Scanning", "etag": "AA==", "name": "roles/ondemandscanning.admin", "stage": "BETA", "title": "On-Demand Scanning Admin" }, { "description": "Read-only access to resource metadata.", "etag": "AA==", "name": "roles/opsconfigmonitoring.resourceMetadata.viewer", "stage": "BETA", "title": "Ops Config Monitoring Resource Metadata Viewer" }, { "description": 
"Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.", "etag": "AA==", "name": "roles/opsconfigmonitoring.resourceMetadata.writer", "stage": "BETA", "title": "Ops Config Monitoring Resource Metadata Writer" }, { "description": "Grants full access to manage all Oracle Database resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.admin", "stage": "GA", "title": "Oracle Database@Google Cloud admin" }, { "description": "Grants full access to manage all Autonomous Database resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.autonomousDatabaseAdmin", "stage": "GA", "title": "Oracle Database@Google Cloud Autonomous Database Admin" }, { "description": "Grants read access to see all Autonomous Database resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.autonomousDatabaseViewer", "stage": "GA", "title": "Oracle Database@Google Cloud Autonomous Database Viewer" }, { "description": "Grants full access to manage all Exadata Infrastructure resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.cloudExadataInfrastructureAdmin", "stage": "GA", "title": "Oracle Database@Google Cloud Exadata Infrastructure Admin" }, { "description": "Grants user access to use all Exadata Infrastructure resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.cloudExadataInfrastructureUser", "stage": "GA", "title": "Oracle Database@Google Cloud Exadata Infrastructure User" }, { "description": "Grants read access to see all Exadata Infrastructure resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.cloudExadataInfrastructureViewer", "stage": "GA", "title": "Oracle Database@Google Cloud Exadata Infrastructure Viewer" }, { "description": "Grants full access to manage all VM Cluster resources.", "etag": 
"AA==", "has_undocumented": true, "name": "roles/oracledatabase.cloudVmClusterAdmin", "stage": "GA", "title": "Oracle Database@Google Cloud VM Cluster Admin" }, { "description": "Grants read access to see all VM Cluster resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.cloudVmClusterViewer", "stage": "GA", "title": "Oracle Database@Google Cloud VM Cluster Viewer" }, { "description": "Grants read access to see all Container Database resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.databaseViewer", "stage": "GA", "title": "Oracle Database@Google Cloud Container Database Viewer" }, { "description": "Grants full access to manage all DB System resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.dbSystemAdmin", "stage": "GA", "title": "Oracle Database@Google Cloud DB System Admin" }, { "description": "Grants read access to see all DB System resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.dbSystemViewer", "stage": "GA", "title": "Oracle Database@Google Cloud DB System Viewer" }, { "description": "Grants full access to manage all Exadata Database Service on Exascale Infrastructure VM Cluster resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.exadbVmClusterAdmin", "stage": "GA", "title": "Oracle Database@Google Cloud Exadata Database Service on Exascale Infrastracture VM Cluster Admin" }, { "description": "Grants read access to see all Exadata Database Service on Exascale Infrastructure VM Cluster resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.exadbVmClusterViewer", "stage": "GA", "title": "Oracle Database@Google Cloud Exadata Database Service on Exascale Infrastracture VM Cluster Viewer" }, { "description": "Grants full access to manage all Exadata Database Service on Exascale Infrastructure Storage Vault resources.", "etag": "AA==", "has_undocumented": true, 
"name": "roles/oracledatabase.exascaleDbStorageVaultAdmin", "stage": "GA", "title": "Oracle Database@Google Cloud Exadata Database Service on Exascale Infrastracture Storage Vault Admin" }, { "description": "Grants read access to see all Exadata Database Service on Exascale Infrastructure Storage Vault resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.exascaleDbStorageVaultViewer", "stage": "GA", "title": "Oracle Database@Google Cloud Exadata Database Service on Exascale Infrastracture Storage Vault Viewer" }, { "description": "Grants full access to manage all ODB Network and ODB Subnet resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.networkAdmin", "stage": "GA", "title": "Oracle Database@Google Network Admin" }, { "description": "Grants full access to manage all ODB Network resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.odbNetworkAdmin", "stage": "GA", "title": "Oracle Database@Google ODB Network Admin" }, { "description": "Grants read access to see all ODB Network resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.odbNetworkViewer", "stage": "GA", "title": "Oracle Database@Google ODB Network Viewer" }, { "description": "Grants full access to manage all ODB Subnet resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.odbSubnetAdmin", "stage": "GA", "title": "Oracle Database@Google ODB Subnet Admin" }, { "description": "Grants use access to ODB Subnet resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.odbSubnetUser", "stage": "GA", "title": "Oracle Database@Google ODB Subnet User" }, { "description": "Grants read access to see all ODB Subnet resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.odbSubnetViewer", "stage": "GA", "title": "Oracle Database@Google ODB Subnet Viewer" }, { "description": "Grants read access to see all 
Pluggable Database resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.pluggableDatabaseViewer", "stage": "GA", "title": "Oracle Database@Google Cloud Pluggable Database Viewer" }, { "description": "Grants view access to all Oracle Database resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/oracledatabase.viewer", "stage": "GA", "title": "Oracle Database@Google Cloud viewer" }, { "description": "The permission to set Organization Policies on resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/orgpolicy.policyAdmin", "stage": "GA", "title": "Organization Policy Administrator" }, { "description": "Access to view Organization Policies on resources.", "etag": "AA==", "name": "roles/orgpolicy.policyViewer", "stage": "GA", "title": "Organization Policy Viewer" }, { "description": "Full access to OS Config resources", "etag": "AA==", "has_undocumented": true, "name": "roles/osconfig.admin", "stage": "GA", "title": "OS Config Admin" }, { "description": "Full admin access to GuestPolicies", "etag": "AA==", "name": "roles/osconfig.guestPolicyAdmin", "stage": "BETA", "title": "GuestPolicy Admin" }, { "description": "Editor of GuestPolicy resources", "etag": "AA==", "name": "roles/osconfig.guestPolicyEditor", "stage": "BETA", "title": "GuestPolicy Editor" }, { "description": "Viewer of GuestPolicy resources", "etag": "AA==", "name": "roles/osconfig.guestPolicyViewer", "stage": "BETA", "title": "GuestPolicy Viewer" }, { "description": "Viewer of OS Policies Compliance of VM instances", "etag": "AA==", "name": "roles/osconfig.instanceOSPoliciesComplianceViewer", "stage": "BETA", "title": "InstanceOSPoliciesCompliance Viewer" }, { "description": "Viewer of OS Inventories", "etag": "AA==", "name": "roles/osconfig.inventoryViewer", "stage": "GA", "title": "OS Inventory Viewer" }, { "description": "Full admin access to OS Policy Assignments", "etag": "AA==", "name": "roles/osconfig.osPolicyAssignmentAdmin", 
"stage": "GA", "title": "OSPolicyAssignment Admin" }, { "description": "Editor of OS Policy Assignments", "etag": "AA==", "name": "roles/osconfig.osPolicyAssignmentEditor", "stage": "GA", "title": "OSPolicyAssignment Editor" }, { "description": "Viewer of OS policy assignment reports for VM instances", "etag": "AA==", "name": "roles/osconfig.osPolicyAssignmentReportViewer", "stage": "GA", "title": "OSPolicyAssignmentReport Viewer" }, { "description": "Viewer of OS Policy Assignments", "etag": "AA==", "name": "roles/osconfig.osPolicyAssignmentViewer", "stage": "GA", "title": "OSPolicyAssignment Viewer" }, { "description": "Full admin access to PatchDeployments", "etag": "AA==", "name": "roles/osconfig.patchDeploymentAdmin", "stage": "GA", "title": "PatchDeployment Admin" }, { "description": "Viewer of PatchDeployment resources", "etag": "AA==", "name": "roles/osconfig.patchDeploymentViewer", "stage": "GA", "title": "PatchDeployment Viewer" }, { "description": "Access to execute Patch Jobs.", "etag": "AA==", "name": "roles/osconfig.patchJobExecutor", "stage": "GA", "title": "Patch Job Executor" }, { "description": "Get and list Patch Jobs.", "etag": "AA==", "name": "roles/osconfig.patchJobViewer", "stage": "GA", "title": "Patch Job Viewer" }, { "description": "Admin of PolicyOrchestrator resources", "etag": "AA==", "has_undocumented": true, "name": "roles/osconfig.policyOrchestratorAdmin", "stage": "BETA", "title": "PolicyOrchestrator Admin" }, { "description": "Viewer of PolicyOrchestrator resources", "etag": "AA==", "has_undocumented": true, "name": "roles/osconfig.policyOrchestratorViewer", "stage": "BETA", "title": "PolicyOrchestrator Viewer" }, { "description": "Read/write access to project feature settings", "etag": "AA==", "name": "roles/osconfig.projectFeatureSettingsEditor", "stage": "GA", "title": "Project Feature Settings Editor" }, { "description": "Read access to project feature settings", "etag": "AA==", "name": 
"roles/osconfig.projectFeatureSettingsViewer", "stage": "GA", "title": "Project Feature Settings Viewer" }, { "description": "Grants OS Config Rollout Service Account access to zonal OS Config resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/osconfig.rolloutServiceAgent", "stage": "GA", "title": "Cloud OS Config Rollout Service Agent" }, { "description": "Grants OS Config Service Account access to Google Compute Engine instances.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/osconfig.serviceAgent", "stage": "GA", "title": "Cloud OS Config Service Agent" }, { "description": "Provides read-only access to VM Manager Upgrade Reports", "etag": "AA==", "name": "roles/osconfig.upgradeReportViewer", "stage": "BETA", "title": "Upgrade Report Viewer" }, { "description": "Readonly access to OS Config resources", "etag": "AA==", "has_undocumented": true, "name": "roles/osconfig.viewer", "stage": "GA", "title": "OS Config Viewer" }, { "description": "Viewer of OS VulnerabilityReports", "etag": "AA==", "name": "roles/osconfig.vulnerabilityReportViewer", "stage": "GA", "title": "OS VulnerabilityReport Viewer" }, { "description": "Full access to most Google Cloud resources. 
See the list of included permissions.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/owner", "stage": "GA", "title": "Owner" }, { "description": "Full access to Parallelstore resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/parallelstore.admin", "stage": "GA", "title": "Parallelstore Admin" }, { "description": "Gives the Parallelstore service agent ability to access customer resources.", "etag": "AA==", "name": "roles/parallelstore.serviceAgent", "stage": "GA", "title": "Parallelstore Service Agent" }, { "description": "Readonly access to Parallelstore resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/parallelstore.viewer", "stage": "GA", "title": "Parallelstore Viewer" }, { "description": "Grants full access to all Parameter Manager resources. Intended for project admins & owners who need to perform all administrative tasks.", "etag": "AA==", "has_undocumented": true, "name": "roles/parametermanager.admin", "stage": "GA", "title": "Parameter Manager Admin" }, { "description": "Grants read access to ParameterManager ParameterVersion resources. Intended for users & applications that need to perform read operations on ParameterVersions only.", "etag": "AA==", "has_undocumented": true, "name": "roles/parametermanager.parameterAccessor", "stage": "GA", "title": "Parameter Manager Parameter Accessor" }, { "description": "Grants create access to Parameter Manager ParameterVersion resources. Intended for users & applications that need to perform create operations on ParameterVersions only.", "etag": "AA==", "has_undocumented": true, "name": "roles/parametermanager.parameterVersionAdder", "stage": "GA", "title": "Parameter Manager Parameter Version Adder" }, { "description": "Grants read & write access to all Parameter Manager ParameterVersion resources. 
Intended for users & applications that need to view Parameters and perform create/read/update/delete/list operations on ParameterVersions only.", "etag": "AA==", "has_undocumented": true, "name": "roles/parametermanager.parameterVersionManager", "stage": "GA", "title": "Parameter Manager Parameter Version Manager" }, { "description": "Grants read access to Parameter Manager Parameter & ParameterVersion resources. Intended for users & applications that need to perform read/list operations on Parameters and ParameterVersions only.", "etag": "AA==", "has_undocumented": true, "name": "roles/parametermanager.parameterViewer", "stage": "GA", "title": "Parameter Manager Parameter Viewer" }, { "description": "Full access to all Payments Reseller resources, including subscriptions, products and promotions", "etag": "AA==", "has_undocumented": true, "name": "roles/paymentsresellersubscription.partnerAdmin", "stage": "BETA", "title": "Payments Reseller Admin" }, { "description": "Read access to all Payments Reseller resources, including subscriptions, products and promotions", "etag": "AA==", "name": "roles/paymentsresellersubscription.partnerViewer", "stage": "BETA", "title": "Payments Reseller Viewer" }, { "description": "Read access to Payments Reseller Product resource", "etag": "AA==", "name": "roles/paymentsresellersubscription.productViewer", "stage": "BETA", "title": "Payments Reseller Products Viewer" }, { "description": "Read access to Payments Reseller Promotion resource", "etag": "AA==", "name": "roles/paymentsresellersubscription.promotionViewer", "stage": "BETA", "title": "Payments Reseller Promotions Viewer" }, { "description": "Write access to Payments Reseller Subscription resource", "etag": "AA==", "has_undocumented": true, "name": "roles/paymentsresellersubscription.subscriptionEditor", "stage": "BETA", "title": "Payments Reseller Subscriptions Editor" }, { "description": "Read access to Payments Reseller Subscription resource", "etag": "AA==", "name": 
"roles/paymentsresellersubscription.subscriptionViewer", "stage": "BETA", "title": "Payments Reseller Subscriptions Viewer" }, { "description": "Editor of UserSessions for a Payments Partner", "etag": "AA==", "has_undocumented": true, "name": "roles/paymentsresellersubscription.userSessionEditor", "stage": "BETA", "title": "Payments Partner UserSessions Editor" }, { "description": "Viewer user that can read all activity analysis.", "etag": "AA==", "has_undocumented": true, "name": "roles/policyanalyzer.activityAnalysisViewer", "stage": "BETA", "title": "Activity Analysis Viewer" }, { "description": "Grants the ability to enable and disable the usage of the policy remediator for the organization", "etag": "AA==", "name": "roles/policyremediatormanager.policyRemediatorAdmin", "stage": "BETA", "title": "Policy Remediator Admin" }, { "description": "Grants the ability to read/view the state of the policy remediator for the organization", "etag": "AA==", "name": "roles/policyremediatormanager.policyRemediatorReader", "stage": "BETA", "title": "Policy Remediator Reader" }, { "description": "Admin user that can run and access replays.", "etag": "AA==", "has_undocumented": true, "name": "roles/policysimulator.admin", "stage": "BETA", "title": "Simulator Admin" }, { "description": "OrgPolicy Admin that can run and access simulations.", "etag": "AA==", "name": "roles/policysimulator.orgPolicyAdmin", "stage": "BETA", "title": "OrgPolicy Simulator Admin" }, { "description": "Full access to all CA Service resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/privateca.admin", "stage": "GA", "title": "CA Service Admin" }, { "description": "Read-only access to all CA Service resources.", "etag": "AA==", "name": "roles/privateca.auditor", "stage": "GA", "title": "CA Service Auditor" }, { "description": "Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.", "etag": "AA==", "has_undocumented": 
true, "name": "roles/privateca.caManager", "stage": "GA", "title": "CA Service Operation Manager" }, { "description": "Create certificates and read-only access for CA Service resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/privateca.certificateManager", "stage": "GA", "title": "CA Service Certificate Manager" }, { "description": "Request certificates from CA Service.", "etag": "AA==", "name": "roles/privateca.certificateRequester", "stage": "GA", "title": "CA Service Certificate Requester" }, { "description": "Read CA Pools in CA Service.", "etag": "AA==", "name": "roles/privateca.poolReader", "stage": "GA", "title": "CA Service Pool Reader" }, { "description": "Read, list and use certificate templates.", "etag": "AA==", "name": "roles/privateca.templateUser", "stage": "GA", "title": "CA Service Certificate Template User" }, { "description": "Request certificates from CA Service with caller's identity.", "etag": "AA==", "name": "roles/privateca.workloadCertificateRequester", "stage": "GA", "title": "CA Service Workload Certificate Requester" }, { "description": "Full access to Privileged Access Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/privilegedaccessmanager.admin", "stage": "GA", "title": "Privileged Access Manager Admin" }, { "description": "Gives privileged access manager service account access to modify IAM policies on GCP folders", "etag": "AA==", "name": "roles/privilegedaccessmanager.folderServiceAgent", "stage": "GA", "title": "Privileged Access Manager Folder Service Agent" }, { "description": "Gives privileged access manager service account access to modify IAM policies on GCP organizations", "etag": "AA==", "has_undocumented": true, "name": "roles/privilegedaccessmanager.organizationServiceAgent", "stage": "GA", "title": "Privileged Access Manager Organization Service Agent" }, { "description": "Gives privileged access manager service account access to modify IAM policies on GCP projects", 
"etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/privilegedaccessmanager.projectServiceAgent", "stage": "GA", "title": "Privileged Access Manager Project Service Agent" }, { "description": "Gives privileged access manager service account access to modify IAM policies on GCP resources", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/privilegedaccessmanager.serviceAgent", "stage": "GA", "title": "Privileged Access Manager Service Agent" }, { "description": "Administrator of Privileged Access Manager Settings.", "etag": "AA==", "has_undocumented": true, "name": "roles/privilegedaccessmanager.settingsAdmin", "stage": "BETA", "title": "Privileged Access Manager Settings Admin" }, { "description": "Readonly access to Privileged Access Manager Settings & Effective Settings.", "etag": "AA==", "has_undocumented": true, "name": "roles/privilegedaccessmanager.settingsViewer", "stage": "BETA", "title": "Privileged Access Manager Settings Viewer" }, { "description": "Readonly access to Privileged Access Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/privilegedaccessmanager.viewer", "stage": "GA", "title": "Privileged Access Manager Viewer" }, { "description": "Gives Progressive Rollout the ability to roll out a customer change.", "etag": "AA==", "name": "roles/progressiverollout.serviceAgent", "stage": "GA", "title": "Progressive Rollout Service Agent" }, { "description": "Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.", "etag": "AA==", "name": "roles/proximitybeacon.attachmentEditor", "stage": "GA", "title": "Beacon Attachment Editor" }, { "description": "Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.", "etag": "AA==", "name": "roles/proximitybeacon.attachmentPublisher", "stage": "GA", "title": "Beacon Attachment Publisher" }, { "description": "Can view all attachments 
under a namespace; no beacon or namespace permissions.", "etag": "AA==", "name": "roles/proximitybeacon.attachmentViewer", "stage": "GA", "title": "Beacon Attachment Viewer" }, { "description": "Necessary access to register, modify, and view beacons; no attachment or namespace permissions.", "etag": "AA==", "name": "roles/proximitybeacon.beaconEditor", "stage": "GA", "title": "Beacon Editor" }, { "description": "This role can create a new externalAccountKey resource.", "etag": "AA==", "name": "roles/publicca.externalAccountKeyCreator", "stage": "BETA", "title": "External Account Key Creator" }, { "description": "Full access to topics, subscriptions, and snapshots.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/pubsub.admin", "stage": "GA", "title": "Pub/Sub Admin" }, { "description": "Modify topics and subscriptions, publish and consume messages.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/pubsub.editor", "stage": "GA", "title": "Pub/Sub Editor" }, { "description": "Publish messages to a topic.", "etag": "AA==", "name": "roles/pubsub.publisher", "stage": "GA", "title": "Pub/Sub Publisher" }, { "description": "Grants Cloud Pub/Sub Service Account access to manage resources.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/pubsub.serviceAgent", "stage": "GA", "title": "Cloud Pub/Sub Service Agent" }, { "description": "Consume messages from a subscription, attach subscriptions to a topic, and seek to a snapshot.", "etag": "AA==", "has_dataaccess": true, "name": "roles/pubsub.subscriber", "stage": "GA", "title": "Pub/Sub Subscriber" }, { "description": "View topics, subscriptions, and snapshots.", "etag": "AA==", "has_undocumented": true, "name": "roles/pubsub.viewer", "stage": "GA", "title": "Pub/Sub Viewer" }, { "description": "Full access to topics, subscriptions and reservations.", "etag": "AA==", "name": 
"roles/pubsublite.admin", "stage": "GA", "title": "Pub/Sub Lite Admin" }, { "description": "Modify topics, subscriptions and reservations, publish and consume messages.", "etag": "AA==", "name": "roles/pubsublite.editor", "stage": "GA", "title": "Pub/Sub Lite Editor" }, { "description": "Publish messages to a topic.", "etag": "AA==", "name": "roles/pubsublite.publisher", "stage": "GA", "title": "Pub/Sub Lite Publisher" }, { "description": "Grants Pub/Sub Lite Service Agent access to project resources.", "etag": "AA==", "name": "roles/pubsublite.serviceAgent", "stage": "GA", "title": "Pub/Sub Lite Service Agent" }, { "description": "Subscribe to and read messages from a topic.", "etag": "AA==", "name": "roles/pubsublite.subscriber", "stage": "GA", "title": "Pub/Sub Lite Subscriber" }, { "description": "View topics, subscriptions and reservations.", "etag": "AA==", "name": "roles/pubsublite.viewer", "stage": "GA", "title": "Pub/Sub Lite Viewer" }, { "description": "Gives RMA service account access to MC resources.", "etag": "AA==", "name": "roles/rapidmigrationassessment.serviceAgent", "stage": "GA", "title": "RMA Service Agent" }, { "description": "Full access to publication reader resources", "etag": "AA==", "name": "roles/readerrevenuesubscriptionlinking.admin", "stage": "GA", "title": "Subscription Linking Admin" }, { "description": "This role can view all publication reader entitlements", "etag": "AA==", "name": "roles/readerrevenuesubscriptionlinking.entitlementsViewer", "stage": "GA", "title": "Subscription Linking Entitlements Viewer" }, { "description": "This role can view all publication reader resources", "etag": "AA==", "name": "roles/readerrevenuesubscriptionlinking.viewer", "stage": "GA", "title": "Subscription Linking Viewer" }, { "description": "Access to view and modify reCAPTCHA Enterprise keys", "etag": "AA==", "has_undocumented": true, "name": "roles/recaptchaenterprise.admin", "stage": "GA", "title": "reCAPTCHA Enterprise Admin" }, { 
"description": "Access to create and annotate reCAPTCHA Enterprise assessments", "etag": "AA==", "name": "roles/recaptchaenterprise.agent", "stage": "GA", "title": "reCAPTCHA Enterprise Agent" }, { "description": "Access to view reCAPTCHA Enterprise keys and metrics", "etag": "AA==", "has_undocumented": true, "name": "roles/recaptchaenterprise.viewer", "stage": "GA", "title": "reCAPTCHA Enterprise Viewer" }, { "description": "Admin of AlloyDB insights and recommendations.", "etag": "AA==", "name": "roles/recommender.alloydbAdmin", "stage": "GA", "title": "AlloyDB Recommender Admin" }, { "description": "Viewer of AlloyDB insights and recommendations.", "etag": "AA==", "name": "roles/recommender.alloydbViewer", "stage": "GA", "title": "AlloyDB Recommender Viewer" }, { "description": "Admin of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsAdmin", "stage": "BETA", "title": "BigQuery Slot Recommender Admin" }, { "description": "Billing Account Admin of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsBillingAccountAdmin", "stage": "BETA", "title": "BigQuery Recommender Billing Account Admin" }, { "description": "Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsBillingAccountViewer", "stage": "BETA", "title": "BigQuery Recommender Billing Account Viewer" }, { "description": "Project Admin of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsProjectAdmin", "stage": "BETA", "title": "BigQuery Recommender Project Admin" }, { "description": "Project Viewer of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsProjectViewer", "stage": "BETA", 
"title": "BigQuery Recommender Project Viewer" }, { "description": "Viewer of BigQuery Capacity Commitments insights and recommendations.", "etag": "AA==", "name": "roles/recommender.bigQueryCapacityCommitmentsViewer", "stage": "BETA", "title": "BigQuery Slot Recommender Viewer" }, { "description": "Admin of BigQuery Materialized View Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.bigqueryMaterializedViewAdmin", "stage": "GA", "title": "BigQuery Materialized View Recommender Admin" }, { "description": "Viewer of BigQuery Materialized View Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.bigqueryMaterializedViewViewer", "stage": "GA", "title": "BigQuery Materialized View Recommender Viewer" }, { "description": "Admin of BigQuery Partitioning Clustering recommendations.", "etag": "AA==", "name": "roles/recommender.bigqueryPartitionClusterAdmin", "stage": "BETA", "title": "BigQuery Partitioning Clustering Recommender Admin" }, { "description": "Viewer of BigQuery Partitioning Clustering recommendations.", "etag": "AA==", "name": "roles/recommender.bigqueryPartitionClusterViewer", "stage": "BETA", "title": "BigQuery Partitioning Clustering Recommender Viewer" }, { "description": "Admin of Bigtable Cluster Performance Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.bigtableClusterPerformanceAdmin", "stage": "BETA", "title": "Bigtable Cluster Performance Recommender Admin" }, { "description": "Viewer of Bigtable Cluster Performance Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.bigtableClusterPerformanceViewer", "stage": "BETA", "title": "Bigtable Cluster Performance Recommender Viewer" }, { "description": "Admin of Billing Account Usage Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.billingAccountCudAdmin", "stage": "BETA", "title": "Billing Account Usage Commitment Recommender Admin" }, { 
"description": "Viewer of Billing Account Usage Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.billingAccountCudViewer", "stage": "BETA", "title": "Billing Account Usage Commitment Recommender Viewer" }, { "description": "Admin of all Cloud Asset insights.", "etag": "AA==", "name": "roles/recommender.cloudAssetInsightsAdmin", "stage": "GA", "title": "Cloud Asset Insights Admin" }, { "description": "Viewer of all Cloud Asset insights.", "etag": "AA==", "name": "roles/recommender.cloudAssetInsightsViewer", "stage": "GA", "title": "Cloud Asset Insights Viewer" }, { "description": "Admin of Cloud Cost General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudCostRecommendationAdmin", "stage": "BETA", "title": "Cloud Cost General Recommendations Recommender Admin" }, { "description": "Viewer of Cloud Cost General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudCostRecommendationViewer", "stage": "BETA", "title": "Cloud Cost General Recommendations Recommender Viewer" }, { "description": "Admin of Cloud Deprecation General Recommender Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudDeprecationRecommendationAdmin", "stage": "BETA", "title": "Cloud Deprecation General Recommender Admin" }, { "description": "Viewer of Cloud Deprecation General Recommender Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudDeprecationRecommendationViewer", "stage": "BETA", "title": "Cloud Deprecation General Recommender Viewer" }, { "description": "Admin of Cloud Manageability General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudManageabilityRecommendationAdmin", "stage": "BETA", "title": "Cloud Manageability General Recommendations Recommender Admin" }, { "description": "Viewer of Cloud Manageability General Recommendations Insights and Recommendations.", "etag": 
"AA==", "name": "roles/recommender.cloudManageabilityRecommendationViewer", "stage": "BETA", "title": "Cloud Manageability General Recommendations Recommender Viewer" }, { "description": "Admin of Cloud Performance General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudPerformanceRecommendationAdmin", "stage": "BETA", "title": "Cloud Performance General Recommendations Recommender Admin" }, { "description": "Viewer of Cloud Performance General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudPerformanceRecommendationViewer", "stage": "BETA", "title": "Cloud Performance General Recommendations Recommender Viewer" }, { "description": "Admin of Cloud Reliability General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudReliabilityRecommendationAdmin", "stage": "BETA", "title": "Cloud Reliability General Recommendations Recommender Admin" }, { "description": "Viewer of Cloud Reliability General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudReliabilityRecommendationViewer", "stage": "BETA", "title": "Cloud Reliability General Recommendations Recommender Viewer" }, { "description": "Admin of Cloud Security General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudSecurityRecommendationAdmin", "stage": "BETA", "title": "Cloud Security General Recommendations Recommender Admin" }, { "description": "Viewer of Cloud Security General Recommendations Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.cloudSecurityRecommendationViewer", "stage": "BETA", "title": "Cloud Security General Recommendations Recommender Viewer" }, { "description": "Admin of Cloud SQL insights and recommendations.", "etag": "AA==", "name": "roles/recommender.cloudsqlAdmin", "stage": "BETA", "title": "Cloud SQL Recommender Admin" }, { 
"description": "Viewer of Cloud SQL insights and recommendations.", "etag": "AA==", "name": "roles/recommender.cloudsqlViewer", "stage": "BETA", "title": "Cloud SQL Recommender Viewer" }, { "description": "Admin of compute recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.computeAdmin", "stage": "GA", "title": "Compute Recommender Admin" }, { "description": "Viewer of compute recommendations.", "etag": "AA==", "name": "roles/recommender.computeViewer", "stage": "GA", "title": "Compute Recommender Viewer" }, { "description": "Admin of GKE Diagnosis Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.containerDiagnosisAdmin", "stage": "GA", "title": "GKE Diagnosis Recommender Admin" }, { "description": "Viewer of GKE Diagnosis Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.containerDiagnosisViewer", "stage": "GA", "title": "GKE Diagnosis Recommender Viewer" }, { "description": "Admin of Diagnostics recommendations.", "etag": "AA==", "name": "roles/recommender.dataflowDiagnosticsAdmin", "stage": "GA", "title": "Dataflow Diagnostics Admin" }, { "description": "Viewer of Diagnostics recommendations.", "etag": "AA==", "name": "roles/recommender.dataflowDiagnosticsViewer", "stage": "GA", "title": "Dataflow Diagnostics Viewer" }, { "description": "Admin of Error Reporting Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.errorReportingAdmin", "stage": "GA", "title": "Error Reporting Recommender Admin" }, { "description": "Viewer of Error Reporting Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.errorReportingViewer", "stage": "GA", "title": "Error Reporting Recommender Viewer" }, { "description": "Exporter of Recommendations", "etag": "AA==", "name": "roles/recommender.exporter", "stage": "GA", "title": "Recommendations Exporter" }, { "description": "Admin of Firestore Database Firebase rules Insights and Recommendations.", "etag": 
"AA==", "has_undocumented": true, "name": "roles/recommender.firestoredatabasefirebaserulesAdmin", "stage": "BETA", "title": "Firestore Database Firebase rules Recommender Admin" }, { "description": "Viewer of Firestore Database Firebase rules Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.firestoredatabasefirebaserulesViewer", "stage": "BETA", "title": "Firestore Database Firebase rules Recommender Viewer" }, { "description": "Admin of Firestore Database Reliability Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.firestoredatabasereliabilityAdmin", "stage": "GA", "title": "Firestore Database Reliability Recommender Admin" }, { "description": "Viewer of Firestore Database Reliability Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.firestoredatabasereliabilityViewer", "stage": "GA", "title": "Firestore Database Reliability Recommender Viewer" }, { "description": "Admin of Firewall insights and recommendations.", "etag": "AA==", "name": "roles/recommender.firewallAdmin", "stage": "GA", "title": "Firewall Recommender Admin" }, { "description": "Viewer of Firewall insights and recommendations.", "etag": "AA==", "name": "roles/recommender.firewallViewer", "stage": "GA", "title": "Firewall Recommender Viewer" }, { "description": "Admin of all Google Maps Platform insights and recommendations.", "etag": "AA==", "name": "roles/recommender.gmpAdmin", "stage": "GA", "title": "Google Maps Platform Insights/Recommendations Admin" }, { "description": "Viewer of all Google Maps Platform insights and recommendations.", "etag": "AA==", "name": "roles/recommender.gmpViewer", "stage": "GA", "title": "Google Maps Platform Insights/Recommendations Viewer" }, { "description": "Admin of IAM recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.iamAdmin", "stage": "GA", "title": "IAM Recommender Admin" }, { "description": "Viewer of IAM 
recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.iamViewer", "stage": "GA", "title": "IAM Recommender Viewer" }, { "description": "Admin of IAM Policy Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.iampolicychangeriskAdmin", "stage": "BETA", "title": "IAM Policy Change Risk Recommender Admin" }, { "description": "Viewer of IAM Policy Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.iampolicychangeriskViewer", "stage": "BETA", "title": "IAM Policy Change Risk Recommender Viewer" }, { "description": "Admin of Memorystore Manageability Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.memorystoremanageabilityAdmin", "stage": "BETA", "title": "Memorystore Manageability Recommender Admin" }, { "description": "Viewer of Memorystore Manageability Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.memorystoremanageabilityViewer", "stage": "BETA", "title": "Memorystore Manageability Recommender Viewer" }, { "description": "Admin of Memorystore Performance Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.memorystoreperformanceAdmin", "stage": "BETA", "title": "Memorystore Performance Recommender Admin" }, { "description": "Viewer of Memorystore Performance Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.memorystoreperformanceViewer", "stage": "BETA", "title": "Memorystore Performance Recommender Viewer" }, { "description": "Admin of Memorystore Reliability Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.memorystorereliabilityAdmin", "stage": "BETA", "title": "Memorystore Reliability Recommender Admin" }, { "description": "Viewer of Memorystore Reliability Insights and Recommendations.", "etag": "AA==", 
"has_undocumented": true, "name": "roles/recommender.memorystorereliabilityViewer", "stage": "BETA", "title": "Memorystore Reliability Recommender Viewer" }, { "description": "Admin of Network Analyzer Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerAdmin", "stage": "GA", "title": "Network Analyzer Recommender Admin" }, { "description": "Admin of Network Analyzer Cloud SQL Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerCloudSqlAdmin", "stage": "GA", "title": "Network Analyzer Cloud SQL Recommender Admin" }, { "description": "Viewer of Network Analyzer Cloud SQL Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerCloudSqlViewer", "stage": "GA", "title": "Network Analyzer Cloud SQL Recommender Viewer" }, { "description": "Admin of Network Analyzer Dynamic Route Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerDynamicRouteAdmin", "stage": "GA", "title": "Network Analyzer Dynamic Route Recommender Admin" }, { "description": "Viewer of Network Analyzer Dynamic Route Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerDynamicRouteViewer", "stage": "GA", "title": "Network Analyzer Dynamic Route Recommender Viewer" }, { "description": "Admin of Network Analyzer GKE Connectivity Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerGkeConnectivityAdmin", "stage": "GA", "title": "Network Analyzer GKE Connectivity Recommender Admin" }, { "description": "Viewer of Network Analyzer GKE Connectivity Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerGkeConnectivityViewer", "stage": "GA", "title": "Network Analyzer GKE Connectivity Recommender Viewer" }, { "description": "Admin of Network Analyzer GKE IP Address Insights and Recommendations.", "etag": "AA==", "name": 
"roles/recommender.networkAnalyzerGkeIpAddressAdmin", "stage": "GA", "title": "Network Analyzer GKE IP Address Recommender Admin" }, { "description": "Viewer of Network Analyzer GKE IP Address Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerGkeIpAddressViewer", "stage": "GA", "title": "Network Analyzer GKE IP Address Recommender Viewer" }, { "description": "Admin of Network Analyzer GKE Service Account Insights Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerGkeServiceAccountAdmin", "stage": "GA", "title": "Network Analyzer GKE Service Account Insights Recommender Admin" }, { "description": "Viewer of Network Analyzer GKE Service Account Insights Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerGkeServiceAccountViewer", "stage": "GA", "title": "Network Analyzer GKE Service Account Insights Recommender Viewer" }, { "description": "Admin of Network Analyzer IP Address Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerIpAddressAdmin", "stage": "GA", "title": "Network Analyzer IP Address Recommender Admin" }, { "description": "Viewer of Network Analyzer IP Address Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerIpAddressViewer", "stage": "GA", "title": "Network Analyzer IP Address Recommender Viewer" }, { "description": "Admin of Network Analyzer Load Balancer Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerLoadBalancerAdmin", "stage": "GA", "title": "Network Analyzer Load Balancer Recommender Admin" }, { "description": "Viewer of Network Analyzer Load Balancer Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerLoadBalancerViewer", "stage": "GA", "title": "Network Analyzer Load Balancer Recommender Viewer" }, { "description": "Viewer of Network Analyzer Insights and Recommendations.", 
"etag": "AA==", "name": "roles/recommender.networkAnalyzerViewer", "stage": "GA", "title": "Network Analyzer Recommender Viewer" }, { "description": "Admin of Network Analyzer VPC Connectivity Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerVpcConnectivityAdmin", "stage": "GA", "title": "Network Analyzer VPC Connectivity Recommender Admin" }, { "description": "Viewer of Network Analyzer VPC Connectivity Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.networkAnalyzerVpcConnectivityViewer", "stage": "GA", "title": "Network Analyzer VPC Connectivity Recommender Viewer" }, { "description": "Admin of Org Policy Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.orgPolicyAdmin", "stage": "BETA", "title": "Org Policy Recommender Admin" }, { "description": "Viewer of Org Policy Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.orgPolicyViewer", "stage": "BETA", "title": "Org Policy Recommender Viewer" }, { "description": "Admin of all Product Suggestion insights and recommendations.", "etag": "AA==", "name": "roles/recommender.productSuggestionAdmin", "stage": "BETA", "title": "Product Suggestion Recommenders Admin" }, { "description": "Viewer of all Product Suggestion insights and recommendations.", "etag": "AA==", "name": "roles/recommender.productSuggestionViewer", "stage": "BETA", "title": "Product Suggestion Recommenders Viewer" }, { "description": "Admin of Project Usage Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.projectCudAdmin", "stage": "BETA", "title": "Project Usage Commitment Recommender Admin" }, { "description": "Viewer of Project Usage Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.projectCudViewer", "stage": "BETA", "title": "Project Usage Commitment Recommender Viewer" }, { "description": "Admin of Project Utilization insights and 
recommendations.", "etag": "AA==", "name": "roles/recommender.projectUtilAdmin", "stage": "GA", "title": "Project Utilization Recommender Admin" }, { "description": "Viewer of Project Utilization insights and recommendations.", "etag": "AA==", "name": "roles/recommender.projectUtilViewer", "stage": "GA", "title": "Project Utilization Recommender Viewer" }, { "description": "Admin of RecentChange RecommenderConfigs.", "etag": "AA==", "name": "roles/recommender.recentChangeConfigAdmin", "stage": "GA", "title": "RecentChange RecommenderConfig Admin" }, { "description": "Admin of Recent Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.recentchangeriskAdmin", "stage": "GA", "title": "Recent Change Risk Recommender Admin" }, { "description": "Viewer of Recent Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.recentchangeriskViewer", "stage": "GA", "title": "Recent Change Risk Recommender Viewer" }, { "description": "Admin of Service Limit insights and recommendations.", "etag": "AA==", "name": "roles/recommender.serviceLimitAdmin", "stage": "BETA", "title": "Service Limit Recommender Admin" }, { "description": "Viewer of Service Limit insights and recommendations.", "etag": "AA==", "name": "roles/recommender.serviceLimitViewer", "stage": "BETA", "title": "Service Limit Recommender Viewer" }, { "description": "Admin of Service Account Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.serviceaccntchangeriskAdmin", "stage": "BETA", "title": "Service Account Change Risk Recommender Admin" }, { "description": "Viewer of Service Account Change Risk Insights and Recommendations.", "etag": "AA==", "name": "roles/recommender.serviceaccntchangeriskViewer", "stage": "BETA", "title": "Service Account Change Risk Recommender Viewer" }, { "description": "Admin of Spanner Project Reliability Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": 
"roles/recommender.spannerAdmin", "stage": "BETA", "title": "Spanner Project Reliability Recommender Admin" }, { "description": "Viewer of Spanner Project Reliability Insights and Recommendations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.spannerViewer", "stage": "BETA", "title": "Spanner Project Reliability Recommender Viewer" }, { "description": "Admin of Spend Based Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.ucsAdmin", "stage": "BETA", "title": "Spend Based Commitment Recommender Admin" }, { "description": "Viewer of Spend Based Commitment Recommender.", "etag": "AA==", "name": "roles/recommender.ucsViewer", "stage": "BETA", "title": "Spend Based Commitment Recommender Viewer" }, { "description": "Enables Get and List operations.", "etag": "AA==", "has_undocumented": true, "name": "roles/recommender.viewer", "stage": "GA", "title": "Recommender Viewer" }, { "description": "Full access to Redis instances and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/redis.admin", "stage": "GA", "title": "Cloud Memorystore Redis Admin" }, { "description": "Access to connecting to Redis Server db.", "etag": "AA==", "name": "roles/redis.dbConnectionUser", "stage": "BETA", "title": "Cloud Memorystore Redis Db Connection User" }, { "description": "Read-Write access to Redis instances and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/redis.editor", "stage": "GA", "title": "Cloud Memorystore Redis Editor" }, { "description": "Gives Cloud Memorystore Redis service account access to managed resource", "etag": "AA==", "has_undocumented": true, "name": "roles/redis.serviceAgent", "stage": "GA", "title": "Cloud Memorystore Redis Service Agent" }, { "description": "Read-only access to Redis instances and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/redis.viewer", "stage": "GA", "title": "Cloud Memorystore Redis Viewer" }, { "description": 
"This role is managed by Redis Labs, not Google.", "etag": "AA==", "name": "roles/redisenterprisecloud.admin", "stage": "BETA", "title": "Redis Enterprise Cloud Admin" }, { "description": "This role is managed by Redis Labs, not Google.", "etag": "AA==", "name": "roles/redisenterprisecloud.viewer", "stage": "BETA", "title": "Redis Enterprise Cloud Viewer" }, { "description": "Remote Build Execution Action Cache Writer", "etag": "AA==", "name": "roles/remotebuildexecution.actionCacheWriter", "stage": "BETA", "title": "Remote Build Execution Action Cache Writer" }, { "description": "Remote Build Execution Artifact Admin", "etag": "AA==", "name": "roles/remotebuildexecution.artifactAdmin", "stage": "BETA", "title": "Remote Build Execution Artifact Admin" }, { "description": "Remote Build Execution Artifact Creator", "etag": "AA==", "name": "roles/remotebuildexecution.artifactCreator", "stage": "BETA", "title": "Remote Build Execution Artifact Creator" }, { "description": "Remote Build Execution Artifact Viewer", "etag": "AA==", "name": "roles/remotebuildexecution.artifactViewer", "stage": "BETA", "title": "Remote Build Execution Artifact Viewer" }, { "description": "Remote Build Execution Configuration Admin", "etag": "AA==", "name": "roles/remotebuildexecution.configurationAdmin", "stage": "BETA", "title": "Remote Build Execution Configuration Admin" }, { "description": "Remote Build Execution Configuration Viewer", "etag": "AA==", "name": "roles/remotebuildexecution.configurationViewer", "stage": "BETA", "title": "Remote Build Execution Configuration Viewer" }, { "description": "Remote Build Execution Logstream Writer", "etag": "AA==", "name": "roles/remotebuildexecution.logstreamWriter", "stage": "BETA", "title": "Remote Build Execution Logstream Writer" }, { "description": "Remote Build Execution Reservation Admin", "etag": "AA==", "name": "roles/remotebuildexecution.reservationAdmin", "stage": "BETA", "title": "Remote Build Execution Reservation Admin" }, { 
"description": "Gives Remote Build Execution service account access to managed resources.", "etag": "AA==", "name": "roles/remotebuildexecution.serviceAgent", "stage": "GA", "title": "Remote Build Execution Service Agent" }, { "description": "Remote Build Execution Worker", "etag": "AA==", "name": "roles/remotebuildexecution.worker", "stage": "BETA", "title": "Remote Build Execution Worker" }, { "description": "Grants Chrome Remote Desktop Service Agent access to Google Compute Engine metadata.", "etag": "AA==", "has_undocumented": true, "name": "roles/remotingcloud.serviceAgent", "stage": "GA", "title": "Remoting Cloud Service Agent" }, { "description": "Access and administer a folder and all of its sub-resources.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/resourcemanager.folderAdmin", "stage": "GA", "title": "Folder Admin" }, { "description": "Create folder and view all of its sub-resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/resourcemanager.folderCreator", "stage": "GA", "title": "Folder Creator" }, { "description": "Edit, delete, and undelete a folder and all of its child resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/resourcemanager.folderEditor", "stage": "GA", "title": "Folder Editor" }, { "description": "Access and administer a folder IAM policies.", "etag": "AA==", "name": "roles/resourcemanager.folderIamAdmin", "stage": "GA", "title": "Folder IAM Admin" }, { "description": "Move a folder and all of its child resources.", "etag": "AA==", "name": "roles/resourcemanager.folderMover", "stage": "GA", "title": "Folder Mover" }, { "description": "Access to view a folder and all of its child resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/resourcemanager.folderViewer", "stage": "GA", "title": "Folder Viewer" }, { "description": "Access to modify Liens on projects.", "etag": "AA==", "name": "roles/resourcemanager.lienModifier", "stage": "GA", "title": "Project 
Lien Modifier" }, { "description": "Access to manage IAM policies and view organization policies for organizations, folders, and projects.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/resourcemanager.organizationAdmin", "stage": "GA", "title": "Organization Administrator" }, { "description": "Access only to view an Organization.", "etag": "AA==", "name": "roles/resourcemanager.organizationViewer", "stage": "GA", "title": "Organization Viewer" }, { "description": "Access to create new GCP projects.", "etag": "AA==", "name": "roles/resourcemanager.projectCreator", "stage": "GA", "title": "Project Creator" }, { "description": "Access to delete GCP projects.", "etag": "AA==", "name": "roles/resourcemanager.projectDeleter", "stage": "GA", "title": "Project Deleter" }, { "description": "Access and administer a project IAM policies.", "etag": "AA==", "has_privesc": true, "name": "roles/resourcemanager.projectIamAdmin", "stage": "GA", "title": "Project IAM Admin" }, { "description": "Access to update and move a project", "etag": "AA==", "name": "roles/resourcemanager.projectMover", "stage": "GA", "title": "Project Mover" }, { "description": "Access to create, delete, update, and manage access to Tags", "etag": "AA==", "name": "roles/resourcemanager.tagAdmin", "stage": "GA", "title": "Tag Administrator" }, { "description": "Access to create, delete and list TagHolds under a TagValue", "etag": "AA==", "name": "roles/resourcemanager.tagHoldAdmin", "stage": "GA", "title": "Tag Hold Administrator" }, { "description": "Access to list Tags and manage their associations with resources", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/resourcemanager.tagUser", "stage": "GA", "title": "Tag User" }, { "description": "Access to list Tags and their associations with resources", "etag": "AA==", "has_undocumented": true, "name": "roles/resourcemanager.tagViewer", "stage": "GA", "title": "Tag Viewer" }, { "description": 
"Provides admin capabilities to set Resource Setting Values on resources.", "etag": "AA==", "name": "roles/resourcesettings.admin", "stage": "GA", "title": "Resource Settings Administrator" }, { "description": "Provides capabilities to view Resource Settings and Resource Setting Values on resources.", "etag": "AA==", "name": "roles/resourcesettings.viewer", "stage": "GA", "title": "Resource Settings Viewer" }, { "description": "Full access to Retail api resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/retail.admin", "stage": "GA", "title": "Retail Admin" }, { "description": "Full access to Retail api resources except purge, rejoin, and setSponsorship.", "etag": "AA==", "has_undocumented": true, "name": "roles/retail.editor", "stage": "GA", "title": "Retail Editor" }, { "description": "Grants access and approval rights to MerchantControls in the merchant console.", "etag": "AA==", "has_undocumented": true, "name": "roles/retail.merchantApprover", "stage": "BETA", "title": "Retail Merchant Approver" }, { "description": "Grants access to own MerchantControls in the merchant console.", "etag": "AA==", "has_undocumented": true, "name": "roles/retail.merchantCreator", "stage": "BETA", "title": "Retail Merchant Creator" }, { "description": "Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/retail.serviceAgent", "stage": "GA", "title": "Retail Service Agent" }, { "description": "Grants access to read all resources in Retail.", "etag": "AA==", "has_undocumented": true, "name": "roles/retail.viewer", "stage": "GA", "title": "Retail Viewer" }, { "description": "Read/write access to RISC config resources.", "etag": "AA==", "name": "roles/riscconfigs.admin", "stage": "BETA", "title": "RISC 
Configuration Admin" }, { "description": "Read-only access to RISC config resources.", "etag": "AA==", "name": "roles/riscconfigs.viewer", "stage": "BETA", "title": "RISC Configuration Viewer" }, { "description": "Grants all Risk Manager permissions", "etag": "AA==", "name": "roles/riskmanager.admin", "stage": "BETA", "title": "Risk Manager Admin" }, { "description": "Access to edit Risk Manager resources", "etag": "AA==", "name": "roles/riskmanager.editor", "stage": "BETA", "title": "Risk Manager Editor" }, { "description": "Access to review Risk Manager reports", "etag": "AA==", "name": "roles/riskmanager.reviewer", "stage": "BETA", "title": "Risk Manager Report Reviewer" }, { "description": "Service agent that grants Risk Manager service access to fetch findings for generating Reports", "etag": "AA==", "has_undocumented": true, "name": "roles/riskmanager.serviceAgent", "stage": "GA", "title": "Risk Manager Service Agent" }, { "description": "Access to view Risk Manager resources", "etag": "AA==", "name": "roles/riskmanager.viewer", "stage": "BETA", "title": "Risk Manager Viewer" }, { "description": "Full access to Rapid Migration Assessment all resources.", "etag": "AA==", "name": "roles/rma.admin", "stage": "GA", "title": "Rapid Migration Assessment Admin" }, { "description": "Update and Read access to Rapid Migration Assessment all resources.", "etag": "AA==", "name": "roles/rma.runner", "stage": "GA", "title": "Rapid Migration Assessment Runner" }, { "description": "Read-only access to Rapid Migration Assessment all resources.", "etag": "AA==", "name": "roles/rma.viewer", "stage": "GA", "title": "Rapid Migration Assessment Viewer" }, { "description": "This role can create long-running operations via BatchOptimizeTours.", "etag": "AA==", "name": "roles/routeoptimization.editor", "stage": "GA", "title": "Route Optimization Editor" }, { "description": "Grants Route Optimization Service Account access to read and write GCS objects in the host project.", "etag": 
"AA==", "has_dataaccess": true, "name": "roles/routeoptimization.serviceAgent", "stage": "GA", "title": "Route Optimization Service Agent" }, { "description": "This role can view any long-running Operations.", "etag": "AA==", "name": "roles/routeoptimization.viewer", "stage": "GA", "title": "Route Optimization Viewer" }, { "description": "Full control over all Cloud Run resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/run.admin", "stage": "GA", "title": "Cloud Run Admin" }, { "description": "Can build Cloud Run functions and source deployed services.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/run.builder", "stage": "GA", "title": "Cloud Run Builder" }, { "description": "Read and write access to all Cloud Run resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/run.developer", "stage": "GA", "title": "Cloud Run Developer" }, { "description": "Can invoke Cloud Run services and execute Cloud Run jobs.", "etag": "AA==", "name": "roles/run.invoker", "stage": "GA", "title": "Cloud Run Invoker" }, { "description": "Can execute and cancel Cloud Run jobs.", "etag": "AA==", "has_undocumented": true, "name": "roles/run.jobsExecutor", "stage": "GA", "title": "Cloud Run Jobs Executor" }, { "description": "Can execute and cancel Cloud Run jobs with overrides.", "etag": "AA==", "has_undocumented": true, "name": "roles/run.jobsExecutorWithOverrides", "stage": "GA", "title": "Cloud Run Jobs Executor With Overrides" }, { "description": "Gives Cloud Run service account access to managed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/run.serviceAgent", "stage": "GA", "title": "Cloud Run Service Agent" }, { "description": "Can invoke Cloud Run services.", "etag": "AA==", "has_undocumented": true, "name": "roles/run.servicesInvoker", "stage": "GA", "title": "Cloud Run Service Invoker" }, { "description": "Deploy and manage Cloud Run source 
deployed resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/run.sourceDeveloper", "stage": "GA", "title": "Cloud Run Source Developer" }, { "description": "View Cloud Run source deployed resources.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/run.sourceViewer", "stage": "GA", "title": "Cloud Run Source Viewer" }, { "description": "Can view the state of all Cloud Run resources, including IAM policies.", "etag": "AA==", "has_undocumented": true, "name": "roles/run.viewer", "stage": "GA", "title": "Cloud Run Viewer" }, { "description": "Access to create and change Serverless Integrations and their configuration.", "etag": "AA==", "name": "roles/runapps.developer", "stage": "BETA", "title": "Serverless Integrations Developer" }, { "description": "Access to deploy Serverless Integrations.", "etag": "AA==", "name": "roles/runapps.operator", "stage": "BETA", "title": "Serverless Integrations Operator" }, { "description": "Gives Serverless Integrations Service Account access to customer project resources.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/runapps.serviceAgent", "stage": "GA", "title": "Serverless Integrations Service Agent" }, { "description": "Readonly access to Serverless Integrations resources.", "etag": "AA==", "name": "roles/runapps.viewer", "stage": "BETA", "title": "Serverless Integrations Viewer" }, { "description": "Full access to RuntimeConfig resources.", "etag": "AA==", "name": "roles/runtimeconfig.admin", "stage": "GA", "title": "Cloud RuntimeConfig Admin" }, { "description": "Provide full access to all SaaS Service Management resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/saasservicemgmt.admin", "stage": "BETA", "title": "SaaS Service Management Admin" }, { "description": "Service Agent used by SaaS Service Management.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, 
"has_undocumented": true, "name": "roles/saasservicemgmt.serviceAgent", "stage": "GA", "title": "SaaS Service Management Service Agent" }, { "description": "Provides read-only access to SaaS Service Management resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/saasservicemgmt.viewer", "stage": "BETA", "title": "SaaS Service Management Viewer" }, { "description": "Service agent used by SecLM to access resources used by SecLM Workbenches.", "etag": "AA==", "has_undocumented": true, "name": "roles/seclm.serviceAgent", "stage": "GA", "title": "SecLM Service Agent" }, { "description": "Full access to administer Secret Manager resources.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/secretmanager.admin", "stage": "GA", "title": "Secret Manager Admin" }, { "description": "Allows accessing the payload of secrets.", "etag": "AA==", "name": "roles/secretmanager.secretAccessor", "stage": "GA", "title": "Secret Manager Secret Accessor" }, { "description": "Allows adding versions to existing secrets.", "etag": "AA==", "name": "roles/secretmanager.secretVersionAdder", "stage": "GA", "title": "Secret Manager Secret Version Adder" }, { "description": "Allows creating and managing versions of existing secrets.", "etag": "AA==", "name": "roles/secretmanager.secretVersionManager", "stage": "GA", "title": "Secret Manager Secret Version Manager" }, { "description": "Allows viewing metadata of all Secret Manager resources", "etag": "AA==", "name": "roles/secretmanager.viewer", "stage": "GA", "title": "Secret Manager Viewer" }, { "description": "Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.", "etag": "AA==", "name": "roles/securedlandingzone.bqdwOrgRemediator", "stage": "BETA", "title": "SLZ BQDW Blueprint Organization Level Remediator" }, { "description": "Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.", "etag": "AA==", "has_privesc": true, "name": 
"roles/securedlandingzone.bqdwProjectRemediator", "stage": "BETA", "title": "SLZ BQDW Blueprint Project Level Remediator" }, { "description": "This role can activate or suspend Overwatches", "etag": "AA==", "name": "roles/securedlandingzone.overwatchActivator", "stage": "BETA", "title": "Overwatch Activator" }, { "description": "Full access to Overwatches", "etag": "AA==", "name": "roles/securedlandingzone.overwatchAdmin", "stage": "BETA", "title": "Overwatch Admin" }, { "description": "This role can view all properties of Overwatches", "etag": "AA==", "name": "roles/securedlandingzone.overwatchViewer", "stage": "BETA", "title": "Overwatch Viewer" }, { "description": "Grants Secured Landing Zone service account permissions to manage resources in the customer project", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "name": "roles/securedlandingzone.serviceAgent", "stage": "GA", "title": "Secured Landing Zone Service Agent" }, { "description": "Full access to all Secure Source Manager resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/securesourcemanager.admin", "stage": "GA", "title": "Secure Source Manager Admin" }, { "description": "An instance accessor can access an instance, but not necessarily create resources in the instance.", "etag": "AA==", "name": "roles/securesourcemanager.instanceAccessor", "stage": "GA", "title": "Secure Source Manager Instance Accessor" }, { "description": "Read-write access to all Secure Source Manager resources (full control except for the ability to modify permissions).", "etag": "AA==", "name": "roles/securesourcemanager.instanceManager", "stage": "GA", "title": "Secure Source Manager Instance Manager" }, { "description": "Full control over Secure Source Manager instances, including listing, creating, and deleting them. 
Also enables instance user management.", "etag": "AA==", "has_undocumented": true, "name": "roles/securesourcemanager.instanceOwner", "stage": "GA", "title": "Secure Source Manager Instance Owner" }, { "description": "An instance repository creator can connect to a Cloud Git instance via IAP (HTTPS) and create repositories in the instance.", "etag": "AA==", "name": "roles/securesourcemanager.instanceRepositoryCreator", "stage": "GA", "title": "Secure Source Manager Instance Repository Creator" }, { "description": "A repoAdmin has the ability to CRUD a repository and its children as well as assign users to a repository. They can also set, get, or check IAM policies on the repository.", "etag": "AA==", "has_undocumented": true, "name": "roles/securesourcemanager.repoAdmin", "stage": "GA", "title": "Secure Source Manager Repository Admin" }, { "description": "A repoCreator has access to create repository in a project, the creator will then become the repoAdmin on this repository.", "etag": "AA==", "name": "roles/securesourcemanager.repoCreator", "stage": "GA", "title": "Secure Source Manager Repository Creator" }, { "description": "A pull request approver can approve pull requests in a repository.", "etag": "AA==", "has_undocumented": true, "name": "roles/securesourcemanager.repoPullRequestApprover", "stage": "GA", "title": "Secure Source Manager Repository Pull Request Approver" }, { "description": "A repoReader has read access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.", "etag": "AA==", "has_undocumented": true, "name": "roles/securesourcemanager.repoReader", "stage": "GA", "title": "Secure Source Manager Repository Reader" }, { "description": "A repoWriter has read/write access to a particular repository, including its child components. 
They cannot create repositories, and do not manage IAM policies on the repository.", "etag": "AA==", "has_undocumented": true, "name": "roles/securesourcemanager.repoWriter", "stage": "GA", "title": "Secure Source Manager Repository Writer" }, { "description": "Gives Secure Source Manager service account access to managed resources.", "etag": "AA==", "has_privesc": true, "name": "roles/securesourcemanager.serviceAgent", "stage": "GA", "title": "Secure Source Manager Service Agent" }, { "description": "An sshKeyUser can create SSH keys for themselves and list/delete SSH keys they own.", "etag": "AA==", "name": "roles/securesourcemanager.sshKeyUser", "stage": "GA", "title": "Secure Source Manager SSH Key User" }, { "description": "Admin(super user) access to security center", "etag": "AA==", "has_credentialexposure": true, "has_undocumented": true, "name": "roles/securitycenter.admin", "stage": "GA", "title": "Security Center Admin" }, { "description": "Admin Read-write access to security center", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.adminEditor", "stage": "GA", "title": "Security Center Admin Editor" }, { "description": "Admin Read access to security center", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.adminViewer", "stage": "GA", "title": "Security Center Admin Viewer" }, { "description": "Write access to asset security marks", "etag": "AA==", "name": "roles/securitycenter.assetSecurityMarksWriter", "stage": "GA", "title": "Security Center Asset Security Marks Writer" }, { "description": "Run asset discovery access to assets", "etag": "AA==", "name": "roles/securitycenter.assetsDiscoveryRunner", "stage": "GA", "title": "Security Center Assets Discovery Runner" }, { "description": "Read access to assets", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.assetsViewer", "stage": "GA", "title": "Security Center Assets Viewer" }, { "description": "Read access to security center attack 
paths", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.attackPathsViewer", "stage": "GA", "title": "Security Center Attack Paths Reader" }, { "description": "Gives Mandiant Attack Surface Management the ability to scan Cloud Platform resources.", "etag": "AA==", "name": "roles/securitycenter.attackSurfaceManagementScannerServiceAgent", "stage": "GA", "title": "Attack Surface Management Scanner Service Agent" }, { "description": "Security Center automation service agent can configure GCP resources to enable security scanning.", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.automationServiceAgent", "stage": "GA", "title": "Security Center Automation Service Agent" }, { "description": "Read-Write access to security center BigQuery Exports", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.bigQueryExportsEditor", "stage": "GA", "title": "Security Center BigQuery Exports Editor" }, { "description": "Read access to security center BigQuery Exports", "etag": "AA==", "name": "roles/securitycenter.bigQueryExportsViewer", "stage": "GA", "title": "Security Center BigQuery Exports Viewer" }, { "description": "Read access to security center compliance reports", "etag": "AA==", "name": "roles/securitycenter.complianceReportsViewer", "stage": "BETA", "title": "Security Center Compliance Reports Viewer" }, { "description": "Read access to security center compliance snapshots", "etag": "AA==", "name": "roles/securitycenter.complianceSnapshotsViewer", "stage": "BETA", "title": "Security Center Compliance Snapshots Viewer" }, { "description": "Security Center Control service agent can monitor and configure GCP resources and import security findings.", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.controlServiceAgent", "stage": "GA", "title": "Security Center Control Service Agent" }, { "description": "Write access to security center external systems", "etag": "AA==", "name": 
"roles/securitycenter.externalSystemsEditor", "stage": "GA", "title": "Security Center External Systems Editor" }, { "description": "Write access to finding security marks", "etag": "AA==", "name": "roles/securitycenter.findingSecurityMarksWriter", "stage": "GA", "title": "Security Center Finding Security Marks Writer" }, { "description": "Ability to mute findings in bulk", "etag": "AA==", "name": "roles/securitycenter.findingsBulkMuteEditor", "stage": "GA", "title": "Security Center Findings Bulk Mute Editor" }, { "description": "Read-write access to findings", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.findingsEditor", "stage": "GA", "title": "Security Center Findings Editor" }, { "description": "Set mute access to findings", "etag": "AA==", "name": "roles/securitycenter.findingsMuteSetter", "stage": "GA", "title": "Security Center Findings Mute Setter" }, { "description": "Set state access to findings", "etag": "AA==", "name": "roles/securitycenter.findingsStateSetter", "stage": "GA", "title": "Security Center Findings State Setter" }, { "description": "Read access to findings", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.findingsViewer", "stage": "GA", "title": "Security Center Findings Viewer" }, { "description": "Set workflow state access to findings", "etag": "AA==", "name": "roles/securitycenter.findingsWorkflowStateSetter", "stage": "BETA", "title": "Security Center Findings Workflow State Setter" }, { "description": "Gives Security Center access to execute Integrations.", "etag": "AA==", "name": "roles/securitycenter.integrationExecutorServiceAgent", "stage": "GA", "title": "Security Center Integration Executor Service Agent" }, { "description": "Write access to security center issues", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.issuesEditor", "stage": "GA", "title": "Security Center Issues Editor" }, { "description": "Read access to security center issues", "etag": 
"AA==", "has_undocumented": true, "name": "roles/securitycenter.issuesViewer", "stage": "GA", "title": "Security Center Issues Viewer" }, { "description": "Read-Write access to security center mute configurations", "etag": "AA==", "name": "roles/securitycenter.muteConfigsEditor", "stage": "GA", "title": "Security Center Mute Configurations Editor" }, { "description": "Read access to security center mute configurations", "etag": "AA==", "name": "roles/securitycenter.muteConfigsViewer", "stage": "GA", "title": "Security Center Mute Configurations Viewer" }, { "description": "Write access to notification configurations", "etag": "AA==", "name": "roles/securitycenter.notificationConfigEditor", "stage": "GA", "title": "Security Center Notification Configurations Editor" }, { "description": "Read access to notification configurations", "etag": "AA==", "name": "roles/securitycenter.notificationConfigViewer", "stage": "GA", "title": "Security Center Notification Configurations Viewer" }, { "description": "Security Center service agent can publish notifications to Pub/Sub topics.", "etag": "AA==", "name": "roles/securitycenter.notificationServiceAgent", "stage": "GA", "title": "Security Center Notification Service Agent" }, { "description": "Read-Write access to security center resource value configurations", "etag": "AA==", "name": "roles/securitycenter.resourceValueConfigsEditor", "stage": "GA", "title": "Security Center Resource Value Configurations Editor" }, { "description": "Read access to security center resource value configurations", "etag": "AA==", "name": "roles/securitycenter.resourceValueConfigsViewer", "stage": "GA", "title": "Security Center Resource Value Configurations Viewer" }, { "description": "Read access to security center risk reports", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.riskReportsViewer", "stage": "GA", "title": "Security Center Risk Reports Viewer" }, { "description": "Test access to Security Health Analytics 
Custom Modules", "etag": "AA==", "name": "roles/securitycenter.securityHealthAnalyticsCustomModulesTester", "stage": "GA", "title": "Security Health Analytics Custom Modules Tester" }, { "description": "Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.securityHealthAnalyticsServiceAgent", "stage": "GA", "title": "Security Health Analytics Service Agent" }, { "description": "Gives Playbook Runner permissions to execute all Google authored Playbooks. This role will keep evolving as we add more playbooks", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/securitycenter.securityResponseServiceAgent", "stage": "GA", "title": "Google Cloud Security Response Service Agent" }, { "description": "Security Center service agent can scan GCP resources and import security scans.", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.serviceAgent", "stage": "GA", "title": "Security Center Service Agent" }, { "description": "Admin(super user) access to security center settings", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.settingsAdmin", "stage": "GA", "title": "Security Center Settings Admin" }, { "description": "Read-Write access to security center settings", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.settingsEditor", "stage": "GA", "title": "Security Center Settings Editor" }, { "description": "Read access to security center settings", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycenter.settingsViewer", "stage": "GA", "title": "Security Center Settings Viewer" }, { "description": "Read access to security center simulations", "etag": "AA==", "name": "roles/securitycenter.simulationsViewer", "stage": "GA", "title": "Security Center Simulations Reader" }, { "description": "Admin access to sources", "etag": "AA==", "name": 
"roles/securitycenter.sourcesAdmin", "stage": "GA", "title": "Security Center Sources Admin" }, { "description": "Read-write access to sources", "etag": "AA==", "name": "roles/securitycenter.sourcesEditor", "stage": "GA", "title": "Security Center Sources Editor" }, { "description": "Read access to sources", "etag": "AA==", "name": "roles/securitycenter.sourcesViewer", "stage": "GA", "title": "Security Center Sources Viewer" }, { "description": "Read access to security center valued resources", "etag": "AA==", "name": "roles/securitycenter.valuedResourcesViewer", "stage": "GA", "title": "Security Center Valued Resources Reader" }, { "description": "Full access to manage Cloud Security Command Center services and custom modules configuration.", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycentermanagement.admin", "stage": "GA", "title": "Security Center Management Admin" }, { "description": "Full access to manage Cloud Security Command Center custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.customModulesEditor", "stage": "GA", "title": "Security Center Management Custom Modules Editor" }, { "description": "Readonly access to Cloud Security Command Center custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.customModulesViewer", "stage": "GA", "title": "Security Center Management Custom Modules Viewer" }, { "description": "Full access to manage Cloud Security Command Center ETD custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.etdCustomModulesEditor", "stage": "GA", "title": "Security Center Management Custom ETD Modules Editor" }, { "description": "Readonly access to Cloud Security Command Center ETD custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.etdCustomModulesViewer", "stage": "GA", "title": "Security Center Management ETD Custom Modules Viewer" }, { "description": "Full access to manage Cloud Security Command Center services configuration.", 
"etag": "AA==", "name": "roles/securitycentermanagement.securityCenterServicesEditor", "stage": "GA", "title": "Security Center Management Services Editor" }, { "description": "Readonly access to Cloud Security Command Center services configuration.", "etag": "AA==", "name": "roles/securitycentermanagement.securityCenterServicesViewer", "stage": "GA", "title": "Security Center Management Services Viewer" }, { "description": "Full access to manage Cloud Security Command Center settings", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycentermanagement.settingsEditor", "stage": "GA", "title": "Security Center Management Settings Editor" }, { "description": "Readonly access to Cloud Security Command Center settings", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycentermanagement.settingsViewer", "stage": "GA", "title": "Security Center Management Settings Viewer" }, { "description": "Full access to manage Cloud Security Command Center SHA custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.shaCustomModulesEditor", "stage": "GA", "title": "Security Center Management SHA Custom Modules Editor" }, { "description": "Readonly access to Cloud Security Command Center SHA custom modules.", "etag": "AA==", "name": "roles/securitycentermanagement.shaCustomModulesViewer", "stage": "GA", "title": "Security Center Management SHA Custom Modules Viewer" }, { "description": "Readonly access to Cloud Security Command Center services and custom modules configuration.", "etag": "AA==", "has_undocumented": true, "name": "roles/securitycentermanagement.viewer", "stage": "GA", "title": "Security Center Management Viewer" }, { "description": "Full access to Security Posture service APIs.", "etag": "AA==", "name": "roles/securityposture.admin", "stage": "GA", "title": "Security Posture Admin" }, { "description": "Mutate and read permissions to the Posture Deployment resource.", "etag": "AA==", "name": 
"roles/securityposture.postureDeployer", "stage": "GA", "title": "Security Posture Deployer" }, { "description": "Read only access to the Posture Deployment resource.", "etag": "AA==", "name": "roles/securityposture.postureDeploymentsViewer", "stage": "GA", "title": "Security Posture Deployments Viewer" }, { "description": "Mutate and read permissions to the Posture resource.", "etag": "AA==", "name": "roles/securityposture.postureEditor", "stage": "GA", "title": "Security Posture Resource Editor" }, { "description": "Read only access to the Posture resource.", "etag": "AA==", "name": "roles/securityposture.postureViewer", "stage": "GA", "title": "Security Posture Resource Viewer" }, { "description": "Create access for Reports, e.g. IaC Validation Report.", "etag": "AA==", "name": "roles/securityposture.reportCreator", "stage": "GA", "title": "Security Posture Shift-Left Validator" }, { "description": "Read only access to all the SecurityPosture Service resources.", "etag": "AA==", "name": "roles/securityposture.viewer", "stage": "GA", "title": "Security Posture Viewer" }, { "description": "Full access to ServiceBroker resources.", "etag": "AA==", "name": "roles/servicebroker.admin", "stage": "DEPRECATED", "title": "Service Broker Admin" }, { "description": "Operational access to the ServiceBroker resources.", "etag": "AA==", "name": "roles/servicebroker.operator", "stage": "DEPRECATED", "title": "Service Broker Operator" }, { "description": "Administrate tenancy units", "etag": "AA==", "name": "roles/serviceconsumermanagement.tenancyUnitsAdmin", "stage": "BETA", "title": "Admin of Tenancy Units" }, { "description": "View tenancy units", "etag": "AA==", "name": "roles/serviceconsumermanagement.tenancyUnitsViewer", "stage": "BETA", "title": "Viewer of Tenancy Units" }, { "description": "Full control of all Service Directory resources and permissions.", "etag": "AA==", "name": "roles/servicedirectory.admin", "stage": "GA", "title": "Service Directory Admin" }, { 
"description": "Edit Service Directory resources.", "etag": "AA==", "name": "roles/servicedirectory.editor", "stage": "GA", "title": "Service Directory Editor" }, { "description": "Gives access to attach VPC Networks to Service Directory Endpoints", "etag": "AA==", "name": "roles/servicedirectory.networkAttacher", "stage": "GA", "title": "Service Directory Network Attacher" }, { "description": "Gives access to VPC Networks via Service Directory", "etag": "AA==", "name": "roles/servicedirectory.pscAuthorizedService", "stage": "GA", "title": "Private Service Connect Authorized Service" }, { "description": "Give the Service Directory service agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/servicedirectory.serviceAgent", "stage": "GA", "title": "Service Directory Service Agent" }, { "description": "View Service Directory resources.", "etag": "AA==", "name": "roles/servicedirectory.viewer", "stage": "GA", "title": "Service Directory Viewer" }, { "description": "Readonly access to Personalized Service Health resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/servicehealth.viewer", "stage": "GA", "title": "Personalized Service Health Viewer" }, { "description": "Full control of Google Service Management resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/servicemanagement.admin", "stage": "GA", "title": "Service Management Administrator" }, { "description": "Can check admission of a service during runtime.", "etag": "AA==", "has_undocumented": true, "name": "roles/servicemanagement.checker", "stage": "GA", "title": "Service Checker" }, { "description": "Access to update the service config and create rollouts.", "etag": "AA==", "name": "roles/servicemanagement.configEditor", "stage": "GA", "title": "Service Config Editor" }, { "description": "Access to administer service quotas.", "etag": "AA==", "has_undocumented": true, "name": "roles/servicemanagement.quotaAdmin", "stage": "BETA", "title": "Quota 
Administrator" }, { "description": "Access to view service quotas.", "etag": "AA==", "has_undocumented": true, "name": "roles/servicemanagement.quotaViewer", "stage": "BETA", "title": "Quota Viewer" }, { "description": "Can report usage of a service during runtime.", "etag": "AA==", "name": "roles/servicemanagement.reporter", "stage": "GA", "title": "Service Reporter" }, { "description": "Can enable the service.", "etag": "AA==", "name": "roles/servicemanagement.serviceConsumer", "stage": "GA", "title": "Service Consumer" }, { "description": "Can check preconditions and report usage of a service during runtime.", "etag": "AA==", "name": "roles/servicemanagement.serviceController", "stage": "GA", "title": "Service Controller" }, { "description": "Full control of service networking with projects.", "etag": "AA==", "has_undocumented": true, "name": "roles/servicenetworking.networksAdmin", "stage": "BETA", "title": "Service Networking Admin" }, { "description": "Gives permission to manage network configuration, such as establishing network peering, necessary for service producers", "etag": "AA==", "has_undocumented": true, "name": "roles/servicenetworking.serviceAgent", "stage": "GA", "title": "Service Networking Service Agent" }, { "description": "Read-only access to Security Insights resources", "etag": "AA==", "name": "roles/servicesecurityinsights.securityInsightsViewer", "stage": "BETA", "title": "Security Insights Viewer" }, { "description": "Ability to create, delete, update, get and list API keys for a project.", "etag": "AA==", "has_undocumented": true, "name": "roles/serviceusage.apiKeysAdmin", "stage": "GA", "title": "API Keys Admin" }, { "description": "Ability to get and list API keys for a project.", "etag": "AA==", "name": "roles/serviceusage.apiKeysViewer", "stage": "GA", "title": "API Keys Viewer" }, { "description": "Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.", 
"etag": "AA==", "has_undocumented": true, "name": "roles/serviceusage.serviceUsageAdmin", "stage": "GA", "title": "Service Usage Admin" }, { "description": "Ability to inspect service states and operations, and consume quota and billing for a consumer project.", "etag": "AA==", "has_undocumented": true, "name": "roles/serviceusage.serviceUsageConsumer", "stage": "GA", "title": "Service Usage Consumer" }, { "description": "Ability to inspect service states and operations for a consumer project.", "etag": "AA==", "has_undocumented": true, "name": "roles/serviceusage.serviceUsageViewer", "stage": "GA", "title": "Service Usage Viewer" }, { "description": "Admin access to repositories", "etag": "AA==", "name": "roles/source.admin", "stage": "GA", "title": "Source Repository Administrator" }, { "description": "Read access to repositories", "etag": "AA==", "name": "roles/source.reader", "stage": "GA", "title": "Source Repository Reader" }, { "description": "Read / Write access to repositories", "etag": "AA==", "name": "roles/source.writer", "stage": "GA", "title": "Source Repository Writer" }, { "description": "Allow Cloud Source Repositories to integrate with other Cloud services.", "etag": "AA==", "has_privesc": true, "name": "roles/sourcerepo.serviceAgent", "stage": "GA", "title": "Cloud Source Repositories Service Agent" }, { "description": "Full control of Cloud Spanner resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/spanner.admin", "stage": "GA", "title": "Cloud Spanner Admin" }, { "description": "Administrator role to manage Cloud Spanner backups. Does not include permissions to restore from Cloud Spanner backups.", "etag": "AA==", "has_undocumented": true, "name": "roles/spanner.backupAdmin", "stage": "GA", "title": "Cloud Spanner Backup Admin" }, { "description": "Role with limited permissions to create and manage Cloud Spanner backups. 
Does not have permission to modify backups.", "etag": "AA==", "has_undocumented": true, "name": "roles/spanner.backupWriter", "stage": "GA", "title": "Cloud Spanner Backup Writer" }, { "description": "Full control of Cloud Spanner databases.", "etag": "AA==", "has_undocumented": true, "name": "roles/spanner.databaseAdmin", "stage": "GA", "title": "Cloud Spanner Database Admin" }, { "description": "Access to read and/or query a Cloud Spanner database.", "etag": "AA==", "has_undocumented": true, "name": "roles/spanner.databaseReader", "stage": "GA", "title": "Cloud Spanner Database Reader" }, { "description": "Includes all permissions in the spanner.databaseReader role enabling access to read and/or query a Cloud Spanner database using instance resources, as well as the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/spanner.databaseReaderWithDataBoost", "stage": "GA", "title": "Cloud Spanner Database Reader with DataBoost" }, { "description": "In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/DATABASE_ROLE_NAME`, where DATABASE_ROLE_NAME is a placeholder for that database role's name.", "etag": "AA==", "name": "roles/spanner.databaseRoleUser", "stage": "GA", "title": "Cloud Spanner Database Role User" }, { "description": "Access to read, query, write and view and change the schema of Cloud Spanner databases", "etag": "AA==", "has_undocumented": true, "name": "roles/spanner.databaseUser", "stage": "GA", "title": "Cloud Spanner Database User" }, { "description": "Grants permissions to use Spanner's fine-grained access control framework. 
To grant access to specific database roles, also add the Cloud Spanner Database Role User IAM role and its necessary conditions.", "etag": "AA==", "name": "roles/spanner.fineGrainedAccessUser", "stage": "GA", "title": "Cloud Spanner Fine-grained Access User" }, { "description": "Administrator role to restore Cloud Spanner databases from Cloud Spanner backups.", "etag": "AA==", "name": "roles/spanner.restoreAdmin", "stage": "GA", "title": "Cloud Spanner Restore Admin" }, { "description": "Cloud Spanner API Service Agent", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/spanner.serviceAgent", "stage": "GA", "title": "Cloud Spanner API Service Agent" }, { "description": "Viewer access to Cloud Spanner resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/spanner.viewer", "stage": "GA", "title": "Cloud Spanner Viewer" }, { "description": "Grants full access to all Speaker ID resources, including project settings.", "etag": "AA==", "name": "roles/speakerid.admin", "stage": "GA", "title": "Speaker ID Admin" }, { "description": "Grants access to read and write all Speaker ID resources.", "etag": "AA==", "name": "roles/speakerid.editor", "stage": "GA", "title": "Speaker ID Editor" }, { "description": "Grants read access to all Speaker ID resources, and allows verification.", "etag": "AA==", "name": "roles/speakerid.verifier", "stage": "GA", "title": "Speaker ID Verifier" }, { "description": "Grants read access to all Speaker ID resources.", "etag": "AA==", "name": "roles/speakerid.viewer", "stage": "GA", "title": "Speaker ID Viewer" }, { "description": "Gives Spectrum SAS Service Account access to enable analytics on behalf of users.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/spectrumsas.serviceAgent", "stage": "GA", "title": "Spectrum SAS Service Agent" }, { "description": "Grants full access to all resources in 
Speech-to-text", "etag": "AA==", "name": "roles/speech.admin", "stage": "GA", "title": "Cloud Speech Administrator" }, { "description": "Grants access to the recognition APIs.", "etag": "AA==", "name": "roles/speech.client", "stage": "GA", "title": "Cloud Speech Client" }, { "description": "Grants access to edit resources in Speech-to-text", "etag": "AA==", "name": "roles/speech.editor", "stage": "GA", "title": "Cloud Speech Editor" }, { "description": "Gives Speech-to-Text service account access to GCS resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/speech.serviceAgent", "stage": "GA", "title": "Cloud Speech-to-Text Service Agent" }, { "description": "Read/write access to manage Stackdriver account structure.", "etag": "AA==", "has_undocumented": true, "name": "roles/stackdriver.accounts.editor", "stage": "GA", "title": "Stackdriver Accounts Editor" }, { "description": "Read-only access to get and list information about Stackdriver account structure.", "etag": "AA==", "name": "roles/stackdriver.accounts.viewer", "stage": "GA", "title": "Stackdriver Accounts Viewer" }, { "description": "Write-only access to resource metadata. 
This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.", "etag": "AA==", "name": "roles/stackdriver.resourceMetadata.writer", "stage": "BETA", "title": "Stackdriver Resource Metadata Writer" }, { "description": "Grants full control of buckets and objects.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/storage.admin", "stage": "GA", "title": "Storage Admin" }, { "description": "Grants permission to view buckets and their metadata, excluding IAM policies.", "etag": "AA==", "has_undocumented": true, "name": "roles/storage.bucketViewer", "stage": "BETA", "title": "Storage Bucket Viewer" }, { "description": "Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.", "etag": "AA==", "has_undocumented": true, "name": "roles/storage.expressModeServiceInput", "stage": "BETA", "title": "Storage Express Mode Service Input" }, { "description": "Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/storage.expressModeServiceOutput", "stage": "BETA", "title": "Storage Express Mode Service Output" }, { "description": "Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/storage.expressModeUserAccess", "stage": "BETA", "title": "Storage Express Mode User Access" }, { "description": "Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/storage.folderAdmin", "stage": "GA", "title": "Storage Folder 
Admin" }, { "description": "Grants full control over HMAC keys in a project.", "etag": "AA==", "name": "roles/storage.hmacKeyAdmin", "stage": "GA", "title": "Storage HMAC Key Admin" }, { "description": "Grants read access to object metadata in inventory reports.", "etag": "AA==", "name": "roles/storage.insightsCollectorService", "stage": "GA", "title": "Storage Insights Collector Service" }, { "description": "Grants permission to create, replace, and delete objects; list objects in a bucket; create, delete, and list tag bindings; read object metadata when listing (excluding IAM policies); and read and edit bucket metadata, including IAM policies.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/storage.legacyBucketOwner", "stage": "GA", "title": "Storage Legacy Bucket Owner" }, { "description": "Grants permission to list a bucket's contents and read bucket metadata, excluding IAM policies. Also grants permission to read object metadata when listing objects (excluding IAM policies).", "etag": "AA==", "has_undocumented": true, "name": "roles/storage.legacyBucketReader", "stage": "GA", "title": "Storage Legacy Bucket Reader" }, { "description": "Grants permission to create, replace, and delete objects; list objects in a bucket; read object metadata when listing (excluding IAM policies); and read bucket metadata, excluding IAM policies.", "etag": "AA==", "has_undocumented": true, "name": "roles/storage.legacyBucketWriter", "stage": "GA", "title": "Storage Legacy Bucket Writer" }, { "description": "Grants permission to view and edit objects and their metadata, including ACLs.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/storage.legacyObjectOwner", "stage": "GA", "title": "Storage Legacy Object Owner" }, { "description": "Grants permission to view objects and their metadata, excluding ACLs.", "etag": "AA==", "has_dataaccess": true, "name": "roles/storage.legacyObjectReader", 
"stage": "GA", "title": "Storage Legacy Object Reader" }, { "description": "Grants full control over objects, including listing, creating, viewing, and deleting objects.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/storage.objectAdmin", "stage": "GA", "title": "Storage Object Admin" }, { "description": "Allows users to create objects. Does not give permission to view, delete, or replace objects.", "etag": "AA==", "has_undocumented": true, "name": "roles/storage.objectCreator", "stage": "GA", "title": "Storage Object Creator" }, { "description": "Access to create, read, update and delete objects and multipart uploads in GCS.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/storage.objectUser", "stage": "GA", "title": "Storage Object User" }, { "description": "Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/storage.objectViewer", "stage": "GA", "title": "Storage Object Viewer" }, { "description": "Full access to Storage Batch Operations resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/storagebatchoperations.admin", "stage": "GA", "title": "Storage Batch Operations Admin" }, { "description": "Readonly access to Storage Batch Operations resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/storagebatchoperations.viewer", "stage": "GA", "title": "Storage Batch Operations Viewer" }, { "description": "Full access to Storage Insights resources.", "etag": "AA==", "name": "roles/storageinsights.admin", "stage": "GA", "title": "Storage Insights Admin" }, { "description": "Data access to Storage Insights.", "etag": "AA==", "name": "roles/storageinsights.analyst", "stage": "GA", "title": "Storage Insights Analyst" }, { "description": "Permissions for Insights to write reports into customer project", "etag": 
"AA==", "name": "roles/storageinsights.serviceAgent", "stage": "GA", "title": "StorageInsights Service Agent" }, { "description": "Readonly access to Storage Insights resources.", "etag": "AA==", "name": "roles/storageinsights.viewer", "stage": "GA", "title": "Storage Insights Viewer" }, { "description": "Create, update and manage transfer jobs and operations.", "etag": "AA==", "name": "roles/storagetransfer.admin", "stage": "GA", "title": "Storage Transfer Admin" }, { "description": "Grants Storage Transfer Service Agent permissions required to run transfers", "etag": "AA==", "has_dataaccess": true, "name": "roles/storagetransfer.serviceAgent", "stage": "GA", "title": "Storage Transfer Service Agent" }, { "description": "Perform transfers from an agent.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/storagetransfer.transferAgent", "stage": "GA", "title": "Storage Transfer Agent" }, { "description": "Create and update storage transfer jobs and operations.", "etag": "AA==", "name": "roles/storagetransfer.user", "stage": "GA", "title": "Storage Transfer User" }, { "description": "Read access to storage transfer jobs and operations.", "etag": "AA==", "name": "roles/storagetransfer.viewer", "stage": "GA", "title": "Storage Transfer Viewer" }, { "description": "Full access to Stream all resources.", "etag": "AA==", "name": "roles/stream.admin", "stage": "GA", "title": "Stream Admin" }, { "description": "Full access to all StreamContent resources.", "etag": "AA==", "name": "roles/stream.contentAdmin", "stage": "GA", "title": "Stream Content Admin" }, { "description": "Read and build access to StreamContent resources.", "etag": "AA==", "name": "roles/stream.contentBuilder", "stage": "GA", "title": "Stream Content Builder" }, { "description": "Full access to all StreamInstance resources and Read access to all StreamContent resources.", "etag": "AA==", "name": "roles/stream.instanceAdmin", "stage": "GA", "title": "Stream Instance Admin" 
}, { "description": "Gives Immersive Stream for XR access to the required resources.", "etag": "AA==", "has_dataaccess": true, "name": "roles/stream.serviceAgent", "stage": "GA", "title": "Stream Service Agent" }, { "description": "Read-only access to Stream all resources.", "etag": "AA==", "name": "roles/stream.viewer", "stage": "GA", "title": "Stream Viewer" }, { "description": "Access DevTools for Subscribe with Google", "etag": "AA==", "name": "roles/subscribewithgoogledeveloper.developer", "stage": "BETA", "title": "Subscribe with Google Developer" }, { "description": "Full access to Telco Automation resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/telcoautomation.admin", "stage": "BETA", "title": "Telco Automation Admin" }, { "description": "Ability to manage blueprints", "etag": "AA==", "name": "roles/telcoautomation.blueprintDesigner", "stage": "BETA", "title": "Telco Automation Blueprint Designer" }, { "description": "Ability to manage deployments", "etag": "AA==", "name": "roles/telcoautomation.deploymentAdmin", "stage": "BETA", "title": "Telco Automation Deployment Admin" }, { "description": "Ability to get status of deployments", "etag": "AA==", "has_undocumented": true, "name": "roles/telcoautomation.opsAdminTier1", "stage": "BETA", "title": "Telco Automation Tier 1 Operations Admin" }, { "description": "Ability to manage deployments and their status", "etag": "AA==", "has_undocumented": true, "name": "roles/telcoautomation.opsAdminTier4", "stage": "BETA", "title": "Telco Automation Tier 4 Operations Admin" }, { "description": "Ability to manage deployments", "etag": "AA==", "name": "roles/telcoautomation.serviceOrchestrator", "stage": "BETA", "title": "Telco Automation Service Orchestrator" }, { "description": "Grants permission management access to consumer resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/telemetry.consumerAdmin", "stage": "BETA", "title": "Consumer Admin" }, { "description": "Access to write 
logs.", "etag": "AA==", "has_undocumented": true, "name": "roles/telemetry.logsWriter", "stage": "BETA", "title": "Cloud Telemetry Logs Writer" }, { "description": "Access to write metrics.", "etag": "AA==", "has_undocumented": true, "name": "roles/telemetry.metricsWriter", "stage": "GA", "title": "Cloud Telemetry Metrics Writer" }, { "description": "Allows an onboarded service to write log data to a destination.", "etag": "AA==", "has_undocumented": true, "name": "roles/telemetry.serviceLogsWriter", "stage": "BETA", "title": "Integrated Service Telemetry Logs Writer" }, { "description": "Allows an onboarded service to write metrics data to a destination.", "etag": "AA==", "has_undocumented": true, "name": "roles/telemetry.serviceMetricsWriter", "stage": "BETA", "title": "Integrated Service Telemetry Metrics Writer" }, { "description": "Allows an onboarded service to write all telemetry data to a destination.", "etag": "AA==", "has_undocumented": true, "name": "roles/telemetry.serviceTelemetryWriter", "stage": "BETA", "title": "Integrated Service Telemetry Writer" }, { "description": "Allows an onboarded service to write trace data to a destination.", "etag": "AA==", "has_undocumented": true, "name": "roles/telemetry.serviceTracesWriter", "stage": "BETA", "title": "Integrated Service Telemetry Traces Writer" }, { "description": "Access to write trace spans.", "etag": "AA==", "has_undocumented": true, "name": "roles/telemetry.tracesWriter", "stage": "GA", "title": "Cloud Telemetry Traces Writer" }, { "description": "Full access to write all telemetry data.", "etag": "AA==", "has_undocumented": true, "name": "roles/telemetry.writer", "stage": "GA", "title": "Cloud Telemetry Writer" }, { "description": "This role can view and edit all properties of resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/threatintelligence.alertAdmin", "stage": "BETA", "title": "GTI Alert Admin" }, { "description": "This role can view and edit properties of resources, 
except for editing configurations and exporting alerts.", "etag": "AA==", "has_undocumented": true, "name": "roles/threatintelligence.alertUser", "stage": "BETA", "title": "GTI Alert User" }, { "description": "This role can view and edit all properties of resources along with the Projects.", "etag": "AA==", "has_undocumented": true, "name": "roles/threatintelligence.ctemAdmin", "stage": "BETA", "title": "CTEM Admin" }, { "description": "This role can view and edit all properties of resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/threatintelligence.ctemEditor", "stage": "BETA", "title": "CTEM Editor" }, { "description": "CTEM Project Admin", "etag": "AA==", "has_undocumented": true, "name": "roles/threatintelligence.ctemProjectAdmin", "stage": "BETA", "title": "CTEM Project Admin" }, { "description": "This role can view all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/threatintelligence.ctemViewer", "stage": "BETA", "title": "CTEM Viewer" }, { "description": "Edit access to DataSets.", "etag": "AA==", "name": "roles/timeseriesinsights.datasetsEditor", "stage": "BETA", "title": "Timeseries Insights DataSet Editor" }, { "description": "Full access to DataSets.", "etag": "AA==", "name": "roles/timeseriesinsights.datasetsOwner", "stage": "BETA", "title": "Timeseries Insights DataSet Owner" }, { "description": "Read-only access (List and Query) to DataSets.", "etag": "AA==", "name": "roles/timeseriesinsights.datasetsViewer", "stage": "BETA", "title": "Timeseries Insights DataSet Viewer" }, { "description": "Full access to TPU nodes and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/tpu.admin", "stage": "GA", "title": "TPU Admin" }, { "description": "Give Cloud TPUs service account access to managed resources", "etag": "AA==", "has_undocumented": true, "name": "roles/tpu.serviceAgent", "stage": "GA", "title": "Cloud TPU API Service Agent" }, { "description": "Read-only access to TPU nodes and 
related resources.", "etag": "AA==", "name": "roles/tpu.viewer", "stage": "GA", "title": "TPU Viewer" }, { "description": "Can use shared VPC network (XPN) for the TPU VMs.", "etag": "AA==", "name": "roles/tpu.xpnAgent", "stage": "GA", "title": "TPU Shared VPC Agent" }, { "description": "Traffic Director Client to fetch service configurations and report metrics", "etag": "AA==", "name": "roles/trafficdirector.client", "stage": "BETA", "title": "Traffic Director Client" }, { "description": "Full access to all transcoder resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/transcoder.admin", "stage": "GA", "title": "Transcoder Admin" }, { "description": "Downloads and uploads media files from and to customer GCS buckets. Publishes status updates to customer Pub/Sub.", "etag": "AA==", "has_dataaccess": true, "name": "roles/transcoder.serviceAgent", "stage": "GA", "title": "Transcoder Service Agent" }, { "description": "Viewer of all transcoder resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/transcoder.viewer", "stage": "GA", "title": "Transcoder Viewer" }, { "description": "Full access to Transfer Appliance all resources.", "etag": "AA==", "name": "roles/transferappliance.admin", "stage": "BETA", "title": "Transfer Appliance Admin" }, { "description": "Read-only access to Transfer Appliance all resources.", "etag": "AA==", "name": "roles/transferappliance.viewer", "stage": "BETA", "title": "Transfer Appliance Viewer" }, { "description": "Admin of Translation Hub", "etag": "AA==", "name": "roles/translationhub.admin", "stage": "BETA", "title": "Translation Hub Admin" }, { "description": "Portal user of Translation Hub", "etag": "AA==", "name": "roles/translationhub.portalUser", "stage": "BETA", "title": "Translation Hub Portal User" }, { "description": "Grants full access to all vectorsearch resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/vectorsearch.admin", "stage": "GA", "title": "Vector Search Admin" }, { 
"description": "Grants read-write access to Collections.", "etag": "AA==", "has_undocumented": true, "name": "roles/vectorsearch.collectionWriter", "stage": "GA", "title": "Vector Search Collection Writer" }, { "description": "Grants read-write access to DataObjects and read access to parent Collections.", "etag": "AA==", "has_undocumented": true, "name": "roles/vectorsearch.dataObjectWriter", "stage": "GA", "title": "Vector Search DataObject Writer" }, { "description": "Grants read-write access to Indexes and read access to parent Collections.", "etag": "AA==", "has_undocumented": true, "name": "roles/vectorsearch.indexWriter", "stage": "GA", "title": "Vector Search Index Writer" }, { "description": "Gives Vector Search access to read Cloud Storage buckets and read/create objects.", "etag": "AA==", "has_dataaccess": true, "has_undocumented": true, "name": "roles/vectorsearch.serviceAgent", "stage": "GA", "title": "Vector Search Service Agent" }, { "description": "Grants read access to all vectorsearch resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/vectorsearch.viewer", "stage": "GA", "title": "Vector Search Viewer" }, { "description": "Full access to all video stitcher resources.", "etag": "AA==", "name": "roles/videostitcher.admin", "stage": "GA", "title": "Video Stitcher Admin" }, { "description": "Full access to video stitcher sessions.", "etag": "AA==", "name": "roles/videostitcher.user", "stage": "GA", "title": "Video Stitcher User" }, { "description": "Read-only access to video stitcher resources.", "etag": "AA==", "name": "roles/videostitcher.viewer", "stage": "GA", "title": "Video Stitcher Viewer" }, { "description": "View most Google Cloud resources. 
See the list of included permissions.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/viewer", "stage": "GA", "title": "Viewer" }, { "description": "Full access to Vision AI all resources.", "etag": "AA==", "name": "roles/visionai.admin", "stage": "BETA", "title": "VisionAI Admin" }, { "description": "Access to read and write Vision AI Analyses.", "etag": "AA==", "name": "roles/visionai.analysisEditor", "stage": "BETA", "title": "Vision AI Analysis Editor" }, { "description": "Access to read Vision AI Analyses.", "etag": "AA==", "name": "roles/visionai.analysisViewer", "stage": "BETA", "title": "Vision AI Analysis Viewer" }, { "description": "Grants access to edit media asset annotations into the Warehouse.", "etag": "AA==", "name": "roles/visionai.annotationEditor", "stage": "BETA", "title": "VisionAI Warehouse Annotation Editor" }, { "description": "Grants access to view media asset annotations into the Warehouse.", "etag": "AA==", "name": "roles/visionai.annotationViewer", "stage": "BETA", "title": "VisionAI Warehouse Annotation Viewer" }, { "description": "Access to read and write Vision AI Applications.", "etag": "AA==", "name": "roles/visionai.applicationEditor", "stage": "BETA", "title": "Vision AI Application Editor" }, { "description": "Access to read Vision AI Applications.", "etag": "AA==", "name": "roles/visionai.applicationViewer", "stage": "BETA", "title": "Vision AI Application Viewer" }, { "description": "Grants access to ingest media assets into the Warehouse.", "etag": "AA==", "name": "roles/visionai.assetCreator", "stage": "BETA", "title": "VisionAI Warehouse Asset Creator" }, { "description": "Grants access to edit media assets into the Warehouse.", "etag": "AA==", "name": "roles/visionai.assetEditor", "stage": "BETA", "title": "VisionAI Warehouse Asset Editor" }, { "description": "Grants access to view media assets into the Warehouse.", "etag": "AA==", 
"name": "roles/visionai.assetViewer", "stage": "BETA", "title": "VisionAI Warehouse Asset Viewer" }, { "description": "Access to read and write Vision AI Cluster.", "etag": "AA==", "name": "roles/visionai.clusterEditor", "stage": "BETA", "title": "Vision AI Cluster Editor" }, { "description": "Access to read Vision AI Clusters.", "etag": "AA==", "name": "roles/visionai.clusterViewer", "stage": "BETA", "title": "Vision AI Cluster Viewer" }, { "description": "Full control to everything in a corpus including corpus access control.", "etag": "AA==", "name": "roles/visionai.corpusAdmin", "stage": "BETA", "title": "VisionAI Warehouse Corpus Administrator" }, { "description": "Read-write access to everything in a corpus.", "etag": "AA==", "name": "roles/visionai.corpusEditor", "stage": "BETA", "title": "VisionAI Warehouse Corpus Editor" }, { "description": "Grants access to view everything in a corpus.", "etag": "AA==", "name": "roles/visionai.corpusViewer", "stage": "BETA", "title": "VisionAI Warehouse Corpus Viewer" }, { "description": "Grants access to create/update/delete everything in a corpus.", "etag": "AA==", "name": "roles/visionai.corpusWriter", "stage": "BETA", "title": "VisionAI Warehouse Corpus Writer" }, { "description": "Edit access to Vision AI all resources.", "etag": "AA==", "name": "roles/visionai.editor", "stage": "BETA", "title": "VisionAI Editor" }, { "description": "Access to read and write Vision AI Events.", "etag": "AA==", "name": "roles/visionai.eventEditor", "stage": "BETA", "title": "Vision AI Event Editor" }, { "description": "Access to read Vision AI Events.", "etag": "AA==", "name": "roles/visionai.eventViewer", "stage": "BETA", "title": "Vision AI Event Viewer" }, { "description": "Full control of all Media Warehouse resources and permissions.", "etag": "AA==", "name": "roles/visionai.indexEndpointAdmin", "stage": "BETA", "title": "VisionAI Warehouse IndexEndpoint Administrator" }, { "description": "Read, write and create access to all 
index endpoints level resources.", "etag": "AA==", "name": "roles/visionai.indexEndpointEditor", "stage": "BETA", "title": "VisionAI Warehouse IndexEndpoint Editor" }, { "description": "Grants access to view all index endpoint resources and be able to search on them. (ReadOnly)\n", "etag": "AA==", "name": "roles/visionai.indexEndpointViewer", "stage": "BETA", "title": "VisionAI Warehouse IndexEndpoint Viewer" }, { "description": "Grants access to perform update, delete, deploy and undeploy operations on the index endpoint.\n", "etag": "AA==", "name": "roles/visionai.indexEndpointWriter", "stage": "BETA", "title": "VisionAI Warehouse IndexEndpoint Writer" }, { "description": "Access to read and write Vision AI Operators.", "etag": "AA==", "name": "roles/visionai.operatorEditor", "stage": "BETA", "title": "Vision AI Operator Editor" }, { "description": "Access to read Vision AI Operators.", "etag": "AA==", "name": "roles/visionai.operatorViewer", "stage": "BETA", "title": "Vision AI Operator Viewer" }, { "description": "Access to read Vision AI Series.", "etag": "AA==", "name": "roles/visionai.packetReceiver", "stage": "BETA", "title": "Vision AI Packet Receiver" }, { "description": "Packet sender to the series.", "etag": "AA==", "name": "roles/visionai.packetSender", "stage": "BETA", "title": "Vision AI Packet Sender" }, { "description": "Access to read and write Vision AI Processors.", "etag": "AA==", "name": "roles/visionai.processorEditor", "stage": "BETA", "title": "Vision AI Processor Editor" }, { "description": "Access to read Vision AI Processors.", "etag": "AA==", "name": "roles/visionai.processorViewer", "stage": "BETA", "title": "Vision AI Processor Viewer" }, { "description": "Access to read and write Vision AI RetailCatalogs.", "etag": "AA==", "name": "roles/visionai.retailcatalogEditor", "stage": "BETA", "title": "Vision AI RetailCatalog Editor" }, { "description": "Access to read Vision AI RetailCatalogs.", "etag": "AA==", "name": 
"roles/visionai.retailcatalogViewer", "stage": "BETA", "title": "Vision AI RetailCatalog Viewer" }, { "description": "Access to read and write Vision AI RetailEndpoints.", "etag": "AA==", "name": "roles/visionai.retailendpointEditor", "stage": "BETA", "title": "Vision AI RetailEndpoint Editor" }, { "description": "Access to read Vision AI RetailEndpoints.", "etag": "AA==", "name": "roles/visionai.retailendpointViewer", "stage": "BETA", "title": "Vision AI RetailEndpoint Viewer" }, { "description": "Access to read and write Vision AI Series.", "etag": "AA==", "name": "roles/visionai.seriesEditor", "stage": "BETA", "title": "Vision AI Series Editor" }, { "description": "Access to read Vision AI Series.", "etag": "AA==", "name": "roles/visionai.seriesViewer", "stage": "BETA", "title": "Vision AI Series Viewer" }, { "description": "Grants Cloud Vision AI service account permissions to manage resources in consumer project", "etag": "AA==", "has_dataaccess": true, "name": "roles/visionai.serviceAgent", "stage": "GA", "title": "Cloud Vision AI Service Agent" }, { "description": "Access to read and write Vision AI Streams.", "etag": "AA==", "name": "roles/visionai.streamEditor", "stage": "BETA", "title": "Vision AI Stream Editor" }, { "description": "Access to read Vision AI Streams.", "etag": "AA==", "name": "roles/visionai.streamViewer", "stage": "BETA", "title": "Vision AI Stream Viewer" }, { "description": "Access to read & write Vision AI UI Streams.", "etag": "AA==", "name": "roles/visionai.uiStreamEditor", "stage": "BETA", "title": "Vision AI UI Stream Editor" }, { "description": "Access to read Vision AI UI Streams.", "etag": "AA==", "name": "roles/visionai.uiStreamViewer", "stage": "BETA", "title": "Vision AI UI Stream Viewer" }, { "description": "View access to Vision AI all resources.", "etag": "AA==", "name": "roles/visionai.viewer", "stage": "BETA", "title": "VisionAI Viewer" }, { "description": "Read and write access to all Visual Inspection AI resources 
except visualinspection.locations.reportUsageMetrics", "etag": "AA==", "name": "roles/visualinspection.editor", "stage": "GA", "title": "Visual Inspection AI Solution Editor" }, { "description": "Grants Visual Inspection AI Service Agent admin roles for accessing/exporting training data, pushing containers artifacts to GCR and ArtifactsRegistry, and Vertex AI for storing data and running training jobs.", "etag": "AA==", "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/visualinspection.serviceAgent", "stage": "GA", "title": "Visual Inspection AI Service Agent" }, { "description": "ReportUsageMetric access to Visual Inspection AI Service", "etag": "AA==", "name": "roles/visualinspection.usageMetricsReporter", "stage": "GA", "title": "Visual Inspection AI Usage Metrics Reporter" }, { "description": "Read access to Visual Inspection AI resources", "etag": "AA==", "name": "roles/visualinspection.viewer", "stage": "GA", "title": "Visual Inspection AI Viewer" }, { "description": "Ability to view and edit all VM Migration objects", "etag": "AA==", "has_undocumented": true, "name": "roles/vmmigration.admin", "stage": "BETA", "title": "VM Migration Administrator" }, { "description": "Grants VM Migration Service Account access to create migrated VMs, disks and images in the user project.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/vmmigration.serviceAgent", "stage": "GA", "title": "VM Migration Service Agent" }, { "description": "Ability to view all VM Migration objects", "etag": "AA==", "has_undocumented": true, "name": "roles/vmmigration.viewer", "stage": "BETA", "title": "VM Migration Viewer" }, { "description": "Gives permission to manage network configuration, such as establishing network peering, necessary for GCVE", "etag": "AA==", "has_undocumented": true, "name": "roles/vmwareengine.serviceAgent", "stage": "GA", "title": "VMware Engine 
Service Agent" }, { "description": "Admin has full access to VMware Engine Service", "etag": "AA==", "has_undocumented": true, "name": "roles/vmwareengine.vmwareengineAdmin", "stage": "GA", "title": "VMware Engine Service Admin" }, { "description": "Privileged User has access to VMWare Engine Service Privileged API", "etag": "AA==", "has_undocumented": true, "name": "roles/vmwareengine.vmwareenginePrivilegedUser", "stage": "GA", "title": "VMware Engine Service Privileged User" }, { "description": "Viewer has read-only access to VMware Engine Service", "etag": "AA==", "has_undocumented": true, "name": "roles/vmwareengine.vmwareengineViewer", "stage": "GA", "title": "VMware Engine Service Viewer" }, { "description": "Full access to all Serverless VPC Access resources", "etag": "AA==", "name": "roles/vpcaccess.admin", "stage": "GA", "title": "Serverless VPC Access Admin" }, { "description": "Can create and manage resources to support serverless application to connect to virtual private cloud.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "name": "roles/vpcaccess.serviceAgent", "stage": "GA", "title": "Serverless VPC Access Service Agent" }, { "description": "User of Serverless VPC Access connectors", "etag": "AA==", "name": "roles/vpcaccess.user", "stage": "GA", "title": "Serverless VPC Access User" }, { "description": "Viewer of all Serverless VPC Access resources", "etag": "AA==", "name": "roles/vpcaccess.viewer", "stage": "GA", "title": "Serverless VPC Access Viewer" }, { "description": "Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details.", "etag": "AA==", "name": "roles/websecurityscanner.serviceAgent", "stage": "GA", "title": "Cloud Web Security Scanner Service Agent" }, { "description": "Full access to workflows and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/workflows.admin", "stage": "GA", "title": "Workflows Admin" }, { 
"description": "Read and write access to workflows and related resources, including development and debugging of workflows.", "etag": "AA==", "has_undocumented": true, "name": "roles/workflows.editor", "stage": "GA", "title": "Workflows Editor" }, { "description": "Access to execute workflows and manage the executions using the API. Does not provide access to develop and debug workflows.", "etag": "AA==", "name": "roles/workflows.invoker", "stage": "GA", "title": "Workflows Invoker" }, { "description": "Gives Cloud Workflows service account access to managed resources.", "etag": "AA==", "has_privesc": true, "has_undocumented": true, "name": "roles/workflows.serviceAgent", "stage": "GA", "title": "Cloud Workflows Service Agent" }, { "description": "Read-only access to workflows and related resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/workflows.viewer", "stage": "GA", "title": "Workflows Viewer" }, { "description": "Full access to all Workload Certificate API resources.", "etag": "AA==", "name": "roles/workloadcertificate.admin", "stage": "BETA", "title": "Workload Certificate Admin" }, { "description": "Full access to WorkloadRegistration resources.", "etag": "AA==", "name": "roles/workloadcertificate.registrationAdmin", "stage": "BETA", "title": "Workload Certificate Registration Admin" }, { "description": "Read-only access to WorkloadRegistration resources.", "etag": "AA==", "name": "roles/workloadcertificate.registrationViewer", "stage": "BETA", "title": "Workload Certificate Registration Viewer" }, { "description": "Gives the Workload Certificate service agent access to Cloud Platform resources.", "etag": "AA==", "name": "roles/workloadcertificate.serviceAgent", "stage": "GA", "title": "Workload Certificate Service Agent" }, { "description": "Read-only access to Workload Certificate all resources.", "etag": "AA==", "name": "roles/workloadcertificate.viewer", "stage": "BETA", "title": "Workload Certificate Viewer" }, { "description": 
"Full access to Workload Manager all resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/workloadmanager.admin", "stage": "BETA", "title": "Workload Manager Admin" }, { "description": "Full access to Workload Manager deployment resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/workloadmanager.deploymentAdmin", "stage": "BETA", "title": "Workload Manager Deployment Admin" }, { "description": "Read-only access to Workload Manager deployment resources.", "etag": "AA==", "name": "roles/workloadmanager.deploymentViewer", "stage": "BETA", "title": "Workload Manager Deployment Viewer" }, { "description": "Full access to Workload Manager evaluation resources.", "etag": "AA==", "name": "roles/workloadmanager.evaluationAdmin", "stage": "BETA", "title": "Workload Manager Evaluation Admin" }, { "description": "Read-only access to Workload Manager evaluation resources.", "etag": "AA==", "name": "roles/workloadmanager.evaluationViewer", "stage": "BETA", "title": "Workload Manager Evaluation Viewer" }, { "description": "The role used to write data to WLM data warehouse.", "etag": "AA==", "has_undocumented": true, "name": "roles/workloadmanager.insightWriter", "stage": "BETA", "title": "Workload Manager Insights Writer" }, { "description": "Gives Workload Manager Service Agent access to CAI export functions and Cloud Monitoring.", "etag": "AA==", "name": "roles/workloadmanager.serviceAgent", "stage": "GA", "title": "Workload Manager Service Agent" }, { "description": "Read-only access to Workload Manager all resources.", "etag": "AA==", "name": "roles/workloadmanager.viewer", "stage": "BETA", "title": "Workload Manager Viewer" }, { "description": "The role used by Workload Manager application runners to read and update workloads.", "etag": "AA==", "name": "roles/workloadmanager.worker", "stage": "BETA", "title": "Workload Manager Worker" }, { "description": "The role used to view the workload related data.", "etag": "AA==", "has_undocumented": 
true, "name": "roles/workloadmanager.workloadViewer", "stage": "BETA", "title": "Workload Manager Workload Viewer" }, { "description": "Grants CRUD access to all Workstation resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/workstations.admin", "stage": "GA", "title": "Cloud Workstations Admin" }, { "description": "Grants ability to connect a Workstation Cluster to a shared VPC network.", "etag": "AA==", "name": "roles/workstations.networkAdmin", "stage": "GA", "title": "Cloud Workstations Network Admin" }, { "description": "Grants ability to view Cloud Workstations API operations.", "etag": "AA==", "name": "roles/workstations.operationViewer", "stage": "GA", "title": "Cloud Workstations Operation Viewer" }, { "description": "Grants permission to set IAM policy on workstation.", "etag": "AA==", "has_undocumented": true, "name": "roles/workstations.policyAdmin", "stage": "GA", "title": "Cloud Workstations Policy Admin" }, { "description": "Grants the Workstations Service Account access to manage resources in consumer project.", "etag": "AA==", "has_credentialexposure": true, "has_dataaccess": true, "has_privesc": true, "has_undocumented": true, "name": "roles/workstations.serviceAgent", "stage": "GA", "title": "Workstations Service Agent" }, { "description": "Grants runtime access to Workstation resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/workstations.user", "stage": "GA", "title": "Cloud Workstations User" }, { "description": "Grants ability to create Workstation resources.", "etag": "AA==", "has_undocumented": true, "name": "roles/workstations.workstationCreator", "stage": "GA", "title": "Cloud Workstations Creator" }, { "description": "Grants ability to create workstations with exemption from max_usable_workstations Limit.", "etag": "AA==", "has_undocumented": true, "name": "roles/workstations.workstationLimitExemptedCreator", "stage": "GA", "title": "Cloud Workstations Limit Exempted Creator" }, { "description": 
"Read access to all resources.", "etag": "AA==", "name": "roles/reader", "stage": "ALPHA", "title": "Reader" }, { "description": "Write access to all resources.", "etag": "AA==", "name": "roles/writer", "stage": "ALPHA", "title": "Writer" }, { "description": "Full access to all resources.", "etag": "AA==", "name": "roles/admin", "stage": "ALPHA", "title": "Admin" } ]