App Hub roles and permissions

App Hub has three Identity and Access Management (IAM) roles:

App Hub Admin (roles/apphub.admin)
App Hub Editor (roles/apphub.editor)
App Hub Viewer (roles/apphub.viewer)

App Hub roles

The following table describes the three roles and their typical responsibilities.

Role	Description	Purpose
App Hub Admin	Ability to attach service project(s) to the host project, create application, update application attributes, register services and workloads, update service and workload attributes, and delegate application control to App Hub Editor	To manage the full lifecycle of a host project and attach the service project(s) Typically platform admins, who generally have administrative permissions and full visibility of the end-to-end architecture
App Hub Editor	Ability to create and update applications; register and unregister services and workloads; update attributes.	To scale the capability to create, update or delete services and workloads, so that it eases the effort of Platform Admins Typically an application operator who has a good understanding of the deployments
App Hub Viewer	Ability to view services, workloads and applications, and their attributes.	To enable basic visibility across services, workloads and applications, and their dependencies Typically most personnel(s) in the organization. To get the most value, all App Hub users should be granted this role

App Hub Permissions

The following table describes App Hub permissions and the IAM roles that have these permissions.

Permissions	Description	AppHub Admin	AppHub Editor	AppHub Viewer
apphub.serviceProjectAttachments.create	Add service project to the host project. This permission is checked on host project during new service project attachment.	✔
apphub.serviceProjectAttachments.delete	Delete service project attachment from host project	✔
apphub.serviceProjectAttachments.list	List service projects attachments added to host project	✔
apphub.serviceProjectAttachments.get	Get service project attachment to host project	✔
apphub.serviceProjectAttachments.attach	Attach project as a service project to host project. This permission is checked on a service project during new service project attachment.	✔
apphub.serviceProjectAttachments.detach	Detach a service project from any host project it is attached to. This permission is only checked on a service project and when detachment takes place from the service project side.	✔
apphub.serviceProjectAttachments.lookup	Get a host project to which a service project is attached. This permission is only checked on service projects when the `LookupServiceProjectAttachment` API is called on that service project.	✔	✔	✔
apphub.services.create	Add services to applications. This permission is checked on the application when adding a service.	✔	✔
apphub.services.delete	Unregister services from applications	✔	✔
apphub.services.update	Update registered services details or metadata	✔	✔
apphub.services.get	Get details about a registered Service	✔	✔	✔
apphub.services.list	List registered services	✔	✔	✔
apphub.discoveredservices.get	Get details about a discovered Service	✔	✔	✔
apphub.discoveredservices.list	List discovered services	✔	✔	✔
apphub.discoveredservices.register	Add services to applications. This permission is checked on the host project when adding service to an application.	✔	✔
apphub.workloads.create	Add workloads to applications. This permission is checked on the application when adding a workload.	✔	✔
apphub.workloads.delete	Unregister workloads from applications	✔	✔
apphub.workloads.update	Update registered workloads details or metadata	✔	✔
apphub.workloads.get	Get details about a registered workload.	✔	✔	✔
apphub.workloads.list	List registered workloads.	✔	✔	✔
apphub.discoveredworkloads.get	Get details about a discovered Workload	✔	✔	✔
apphub.discoveredworkloads.list	List discovered workloads	✔	✔	✔
apphub.discoveredworkloads.register	Add workloads to applications. This permission is checked on the host project when adding workload to an application.	✔	✔
apphub.applications.create	Create application	✔	✔
apphub.applications.delete	Delete application	✔	✔
apphub.applications.update	Update applications details or metadata	✔	✔
apphub.applications.get	Get details about an application	✔	✔	✔
apphub.applications.list	List applications	✔	✔	✔
apphub.applications.setIamPolicy	Set IAM policies on application	✔
apphub.applications.getIamPolicy	Get IAM policies on application	✔
resourcemanager.projects.get	Get project	✔	✔	✔
resourcemanager.projects.list	List projects	✔	✔	✔
apphub.operations.get	Get long running operations	✔	✔	✔
apphub.operations.list	List long running operations	✔	✔	✔
apphub.operations.delete	Delete a long running operation	✔	✔
apphub.operations.cancel	Cancel a long running operation	✔	✔
apphub.locations.get	Get a location	✔	✔	✔
apphub.locations.list	List locations	✔	✔	✔