Access control with IAM
Stay organized with collections Save and categorize content based on your preferences.

This page describes Application Design Center roles and permissions.

To control access to App Design Center, use Identity and Access Management (IAM) to assign roles and permissions to users, groups, and service accounts.

To deploy or view the Google Cloud resources defined in the Terraform configuration, grant the service account permissions that are specific to these resources. Resource permissions are in addition to the App Design Center permissions listed on this page. For a list of all roles and the permissions they contain, see Identity and Access Management basic and predefined roles reference.

Predefined Application Design Center roles

To grant access to specific Google Cloud resources and prevent unauthorized access to other resources, use App Design Center's predefined roles.

Use the following IAM roles to manage spaces and author templates:

Application Design Center Admin (roles/designcenter.admin)
Application Design Center User (roles/designcenter.user)
Application Design Center Viewer (roles/designcenter.viewer)

Use the following IAM roles to create application configurations and manage deployment lifecycles:

Application Admin (roles/designcenter.applicationAdmin)
Application Editor (roles/designcenter.applicationEditor)
Application Viewer (roles/designcenter.applicationViewer)

Application Design Center role descriptions

The following table describes App Design Center roles and their typical responsibilities.

Role	Description	Purpose
Application Design Center Admin	Ability to create and manage all App Design Center artifacts, and delegate application control to other users.	To manage the full lifecycle of an application. Typically Platform Admins, who generally have administrative permissions and full visibility of the end-to-end architecture.
Application Design Center User	Ability to create and update application templates.	To scale the capability to create, update, or delete application templates to ease the effort of Platform Admins. Typically a Platform Engineer who needs to create and manage application templates.
Application Design Center Viewer	Ability to view spaces, catalogs, templates, applications, and their attributes.	To enable basic visibility across spaces, catalogs and applications, and their dependencies. Typically most personnel in the organization. To get the most value, grant all App Design Center users this role.
Application Admin	Ability to create, manage and deploy applications, and delegate application control to other application developers.	To manage application instances and deployments, as well as the ability to attach service projects required to store individual resources. Typically administrators and developers who are responsible for application creation.
Application Editor	Ability to create, manage, and deploy applications.	To scale the capability to manage instances and deployments to ease the effort of application administrators. Typically an application operator who has a good understanding of deployments.
Application User	Ability to view application instances.	To enable basic visibility across templates and applications, and their dependencies. Typically most personnel in the organization. To get the most value, grant all Application Design Center users this role.

General Application Design Center permissions

The following table describes general App Design Center permissions and the IAM roles that have these permissions.

Permissions	Description	Application Design Center Admin	Application Design Center User	Application Design Center Viewer
cloudresourcemanager.projects.get	Get projects.	✔	✔	✔
cloudresourcemanager.projects.list	List projects.	✔	✔	✔
designcenter.operations.get	Get operations.	✔	✔	✔
designcenter.operations.list	List operations.	✔	✔	✔
designcenter.operations.delete	Delete operations.	✔
designcenter.operations.cancel	Cancel operations.	✔
designcenter.locations.get	Get an application location.	✔	✔	✔
designcenter.locations.list	List application locations.	✔	✔	✔
designcenter.spaces.create	Add a space.	✔
designcenter.spaces.get	Get a space.	✔	✔	✔
designcenter.spaces.delete	Delete a space.	✔
designcenter.spaces.update	Update a space.	✔
designcenter.spaces.list	List spaces.	✔	✔	✔
designcenter.spaces.setIAMPolicy	Set IAM policies on spaces.	✔
designcenter.spaces.getIAMPolicy	List IAM policies for spaces.	✔	✔	✔
designcenter.applications.create	Create an application instance.	✔
designcenter.applications.get	Get an application instance.	✔	✔	✔
designcenter.applications.delete	Delete an application instance.	✔
designcenter.applications.update	Update an application instance.	✔
designcenter.applications.list	List application instances.	✔	✔	✔
designcenter.applicationtemplates.create	Add an application template to a space.	✔	✔
designcenter.applicationtemplates.get	Get an application template from a space.	✔	✔	✔
designcenter.applicationtemplates.delete	Delete an application template from a space.	✔	✔
designcenter.applicationtemplates.update	Update an application template from a space.	✔	✔
designcenter.applicationtemplates.list	List application templates in a space.	✔	✔	✔
designcenter.applicationtemplaterevisions.get	Get application template revisions.	✔	✔	✔
designcenter.applicationtemplaterevisions.delete	Delete application template revisions.	✔	✔
designcenter.applicationtemplaterevisions.list	List application template revisions.	✔	✔	✔
designcenter.elements.create	Create an element in a template.	✔	✔
designcenter.elements.get	Get an element in a template.	✔	✔	✔
designcenter.elements.delete	Delete an element from a template.	✔	✔
designcenter.elements.update	Update an element in a template.	✔	✔
designcenter.elements.list	List elements in a template.	✔	✔	✔
designcenter.components.create	Create a component in a template.	✔	✔
designcenter.component.get	Get a component in a template.	✔	✔	✔
designcenter.component.delete	Delete a component in a template.	✔	✔
designcenter.component.update	Update a component in a template.	✔	✔
designcenter.component.list	List components in a template.	✔	✔	✔
designcenter.connections.create	Add a connection between two elements in a template.	✔	✔
designcenter.connections.get	Get element connections in a template.	✔	✔	✔
designcenter.connections.delete	Delete an element connection in a template.	✔	✔
designcenter.connections.update	Update a element connection in a template.	✔	✔
designcenter.connections.list	List element connections in a template.	✔	✔	✔
designcenter.catalogs.create	Add a catalog.	✔
designcenter.catalogs.get	Get a catalog.	✔	✔	✔
designcenter.catalogs.delete	Delete a catalog.	✔
designcenter.catalogs.update	Update a catalog.	✔
designcenter.catalogs.list	List catalogs.	✔	✔	✔
designcenter.catalogtemplates.create	Add a template to a catalog.	✔
designcenter.catalogtemplates.get	Get a template from a catalog.	✔	✔	✔
designcenter.catalogtemplates.delete	Delete a template from a catalog.	✔
designcenter.catalogtemplates.update	Update a template in a catalog.	✔
designcenter.catalogtemplates.list	List templates in a catalog.	✔	✔	✔
designcenter.catalogtemplaterevisions.create	Add a template revision to a catalog.	✔
designcenter.catalogtemplaterevisions.get	Get a template revision from a catalog.	✔	✔	✔
designcenter.catalogtemplaterevisions.delete	Delete a template revision from a catalog.	✔
designcenter.catalogtemplaterevisions.list	List template revisions in a catalog.	✔	✔	✔
designcenter.shares.get	Get a catalog share.	✔	✔	✔
designcenter.shares.delete	Delete a catalog share.	✔
designcenter.shares.update	Update a catalog share.	✔
designcenter.shares.list	List catalog shares.	✔	✔	✔
designcenter.sharedTemplates.get	Get a shared template.	✔	✔	✔
designcenter.sharedTemplates.list	List shared templates.	✔	✔	✔
designcenter.sharedTemplateRevisionss.get	Get a shared template revision.	✔	✔	✔
designcenter.sharedTemplateRevisionss.list	List shared template revisions.	✔	✔	✔
storage.googleapis.com/objectUser	Create, view, list, update, and delete objects, folders, and managed folders, along with their metadata.	✔
storage.googleapis.com/objectViewer	view objects and their metadata, excluding ACLs. Can also list the objects, folders, and managed folders in a bucket.	✔	✔	✔
apphub.serviceProjectAttachments.list	List App Hub service projects attachments added to host project.	✔	✔

Application configuration and deployment permissions

The following table describes application configuration and deployment permissions and the IAM roles that have these permissions.

Permissions	Description	Application Admin	Application Editor	Application User
cloudresourcemanager.projects.get	Get projects.	✔	✔	✔
cloudresourcemanager.projects.list	List projects.	✔	✔	✔
designcenter.spaces.get	Get a space.	✔	✔	✔
designcenter.spaces.list	List spaces.	✔	✔	✔
designcenter.applications.create	Author applications in a space.	✔	✔
designcenter.applications.get	Retrieve existing applications from a space.	✔	✔	✔
designcenter.applications.delete	Delete applications from a space.	✔	✔
designcenter.applications.update	Update existing applications in a space.	✔	✔
designcenter.applications.list	View a list of existing applications in a space.	✔	✔	✔
designcenter.applications.setIAMPolicy	Set IAM policies on application instances.	✔
designcenter.applications.getIAMPolicy	Get IAM policies from application instances.	✔	✔	✔
designcenter.applicationtemplates.get	Retrieve application templates from a space.	✔	✔	✔
designcenter.applicationtemplates.list	List application templates in a space.	✔	✔	✔
designcenter.applicationtemplaterevisions.get	Retrieve application template revisions from a space.	✔	✔	✔
designcenter.applicationtemplaterevisions.list	List application template revisions in a space.	✔	✔	✔
designcenter.shares.get	Get a catalog share.	✔	✔	✔
designcenter.shares.list	List catalog shares.	✔	✔	✔
designcenter.sharedTemplates.get	Get a shared template.	✔	✔	✔
designcenter.sharedTemplates.list	List shared templates.	✔	✔	✔
designcenter.sharedTemplateRevisions.get	Get a shared template revision.	✔	✔	✔
designcenter.sharedTemplateRevisions.list	List shared template revisions.	✔	✔	✔
apphub.applications.create	Create an App Hub application.	✔	✔
apphub.applications.get	Get details about an App Hub application.	✔	✔	✔
apphub.applications.delete	Delete an App Hub application.	✔	✔
apphub.applications.list	List App Hub applications.	✔	✔	✔
apphub.applications.update	Update App Hub application details or metadata.	✔	✔
apphub.locations.get	Get an App Hub application location.	✔	✔	✔
apphub.locations.list	List App Hub application locations.	✔	✔	✔
apphub.serviceProjectAttachments.list	List App Hub service projects attachments added to host project.	✔	✔
Infrastructure Manager Viewer(roles/config.viewer)	Read deployments, revisions, and IAM policies.	✔	✔	✔

Grant roles required to deploy applications

When developers preview and deploy applications, they can use an existing service account, or a new service account can be automatically created. If you want developers to use your service account, you must do the following:

Add IAM policy bindings to the service account and user account.
Grant the service account the roles required to deploy each resource.
Add permissions to the service account to deploy outside of the project where the service account was created.

To grant the required roles to service accounts, add the following IAM policy bindings to the service account:

Add an IAM policy binding for the role of roles/iam.serviceAccountUserrole for the service agent to your service account:
```
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:service-SERVICE_ACCOUNT_PROJECT_ID@gcp-sa-designcenter.iam.gserviceaccount.com" \
    --role="roles/iam.serviceAccountUser"
```
Replace the following:
- SERVICE_ACCOUNT_EMAIL: Your service account email.
- SERVICE_ACCOUNT_PROJECT_ID: The project ID of the project that contains your service account.
Add an IAM policy binding for the role of roles/iam.serviceAccountUser for a user to your service account:
```
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
    --member="user:USER_EMAIL" \
    --role="roles/iam.serviceAccountUser"
```
Replace the following:
- SERVICE_ACCOUNT_EMAIL: Your service account email.
- USER_EMAIL: The user email for the user who performs the deployment.

In the project that has your service account, add IAM policy bindings for the required service agent roles on the management project that contains your space:

gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \
    --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
    --role="roles/apphub.editor"

gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \
    --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
    --role="roles/config.agent"

gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \
    --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
    --role="roles/serviceusage.ServiceUsageAdmin"

Replace the following:

SERVICE_ACCOUNT_PROJECT_ID: The project ID of the project that contains your service account.
MANAGEMENT_PROJECT_NUMBER: The project number of the management project that contains your space.

Grant your service account the roles required to deploy resources in projects. The required roles are displayed when developers deploy applications.

For example, to grant the roles/run.admin role, add the following policy binding:
```
gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \
    --member="serviceAccount:service-DEPLOYMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
    --role="roles/run.admin"
```
Replace the following:
- SERVICE_ACCOUNT_PROJECT_ID: The project ID of the project that contains your service account.
- DEPLOYMENT_PROJECT_NUMBER: The project number of the project where you're deploying resources.
App Design Center uses Infrastructure Manager to deploy applications in the console. To use your own service account to deploy with Infrastructure Manager, complete the steps in Grant access to projects.

What's next

Manage and assign spaces.