Access control with IAM
=======================

This page describes the Identity and Access Management (IAM) roles required to use
Access Approval.

Required roles
--------------

The following sections list the IAM roles and permissions
required to perform various actions with Access Approval, and
explain how to grant each role. The `gcloud` commands in each section bind the
role at the organization level, so the grant is inherited by every folder and
project in the organization; grant the role on a folder or project instead if
the principal only needs it there.

### View Access Approval requests and configuration

The following table lists the IAM permissions required to view
Access Approval requests and configuration:

| Predefined IAM role | Required permissions and roles |
|---|---|
| `roles/accessapproval.viewer` | `accessapproval.requests.get`<br>`accessapproval.requests.list`<br>`accessapproval.serviceAccounts.get`<br>`accessapproval.settings.get`<br>`resourcemanager.projects.get`<br>`resourcemanager.projects.list` |

To grant the Access Approval Viewer (`roles/accessapproval.viewer`)
role, do the following:

### Console

To grant this IAM role to yourself, do the following:
1. Go to the **IAM** page in the Google Cloud console.

   [Go to IAM](https://console.cloud.google.com/iam-admin/iam?supportedpurview=project)
2. In the **View by principals** tab, click **Grant access**.
3. In the **New principals** field in the right pane, enter your email address.
4. Click the **Select a role** field, and select the **Access Approval Viewer** role from the menu.
5. Click **Save**.

### gcloud

Run the following command:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member='user:EMAIL_ID' \
        --role='roles/accessapproval.viewer'

Replace the following:

- `ORGANIZATION_ID`: The organization ID.
- `EMAIL_ID`: The email address of the user.

For more information about the command, see [gcloud organizations add-iam-policy-binding](/sdk/gcloud/reference/organizations/add-iam-policy-binding).

### View and approve an Access Approval request

The following table lists the IAM permissions required to view
and approve an Access Approval request:

| Predefined IAM role | Required permissions and roles |
|---|---|
| `roles/accessapproval.approver` | `accessapproval.requests.approve`<br>`accessapproval.requests.dismiss`<br>`accessapproval.requests.get`<br>`accessapproval.requests.list`<br>`accessapproval.serviceAccounts.get`<br>`accessapproval.settings.get`<br>`resourcemanager.projects.get`<br>`resourcemanager.projects.list` |

To grant the Access Approval Approver
(`roles/accessapproval.approver`) role, do the following:

### Console

To grant this IAM role to yourself, do the following:

1. Go to the **IAM** page in the Google Cloud console.

   [Go to IAM](https://console.cloud.google.com/iam-admin/iam?supportedpurview=project)
2. In the **View by principals** tab, click **Grant access**.
3. In the **New principals** field in the right pane, enter your email address.
4. Click the **Select a role** field, and select the **Access Approval Approver** role from the menu.
5. Click **Save**.

### gcloud

Run the following command:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member='user:EMAIL_ID' \
        --role='roles/accessapproval.approver'

Replace the following:

- `ORGANIZATION_ID`: The organization ID.
- `EMAIL_ID`: The email address of the user.

### Update the Access Approval configuration

The following table lists the IAM permissions required to
update the Access Approval configuration:

| Predefined IAM role | Required permissions and roles |
|---|---|
| `roles/accessapproval.configEditor` | `accessapproval.settings.get`<br>`accessapproval.settings.update`<br>`accessapproval.settings.delete`<br>`accessapproval.serviceAccounts.get`<br>`resourcemanager.projects.get`<br>`resourcemanager.projects.list` |

Because this role can change or delete the settings that determine which
requests require approval, grant it to a different set of principals than
the Approver role.

To grant the Access Approval Config Editor
(`roles/accessapproval.configEditor`) role, do the following:

### Console

To grant this IAM role to yourself, do the following:

1. Go to the **IAM** page in the Google Cloud console.

   [Go to IAM](https://console.cloud.google.com/iam-admin/iam?supportedpurview=project)
2. In the **View by principals** tab, click **Grant access**.
3. In the **New principals** field in the right pane, enter your email address.
4. Click the **Select a role** field, and select the **Access Approval Config Editor** role from the menu.
5. Click **Save**.

### gcloud

Run the following command:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member='user:EMAIL_ID' \
        --role='roles/accessapproval.configEditor'

Replace the following:

- `ORGANIZATION_ID`: The organization ID.
- `EMAIL_ID`: The email address of the user.

### Invalidate existing Access Approval requests

The following table lists the IAM permissions required to
invalidate existing Access Approval requests that have been approved:

| Predefined IAM role | Required permissions and roles |
|---|---|
| `roles/accessapproval.invalidator` | `accessapproval.requests.invalidate` |

To grant the Access Approval Invalidator
(`roles/accessapproval.invalidator`) role, do the following:

### Console

To grant this IAM role to yourself, do the following:

1. Go to the **IAM** page in the Google Cloud console.

   [Go to IAM](https://console.cloud.google.com/iam-admin/iam?supportedpurview=project)
2. In the **View by principals** tab, click **Grant access**.
3. In the **New principals** field in the right pane, enter your email address.
4. Click the **Select a role** field, and select the **Access Approval Invalidator** role from the menu.
5. Click **Save**.

### gcloud

Run the following command:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member='user:EMAIL_ID' \
        --role='roles/accessapproval.invalidator'

Replace the following:

- `ORGANIZATION_ID`: The organization ID.
- `EMAIL_ID`: The email address of the user.

What's next
-----------

- [Grant or revoke a single IAM role](/iam/docs/granting-changing-revoking-access#single-role)
- [Manage access to service accounts](/iam/docs/manage-access-service-accounts)
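Granting the four roles above is only half of the control; the bindings also need to be reviewed so that approval, configuration and invalidation stay in separate hands and no role is exposed to a public principal. The script below is an added example, not part of this page or of Google Cloud's tooling. It reads the JSON that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` prints (the `gcloud projects get-iam-policy` and `gcloud resource-manager folders get-iam-policy` commands return the same shape) and reports who holds each Access Approval role, which principals hold a conflicting pair, which bindings are public, and which are conditional. The embedded policy is constructed sample data; the principals in it, the severity labels and the choice of which role pairs count as conflicting are the example's own assumptions.

```python
"""Audit an exported IAM policy for Access Approval role bindings.

Added example, not Google Cloud documentation or tooling. Input is the JSON
printed by `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`
(or the projects/folders equivalents).
"""
import json
import sys

# The predefined Access Approval roles described on the page.
ACCESS_APPROVAL_ROLES = {
    "roles/accessapproval.viewer",
    "roles/accessapproval.approver",
    "roles/accessapproval.configEditor",
    "roles/accessapproval.invalidator",
}

# Assumed separation-of-duties rule: a principal that can approve (or
# invalidate) requests and also edit the configuration can weaken the control
# it is supposed to enforce, so these pairs are flagged.
CONFLICTING_PAIRS = (
    ("roles/accessapproval.approver", "roles/accessapproval.configEditor"),
    ("roles/accessapproval.invalidator", "roles/accessapproval.configEditor"),
)

# Principals that make a binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in the format gcloud get-iam-policy returns.
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "etag": "BwXabc123=",
    "bindings": [
        {"role": "roles/accessapproval.viewer",
         "members": ["group:sec-auditors@example.com"]},
        {"role": "roles/accessapproval.approver",
         "members": ["user:alice@example.com", "group:approvers@example.com"]},
        {"role": "roles/accessapproval.configEditor",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"],
         "condition": {"title": "expires-2026",
                       "expression": "request.time < timestamp('2026-01-01T00:00:00Z')"}},
        {"role": "roles/accessapproval.invalidator",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
})


def roles_by_member(policy_json):
    """Map each principal to the set of Access Approval roles it holds.

    Bindings for unrelated roles are ignored; conditional bindings are
    counted as held, since the condition may be satisfied at review time.
    """
    policy = json.loads(policy_json)
    holders = {}
    for binding in policy.get("bindings", []):
        if binding["role"] not in ACCESS_APPROVAL_ROLES:
            continue
        for member in binding["members"]:
            holders.setdefault(member, set()).add(binding["role"])
    return holders


def find_findings(policy_json):
    """Return sorted (severity, message) tuples for the policy."""
    policy = json.loads(policy_json)
    findings = []
    for member, roles in roles_by_member(policy_json).items():
        if member in PUBLIC_MEMBERS:
            findings.append(("HIGH", f"{member} holds {', '.join(sorted(roles))}"))
        for first, second in CONFLICTING_PAIRS:
            if first in roles and second in roles:
                findings.append(("HIGH", f"{member} holds both {first} and {second}"))
    for binding in policy.get("bindings", []):
        if binding["role"] in ACCESS_APPROVAL_ROLES and "condition" in binding:
            title = binding["condition"].get("title", "<untitled>")
            findings.append(("INFO", f"{binding['role']} binding is conditional ({title})"))
    return sorted(findings)


def main():
    # Read a real export from stdin, or fall back to the constructed sample.
    policy_json = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    for member, roles in sorted(roles_by_member(policy_json).items()):
        print(f"{member}: {', '.join(sorted(roles))}")
    for severity, message in find_findings(policy_json):
        print(f"[{severity}] {message}")


if __name__ == "__main__":
    main()
```

Pipe a real export into it with `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json | python3 audit_access_approval.py` (the file name is an assumption). Run it on the sample and it reports that `user:alice@example.com` holds both the Approver and Config Editor roles and that the Invalidator role is bound to `allAuthenticatedUsers`; the conditional Config Editor binding is listed for review rather than flagged, since an expiry condition is a legitimate way to time-box the grant.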