Control access with IAM

This page describes the IAM roles and permissions that are required to set up and use Audit Manager.

User: Administrator
Task: Set up Audit Manager access
Roles and permissions:
  • Audit Manager Admin (roles/auditmanager.admin)

    This role grants users the ability to enable auditing on a project or folder, generate an audit scope, and create or view Audit Manager reports.

  • Storage Admin (roles/storage.admin) or Storage Legacy Bucket Owner (roles/storage.legacyBucketOwner)

    These roles grant users the ability to create, overwrite, and delete storage buckets. Users need to specify a storage bucket when enrolling a resource for auditing. Storage Admin covers every bucket in the resource where it is granted; Storage Legacy Bucket Owner is granted on a single bucket, so it is the narrower choice when the audit bucket already exists.

  • resourcemanager.organizations.setIamPolicy

    This additional permission is required to enroll an organization. It must be held on the organization being enrolled.

  • resourcemanager.folders.setIamPolicy

    This additional permission is required to enroll a folder. It must be held on the folder being enrolled.

User: Auditor
Task: Run audit and view reports
Roles and permissions:
  • Audit Manager Auditor (roles/auditmanager.auditor)

    This role grants users the ability to generate an audit scope, and to create or view Audit Manager reports.

  • Storage Legacy Object Reader (roles/storage.legacyObjectReader)

    This role grants users the ability to read the objects in the storage bucket that holds the audit reports. Grant it on that bucket.

For more information about granting roles, see the IAM documentation.
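Before granting these roles, a practitioner usually wants to confirm what a principal already holds and whether the grant is wider than needed. The script below is an added example, not Google's or Audit Manager's own tooling. It reads the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` (and the folder, organization and `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` variants) emits, reports which of the roles listed above a principal still lacks for the Administrator or Auditor task, treats conditional bindings as not granted, and flags principals holding `roles/storage.admin` where the bucket-scoped `roles/storage.legacyBucketOwner` would do. The sample policies are constructed, and the mapping from the two setIamPolicy permissions to predefined roles (Folder Admin, Folder IAM Admin, Organization Admin) is this example's assumption, not something the page states.

```python
"""Check exported IAM policies for the Audit Manager roles listed on this page.

Added example, not Google's own tooling. Every policy below is constructed
sample data in the shape `gcloud ... get-iam-policy --format=json` returns.
"""
import json

ADMIN_ROLE = "roles/auditmanager.admin"
# Either of these satisfies the bucket requirement for the Administrator task.
ADMIN_BUCKET_ROLES = {"roles/storage.admin", "roles/storage.legacyBucketOwner"}
AUDITOR_ROLES = {"roles/auditmanager.auditor", "roles/storage.legacyObjectReader"}

# Extra permission needed per enrollment scope, and the predefined roles this
# example ASSUMES carry it. Verify with `gcloud iam roles describe ROLE` before
# relying on the mapping; the page itself only names the permissions.
SCOPE_SET_IAM_POLICY = {
    "project": None,
    "folder": ("resourcemanager.folders.setIamPolicy",
               {"roles/resourcemanager.folderAdmin", "roles/resourcemanager.folderIamAdmin"}),
    "organization": ("resourcemanager.organizations.setIamPolicy",
                     {"roles/resourcemanager.organizationAdmin"}),
}


def load_policies(paths):
    """Load one or more get-iam-policy JSON exports from disk."""
    with_policies = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            with_policies.append(json.load(fh))
    return with_policies


def unconditional_roles(policies, member):
    """Roles bound to `member` across the given policies, ignoring conditional
    bindings (a condition may be false at request time, so it is not counted).
    Inheritance is not resolved: pass the policies of the project, the folder or
    organization being enrolled, and the audit bucket explicitly."""
    roles = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if "condition" in binding:
                continue
            if member in binding.get("members", []):
                roles.add(binding["role"])
    return roles


def admin_gaps(policies, member, scope):
    """What `member` still lacks for 'Set up Audit Manager access' at `scope`."""
    if scope not in SCOPE_SET_IAM_POLICY:
        raise ValueError(f"scope must be one of {sorted(SCOPE_SET_IAM_POLICY)}, got {scope!r}")
    roles = unconditional_roles(policies, member)
    gaps = []
    if ADMIN_ROLE not in roles:
        gaps.append(ADMIN_ROLE)
    if not roles & ADMIN_BUCKET_ROLES:
        gaps.append(" or ".join(sorted(ADMIN_BUCKET_ROLES)))
    extra = SCOPE_SET_IAM_POLICY[scope]
    if extra is not None:
        permission, carrying_roles = extra
        if not roles & carrying_roles:
            gaps.append(f"{permission} (e.g. via {' or '.join(sorted(carrying_roles))})")
    return gaps


def auditor_gaps(policies, member):
    """What `member` still lacks for 'Run audit and view reports'."""
    return sorted(AUDITOR_ROLES - unconditional_roles(policies, member))


def broad_storage_admins(policies):
    """Members granted roles/storage.admin unconditionally. That role reaches
    every bucket under the resource; if the member only needs the one audit
    bucket, roles/storage.legacyBucketOwner on that bucket is the narrower grant."""
    members = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if binding["role"] == "roles/storage.admin" and "condition" not in binding:
                members.update(binding.get("members", []))
    return sorted(members)


# Constructed sample policies (etags and principals are made up).
PROJECT_POLICY = {
    "version": 3, "etag": "BwXfakeEtag1=",
    "bindings": [
        {"role": "roles/auditmanager.admin",
         "members": ["user:alice@example.com", "user:carol@example.com"]},
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
        {"role": "roles/auditmanager.auditor", "members": ["user:bob@example.com"]},
    ],
}
FOLDER_POLICY = {  # policy of the folder carol wants to enroll
    "version": 3, "etag": "BwXfakeEtag2=",
    "bindings": [
        {"role": "roles/resourcemanager.folderAdmin", "members": ["user:carol@example.com"]},
    ],
}
BUCKET_POLICY = {  # policy of the audit bucket; bob's reader grant has expired
    "version": 3, "etag": "BwXfakeEtag3=",
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner", "members": ["user:carol@example.com"]},
        {"role": "roles/storage.legacyObjectReader", "members": ["user:bob@example.com"],
         "condition": {"title": "expired-access",
                       "expression": 'request.time < timestamp("2024-01-01T00:00:00Z")'}},
    ],
}

if __name__ == "__main__":
    policies = [PROJECT_POLICY, FOLDER_POLICY, BUCKET_POLICY]
    for member in ("user:alice@example.com", "user:carol@example.com"):
        print(member, "folder-enrollment gaps:", admin_gaps(policies, member, "folder"))
    print("user:bob@example.com auditor gaps:", auditor_gaps(policies, "user:bob@example.com"))
    print("broad storage admins:", broad_storage_admins(policies))
```

Run it against real exports with `load_policies(["project.json", "folder.json", "bucket.json"])`. Two design choices matter: conditional bindings are deliberately not counted, because an expired or narrowly scoped condition looks like a grant in the export but denies at request time; and the setIamPolicy check is made against the folder or organization policy itself, since holding Folder Admin on some other folder does not let the administrator enroll this one.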