An Application Operator (AO) is a member of the development team within the
Platform Administrator (PA) organization. AOs interact with project-level
resources. You can assign the following predefined roles to team members:
AI OCR Developer: Access the Optical Character Recognition service to
detect text in images.
AI Speech Chirp Developer: Access the Chirp model of the Speech-to-Text
service to recognize speech and transcribe audio.
AI Speech Developer: Access the Speech-to-Text service to recognize
speech and transcribe audio.
AI Text Embedding Developer: Access the Text Embedding service to
convert English natural language into numerical vectors.
AI Text Embedding Multilingual Developer: Access the Text Embedding
service to convert multilingual natural language into numerical vectors.
AI Translation Developer: Access the Vertex AI Translation
service to translate text.
Backup Creator: Creates manual backups and restores.
Certificate Authority Service Admin: Has access to manage
certificate authorities and certificate requests in their project.
Custom Role Project Admin: Creates and manages custom roles within a
project.
Dashboard Editor: Has read and write access on Dashboard custom
resources.
Dashboard Viewer: Has read-only access on Dashboard custom resources.
Discovery Engine Admin: Get full access to all Discovery Engine
resources.
Discovery Engine Developer: Get read and write access to all
Discovery Engine resources.
Discovery Engine Reader: Get read access to all
Discovery Engine resources.
Global Load Balancer Admin: Has read and write permissions on all load balancer resources in the project namespace in the global API server.
Harbor Instance Admin: Has full access to manage Harbor instances in
a project.
Harbor Instance Viewer: Has read-only access to view Harbor instances
in a project.
Harbor Project Creator: Has access to manage Harbor instance projects.
K8s Network Policy Admin: Manages network policies in user clusters.
KMS Admin: Manages KMS keys in a project, including the AEADKey and
SigningKey keys. This role can also import and export keys.
KMS Creator: Has create and read access on KMS keys in a project.
KMS Developer: Has access to perform crypto operations using keys in
projects.
KMS Key Export Admin: Has access to export KMS keys as wrapped keys
from the KMS.
KMS Key Import Admin: Has access to import KMS keys as wrapped keys to
the KMS.
KMS Viewer: Has read-only access to KMS keys in their project, and can
view key import and export.
LoggingRule Creator: Creates LoggingRule custom resources in the
project namespace.
LoggingRule Editor: Edits LoggingRule custom resources in the
project namespace.
LoggingRule Viewer: Views LoggingRule custom resources in the
project namespace.
LoggingTarget Creator: Creates LoggingTarget custom resources in the
project namespace.
LoggingTarget Editor: Edits LoggingTarget custom resources in the
project namespace.
LoggingTarget Viewer: Views LoggingTarget custom resources in the
project namespace.
Load Balancer Admin: Has read and write permissions on all load balancer resources in the project namespace.
Marketplace Editor: Has create, update, and delete access on service
instances in a project.
MonitoringRule Editor: Has read and write access to MonitoringRule
resources.
MonitoringRule Viewer: Has read-only access to MonitoringRule
custom resources.
MonitoringTarget Editor: Has read and write access to MonitoringTarget
custom resources.
MonitoringTarget Viewer: Has read-only access to MonitoringTarget
custom resources.
Namespace Admin: Manages all resources within the project namespace.
NAT Viewer: Has read-only access to deployments in user clusters.
ObservabilityPipeline Editor: Has read and write access on
ObservabilityPipeline custom resources.
ObservabilityPipeline Viewer: Has read-only access on
ObservabilityPipeline custom resources.
Project Bucket Admin: Manages the storage buckets and objects within
buckets.
Project Bucket Object Admin: Has read-only access on buckets within a
project, and read-write access on the objects in those buckets.
Project Bucket Object Viewer: Has read-only access on buckets within a
project and the objects in those buckets.
Project IAM Admin: Manages the IAM
allow policies of projects.
Project NetworkPolicy Admin: Manages the project network policies in
the project namespace.
Project DB Admin: Administers Database Service for a project.
Project DB Editor: Has read-write access to Database Service for a project.
Project DB Viewer: Has read-only access to Database Service for a project.
Project Viewer: Has read-only access to all resources within project
namespaces.
Project VirtualMachine Admin: Manages VMs in the project namespace.
Project VirtualMachine Image Admin: Manages VM images in the project
namespace.
Secret Admin: Manages Kubernetes secrets in projects.
Secret Viewer: Views Kubernetes secrets in projects.
Service Configuration Admin: Has read and write access to service
configurations within a project namespace.
Service Configuration Viewer: Has read access to service configurations
within a project namespace.
Subnet Project Admin (global): Manages multiple zone subnets within projects.
Subnet Project Admin: Manages zonal subnets within projects.
Subnet Project Operator: Manages leaf type auto-allocated subnets within projects.
Vertex AI Prediction User: Access the Online Prediction service to make
requests to your model endpoint.
Volume Replication Admin: Manages volume replication resources.
Workbench Notebooks Admin: Get read and write access to all notebook
resources within a project namespace.
Workbench Notebooks Viewer: Get read-only access to all notebook resources
within a project namespace and view the Vertex AI Workbench user interface.
Workload Viewer: Has read access to workloads in a project.

Common roles
------------

The following predefined common roles apply to all authenticated users:
AI Platform Viewer: Grants permissions to view pre-trained services.
DB Options Viewer: Views all configuration options that can be used in
Database Service.
DB UI Viewer: Grants permissions to authenticated users to view the
Database Service UI.
DNS Suffix Viewer: Accesses the domain name service (DNS) suffix config map.
Flow Log Admin: Has read and write access to all Flow Log resources.
Flow Log Viewer: Has read-only access to all Flow Log resources.
Marketplace Viewer: Has read-only access on service versions.
Pricing Calculator User: Has read-only access to stock keeping unit (SKU)
descriptions.
Project Discovery Viewer: Has read access for all authenticated users to the
project view.
Public Image Viewer: Has read access for all authenticated users on the
public VM images in the namespace `vm-images`.
Virtual Machine Type Viewer: Has read access to cluster-scoped virtual
machine types.
VM Type Viewer: Has read access to the predefined virtual machine types.

Last updated 2025-08-25 UTC.