Predefined role descriptions

Google Distributed Cloud (GDC) air-gapped has the following predefined roles that you can assign to team members:

PA roles

Platform Administrators (PA) manage organization level resources and project lifecycle management. You can assign the following predefined roles to team members:

AI Platform Admin: Grants permissions to manage pre-trained services.
Backup Repository Admin: Manages backup repositories.
Billing Viewer: Has read-only access to SKU descriptions, inventory machines, and fleets on the cost table page.
Bucket Admin: Manages storage buckets within organizations and projects and the objects in those buckets.
Bucket Object Admin: Has read-only access on buckets within an organization, and read-write access on the objects in those buckets.
Bucket Object Viewer: Has read-only access on buckets within a organization and the objects in those buckets.
DR Backup Admin: Performs disaster recovery backups.
DR System Admin: Manages resources in the dr-system namespace for setting up backups on the control plane.
Flow Log Admin: Manages flow log resources for logging network traffic metadata.
Flow Log Viewer: Provides read-only access to flow log configurations.
GDCH Restrict By Attributes Policy Admin: Has full access to the GDCHRestrictByAttributes constraint.
GDCH Restricted Service Policy Admin: Manages policy templates for the organization and has full access to constraints. Applies or rolls back policies for an organization or project.
IdP Federation Admin: Has full access to configure identity providers.
KMS Rotation Job Admin: Has full access to create and manage the RotationJob resource, which rotate key management system (KMS) root keys.
Log Querier: Has read-only access to reach the audit log or operational log endpoint from the Log Query API to view logs for a project.
Org Network Policy Admin: Manages organization network policies in the platform namespace.
Org Session Admin: Has access to the revocation command. Users bound to this Role are added to the ACLs for authentication and authorization.
Organization Backup Admin: Has read and write access to manage backups.
Organization IAM Viewer: Has read-only access to all resources that the Organization IAM Administrator has access to.
Organization DB Admin: Manages Database Service resources for an organization.
Organization IAM Admin: Creates, updates, and deletes any permissions and allow policies within the org admin cluster.
Organization Upgrade Admin: Modifies maintenance windows for an organization. Maintenance windows are created automatically during organization creation.
Organization Upgrade Viewer: Views maintenance windows.
Project Creator: Creates new projects.
Project Editor: Deletes projects.
SIEM Export Org Creator: Creates SIEMOrgForwarder custom resources.
SIEM Export Org Editor: Has read and write access on SIEMOrgForwarder custom resources.
SIEM Export Org Viewer Has read-only access to view SIEMOrgForwarder custom resources.
System Cluster Backup Repository Admin: Has full access to manage backup repositories.
Transfer Appliance Request Creator: Can read and create transfer appliance requests, which allow you to quickly and securely transfer large amounts of data to Distributed Cloud using a high capacity storage server.
User Cluster Backup Admin: Manages backup resources such as backup and restore plans in user clusters.
User Cluster Admin: Creates, updates, and deletes the user cluster, and manages the user cluster's lifecycle.
User Cluster Developer: Has cluster admin permissions in user clusters.
User Cluster Node Viewer: Has read-only cluster admin permissions in user clusters.

AO roles

An Application Operator (AO) is a member of the development team within the Platform Administrator (PA) organization. AOs interact with project-level resources. You can assign the following predefined roles to team members:

K8s Network Policy Admin: Manages network policies in user clusters.

KMS Admin: Manages KMS keys in a project, including the AEADKey and SigningKey keys. This role can also import and export keys.

KMS Creator: Has create and read access on KMS keys in a project.

KMS Developer: Has access to perform crypto operations using keys in projects.

KMS Key Export Admin: Has access to export KMS keys as wrapped keys from the KMS.

KMS Key Import Admin: Has access to import KMS keys as wrapped keys to the KMS.

KMS Viewer: Has read-only access to KMS keys in their project, and can view key import and export.

Marketplace Editor: Has create, update, and delete access on service instances in a project.

MonitoringRule Editor: Has read and write access to MonitoringRule resources.

MonitoringRule Viewer: Has read-only access to MonitoringRule custom resources.

MonitoringTarget Editor: Has read and write access to MonitoringTarget custom resources.

MonitoringTarget Viewer: Has read-only access to MonitoringTarget custom resources.

Namespace Admin: Manages all resources within the project namespace.

NAT Viewer: Has read-only access to deployments in user clusters.

ObservabilityPipeline Editor: Has read and write access on ObservabilityPipeine custom resources.

ObservabilityPipeline Viewer: Has read-only access on ObservabilityPipeline custom resources.

Project Bucket Admin: Manages the storage buckets and objects within buckets.

Project Bucket Object Admin: Has read-only access on buckets within a project, and read-write access on the objects in those buckets.

Project Bucket Object Viewer: Has read-only access on buckets within a project and the objects in those buckets.

Project IAM Admin: Manages the IAM allow policies of projects.

Project NetworkPolicy Admin: Manages the project network policies in the project namespace.

Project DB Admin: Administers Database Service for a project.

Project DB Editor: Has read-write access to Database Service for a project.

Project DB Viewer: Has read-only access to Database Service for a project.

Project Viewer: Has read-only access to all resources within project namespaces.

Project VirtualMachine Admin: Manages VMs in the project namespace.

Project VirtualMachine Image Admin: Manages VM images in the project namespace.

Secret Admin: Manages Kubernetes secrets in projects.

Secret Viewer: Views Kubernetes secrets in projects.

Service Configuration Admin: Has read and write access to service configurations within a project namespace.

Service Configuration Viewer: Has read access to service configurations within a project namespace.

Vertex AI Optical Character Recognition (OCR) Developer: Accesses the OCR service.

Vertex AI Speech-to-Text Developer: Accesses the Speech-to-Text service.

Vertex AI Translation Developer: Accesses the Translation service.

Vertex AI Prediction User: Accesses the Online Prediction service.

Workbench Notebooks Admin: Has read-write access to all notebook resources within a project namespace.

Workbench Notebooks Viewer: Has read-only access to all notebook resources within a project namespace.

Common roles

The following predefined common roles apply to all authenticated users:

AI Platform Viewer: Grants permissions to view pre-trained services.
DB Options Viewer: Views all configuration options that can be used in Database Service.
DB UI Viewer: Grants permissions to authenticated users to view the Database Service UI.
DNS Suffix Viewer: Accesses the domain name service (DNS) suffix config map.
Flow Log Admin: Has read and write access to all Flow Log resources.
Flow Log Viewer: Has read-only access to all Flow Log resources.
Marketplace Viewer: Has read-only access on service versions and service instances.
Pricing Calculator User: Has read-only access to stock keeping unit (SKU) descriptions.
Project Discovery Viewer: Has read access for all authenticated users to the project view.
Public Image Viewer: Has read access for all authenticated users on the public VM images in the namespace vm-images.
Virtual Machine Type Viewer: Has read access to cluster-scoped virtual machine types.
VM Type Viewer: Has read access to the predefined virtual machine types.