API Management roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for API Management. To search through all roles and permissions, see the role and permission index.

API Management roles

Role Permissions

Role	Permissions
API Management Admin ^Beta (`roles/apim.admin`) Full access to API Management resources.	`apim.*` `apim.apiObservations.batchEditTags` `apim.apiObservations.get` `apim.apiObservations.list` `apim.apiOperations.get` `apim.apiOperations.list` `apim.locations.get` `apim.locations.list` `apim.locations.listApiObservationTags` `apim.observationJobs.create` `apim.observationJobs.delete` `apim.observationJobs.disable` `apim.observationJobs.enable` `apim.observationJobs.get` `apim.observationJobs.list` `apim.observationSources.create` `apim.observationSources.delete` `apim.observationSources.get` `apim.observationSources.list` `apim.operations.cancel` `apim.operations.delete` `apim.operations.get` `apim.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
APIM API Discovery Service Agent (`roles/apim.apiDiscoveryServiceAgent`) Gives APIM the ability to manage resources in consumer project Warning: Do not grant service agent roles to any principals except service agents.	`compute.backendServices.create` `compute.backendServices.delete` `compute.backendServices.get` `compute.backendServices.list` `compute.backendServices.update` `compute.backendServices.use` `compute.globalOperations.get` `compute.networks.use` `compute.regionBackendServices.create` `compute.regionBackendServices.delete` `compute.regionBackendServices.get` `compute.regionBackendServices.list` `compute.regionBackendServices.update` `compute.regionBackendServices.use` `compute.regionNetworkEndpointGroups.attachNetworkEndpoints` `compute.regionNetworkEndpointGroups.create` `compute.regionNetworkEndpointGroups.delete` `compute.regionNetworkEndpointGroups.detachNetworkEndpoints` `compute.regionNetworkEndpointGroups.get` `compute.regionNetworkEndpointGroups.list` `compute.regionNetworkEndpointGroups.use` `compute.regionOperations.get` `compute.subnetworks.use` `networkservices.operations.*` `networkservices.operations.cancel` `networkservices.operations.delete` `networkservices.operations.get` `networkservices.operations.list`
API Management Viewer ^Beta (`roles/apim.viewer`) Readonly access to API Management resources.	`apim.apiObservations.get` `apim.apiObservations.list` `apim.apiOperations.` `apim.apiOperations.get` `apim.apiOperations.list` `apim.locations.` `apim.locations.get` `apim.locations.list` `apim.locations.listApiObservationTags` `apim.observationJobs.get` `apim.observationJobs.list` `apim.observationSources.get` `apim.observationSources.list` `apim.operations.get` `apim.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

API Management Admin ^Beta

(roles/apim.admin)

Full access to API Management resources.

apim.*

apim.apiObservations.batchEditTags
apim.apiObservations.get
apim.apiObservations.list
apim.apiOperations.get
apim.apiOperations.list
apim.locations.get
apim.locations.list
apim.locations.listApiObservationTags
apim.observationJobs.create
apim.observationJobs.delete
apim.observationJobs.disable
apim.observationJobs.enable
apim.observationJobs.get
apim.observationJobs.list
apim.observationSources.create
apim.observationSources.delete
apim.observationSources.get
apim.observationSources.list
apim.operations.cancel
apim.operations.delete
apim.operations.get
apim.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

APIM API Discovery Service Agent

(roles/apim.apiDiscoveryServiceAgent)

Gives APIM the ability to manage resources in consumer project

compute.backendServices.create

compute.backendServices.delete

compute.backendServices.get

compute.backendServices.list

compute.backendServices.update

compute.backendServices.use

compute.globalOperations.get

compute.networks.use

compute.regionBackendServices.create

compute.regionBackendServices.delete

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.update

compute.regionBackendServices.use

compute.regionNetworkEndpointGroups.attachNetworkEndpoints

compute.regionNetworkEndpointGroups.create

compute.regionNetworkEndpointGroups.delete

compute.regionNetworkEndpointGroups.detachNetworkEndpoints

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.subnetworks.use

networkservices.operations.*

networkservices.operations.cancel
networkservices.operations.delete
networkservices.operations.get
networkservices.operations.list

API Management Viewer ^Beta

(roles/apim.viewer)

Readonly access to API Management resources.

apim.apiObservations.get

apim.apiObservations.list

apim.apiOperations.*

apim.apiOperations.get
apim.apiOperations.list

apim.locations.*

apim.locations.get
apim.locations.list
apim.locations.listApiObservationTags

apim.observationJobs.get

apim.observationJobs.list

apim.observationSources.get

apim.observationSources.list

apim.operations.get

apim.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

API Management permissions

Permission	Included in roles
`apim.apiObservations.batchEditTags`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.apiObservations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`)
`apim.apiObservations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`apim.apiOperations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`)
`apim.apiOperations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`apim.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`)
`apim.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`apim.locations.listApiObservationTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`)
`apim.observationJobs.create`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationJobs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationJobs.disable`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationJobs.enable`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationJobs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`)
`apim.observationJobs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`apim.observationSources.create`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationSources.delete`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationSources.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`)
`apim.observationSources.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`apim.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`)
`apim.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)

API Management roles and permissions
Stay organized with collections Save and categorize content based on your preferences.