Assured Workloads roles and permissions

This page lists the IAM roles and permissions for Assured Workloads. To search through all roles and permissions, see the role and permission index.

Assured Workloads roles

Role Permissions

Role	Permissions
Assured Workloads Administrator (`roles/assuredworkloads.admin`) Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	`assuredworkloads.` `assuredworkloads.operations.get` `assuredworkloads.operations.list` `assuredworkloads.updates.list` `assuredworkloads.updates.update` `assuredworkloads.violations.get` `assuredworkloads.violations.list` `assuredworkloads.violations.update` `assuredworkloads.workload.create` `assuredworkloads.workload.delete` `assuredworkloads.workload.get` `assuredworkloads.workload.list` `assuredworkloads.workload.update` `axt.labels.set` `bigquery.config.update` `logging.settings.update` `orgpolicy.policies.` `orgpolicy.policies.create` `orgpolicy.policies.delete` `orgpolicy.policies.list` `orgpolicy.policies.update` `orgpolicy.policy.*` `orgpolicy.policy.get` `orgpolicy.policy.set` `resourcemanager.folders.create` `resourcemanager.folders.get` `resourcemanager.folders.list` `resourcemanager.organizations.get` `resourcemanager.projects.create` `resourcemanager.projects.get` `resourcemanager.projects.list`
Assured Workloads Editor (`roles/assuredworkloads.editor`) Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	`assuredworkloads.` `assuredworkloads.operations.get` `assuredworkloads.operations.list` `assuredworkloads.updates.list` `assuredworkloads.updates.update` `assuredworkloads.violations.get` `assuredworkloads.violations.list` `assuredworkloads.violations.update` `assuredworkloads.workload.create` `assuredworkloads.workload.delete` `assuredworkloads.workload.get` `assuredworkloads.workload.list` `assuredworkloads.workload.update` `axt.labels.set` `bigquery.config.update` `logging.settings.update` `orgpolicy.policies.` `orgpolicy.policies.create` `orgpolicy.policies.delete` `orgpolicy.policies.list` `orgpolicy.policies.update` `orgpolicy.policy.*` `orgpolicy.policy.get` `orgpolicy.policy.set` `resourcemanager.folders.create` `resourcemanager.folders.get` `resourcemanager.folders.list` `resourcemanager.organizations.get` `resourcemanager.projects.create` `resourcemanager.projects.get` `resourcemanager.projects.list`
Assured Workloads Monitoring Service Agent (`roles/assuredworkloads.monitoringServiceAgent`) Gives the Assured Workloads service account access to create CAIS feed and monitor Assured Workloads. Warning: Do not grant service agent roles to any principals except service agents.	`cloudasset.assets.exportResource` `cloudasset.assets.listResource` `cloudasset.feeds.create` `cloudasset.feeds.delete` `cloudasset.feeds.get`
Assured Workloads Reader (`roles/assuredworkloads.reader`) Grants read access to all Assured Workloads resources and CRM resources - project/folder	`assuredworkloads.operations.*` `assuredworkloads.operations.get` `assuredworkloads.operations.list` `assuredworkloads.updates.list` `assuredworkloads.violations.get` `assuredworkloads.violations.list` `assuredworkloads.workload.get` `assuredworkloads.workload.list` `orgpolicy.policies.list` `orgpolicy.policy.get` `resourcemanager.folders.get` `resourcemanager.folders.list` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Assured Workloads Service Agent (`roles/assuredworkloads.serviceAgent`) Gives the Assured Workloads service account access to create KMS keyrings and keys, monitor Assured Workloads and read Organization Policies. Warning: Do not grant service agent roles to any principals except service agents.	`cloudkms.cryptoKeys.create` `cloudkms.keyRings.create` `orgpolicy.policies.list` `orgpolicy.policy.get` `serviceusage.services.enable` `serviceusage.services.get` `serviceusage.services.use`

Assured Workloads Administrator

(roles/assuredworkloads.admin)

Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

assuredworkloads.*

assuredworkloads.operations.get
assuredworkloads.operations.list
assuredworkloads.updates.list
assuredworkloads.updates.update
assuredworkloads.violations.get
assuredworkloads.violations.list
assuredworkloads.violations.update
assuredworkloads.workload.create
assuredworkloads.workload.delete
assuredworkloads.workload.get
assuredworkloads.workload.list
assuredworkloads.workload.update

axt.labels.set

bigquery.config.update

logging.settings.update

orgpolicy.policies.*

orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update

orgpolicy.policy.*

orgpolicy.policy.get
orgpolicy.policy.set

resourcemanager.folders.create

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.create

resourcemanager.projects.get

resourcemanager.projects.list

Assured Workloads Editor

(roles/assuredworkloads.editor)

Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

assuredworkloads.*

assuredworkloads.operations.get
assuredworkloads.operations.list
assuredworkloads.updates.list
assuredworkloads.updates.update
assuredworkloads.violations.get
assuredworkloads.violations.list
assuredworkloads.violations.update
assuredworkloads.workload.create
assuredworkloads.workload.delete
assuredworkloads.workload.get
assuredworkloads.workload.list
assuredworkloads.workload.update

axt.labels.set

bigquery.config.update

logging.settings.update

orgpolicy.policies.*

orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update

orgpolicy.policy.*

orgpolicy.policy.get
orgpolicy.policy.set

resourcemanager.folders.create

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.create

resourcemanager.projects.get

resourcemanager.projects.list

Assured Workloads Monitoring Service Agent

(roles/assuredworkloads.monitoringServiceAgent)

Gives the Assured Workloads service account access to create CAIS feed and monitor Assured Workloads.

cloudasset.assets.exportResource

cloudasset.assets.listResource

cloudasset.feeds.create

cloudasset.feeds.delete

cloudasset.feeds.get

Assured Workloads Reader

(roles/assuredworkloads.reader)

Grants read access to all Assured Workloads resources and CRM resources - project/folder

assuredworkloads.operations.*

assuredworkloads.operations.get
assuredworkloads.operations.list

assuredworkloads.updates.list

assuredworkloads.violations.get

assuredworkloads.violations.list

assuredworkloads.workload.get

assuredworkloads.workload.list

orgpolicy.policies.list

orgpolicy.policy.get

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Assured Workloads Service Agent

(roles/assuredworkloads.serviceAgent)

Gives the Assured Workloads service account access to create KMS keyrings and keys, monitor Assured Workloads and read Organization Policies.

cloudkms.cryptoKeys.create

cloudkms.keyRings.create

orgpolicy.policies.list

orgpolicy.policy.get

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.use

Assured Workloads permissions

Permission	Included in roles
`assuredworkloads.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Support User (`roles/iam.supportUser`)
`assuredworkloads.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`assuredworkloads.updates.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`assuredworkloads.updates.update`	Owner (`roles/owner`) Editor (`roles/editor`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`)
`assuredworkloads.violations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Controls Partner Monitoring Service Agent (`roles/cloudcontrolspartner.monitoringServiceAgent`)
`assuredworkloads.violations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Controls Partner Monitoring Service Agent (`roles/cloudcontrolspartner.monitoringServiceAgent`)
`assuredworkloads.violations.update`	Owner (`roles/owner`) Editor (`roles/editor`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`)
`assuredworkloads.workload.create`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`)
`assuredworkloads.workload.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`)
`assuredworkloads.workload.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Support User (`roles/iam.supportUser`)
`assuredworkloads.workload.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`assuredworkloads.workload.update`	Owner (`roles/owner`) Editor (`roles/editor`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`)

Assured Workloads roles and permissions