Model Armor roles and permissions

This page lists the IAM roles and permissions for Model Armor. To search through all roles and permissions, see the role and permission index.

Model Armor roles

Role Permissions

Role	Permissions
Model Armor Admin (`roles/modelarmor.admin`) Grants full access to all modelarmor resources. Intended for administrators & owners.	`modelarmor.locations.` `modelarmor.locations.get` `modelarmor.locations.list` `modelarmor.templates.` `modelarmor.templates.create` `modelarmor.templates.delete` `modelarmor.templates.get` `modelarmor.templates.list` `modelarmor.templates.update` `modelarmor.templates.useToSanitizeModelResponse` `modelarmor.templates.useToSanitizeUserPrompt` `resourcemanager.projects.get` `resourcemanager.projects.list`
Model Armor Callout User ^Beta (`roles/modelarmor.calloutUser`) Grants access to use Model Armor Callout service. Intended for users & applications which plan to use Model Armor Callout service.	`modelarmor.callouts.invoke` `modelarmor.locations.*` `modelarmor.locations.get` `modelarmor.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Model Armor Floor Setting Admin (`roles/modelarmor.floorSettingsAdmin`) Grants full access to all Model Armor Floor Setting resources. Intended for administrators & owners.	`modelarmor.floorSettings.` `modelarmor.floorSettings.get` `modelarmor.floorSettings.update` `modelarmor.locations.` `modelarmor.locations.get` `modelarmor.locations.list` `resourcemanager.folders.get` `resourcemanager.folders.list` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Model Armor Floor Setting Viewer (`roles/modelarmor.floorSettingsViewer`) Grants read access to all Model Armor Floor Setting resources. Intended for viewers.	`modelarmor.floorSettings.get` `modelarmor.locations.*` `modelarmor.locations.get` `modelarmor.locations.list` `resourcemanager.folders.get` `resourcemanager.folders.list` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Model Armor Service Agent (`roles/modelarmor.serviceAgent`) Gives Model Armor Service Account permission to make DLP calls. Warning: Do not grant service agent roles to any principals except service agents.	`dlp.analyzeRiskTemplates.get` `dlp.analyzeRiskTemplates.list` `dlp.deidentifyTemplates.get` `dlp.deidentifyTemplates.list` `dlp.inspectFindings.list` `dlp.inspectTemplates.get` `dlp.inspectTemplates.list` `dlp.jobTriggers.get` `dlp.jobTriggers.list` `dlp.jobs.get` `dlp.jobs.list` `dlp.kms.encrypt` `dlp.locations.*` `dlp.locations.get` `dlp.locations.list` `dlp.storedInfoTypes.get` `dlp.storedInfoTypes.list` `serviceusage.services.use`
Model Armor User (`roles/modelarmor.user`) Grants access to sanitize APIs for templates. Intended for users & applications which plan to use a template.	`modelarmor.locations.*` `modelarmor.locations.get` `modelarmor.locations.list` `modelarmor.templates.useToSanitizeModelResponse` `modelarmor.templates.useToSanitizeUserPrompt` `resourcemanager.projects.get` `resourcemanager.projects.list`
Model Armor Viewer (`roles/modelarmor.viewer`) Grants read access to all model armor resources. Intended for viewers.	`modelarmor.locations.*` `modelarmor.locations.get` `modelarmor.locations.list` `modelarmor.templates.get` `modelarmor.templates.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Model Armor Admin

(roles/modelarmor.admin)

Grants full access to all modelarmor resources. Intended for administrators & owners.

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

modelarmor.templates.*

modelarmor.templates.create
modelarmor.templates.delete
modelarmor.templates.get
modelarmor.templates.list
modelarmor.templates.update
modelarmor.templates.useToSanitizeModelResponse
modelarmor.templates.useToSanitizeUserPrompt

resourcemanager.projects.get

resourcemanager.projects.list

Model Armor Callout User ^Beta

(roles/modelarmor.calloutUser)

Grants access to use Model Armor Callout service. Intended for users & applications which plan to use Model Armor Callout service.

modelarmor.callouts.invoke

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Model Armor Floor Setting Admin

(roles/modelarmor.floorSettingsAdmin)

Grants full access to all Model Armor Floor Setting resources. Intended for administrators & owners.

modelarmor.floorSettings.*

modelarmor.floorSettings.get
modelarmor.floorSettings.update

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Model Armor Floor Setting Viewer

(roles/modelarmor.floorSettingsViewer)

Grants read access to all Model Armor Floor Setting resources. Intended for viewers.

modelarmor.floorSettings.get

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Model Armor Service Agent

(roles/modelarmor.serviceAgent)

Gives Model Armor Service Account permission to make DLP calls.

dlp.analyzeRiskTemplates.get

dlp.analyzeRiskTemplates.list

dlp.deidentifyTemplates.get

dlp.deidentifyTemplates.list

dlp.inspectFindings.list

dlp.inspectTemplates.get

dlp.inspectTemplates.list

dlp.jobTriggers.get

dlp.jobTriggers.list

dlp.jobs.get

dlp.jobs.list

dlp.kms.encrypt

dlp.locations.*

dlp.locations.get
dlp.locations.list

dlp.storedInfoTypes.get

dlp.storedInfoTypes.list

serviceusage.services.use

Model Armor User

(roles/modelarmor.user)

Grants access to sanitize APIs for templates. Intended for users & applications which plan to use a template.

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

modelarmor.templates.useToSanitizeModelResponse

modelarmor.templates.useToSanitizeUserPrompt

resourcemanager.projects.get

resourcemanager.projects.list

Model Armor Viewer

(roles/modelarmor.viewer)

Grants read access to all model armor resources. Intended for viewers.

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

modelarmor.templates.get

modelarmor.templates.list

resourcemanager.projects.get

resourcemanager.projects.list

Model Armor permissions

Permission	Included in roles
`modelarmor.callouts.invoke`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Callout User (`roles/modelarmor.calloutUser`)
`modelarmor.floorSettings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Model Armor Floor Setting Admin (`roles/modelarmor.floorSettingsAdmin`) Model Armor Floor Setting Viewer (`roles/modelarmor.floorSettingsViewer`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.floorSettings.update`	Owner (`roles/owner`) Model Armor Floor Setting Admin (`roles/modelarmor.floorSettingsAdmin`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Model Armor Admin (`roles/modelarmor.admin`) Model Armor Callout User (`roles/modelarmor.calloutUser`) Model Armor Floor Setting Admin (`roles/modelarmor.floorSettingsAdmin`) Model Armor Floor Setting Viewer (`roles/modelarmor.floorSettingsViewer`) Model Armor User (`roles/modelarmor.user`) Model Armor Viewer (`roles/modelarmor.viewer`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Model Armor Admin (`roles/modelarmor.admin`) Model Armor Callout User (`roles/modelarmor.calloutUser`) Model Armor Floor Setting Admin (`roles/modelarmor.floorSettingsAdmin`) Model Armor Floor Setting Viewer (`roles/modelarmor.floorSettingsViewer`) Model Armor User (`roles/modelarmor.user`) Model Armor Viewer (`roles/modelarmor.viewer`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.templates.create`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.templates.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.templates.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Model Armor Admin (`roles/modelarmor.admin`) Model Armor Viewer (`roles/modelarmor.viewer`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.templates.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Model Armor Admin (`roles/modelarmor.admin`) Model Armor Viewer (`roles/modelarmor.viewer`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.templates.update`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.templates.useToSanitizeModelResponse`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Model Armor User (`roles/modelarmor.user`) Security Center Admin (`roles/securitycenter.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`)
`modelarmor.templates.useToSanitizeUserPrompt`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Model Armor User (`roles/modelarmor.user`) Security Center Admin (`roles/securitycenter.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`)

Model Armor roles and permissions