On-Demand Scanning API roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for On-Demand Scanning API. To search through all roles and permissions, see the role and permission index.

On-Demand Scanning API roles

Role Permissions

Role	Permissions
On-Demand Scanning Admin ^Beta (`roles/ondemandscanning.admin`) All permissions for On-Demand Scanning	`ondemandscanning.*` `ondemandscanning.operations.cancel` `ondemandscanning.operations.delete` `ondemandscanning.operations.get` `ondemandscanning.operations.list` `ondemandscanning.operations.wait` `ondemandscanning.scans.analyzePackages` `ondemandscanning.scans.listVulnerabilities` `ondemandscanning.scans.scan`
On-Demand Scanning Service Agent (`roles/ondemandscanning.serviceAgent`) Gives the On-Demand Scanning API the access it needs to function. Warning: Do not grant service agent roles to any principals except service agents.	`artifactregistry.dockerimages.` `artifactregistry.dockerimages.get` `artifactregistry.dockerimages.list` `artifactregistry.files.download` `artifactregistry.files.get` `artifactregistry.files.list` `artifactregistry.locations.` `artifactregistry.locations.get` `artifactregistry.locations.list` `artifactregistry.mavenartifacts.` `artifactregistry.mavenartifacts.get` `artifactregistry.mavenartifacts.list` `artifactregistry.npmpackages.` `artifactregistry.npmpackages.get` `artifactregistry.npmpackages.list` `artifactregistry.packages.get` `artifactregistry.packages.list` `artifactregistry.projectsettings.get` `artifactregistry.pythonpackages.*` `artifactregistry.pythonpackages.get` `artifactregistry.pythonpackages.list` `artifactregistry.repositories.downloadArtifacts` `artifactregistry.repositories.get` `artifactregistry.repositories.list` `artifactregistry.repositories.listEffectiveTags` `artifactregistry.repositories.listTagBindings` `artifactregistry.repositories.readViaVirtualRepository` `artifactregistry.tags.get` `artifactregistry.tags.list` `artifactregistry.versions.get` `artifactregistry.versions.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.objects.get` `storage.objects.list`

On-Demand Scanning Admin ^Beta

(roles/ondemandscanning.admin)

All permissions for On-Demand Scanning

ondemandscanning.*

ondemandscanning.operations.cancel
ondemandscanning.operations.delete
ondemandscanning.operations.get
ondemandscanning.operations.list
ondemandscanning.operations.wait
ondemandscanning.scans.analyzePackages
ondemandscanning.scans.listVulnerabilities
ondemandscanning.scans.scan

On-Demand Scanning Service Agent

(roles/ondemandscanning.serviceAgent)

Gives the On-Demand Scanning API the access it needs to function.

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry.locations.list

artifactregistry.mavenartifacts.*

artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

artifactregistry.npmpackages.get
artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.get

storage.objects.list

On-Demand Scanning API permissions

Permission	Included in roles
`ondemandscanning.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) On-Demand Scanning Admin (`roles/ondemandscanning.admin`)
`ondemandscanning.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) On-Demand Scanning Admin (`roles/ondemandscanning.admin`)
`ondemandscanning.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) On-Demand Scanning Admin (`roles/ondemandscanning.admin`)
`ondemandscanning.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) On-Demand Scanning Admin (`roles/ondemandscanning.admin`)
`ondemandscanning.operations.wait`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) On-Demand Scanning Admin (`roles/ondemandscanning.admin`)
`ondemandscanning.scans.analyzePackages`	Owner (`roles/owner`) Editor (`roles/editor`) On-Demand Scanning Admin (`roles/ondemandscanning.admin`)
`ondemandscanning.scans.listVulnerabilities`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) On-Demand Scanning Admin (`roles/ondemandscanning.admin`)
`ondemandscanning.scans.scan`	Owner (`roles/owner`) Editor (`roles/editor`) On-Demand Scanning Admin (`roles/ondemandscanning.admin`)

On-Demand Scanning API roles and permissions
Stay organized with collections Save and categorize content based on your preferences.