组织政策服务角色和权限

本页面列出了组织政策服务的 IAM 角色和权限。如需搜索所有角色和权限，请参阅角色和权限索引。

组织政策服务角色

Role Permissions

Role	Permissions
Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies. Lowest-level resources where you can grant this role: Organization	`cloudasset.assets.analyzeOrgPolicy` `cloudasset.assets.exportResource` `cloudasset.assets.listResource` `cloudasset.assets.searchAllResources` `orgpolicy.` `orgpolicy.constraints.list` `orgpolicy.customConstraints.create` `orgpolicy.customConstraints.delete` `orgpolicy.customConstraints.get` `orgpolicy.customConstraints.list` `orgpolicy.customConstraints.update` `orgpolicy.policies.create` `orgpolicy.policies.delete` `orgpolicy.policies.list` `orgpolicy.policies.update` `orgpolicy.policy.get` `orgpolicy.policy.set` `policysimulator.orgPolicyViolations.list` `policysimulator.orgPolicyViolationsPreviews.` `policysimulator.orgPolicyViolationsPreviews.create` `policysimulator.orgPolicyViolationsPreviews.get` `policysimulator.orgPolicyViolationsPreviews.list` `recommender.orgPolicyInsights.` `recommender.orgPolicyInsights.get` `recommender.orgPolicyInsights.list` `recommender.orgPolicyInsights.update` `recommender.orgPolicyRecommendations.` `recommender.orgPolicyRecommendations.get` `recommender.orgPolicyRecommendations.list` `recommender.orgPolicyRecommendations.update`
Organization Policy Viewer (`roles/orgpolicy.policyViewer`) Provides access to view Organization Policies on resources. Lowest-level resources where you can grant this role: Project	`orgpolicy.constraints.list` `orgpolicy.customConstraints.get` `orgpolicy.customConstraints.list` `orgpolicy.policies.list` `orgpolicy.policy.get`

Organization Policy Administrator

(roles/orgpolicy.policyAdmin)

Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.

Lowest-level resources where you can grant this role:

Organization

cloudasset.assets.analyzeOrgPolicy

cloudasset.assets.exportResource

cloudasset.assets.listResource

cloudasset.assets.searchAllResources

orgpolicy.*

orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set

policysimulator.orgPolicyViolations.list

policysimulator.orgPolicyViolationsPreviews.*

policysimulator.orgPolicyViolationsPreviews.create
policysimulator.orgPolicyViolationsPreviews.get
policysimulator.orgPolicyViolationsPreviews.list

recommender.orgPolicyInsights.*

recommender.orgPolicyInsights.get
recommender.orgPolicyInsights.list
recommender.orgPolicyInsights.update

recommender.orgPolicyRecommendations.*

recommender.orgPolicyRecommendations.get
recommender.orgPolicyRecommendations.list
recommender.orgPolicyRecommendations.update

Organization Policy Viewer

(roles/orgpolicy.policyViewer)

Provides access to view Organization Policies on resources.

Lowest-level resources where you can grant this role:

Project

orgpolicy.constraints.list

orgpolicy.customConstraints.get

orgpolicy.customConstraints.list

orgpolicy.policies.list

orgpolicy.policy.get

组织政策服务权限

权限	以下角色拥有此权限
`orgpolicy.constraints.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) Folder Admin (`roles/resourcemanager.folderAdmin`) Folder Creator (`roles/resourcemanager.folderCreator`) Folder Editor (`roles/resourcemanager.folderEditor`) Folder Viewer (`roles/resourcemanager.folderViewer`) Organization Administrator (`roles/resourcemanager.organizationAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`) 服务代理角色警告：请勿向服务代理以外的任何主账号授予服务代理角色。 Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`orgpolicy.customConstraints.create`	Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.delete`	Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.update`	Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policies.create`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policies.delete`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policies.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Folder Admin (`roles/resourcemanager.folderAdmin`) Folder Creator (`roles/resourcemanager.folderCreator`) Folder Editor (`roles/resourcemanager.folderEditor`) Folder Viewer (`roles/resourcemanager.folderViewer`) Organization Administrator (`roles/resourcemanager.organizationAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`) 服务代理角色警告：请勿向服务代理以外的任何主账号授予服务代理角色。 Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Assured Workloads Service Agent (`roles/assuredworkloads.serviceAgent`)
`orgpolicy.policies.update`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policy.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Consumer Procurement Entitlement Manager (`roles/consumerprocurement.entitlementManager`) Consumer Procurement Entitlement Viewer (`roles/consumerprocurement.entitlementViewer`) Consumer Procurement Administrator (`roles/consumerprocurement.procurementAdmin`) Consumer Procurement Viewer (`roles/consumerprocurement.procurementViewer`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Folder Admin (`roles/resourcemanager.folderAdmin`) Folder Creator (`roles/resourcemanager.folderCreator`) Folder Editor (`roles/resourcemanager.folderEditor`) Folder Viewer (`roles/resourcemanager.folderViewer`) Organization Administrator (`roles/resourcemanager.organizationAdmin`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`) API Keys Admin (`roles/serviceusage.apiKeysAdmin`) Storage Admin (`roles/storage.admin`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Workload Manager Admin (`roles/workloadmanager.admin`) Workload Manager Evaluation Admin (`roles/workloadmanager.evaluationAdmin`) Workload Manager Evaluation Viewer (`roles/workloadmanager.evaluationViewer`) Workload Manager Viewer (`roles/workloadmanager.viewer`) Workload Manager Worker (`roles/workloadmanager.worker`) 服务代理角色警告：请勿向服务代理以外的任何主账号授予服务代理角色。 Assured Workloads Service Agent (`roles/assuredworkloads.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Health Analytics Service Agent (`roles/securitycenter.securityHealthAnalyticsServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`orgpolicy.policy.set`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)

组织政策服务角色和权限