Secured Landing Zone roles and permissions

This page lists the IAM roles and permissions for Secured Landing Zone. To search through all roles and permissions, see the role and permission index.

Secured Landing Zone roles

Role Permissions

Role	Permissions
SLZ BQDW Blueprint Organization Level Remediator ^Beta (`roles/securedlandingzone.bqdwOrgRemediator`) Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.	`accesscontextmanager.servicePerimeters.get` `accesscontextmanager.servicePerimeters.list` `accesscontextmanager.servicePerimeters.update`
SLZ BQDW Blueprint Project Level Remediator ^Beta (`roles/securedlandingzone.bqdwProjectRemediator`) Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.	`bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.datasets.setIamPolicy` `bigquery.datasets.update` `cloudkms.cryptoKeys.get` `cloudkms.cryptoKeys.getIamPolicy` `cloudkms.cryptoKeys.list` `cloudkms.cryptoKeys.setIamPolicy` `cloudkms.cryptoKeys.update` `cloudkms.keyRings.getIamPolicy` `cloudkms.keyRings.setIamPolicy` `pubsub.topics.get` `pubsub.topics.getIamPolicy` `pubsub.topics.list` `pubsub.topics.setIamPolicy` `pubsub.topics.update` `resourcemanager.projects.update` `serviceusage.services.use` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.list` `storage.buckets.setIamPolicy` `storage.buckets.update`
Overwatch Activator ^Beta (`roles/securedlandingzone.overwatchActivator`) This role can activate or suspend Overwatches	`resourcemanager.projects.get` `resourcemanager.projects.list` `securedlandingzone.overwatches.activate` `securedlandingzone.overwatches.suspend`
Overwatch Admin ^Beta (`roles/securedlandingzone.overwatchAdmin`) Full access to Overwatches	`resourcemanager.projects.get` `resourcemanager.projects.list` `securedlandingzone.*` `securedlandingzone.operations.get` `securedlandingzone.overwatches.activate` `securedlandingzone.overwatches.create` `securedlandingzone.overwatches.delete` `securedlandingzone.overwatches.get` `securedlandingzone.overwatches.list` `securedlandingzone.overwatches.suspend` `securedlandingzone.overwatches.update`
Overwatch Viewer ^Beta (`roles/securedlandingzone.overwatchViewer`) This role can view all properties of Overwatches	`resourcemanager.projects.get` `resourcemanager.projects.list` `securedlandingzone.operations.get` `securedlandingzone.overwatches.get` `securedlandingzone.overwatches.list`
Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Grants Secured Landing Zone service account permissions to manage resources in the customer project Warning: Do not grant service agent roles to any principals except service agents.	`cloudasset.assets.exportOrgPolicy` `cloudasset.assets.exportResource` `cloudasset.feeds.create` `cloudasset.feeds.delete` `cloudasset.feeds.update` `logging.logEntries.list` `pubsub.subscriptions.consume` `pubsub.subscriptions.create` `pubsub.subscriptions.delete` `pubsub.topics.attachSubscription` `pubsub.topics.create` `pubsub.topics.delete` `pubsub.topics.detachSubscription` `pubsub.topics.getIamPolicy` `pubsub.topics.setIamPolicy` `resourcemanager.projects.get` `securitycenter.assetsecuritymarks.update` `securitycenter.findings.list` `securitycenter.findings.update` `securitycenter.sources.list` `securitycenter.sources.update` `serviceusage.services.use`

SLZ BQDW Blueprint Organization Level Remediator ^Beta

(roles/securedlandingzone.bqdwOrgRemediator)

Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

accesscontextmanager.servicePerimeters.update

SLZ BQDW Blueprint Project Level Remediator ^Beta

(roles/securedlandingzone.bqdwProjectRemediator)

Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.setIamPolicy

bigquery.datasets.update

cloudkms.cryptoKeys.get

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.list

cloudkms.cryptoKeys.setIamPolicy

cloudkms.cryptoKeys.update

cloudkms.keyRings.getIamPolicy

cloudkms.keyRings.setIamPolicy

pubsub.topics.get

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsub.topics.setIamPolicy

pubsub.topics.update

resourcemanager.projects.update

serviceusage.services.use

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

storage.buckets.setIamPolicy

storage.buckets.update

Overwatch Activator ^Beta

(roles/securedlandingzone.overwatchActivator)

This role can activate or suspend Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.overwatches.activate

securedlandingzone.overwatches.suspend

Overwatch Admin ^Beta

(roles/securedlandingzone.overwatchAdmin)

Full access to Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.*

securedlandingzone.operations.get
securedlandingzone.overwatches.activate
securedlandingzone.overwatches.create
securedlandingzone.overwatches.delete
securedlandingzone.overwatches.get
securedlandingzone.overwatches.list
securedlandingzone.overwatches.suspend
securedlandingzone.overwatches.update

Overwatch Viewer ^Beta

(roles/securedlandingzone.overwatchViewer)

This role can view all properties of Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.operations.get

securedlandingzone.overwatches.get

securedlandingzone.overwatches.list

Secured Landing Zone Service Agent

(roles/securedlandingzone.serviceAgent)

Grants Secured Landing Zone service account permissions to manage resources in the customer project

cloudasset.assets.exportOrgPolicy

cloudasset.assets.exportResource

cloudasset.feeds.create

cloudasset.feeds.delete

cloudasset.feeds.update

logging.logEntries.list

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.getIamPolicy

pubsub.topics.setIamPolicy

resourcemanager.projects.get

securitycenter.assetsecuritymarks.update

securitycenter.findings.list

securitycenter.findings.update

securitycenter.sources.list

securitycenter.sources.update

serviceusage.services.use

Secured Landing Zone permissions

Permission	Included in roles
`securedlandingzone.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Overwatch Admin (`roles/securedlandingzone.overwatchAdmin`) Overwatch Viewer (`roles/securedlandingzone.overwatchViewer`)
`securedlandingzone.overwatches.activate`	Owner (`roles/owner`) Editor (`roles/editor`) Overwatch Activator (`roles/securedlandingzone.overwatchActivator`) Overwatch Admin (`roles/securedlandingzone.overwatchAdmin`)
`securedlandingzone.overwatches.create`	Owner (`roles/owner`) Editor (`roles/editor`) Overwatch Admin (`roles/securedlandingzone.overwatchAdmin`)
`securedlandingzone.overwatches.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Overwatch Admin (`roles/securedlandingzone.overwatchAdmin`)
`securedlandingzone.overwatches.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Overwatch Admin (`roles/securedlandingzone.overwatchAdmin`) Overwatch Viewer (`roles/securedlandingzone.overwatchViewer`)
`securedlandingzone.overwatches.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Overwatch Admin (`roles/securedlandingzone.overwatchAdmin`) Overwatch Viewer (`roles/securedlandingzone.overwatchViewer`)
`securedlandingzone.overwatches.suspend`	Owner (`roles/owner`) Editor (`roles/editor`) Overwatch Activator (`roles/securedlandingzone.overwatchActivator`) Overwatch Admin (`roles/securedlandingzone.overwatchAdmin`)
`securedlandingzone.overwatches.update`	Owner (`roles/owner`) Editor (`roles/editor`) Overwatch Admin (`roles/securedlandingzone.overwatchAdmin`)

Secured Landing Zone roles and permissions