Service Management roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Service Management. To search through all roles and permissions, see the role and permission index.

Service Management roles

Role Permissions

Role	Permissions
Service Management Administrator (`roles/servicemanagement.admin`) Full control of Google Service Management resources.	`monitoring.timeSeries.list` `resourcemanager.folders.get` `resourcemanager.folders.list` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceconsumermanagement.` `serviceconsumermanagement.consumers.get` `serviceconsumermanagement.quota.get` `serviceconsumermanagement.quota.update` `serviceconsumermanagement.tenancyu.addResource` `serviceconsumermanagement.tenancyu.create` `serviceconsumermanagement.tenancyu.delete` `serviceconsumermanagement.tenancyu.list` `serviceconsumermanagement.tenancyu.removeResource` `servicemanagement.` `servicemanagement.services.bind` `servicemanagement.services.check` `servicemanagement.services.create` `servicemanagement.services.delete` `servicemanagement.services.get` `servicemanagement.services.getIamPolicy` `servicemanagement.services.list` `servicemanagement.services.quota` `servicemanagement.services.report` `servicemanagement.services.setIamPolicy` `servicemanagement.services.update` `serviceusage.quotas.get` `serviceusage.services.get`
Service Checker (`roles/servicemanagement.checker`) Can check admission of a service during runtime.	`servicemanagement.services.check`
Service Config Editor (`roles/servicemanagement.configEditor`) Access to update the service config and create rollouts.	`servicemanagement.services.get` `servicemanagement.services.update`
Quota Administrator ^Beta (`roles/servicemanagement.quotaAdmin`) Provides access to administer service quotas. Lowest-level resources where you can grant this role: Project	`cloudquotas.` `cloudquotas.quotas.get` `cloudquotas.quotas.update` `monitoring.alertPolicies.` `monitoring.alertPolicies.create` `monitoring.alertPolicies.createTagBinding` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.deleteTagBinding` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alertPolicies.update` `monitoring.timeSeries.list` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.*` `serviceusage.quotas.get` `serviceusage.quotas.update` `serviceusage.services.disable` `serviceusage.services.enable` `serviceusage.services.get` `serviceusage.services.list`
Quota Viewer ^Beta (`roles/servicemanagement.quotaViewer`) Provides access to view service quotas. Lowest-level resources where you can grant this role: Project	`cloudquotas.quotas.get` `monitoring.timeSeries.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`
Service Reporter (`roles/servicemanagement.reporter`) Can report usage of a service during runtime.	`servicemanagement.services.report`
Service Consumer (`roles/servicemanagement.serviceConsumer`) Can enable the service.	`servicemanagement.services.bind`
Service Controller (`roles/servicemanagement.serviceController`) Can check preconditions and report usage of a service during runtime. Lowest-level resources where you can grant this role: Project	`servicemanagement.services.check` `servicemanagement.services.get` `servicemanagement.services.quota` `servicemanagement.services.report`

Service Management Administrator

(roles/servicemanagement.admin)

Full control of Google Service Management resources.

monitoring.timeSeries.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceconsumermanagement.*

serviceconsumermanagement.consumers.get
serviceconsumermanagement.quota.get
serviceconsumermanagement.quota.update
serviceconsumermanagement.tenancyu.addResource
serviceconsumermanagement.tenancyu.create
serviceconsumermanagement.tenancyu.delete
serviceconsumermanagement.tenancyu.list
serviceconsumermanagement.tenancyu.removeResource

servicemanagement.*

servicemanagement.services.bind
servicemanagement.services.check
servicemanagement.services.create
servicemanagement.services.delete
servicemanagement.services.get
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicemanagement.services.quota
servicemanagement.services.report
servicemanagement.services.setIamPolicy
servicemanagement.services.update

serviceusage.quotas.get

serviceusage.services.get

Service Checker

(roles/servicemanagement.checker)

Can check admission of a service during runtime.

servicemanagement.services.check

Service Config Editor

(roles/servicemanagement.configEditor)

Access to update the service config and create rollouts.

servicemanagement.services.get

servicemanagement.services.update

Quota Administrator ^Beta

(roles/servicemanagement.quotaAdmin)

Provides access to administer service quotas.

Lowest-level resources where you can grant this role:

Project

cloudquotas.*

cloudquotas.quotas.get
cloudquotas.quotas.update

monitoring.alertPolicies.*

monitoring.alertPolicies.create
monitoring.alertPolicies.createTagBinding
monitoring.alertPolicies.delete
monitoring.alertPolicies.deleteTagBinding
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.listEffectiveTags
monitoring.alertPolicies.listTagBindings
monitoring.alertPolicies.update

monitoring.timeSeries.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.*

serviceusage.quotas.get
serviceusage.quotas.update

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

Quota Viewer ^Beta

(roles/servicemanagement.quotaViewer)

Provides access to view service quotas.

Lowest-level resources where you can grant this role:

Project

cloudquotas.quotas.get

monitoring.timeSeries.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Service Reporter

(roles/servicemanagement.reporter)

Can report usage of a service during runtime.

servicemanagement.services.report

Service Consumer

(roles/servicemanagement.serviceConsumer)

Can enable the service.

servicemanagement.services.bind

Service Controller

(roles/servicemanagement.serviceController)

Can check preconditions and report usage of a service during runtime.

Lowest-level resources where you can grant this role:

Project

servicemanagement.services.check

servicemanagement.services.get

servicemanagement.services.quota

servicemanagement.services.report

Service Management permissions

Permission	Included in roles
`servicemanagement.services.bind`	Owner (`roles/owner`) Editor (`roles/editor`) Firebase SDK Provisioning Service Agent (`roles/firebase.sdkProvisioningServiceAgent`) Service Management Administrator (`roles/servicemanagement.admin`) Service Consumer (`roles/servicemanagement.serviceConsumer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`servicemanagement.services.check`	Owner (`roles/owner`) Editor (`roles/editor`) Service Management Administrator (`roles/servicemanagement.admin`) Service Checker (`roles/servicemanagement.checker`) Service Controller (`roles/servicemanagement.serviceController`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Endpoints Service Agent (`roles/endpoints.serviceAgent`) Cloud API Gateway Service Agent (`roles/apigateway.serviceAgent`)
`servicemanagement.services.create`	Owner (`roles/owner`) Editor (`roles/editor`) Service Management Administrator (`roles/servicemanagement.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud API Gateway Management Service Agent (`roles/apigateway_management.serviceAgent`)
`servicemanagement.services.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Service Management Administrator (`roles/servicemanagement.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud API Gateway Management Service Agent (`roles/apigateway_management.serviceAgent`)
`servicemanagement.services.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Service Management Administrator (`roles/servicemanagement.admin`) Service Config Editor (`roles/servicemanagement.configEditor`) Service Controller (`roles/servicemanagement.serviceController`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Endpoints Service Agent (`roles/endpoints.serviceAgent`) Endpoints Portal Service Agent (`roles/endpointsportal.serviceAgent`) Cloud API Gateway Management Service Agent (`roles/apigateway_management.serviceAgent`)
`servicemanagement.services.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service Management Administrator (`roles/servicemanagement.admin`)
`servicemanagement.services.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service Management Administrator (`roles/servicemanagement.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Endpoints Portal Service Agent (`roles/endpointsportal.serviceAgent`) Cloud API Gateway Management Service Agent (`roles/apigateway_management.serviceAgent`)
`servicemanagement.services.quota`	Owner (`roles/owner`) Editor (`roles/editor`) Service Management Administrator (`roles/servicemanagement.admin`) Service Controller (`roles/servicemanagement.serviceController`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Endpoints Service Agent (`roles/endpoints.serviceAgent`) Cloud API Gateway Service Agent (`roles/apigateway.serviceAgent`)
`servicemanagement.services.report`	Owner (`roles/owner`) Editor (`roles/editor`) Service Management Administrator (`roles/servicemanagement.admin`) Service Reporter (`roles/servicemanagement.reporter`) Service Controller (`roles/servicemanagement.serviceController`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Endpoints Service Agent (`roles/endpoints.serviceAgent`) Cloud API Gateway Service Agent (`roles/apigateway.serviceAgent`)
`servicemanagement.services.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Service Management Administrator (`roles/servicemanagement.admin`)
`servicemanagement.services.update`	Owner (`roles/owner`) Editor (`roles/editor`) Service Management Administrator (`roles/servicemanagement.admin`) Service Config Editor (`roles/servicemanagement.configEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud API Gateway Management Service Agent (`roles/apigateway_management.serviceAgent`)

Service Management roles and permissions
Stay organized with collections Save and categorize content based on your preferences.