Stay organized with collections
Save and categorize content based on your preferences.
You can set or get the Identity and Access Management (IAM), or access control, policy for
one or more Connectivity Tests. In addition, you can view the
permissions that a user or service account has for a specific
Connectivity Test.
This document shows access control examples that use the Network Management API.
To follow these steps in the Google Cloud console or by using gcloud commands,
see the IAM how-to guides.
For information about policy bindings and etags listed in the following commands,
see the API reference for IAM policies.
For information about the IAM roles and permissions needed to run
Connectivity Tests, see
Roles and permissions.
Set an access control policy
This procedure sets the access control policy on the specified
Connectivity Tests resource.
TEST_ID: the ID of the
Connectivity Tests object (test) that you are running
VERSION: specifies the format of the policy;
valid values are 0, 1, and 3—any operation that affects
conditional role bindings must specify version 3
ETAG: used for optimistic concurrency control as
a way to help prevent simultaneous updates of a policy from overwriting
each other (an example etag is BwWbrqiZFRs=)
ROLE: a role that is assigned to principals
(for example, roles/networkmanagement.admin)
PRINCIPAL: specifies the identities requesting
access for a Google Cloud resource (for example,
user:username@yourcompany.com); for a list of principal, or member,
types, see the
API reference for IAM policies
Get an access control policy
This procedure gets the access control policy for the specified
Connectivity Tests resource.
TEST_ID: the ID of the Connectivity Tests
object (test) that you are running
VERSION: specifies the format of the policy;
valid values are 0, 1, and 3—any operation that affects
conditional role bindings must specify version 3
ETAG: used for optimistic concurrency control
as a way to help prevent simultaneous updates of a policy from overwriting
each other (an example etag is BwWbrqiZFRs=)
ROLE: a role that is assigned to principals (for
example, roles/networkmanagement.admin)
PRINCIPAL: specifies the identities requesting
access for a Google Cloud resource (for example,
user:username@yourcompany.com); for a list of principal types,
see the API reference for IAM policies
Test IAM permissions
This procedure returns permissions that a user or service account has for a
Connectivity Tests resource.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Manage access policies\n\nYou can set or get the Identity and Access Management (IAM), or access control, policy for\none or more Connectivity Tests. In addition, you can view the\npermissions that a user or service account has for a specific\nConnectivity Test.\n\nThis document shows access control examples that use the Network Management API.\nTo follow these steps in the Google Cloud console or by using `gcloud` commands,\nsee the [IAM how-to guides](/iam/docs/how-to).\n\nFor information about policy bindings and etags listed in the following commands,\nsee the [API reference for IAM policies](/iam/docs/reference/rest/v1/Policy).\n\nFor information about the IAM roles and permissions needed to run\nConnectivity Tests, see\n[Roles and permissions](/network-intelligence-center/docs/connectivity-tests/concepts/access-control).\n\nSet an access control policy\n----------------------------\n\nThis procedure sets the access control policy on the specified\nConnectivity Tests resource. \n\n### API\n\nUse the [`networkmanagement.connectivitytests.setIamPolicy`](/network-intelligence-center/docs/connectivity-tests/reference/networkmanagement/rest/v1/projects.locations.global.connectivityTests/setIamPolicy)\nmethod to set the access control policy for a \u003cvar translate=\"no\"\u003eUSER\u003c/var\u003e,\n\u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e, and \u003cvar translate=\"no\"\u003eTEST_ID\u003c/var\u003e.\n\nThe following example sets a policy that binds the role of\n`networkmanagement.admin` to `username@yourcompany.com` for `mytest-1`. \n\n```\n POST https: //networkmanagement.googleapis.com/v1/{resource=projects/*/locations/global/connectivityTests/TEST_ID}:setIamPolicy\n {\n \"version\": \"VERSION\",\n \"etag\": \"ETAG\",\n \"bindings\": [{\n \"role\": \"ROLE\",\n \"members\": [\n \"PRINCIPAL\"\n ]\n }]\n }\n```\n\nReplace the following values:\n\n- \u003cvar translate=\"no\"\u003eTEST_ID\u003c/var\u003e: the ID of the Connectivity Tests object (test) that you are running\n- \u003cvar translate=\"no\"\u003eVERSION\u003c/var\u003e: specifies the format of the policy; valid values are `0`, `1`, and `3`---any operation that affects conditional role bindings must specify version `3`\n- \u003cvar translate=\"no\"\u003eETAG\u003c/var\u003e: used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other (an example etag is `BwWbrqiZFRs=`)\n- \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e: a role that is assigned to principals (for example, `roles/networkmanagement.admin`)\n- \u003cvar translate=\"no\"\u003ePRINCIPAL\u003c/var\u003e: specifies the identities requesting access for a Google Cloud resource (for example, `user:username@yourcompany.com`); for a list of principal, or member, types, see the [API reference for IAM policies](/iam/docs/reference/rest/v1/Policy)\n\nGet an access control policy\n----------------------------\n\nThis procedure gets the access control policy for the specified\nConnectivity Tests resource. \n\n### API\n\nUse the [`networkmanagement.connectivitytests.getIamPolicy`](/network-intelligence-center/docs/connectivity-tests/reference/networkmanagement/rest/v1/projects.locations.global.connectivityTests/getIamPolicy)\nmethod to set the access control policy for a \u003cvar translate=\"no\"\u003ePRINCIPAL\u003c/var\u003e,\n\u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e, and \u003cvar translate=\"no\"\u003eTEST_ID\u003c/var\u003e.\n\nThe following example gets a policy that binds the role of\n`networkmanagement.admin` to `username@yourcompany.com` for `mytest-1`. \n\n```\n GET https: //networkmanagement.googleapis.com/v1/{resource=projects/*/locations/global/connectivityTests/TEST_ID}:getIamPolicy\n {\n \"version\": \"VERSION\",\n \"etag\": \"ETAG\",\n \"bindings\": [{\n \"role\": \"ROLE\",\n \"members\": [\n \"PRINCIPAL\"\n ]\n }]\n }\n```\n\nReplace the following values:\n\n- \u003cvar translate=\"no\"\u003eTEST_ID\u003c/var\u003e: the ID of the Connectivity Tests object (test) that you are running\n- \u003cvar translate=\"no\"\u003eVERSION\u003c/var\u003e: specifies the format of the policy; valid values are `0`, `1`, and `3`---any operation that affects conditional role bindings must specify version `3`\n- \u003cvar translate=\"no\"\u003eETAG\u003c/var\u003e: used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other (an example etag is `BwWbrqiZFRs=`)\n- \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e: a role that is assigned to principals (for example, `roles/networkmanagement.admin`)\n- \u003cvar translate=\"no\"\u003ePRINCIPAL\u003c/var\u003e: specifies the identities requesting access for a Google Cloud resource (for example, `user:username@yourcompany.com`); for a list of principal types, see the [API reference for IAM policies](/iam/docs/reference/rest/v1/Policy)\n\nTest IAM permissions\n--------------------\n\nThis procedure returns permissions that a user or service account has for a\nConnectivity Tests resource. \n\n### API\n\nUse the [`networkmanagement.connectivitytests.testIamPermissions`](/network-intelligence-center/docs/connectivity-tests/reference/networkmanagement/rest/v1/projects.locations.global.connectivityTests/testIamPermissions)\nmethod to return the permissions assigned to a \u003cvar translate=\"no\"\u003eTEST_ID\u003c/var\u003e.\n\nThe following example verifies that `username@yourcompany.com` has the\n`networkmanagement.connectivitytests.get` permission for `mytest-1`. \n\n```\n POST https://networkmanagement.googleapis.com/v1/{resource=projects/*/locations/global/connectivityTests/TEST_ID}:testIamPermissions\n {\n \"permissions\": [\n \"networkmanagement.connectivitytests.get\"\n ]\n }\n```\n\nReplace \u003cvar translate=\"no\"\u003eTEST_ID\u003c/var\u003e with the ID of the\nConnectivity Tests object (test) that you are running.\n\nWhat's next\n-----------\n\n- [Learn about Connectivity Tests](/network-intelligence-center/docs/connectivity-tests/concepts/overview)\n- [Troubleshoot Connectivity Tests](/network-intelligence-center/docs/connectivity-tests/support/troubleshooting)"]]