Roles and permissions

This page describes the Identity and Access Management (IAM) roles and permissions needed for running Firewall Insights.

You can grant users or service accounts permissions or a predefined role, or you can create a custom role that uses permissions that you specify. The following table describes the IAM predefined roles and their associated permissions.

For more information, see the IAM permissions reference.

| Description | Role | Permissions (methods) |
|---|---|---|
| View firewalls and their details | Grant one of the following roles: Firewall Recommender Admin role (roles/recommender.firewallAdmin) or Firewall Recommender Viewer role (roles/recommender.firewallViewer) | compute.firewalls.list |
| Only view insights | Grant one of the following roles: Firewall Recommender Admin role (roles/recommender.firewallAdmin) or Firewall Recommender Viewer role (roles/recommender.firewallViewer) | projects.locations.insightTypes.insights.list |
| View insights metrics | Grant one of the following roles: Firewall Recommender Admin role (roles/recommender.firewallAdmin) or Firewall Recommender Viewer role (roles/recommender.firewallViewer) | monitoring.timeSeries.list |
| View and modify insights | Grant the Firewall Recommender Admin role (roles/recommender.firewallAdmin) | |
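
The following added example, which is not part of the original page, applies the table to an IAM allow policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`. It reports which principals can modify insights and which Viewer bindings are redundant; the sample policy and every principal in it are constructed, and the task labels are shorthand for the table rows.

```python
import json

# Role IDs come from the table above; task labels are shorthand for its rows.
VIEWER = "roles/recommender.firewallViewer"
ADMIN = "roles/recommender.firewallAdmin"
READ_TASKS = {"view firewalls", "view insights", "view insights metrics"}
ROLE_TASKS = {VIEWER: READ_TASKS, ADMIN: READ_TASKS | {"modify insights"}}

# Constructed sample in the shape of an IAM allow policy; all principals are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/recommender.firewallViewer",
     "members": ["group:netops@example.com", "user:alice@example.com"]},
    {"role": "roles/recommender.firewallAdmin",
     "members": ["user:alice@example.com",
                 "serviceAccount:fw-review@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/recommender.firewallAdmin",
     "members": ["user:bob@example.com"],
     "condition": {"title": "temporary", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/viewer", "members": ["user:carol@example.com"]}
  ]
}
""")

def audit(policy):
    """Return {principal: {"tasks", "roles", "conditional"}} for the two Firewall Insights roles."""
    report = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in ROLE_TASKS:
            continue  # other roles may carry the same permissions; not evaluated here
        for member in binding.get("members", []):
            entry = report.setdefault(member, {"tasks": set(), "roles": set(), "conditional": False})
            entry["tasks"] |= ROLE_TASKS[role]
            entry["roles"].add(role)
            entry["conditional"] |= "condition" in binding
    return report

def can_modify(report):
    """Principals able to modify insights, i.e. holders of the Admin role."""
    return sorted(m for m, e in report.items() if ADMIN in e["roles"])

def redundant_viewer(report):
    """Unconditional holders of both roles: per the table, Admin already covers every Viewer task."""
    return sorted(m for m, e in report.items()
                  if e["roles"] == {VIEWER, ADMIN} and not e["conditional"])

if __name__ == "__main__":
    r = audit(SAMPLE_POLICY)
    print("can modify:", can_modify(r), "| redundant Viewer:", redundant_viewer(r))
```

Principals that appear under `can_modify` but only need to read insights are candidates for the Viewer role instead.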

For more information about project roles and permissions, see the following:

Get required roles and permissions

To get the permissions that you need to enable APIs and features, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to enable APIs and features. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to enable APIs and features:

  • Enable APIs: serviceusage.services.enable
  • Enable shadowed rule or overly permissive rule insights: recommender.computeFirewallInsightTypeConfigs.update

You might also be able to get these permissions with custom roles or other predefined roles.

Select a project

Before you complete any prerequisites or take any other actions with Firewall Insights, we recommend that you create or select a Google Cloud project. Use the following steps:

  1. In the Google Cloud console, go to the Project selector page.


  2. Select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project.
