Access control with IAM

Stay organized with collections Save and categorize content based on your preferences.

This page describes SaaS Runtime roles and permissions.

To use SaaS Runtime, you need to ensure you have the required service accounts. For these service accounts, you need to grant the required permissions. For more details about service accounts and SaaS Runtime, see SaaS Runtime service accounts. For details about service accounts, see Service accounts overview.

To deploy or view the Google Cloud resources defined in the Terraform configuration, you need to grant the service account permissions that are specific to these resources. These permissions are in addition to the permissions required to use SaaS Runtime. For a list of all roles and the permissions they contain, see Identity and Access Management basic and predefined roles reference.

A service account is not required to view SaaS Runtime deployments, revisions, and IAM policies.

Predefined SaaS Runtime roles

IAM provides predefined roles that grant access to specific Google Cloud resources and prevent unauthorized access to other resources.

The following table lists the SaaS Runtime IAM roles and the permissions that they include:

Role	Description	Permissions
SaaS Runtime Admin (roles/saasservicemgmt.admin)	Full access to all SaaS Runtime resources.	saasservicemgmt.rollouts.create saasservicemgmt.rollouts.update saasservicemgmt.rollouts.delete saasservicemgmt.rolloutKinds.create saasservicemgmt.rolloutKinds.update saasservicemgmt.rolloutKinds.delete saasservicemgmt.releases.create saasservicemgmt.releases.update saasservicemgmt.releases.delete saasservicemgmt.units.create saasservicemgmt.units.update saasservicemgmt.units.delete saasservicemgmt.unitKinds.create saasservicemgmt.unitKinds.update saasservicemgmt.unitKinds.delete saasservicemgmt.unitOperations.create saasservicemgmt.unitOperations.update saasservicemgmt.unitOperations.delete saasservicemgmt.tenants.create saasservicemgmt.tenants.update saasservicemgmt.tenants.delete saasservicemgmt.saas.create saasservicemgmt.saas.update saasservicemgmt.saas.delete resourcemanager.projects.get resourcemanager.projects.list saasservicemgmt.locations.list saasservicemgmt.locations.get saasservicemgmt.rollouts.list saasservicemgmt.rollouts.get saasservicemgmt.rolloutKinds.list saasservicemgmt.rolloutKinds.get saasservicemgmt.releases.list saasservicemgmt.releases.get saasservicemgmt.units.list saasservicemgmt.units.get saasservicemgmt.unitKinds.list saasservicemgmt.unitKinds.get saasservicemgmt.unitOperations.list saasservicemgmt.unitOperations.get saasservicemgmt.tenants.list saasservicemgmt.tenants.get saasservicemgmt.saas.list saasservicemgmt.saas.get
SaaS Runtime Viewer (roles/saasservicemgmt.viewer)	Read SaaS Runtime resources: releases, rollouts, rolloutKinds, units, unitKinds, unitOperations, saas, and tenants.	resourcemanager.projects.get resourcemanager.projects.list saasservicemgmt.locations.list saasservicemgmt.locations.get saasservicemgmt.rollouts.list saasservicemgmt.rollouts.get saasservicemgmt.rolloutKinds.list saasservicemgmt.rolloutKinds.get saasservicemgmt.releases.list saasservicemgmt.releases.get saasservicemgmt.units.list saasservicemgmt.units.get saasservicemgmt.unitKinds.list saasservicemgmt.unitKinds.get saasservicemgmt.unitOperations.list saasservicemgmt.unitOperations.get saasservicemgmt.tenants.list saasservicemgmt.tenants.get saasservicemgmt.saas.list saasservicemgmt.saas.get

Permissions

Permissions that the caller must have to call each method is listed in the REST API reference.

What's next

• Learn about IAM.
• Learn more about using conditions in IAM
• Find out more about SaaS Runtime service accounts.