Access control with Identity and Access Management

This page describes access control with Identity and Access Management (IAM) in Secure Source Manager.

Overview

IAM permissions and roles determine your ability to create, view, edit, or delete data in a Secure Source Manager instance.

A role is a collection of permissions. You can't grant a principal permissions directly; instead, you grant them a role. When you grant a role to a principal, you grant them all the permissions that the role contains. You can grant multiple roles to the same principal.

Grant predefined Secure Source Manager roles

Every Secure Source Manager API method requires that the principal (user, group, or service account) making the request has the required permissions to use the resource. Permissions are given to principals by setting policies that grant the principal a predefined role on the resource.

Secure Source Manager roles are not visible in the Google Cloud console until you have assigned each role to a principal. For information on granting roles on Secure Source Manager instance and repository resources, see Grant and revoke IAM roles.

Secure Source Manager Permissions

The following table describes the permissions available in Secure Source Manager predefined roles.

| Permission | Description |
| --- | --- |
| securesourcemanager.instances.access | Access the Secure Source Manager instance via UI, HTTP API and git protocol (HTTP, SSH). This is used for controlling access to the instance. |
| securesourcemanager.instances.createRepository | Add Git repository resources in a Secure Source Manager instance. |
| securesourcemanager.instances.create | Create an instance. |
| securesourcemanager.instances.get | Get details of an instance, such as the creation time. |
| securesourcemanager.instances.delete | Delete an instance. |
| securesourcemanager.instances.update | Update the parameters of an instance. |
| securesourcemanager.instances.setIamPolicy | Set IAM policies on an instance. |
| securesourcemanager.instances.getIamPolicy | Retrieve IAM policies on an instance. |
| securesourcemanager.sshkeys.create | Add an SSH key to an instance. A user can only add an SSH key for themselves. |
| securesourcemanager.sshkeys.createAny | Add a service account SSH key to an instance. The user must also have the .actAs permission on that service account. |
| securesourcemanager.sshkeys.list | List SSH keys that belong to the instance. A user can only list SSH keys that they own. |
| securesourcemanager.sshkeys.listAny | List SSH keys that belong to the instance. A user can list all SSH service account keys in the instance. |
| securesourcemanager.sshkeys.get | Get SSH keys that belong to the instance. A user can only get SSH keys they own. |
| securesourcemanager.sshkeys.delete | Remove an SSH key from an instance. A user can only remove an SSH key for themselves. |
| securesourcemanager.sshkeys.deleteAny | Remove a service account SSH key from an instance. A user with this permission can remove any service account SSH key in the instance. |
| securesourcemanager.repositories.create | Create a Secure Source Manager repository. |
| securesourcemanager.repositories.update | Update repository metadata. |
| securesourcemanager.repositories.list | List the metadata for repositories in a project. |
| securesourcemanager.repositories.get | Get the metadata of a repository. |
| securesourcemanager.repositories.fetch | Git clone/fetch a repository. |
| securesourcemanager.repositories.push | Git push to a repository. |
| securesourcemanager.repositories.delete | Delete a repository. |
| securesourcemanager.repositories.setIamPolicy | Grant or remove repository roles or permissions to users, service accounts, and groups. |
| securesourcemanager.repositories.getIamPolicy | View repository roles and permissions. |
| securesourcemanager.repositories.testIamPermissions | Test whether a principal has a specified permission on a repository. |
| securesourcemanager.repositories.readIssues | Read-only operations on the issues section of a repository in the Secure Source Manager web interface. |
| securesourcemanager.repositories.writeIssues | Write operations on the issues section of a repository in the Secure Source Manager web interface. |
| securesourcemanager.repositories.readPullRequests | Read-only operations on the pull requests section of a repository in the Secure Source Manager web interface. |
| securesourcemanager.repositories.writePullRequests | Write operations on the pull requests section of a repository in the Secure Source Manager web interface. |
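The following example is added here to illustrate two points from this page: that a principal's effective permissions are the union of every role bound to them (Overview), and that the SSH key permissions are scoped per user unless the "Any" variant is held (permissions table). It is not Google Cloud or Secure Source Manager code. The role names (roles/example.*), principals and keys are constructed placeholders; only the permission strings come from the table. It also assumes that pushing needs both instances.access (git protocol access to the instance) and repositories.push on the repository, with the two policies evaluated separately and no project-level inheritance modelled.

```python
"""Resolve IAM role bindings into effective permissions and apply the
per-user vs. "Any" scoping described for the sshkeys.* permissions.
Role names, principals and keys below are constructed for illustration."""
from dataclasses import dataclass

# Hypothetical roles (assumption: not the real predefined role names).
# Each role is a collection of permission strings from the table above.
ROLE_PERMISSIONS = {
    "roles/example.instanceUser": {
        "securesourcemanager.instances.access",
        "securesourcemanager.sshkeys.create",
        "securesourcemanager.sshkeys.list",
        "securesourcemanager.sshkeys.get",
        "securesourcemanager.sshkeys.delete",
    },
    "roles/example.instanceKeyAdmin": {
        "securesourcemanager.sshkeys.createAny",
        "securesourcemanager.sshkeys.listAny",
        "securesourcemanager.sshkeys.deleteAny",
    },
    "roles/example.repoWriter": {
        "securesourcemanager.repositories.get",
        "securesourcemanager.repositories.fetch",
        "securesourcemanager.repositories.push",
        "securesourcemanager.repositories.readIssues",
        "securesourcemanager.repositories.writeIssues",
    },
}


@dataclass
class Binding:
    """One IAM policy binding: a role granted to a set of principals."""
    role: str
    members: set


@dataclass
class SshKey:
    """An SSH key registered on the instance, with its owning principal."""
    key_id: str
    owner: str
    is_service_account: bool


def effective_permissions(bindings, principal):
    """Union of the permissions of every role bound to the principal."""
    perms = set()
    for binding in bindings:
        if principal in binding.members:
            perms |= ROLE_PERMISSIONS.get(binding.role, set())
    return perms


def can_delete_key(bindings, principal, key):
    """sshkeys.delete only covers the caller's own key; sshkeys.deleteAny
    covers any service account key in the instance (and only those)."""
    perms = effective_permissions(bindings, principal)
    if key.owner == principal and "securesourcemanager.sshkeys.delete" in perms:
        return True
    if key.is_service_account and "securesourcemanager.sshkeys.deleteAny" in perms:
        return True
    return False


def can_push(instance_bindings, repo_bindings, principal):
    """Assumption: a git push needs instance access plus repositories.push,
    checked against the instance and repository policies separately."""
    inst = effective_permissions(instance_bindings, principal)
    repo = effective_permissions(repo_bindings, principal)
    return ("securesourcemanager.instances.access" in inst
            and "securesourcemanager.repositories.push" in repo)


# Constructed sample policies and keys (not real principals or resources).
INSTANCE_BINDINGS = [
    Binding("roles/example.instanceUser",
            {"user:alice@example.com", "user:bob@example.com"}),
    Binding("roles/example.instanceKeyAdmin", {"user:alice@example.com"}),
]
REPO_BINDINGS = [
    Binding("roles/example.repoWriter", {"user:alice@example.com"}),
]
KEYS = [
    SshKey("key-1", "user:bob@example.com", False),
    SshKey("key-2", "serviceAccount:ci@example.iam.gserviceaccount.com", True),
]

if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com"):
        print(who, "push:", can_push(INSTANCE_BINDINGS, REPO_BINDINGS, who))
        for key in KEYS:
            print("  delete", key.key_id, can_delete_key(INSTANCE_BINDINGS, who, key))
```

Note that alice, who holds sshkeys.deleteAny, can remove the service account key but not bob's personal key: the "Any" permissions extend only to service account keys, exactly as the table states.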

Secure Source Manager predefined roles

In addition to the project and folder level, Secure Source Manager IAM roles can be granted on the instance and repository resources.

You can view all predefined Secure Source Manager roles and the permissions available in each role by searching for Secure Source Manager in the predefined roles section of IAM basic and predefined roles reference.

Instance Roles

Instance roles give principals permissions on the Secure Source Manager instance. Repository roles are granted separately.

Repository Roles

Repository roles give principals permissions on Secure Source Manager repositories.

Custom roles

In addition to the predefined roles, Secure Source Manager also supports custom roles. For more information, see Creating and managing custom roles in the IAM documentation.

Repository role management

The following sections describe required roles for common repository actions.

Manage repositories

To get the permissions that you need to create, delete, and add users to a Secure Source Manager repository, ask your administrator to grant you the following IAM roles:

Create repositories

To get the permissions that you need to create repositories in a Secure Source Manager instance, ask your administrator to grant you the following IAM roles:

View a repository

To get the permissions that you need to view a repository, ask your administrator to grant you the following IAM roles:

Use a repository and create issues and pull requests

To get the permissions that you need to push to and pull from a repository, and to create issues and pull requests, ask your administrator to grant you the following IAM roles:

What's next