When you create a Google Cloud project, you are the only user on the project. By default, no other users have access to your project or its resources. Identity and Access Management (IAM) controls who can access Google Cloud resources, such as clusters. Permissions are granted to IAM principals.
IAM lets you grant roles to principals. A role is a collection of permissions, and when granted to a principal, controls access to one or more Google Cloud resources. You can use the following types of roles:
- Basic roles (Owner, Editor, and Viewer) provide coarse permissions that apply across the whole project; because they are so broad, prefer predefined or custom roles for production access.
- Predefined roles provide finer-grained access than basic roles and address many common use cases.
- Custom roles allow you to create unique combinations of permissions.
A principal can be any of the following:
- User account
- Service account
- Google Workspace Google Group
- Google Workspace domain
- Cloud Identity domain
IAM policy types
IAM supports the following policy types:
- Allow policies: grant roles to principals. For details, see Allow policy.
- Deny policies: prevent principals from using specific IAM permissions regardless of the roles that those principals are granted. For details, see Deny policies.
Use deny policies to restrict specific principals from performing specific actions in your project, folder, or organization even if an IAM allow policy grants those principals a role that contains the relevant permissions.
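The interaction between the two policy types is easiest to see in code. The block below is an added example, not Google's code or anything from this page: IAM performs the real evaluation itself. The roles, principals, group memberships and the deny rule are constructed samples, and the deny policy dictionary only mirrors the field names of the deny policy JSON format (rules[].denyRule with deniedPrincipals, exceptionPrincipals and deniedPermissions). Which permissions actually support deny policies is an assumption to verify against the IAM documentation before using a rule like this one.

```python
"""Allow-policy vs. deny-policy evaluation, as a stand-alone illustration.

Added example, not Google's code. Roles, principals, group membership and the
deny rule are constructed; the deny policy dict mirrors the deny policy JSON
field names. Whether 'logging.googleapis.com/sinks.delete' supports deny
policies is an assumption to check in the IAM docs.
"""

# Constructed role -> permission sets standing in for predefined roles
# (real roles contain many more permissions).
ROLES = {
    "roles/logging.viewer": {"logging.logEntries.list", "observability.scopes.get"},
    "roles/logging.admin": {"logging.logEntries.list", "logging.sinks.delete",
                            "observability.scopes.get"},
}

# Constructed group membership (user email -> groups); IAM resolves this itself.
GROUPS = {
    "alice@example.com": {"sre@example.com"},
    "carol@example.com": {"sre@example.com", "breakglass@example.com"},
}

# Constructed allow policy: role bindings.
ALLOW_POLICY = {"bindings": [
    {"role": "roles/logging.admin",
     "members": ["user:alice@example.com", "group:sre@example.com"]},
    {"role": "roles/logging.viewer", "members": ["user:bob@example.com"]},
]}

# Constructed deny policy: nobody may delete log sinks except a break-glass
# group, no matter which roles the allow policy grants them.
DENY_POLICY = {"displayName": "Protect log sinks", "rules": [{"denyRule": {
    "deniedPrincipals": ["principalSet://goog/public:all"],
    "exceptionPrincipals": ["principalSet://goog/group/breakglass@example.com"],
    "deniedPermissions": ["logging.googleapis.com/sinks.delete"],
}}]}

# Deny policies name permissions as SERVICE_FQDN/RESOURCE.ACTION. The service
# prefix differs per API, so map it explicitly (only logging is needed here).
DENY_SERVICE = {"logging": "logging.googleapis.com"}


def to_deny_form(permission):
    """'logging.sinks.delete' -> 'logging.googleapis.com/sinks.delete';
    None when the service is not in the (constructed) map."""
    service, _, rest = permission.partition(".")
    fqdn = DENY_SERVICE.get(service)
    return f"{fqdn}/{rest}" if fqdn else None


def principal_matches(identifier, user):
    """Match a deny-policy principal identifier against a user email."""
    if identifier == "principalSet://goog/public:all":
        return True
    if identifier.startswith("principal://goog/subject/"):
        return identifier.rsplit("/", 1)[1] == user
    if identifier.startswith("principalSet://goog/group/"):
        return identifier.rsplit("/", 1)[1] in GROUPS.get(user, set())
    return False


def is_denied(user, permission):
    """A rule denies the user when the permission is listed, the user matches a
    denied principal, and the user matches no exception principal."""
    name = to_deny_form(permission)
    if name is None:
        return False
    for rule in DENY_POLICY["rules"]:
        r = rule["denyRule"]
        if name not in r.get("deniedPermissions", []):
            continue
        if any(principal_matches(p, user) for p in r.get("exceptionPrincipals", [])):
            continue
        if any(principal_matches(p, user) for p in r.get("deniedPrincipals", [])):
            return True
    return False


def is_allowed(user, permission):
    """Some binding grants a role containing the permission to the user,
    directly or through one of the user's groups."""
    for binding in ALLOW_POLICY["bindings"]:
        if permission not in ROLES.get(binding["role"], set()):
            continue
        for member in binding["members"]:
            if member == f"user:{user}":
                return True
            if member.startswith("group:") and member[6:] in GROUPS.get(user, set()):
                return True
    return False


def check(user, permission):
    """Deny policies are evaluated first: a matching deny rule wins even when an
    allow binding grants the permission."""
    if is_denied(user, permission):
        return "DENIED"
    return "ALLOWED" if is_allowed(user, permission) else "NO_ACCESS"


if __name__ == "__main__":
    for user, perm in [("alice@example.com", "logging.sinks.delete"),
                       ("carol@example.com", "logging.sinks.delete"),
                       ("bob@example.com", "logging.logEntries.list"),
                       ("dave@example.com", "logging.logEntries.list")]:
        print(f"{user:20} {perm:25} {check(user, perm)}")
```

Alice holds Logging Admin through the allow policy and is still refused sinks.delete, because deny rules are checked before allow bindings; Carol gets through only because she is in the exception group. The order of the two checks in check() is the whole point of L16: an allow policy can never override a deny policy. To attach a file with the DENY_POLICY contents to a real project, the documented command is gcloud iam policies create POLICY_ID --attachment-point=cloudresourcemanager.googleapis.com%2Fprojects%2FPROJECT_ID --kind=denypolicies --policy-file=FILE, with POLICY_ID, PROJECT_ID and FILE as placeholders.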
Predefined roles
IAM provides predefined roles to grant granular access to specific Google Cloud resources and to prevent unwanted access to other resources. Google Cloud creates and maintains these roles and automatically updates their permissions as necessary, such as when Google Cloud Observability adds new features.
Predefined roles for Google Cloud Observability contain permissions for features that span multiple product areas. For this reason, you might see some permissions, like observability.scopes.get, included in predefined roles for those product areas. For example, the Logs Viewer role (roles/logging.viewer) includes the observability.scopes.get permission in addition to many logging-specific permissions.
The following table lists the predefined roles for Google Cloud Observability with each role's title and description; all four are currently in Beta. The full permission lists are not reproduced here. You can grant these roles at the Google Cloud project level or, in most cases, at any higher level of the resource hierarchy (folder or organization).
To get a list of all individual permissions contained in a role, see Getting the role metadata.
Role | Description |
---|---|
Observability Admin (Beta) | Full access to Observability resources. |
Observability Analytics User (Beta) | Grants permissions to use Cloud Observability Analytics. |
Observability Editor (Beta) | Edit access to Observability resources. |
Observability Viewer (Beta) | Read-only access to Observability resources. |