# Control access with IAM
When you create a Google Cloud project, you are the only user on the project. By
default, no other users have access to your project or its resources.
Identity and Access Management (IAM) manages access to Google Cloud resources, like
clusters. Permissions are assigned to IAM *principals*.

IAM lets you grant roles to principals. A role is a collection of permissions,
and when granted to a principal, controls access to one or more Google Cloud
resources. You can use the following types of roles:
- Basic roles provide coarse permissions limited to Owner, Editor, and Viewer.
- Predefined roles provide finer-grained access than basic roles and address many common use cases.
- Custom roles allow you to create unique combinations of permissions.
A principal can be any of the following:

- User account
- Service account
- Google Workspace Google Group
- Google Workspace domain
- Cloud Identity domain
### IAM policy types

IAM supports the following policy types:

- **Allow policies**: grant roles to principals. For details, see Allow policy.
- **Deny policies**: prevent principals from using specific IAM permissions regardless of the roles that those principals are granted. For details, see Deny policies.

Use deny policies to restrict specific principals from performing specific
actions in your project, folder, or organization even if an IAM
allow policy grants those principals a role that contains the relevant
permissions.
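As an added example (not from this page or from the IAM product), the following Python models the rule just stated: a role is a set of permissions granted to a principal through an allow policy, and a deny rule removes specific permissions for specific principals regardless of the roles they hold. Role contents, group membership and principal identifiers are constructed simplifications; real deny policies use their own principal and permission naming.

```python
from dataclasses import dataclass, field

# Constructed sample data: a tiny subset of the permissions in the real
# predefined roles; the page notes observability.scopes.get appears in
# roles/logging.viewer alongside logging-specific permissions.
ROLE_PERMISSIONS = {
    "roles/logging.viewer": {"logging.logEntries.list", "observability.scopes.get"},
    "roles/logging.admin": {"logging.logEntries.list", "logging.logs.delete",
                            "observability.scopes.get"},
}
# Constructed group membership: a Google Group is itself a principal, so a
# role bound to the group applies to every member.
GROUP_MEMBERS = {"group:sre@example.com": {"user:alice@example.com"}}

@dataclass
class AllowPolicy:
    bindings: dict = field(default_factory=dict)  # role -> set of principals

@dataclass
class DenyRule:
    denied_principals: set   # principals the rule applies to
    denied_permissions: set  # permissions blocked for those principals

def expand_principal(principal):
    """A user matches bindings on itself and on every group it belongs to."""
    groups = {g for g, members in GROUP_MEMBERS.items() if principal in members}
    return {principal} | groups

def has_permission(principal, permission, allow, deny_rules):
    """Deny rules are checked first: a matching deny rule blocks the
    permission even when an allow binding grants a role that contains it."""
    ids = expand_principal(principal)
    for rule in deny_rules:
        if ids & rule.denied_principals and permission in rule.denied_permissions:
            return False
    for role, members in allow.bindings.items():
        if ids & members and permission in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False  # nothing grants the permission: default is no access

def demo():
    """SRE group holds Logging Admin, but a deny rule strips log deletion."""
    allow = AllowPolicy({"roles/logging.admin": {"group:sre@example.com"}})
    deny = [DenyRule({"group:sre@example.com"}, {"logging.logs.delete"})]
    alice, bob = "user:alice@example.com", "user:bob@example.com"
    return {
        "alice_list": has_permission(alice, "logging.logEntries.list", allow, deny),
        "alice_delete": has_permission(alice, "logging.logs.delete", allow, deny),
        "bob_list": has_permission(bob, "logging.logEntries.list", allow, deny),
    }
```

Alice inherits Logging Admin through the group but still cannot delete logs, and Bob, who holds no role, gets nothing by default.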
Predefined roles
----------------

IAM provides predefined roles to grant granular access to
specific Google Cloud resources and to prevent unwanted access to other
resources. Google Cloud creates and maintains these roles and automatically
updates their permissions as necessary, such as when Google Cloud Observability adds
new features.
Predefined roles for Google Cloud Observability contain permissions for features that
span multiple product areas. For this reason, you might see some permissions,
like `observability.scopes.get`, included in predefined roles for those
product areas. For example, the Logs Viewer role (`roles/logging.viewer`)
includes the `observability.scopes.get` permission in addition to many
logging-specific permissions.
The following table lists the predefined roles for Google Cloud Observability. For
each role, the table displays the role title, description, contained
permissions, and the lowest-level resource type where the roles can be granted.
You can grant the predefined roles at the Google Cloud project level or, in
most cases, any type higher in the
resource hierarchy.
To get a list of all individual permissions contained in a role, see
Getting the role metadata (/iam/docs/creating-custom-roles#getting_the_role_metadata).

### Observability roles

### Telemetry API roles

What's next
-----------

- Logging: Control access with IAM (/logging/docs/access-control)
- Monitoring: Control access with IAM (/monitoring/access-control)
- Trace: Control access with IAM (/trace/docs/iam)