Access control

Controlling who can access resources is key to cloud security. You can manage access through IAM Role Bindings, which set permissions for users, groups and service accounts. While resource manager roles help manage the resource hierarchy, they don’t grant access to the cloud resources within a project.

For more information, see our Access Management documentation.

Resource Manager roles and permissions

Roles are made up of permissions, which are needed to perform specific actions. While permissions can’t be assigned directly, they are granted through roles. You might find the same role available at different levels of the hierarchy, but with varying permissions, because not all permissions apply to every scope.

For example, the Resource Manager Reader role at the project level only includes the resource-manager.project.get permission. This is because permissions like resource-manager.folder.get aren’t applicable at the project level, as there are no child folder resources below a project.

To assign a new role to a user in your organization, the user must first have one of these prerequisite roles:

• The Owner role
• One of the legacy roles: organization.member, organization.auditor or organization.viewer

We recommend using the organization.viewer role. It’s the best choice because it provides minimal read-only permissions at the organization level but does not inherit access to any of the organization’s folders or projects.

Expand

Lowest Scope	Name	Description	Permissions
Project	Resource Manager Reader	Users with this role can view the details of child elements like projects and folders, but not the resources within those projects.	resource-manager.organization.get resource-manager.organization.direct.get resource-manager.folder.get resource-manager.folder.list resource-manager.project.get resource-manager.project.list
Project	Resource Manager Project Mover	Users with this role can move projects within the same organization to a different parent.	resource-manager.organization.get resource-manager.organization.direct.get resource-manager.folder.list resource-manager.folder.get resource-manager.project.get resource-manager.project.list resource-manager.project.edit resource-manager.project.move
Project	Resource Manager Project Deleter	This role allows users to delete projects within a given scope.	resource-manager.organization.get resource-manager.organization.direct.get resource-manager.folder.get resource-manager.folder.list resource-manager.project.delete resource-manager.project.get resource-manager.project.list
Project	Resource Manager Admin	This role is a combination of every resource manager permission.	resource-manager.folder.create resource-manager.folder.delete resource-manager.folder.edit resource-manager.folder.get resource-manager.folder.list resource-manager.folder.move resource-manager.organization.direct.get resource-manager.organization.edit resource-manager.organization.get resource-manager.project.create resource-manager.project.delete resource-manager.project.edit resource-manager.project.get resource-manager.project.list resource-manager.project.move
Folder	Resource Manager Project Creator	This role allows users to create projects within a given scope.	resource-manager.organization.get resource-manager.organization.direct.get resource-manager.folder.get resource-manager.folder.list resource-manager.project.list resource-manager.project.create
Folder	Resource Manager Folder Creator	This role allows users to create folders within a given scope.	resource-manager.organization.get resource-manager.organization.direct.get resource-manager.folder.create resource-manager.folder.get resource-manager.folder.list resource-manager.project.list
Folder	Resource Manager Folder Editor	This role allows users to browse the resource hierarchy and edit folders.	resource-manager.organization.get resource-manager.organization.direct.get resource-manager.folder.edit resource-manager.folder.get resource-manager.folder.list resource-manager.project.list
Folder	Resource Manager Folder Mover	Users with this role can movefolderswithin the same organization to a different parent.	resource-manager.organization.get resource-manager.organization.direct.get resource-manager.folder.move resource-manager.folder.edit resource-manager.folder.get resource-manager.folder.list resource-manager.project.list
Folder	Resource Manager Folder Deleter	This role allows users to delete folders within a given scope.	resource-manager.organization.get resource-manager.organization.direct.get resource-manager.folder.get resource-manager.folder.list resource-manager.folder.delete resource-manager.project.list

Caution

A “get” and a “list” permission both give you full access to a resource’s details. When it comes to the data you can see, they’re the same. For instance, if you have the resource-manager.project.list permission on a folder, you can see all of its child projects and their respective data attributes.

However, these permissions are used for different actions:

• The list permission lets you use the “list” API, which returns multiple resources at once
• The get permission lets you use the “get” API, which retrieves the details of a single, specific resource

So, even if you have get permissions, you won’t be able to use a “list” API to see any resources. You need the specificlist permissionto do that.

Legacy permissions

Throughout the evolution of our access management system, we’ve introduced few permission changes. Occasionally, you may still encounter some of these deprecated legacy permissions in the system. They remain for now to ensure a safe transition until we can permanently remove them.

The following is a list of these permissions and their descriptions:

Expand

Permission Name	Description
project.read	Alias for resource-manager.project.get
resource-manager.project.direct.get	Deprecated permission. Alias for resource-manager.project.get
resource-manager.organization.direct.get	Deprecated permission. Alias for resource-manager.organization.get
resource-manager.resource.project.edit	Deprecated permission. It will be removed in future releases.

Legacy roles

Expand

Lowest Scope	Name	Description	Permissions
Organization	organization.member	This role grants access to the organization level only (e.g., creating projects, reading organization details). It’s marked as legacy because its permissions do not inherit down to any child objects, like folders or projects. You’ll need to assign specific access to those items.	audit-log.resource.entry.get billing-account.billing-details.get customer.billing-account.get customer.billing-account.list customer.linkable-billing-account.list customer.organization.customer.get customer.organization.list customer.project.billing-account.get iaas.network-area.getiaas.network-area.list iaas.network-area.project.list iaas.network-area.range.getiaas.network-area.range.list iaas.network-area.route.get iaas.network-area.route.list iaas.network-area.rt.getiaas.network-area.rt.list iaas.network-area.rt.route.get iaas.network-area.rt.route.list iaas.regional-network-area.get iaas.regional-network-area.list iaas.resource.request.get iam.resource.member.get iam.resource.role.getpartner.reseller.get resource-manager.organization.direct.get resource-manager.organization.get resource-manager.project.create
Organization	organization.auditor	The Organization Auditor role exists at the organization level only. It doesn’t grant access to any child objects, like folders or projects. Use this role to give users read-only access to the organization itself, including its audit log, billing account and network areas. This is a legacy role because its permissions don’t inherit to child items.	audit-log.resource.entry.get billing-account.billing-details.get customer.billing-account.get customer.billing-account.list customer.linkable-billing-account.list customer.organization.customer.get customer.organization.list customer.project.billing-account.get iaas.network-area.getiaas.network-area.list iaas.network-area.project.list iaas.network-area.range.getiaas.network-area.range.list iaas.network-area.route.get iaas.network-area.route.list iaas.network-area.rt.getiaas.network-area.rt.list iaas.network-area.rt.route.get iaas.network-area.rt.route.list iaas.regional-network-area.get iaas.regional-network-area.list iaas.resource.request.get iam.resource.member.get iam.resource.role.getpartner.reseller.get resource-manager.organization.direct.get resource-manager.organization.get
Organization	organization.viewer	The Organization Viewer role exists at the organization level only. It doesn’t grant access to any child objects, like folders or projects. Use this role to give users minimal read-only access to the organization itself. This is a legacy role because its permissions don’t inherit to child items.	resource-manager.organization.direct.get resource-manager.organization.get