This page describes the Identity and Access Management (IAM) roles required to configure Access Context Manager.
Required roles
The following table lists the permissions and roles required to create and list access policies:
| Action | Required permissions and roles |
|---|---|
| Create an organization-level access policy or scoped policies | Permission: <br>Role that provides the permission: Access Context Manager Editor role (roles/accesscontextmanager.policyEditor) |
| List an organization-level access policy or scoped policies | Permission: <br>Roles that provide the permission: Access Context Manager Editor role (roles/accesscontextmanager.policyEditor), Access Context Manager Reader role (roles/accesscontextmanager.policyReader) |
You can only create, list, or delegate scoped policies if you have those permissions at the organization level. After you create a scoped policy, you can grant permission to manage the policy by adding IAM bindings on the scoped policy.
Permissions granted at the organization level apply to all access policies, including the organization-level policy and any scoped policies.
The following curated IAM roles provide the necessary permissions to view or configure access levels, or to grant permissions to delegated administrators on scoped policies, using the gcloud command-line tool:
- Access Context Manager Admin: roles/accesscontextmanager.policyAdmin
- Access Context Manager Editor: roles/accesscontextmanager.policyEditor
- Access Context Manager Reader: roles/accesscontextmanager.policyReader
Additionally, to let your users manage Access Context Manager using the Google Cloud console, the Resource Manager Organization Viewer (roles/resourcemanager.organizationViewer) role is required.
To grant one of these roles, use the Google Cloud console or the gcloud command-line tool:
Admin allows read-write access:
```shell
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyAdmin"
```
Editor allows read-write access:
```shell
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyEditor"
```
Reader allows read-only access:
```shell
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyReader"
```
Organization Viewer allows access to VPC Service Controls using the Google Cloud console:
```shell
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/resourcemanager.organizationViewer"
```
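Because an organization-level binding for any of these roles reaches every access policy, including scoped ones, it is worth periodically reviewing who holds them. The following script is an added example, not Google's code or part of this page: it reads the JSON that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` prints (a list of `bindings`, each with a `role` and `members`), lists every principal holding one of the three Access Context Manager roles named above, flags public principals, and notes which holders lack the Organization Viewer role that console access requires. The sample policy, member names and the severity labels are constructed for illustration.

```python
"""Audit Access Context Manager role bindings in an organization IAM policy.

Added example, not Google's code. Input is the JSON shape printed by
`gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`.
Conditional bindings (a binding carrying a "condition") are listed but the
condition itself is not evaluated. Bindings set directly on a scoped policy
are not visible here; review those on the scoped policy separately.
"""
import json
import sys

# Roles named on this page and the access they grant.
ACM_ROLES = {
    "roles/accesscontextmanager.policyAdmin": "read-write",
    "roles/accesscontextmanager.policyEditor": "read-write",
    "roles/accesscontextmanager.policyReader": "read-only",
}
READ_WRITE_ROLES = {r for r, access in ACM_ROLES.items() if access == "read-write"}
CONSOLE_ROLE = "roles/resourcemanager.organizationViewer"
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy; these principals are hypothetical.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/accesscontextmanager.policyAdmin",
         "members": ["user:alice@example.com", "group:sec-admins@example.com"]},
        {"role": "roles/accesscontextmanager.policyEditor",
         "members": ["user:bob@example.com", "allAuthenticatedUsers"]},
        {"role": "roles/accesscontextmanager.policyReader",
         "members": ["serviceAccount:auditor@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXyz123=",
    "version": 1,
})


def acm_holders(policy_json):
    """Return {member: set(role)} for every member holding an Access Context Manager role."""
    policy = json.loads(policy_json)
    holders = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in ACM_ROLES:
            continue
        for member in binding.get("members", []):
            holders.setdefault(member, set()).add(role)
    return holders


def console_members(policy_json):
    """Return the set of members holding the Organization Viewer role."""
    policy = json.loads(policy_json)
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == CONSOLE_ROLE:
            members.update(binding.get("members", []))
    return members


def findings(policy_json):
    """Return (severity, member, message) tuples, sorted by member name."""
    out = []
    viewers = console_members(policy_json)
    for member, roles in sorted(acm_holders(policy_json).items()):
        if member in PUBLIC_PRINCIPALS:
            # Anyone (or any Google account) could change access policies.
            out.append(("HIGH", member, "public principal holds an Access Context Manager role"))
            continue
        if roles & READ_WRITE_ROLES:
            out.append(("REVIEW", member, "read-write access to all access policies"))
        if member not in viewers:
            out.append(("INFO", member, "no " + CONSOLE_ROLE + ": gcloud only, not the console"))
    return out


if __name__ == "__main__":
    # Usage: gcloud organizations get-iam-policy ORG_ID --format=json | python audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    for severity, member, message in findings(data):
        print(f"{severity:6} {member}: {message}")
```

Run it against the sample by executing the file with no input, or pipe in real `gcloud organizations get-iam-policy` output. Only the three roles on this page are matched by exact name; a custom role that bundles the same permissions would not be reported, so extend `ACM_ROLES` if your organization uses one.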