This page describes the Identity and Access Management (IAM) roles required to
configure Access Context Manager.
Required roles
The following table lists the permissions and roles required to create and list
access policies:

Action: Create an organization-level access policy or scoped policies
Permission: accesscontextmanager.policies.create
Role that provides the permission: Access Context Manager Editor role
(roles/accesscontextmanager.policyEditor)

Action: List an organization-level access policy or scoped policies
Permission: accesscontextmanager.policies.list
Roles that provide the permission: Access Context Manager Editor role
(roles/accesscontextmanager.policyEditor); Access Context Manager Reader role
(roles/accesscontextmanager.policyReader)
You can only create, list, or delegate scoped policies if you have those permissions
at the organization level. After you create a scoped policy, you can grant permission to
manage the policy by adding IAM bindings on the scoped policy.
Permissions granted at the organization level apply to all access policies, including
the organization-level policy and any scoped policies.
The following curated IAM roles provide the necessary permissions
to view or configure access levels or grant permissions to delegated administrators
on scoped policies using the gcloud command-line tool:
Additionally, to let your users manage Access Context Manager using the
Google Cloud console, the Resource Manager Organization Viewer
(roles/resourcemanager.organizationViewer) role is required.
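As an added example that is not part of this page or of Google's own tooling, the following Python script audits an organization-level IAM policy, in the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` returns, for the two access-policy permissions in the table above. It maps the roles the page names to the permissions they carry, treats conditional bindings separately because they only apply while their condition holds, and lists principals that are bound only on a scoped policy (who can manage that policy but hold no organization-level create or list permission). The policies, principals and condition are constructed for the example.

```python
"""Audit which principals can create or list Access Context Manager access policies.

Added example (not from the page): reads an organization-level IAM policy in the
JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` returns
and maps the roles named on the page to the access-policy permissions they carry.
The sample policies below are constructed for this example.
"""
import json
from collections import defaultdict

# Role -> access-policy permissions, as listed in the page's table.
ROLE_PERMISSIONS = {
    "roles/accesscontextmanager.policyEditor": {
        "accesscontextmanager.policies.create",
        "accesscontextmanager.policies.list",
    },
    "roles/accesscontextmanager.policyReader": {
        "accesscontextmanager.policies.list",
    },
}

# Constructed sample: organization-level IAM policy (principals are fictitious).
SAMPLE_ORG_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": "roles/accesscontextmanager.policyEditor",
         "members": ["group:acm-admins@example.com"]},
        {"role": "roles/accesscontextmanager.policyReader",
         "members": ["user:auditor@example.com", "group:acm-admins@example.com"]},
        # A conditional grant: only effective while the condition evaluates true.
        {"role": "roles/accesscontextmanager.policyEditor",
         "members": ["user:contractor@example.com"],
         "condition": {"title": "temporary access",
                       "expression": 'request.time < timestamp("2024-01-01T00:00:00Z")'}},
        {"role": "roles/viewer", "members": ["user:dev@example.com"]},
    ],
})

# Constructed sample: IAM policy attached to one scoped access policy. Bindings here
# delegate management of that policy only; they do not grant create/list at the org.
SAMPLE_SCOPED_POLICY_IAM = json.dumps({
    "bindings": [
        {"role": "roles/accesscontextmanager.policyEditor",
         "members": ["user:team-lead@example.com", "group:acm-admins@example.com"]},
    ],
})


def effective_permissions(policy_json, include_conditional=False):
    """Return {member: set(permissions)} for the access-policy permissions the
    policy grants. Conditional bindings are skipped unless include_conditional is
    set, because whether they apply depends on request-time evaluation."""
    policy = json.loads(policy_json)
    grants = defaultdict(set)
    for binding in policy.get("bindings", []):
        perms = ROLE_PERMISSIONS.get(binding.get("role"))
        if not perms:
            continue  # role carries none of the permissions being audited
        if "condition" in binding and not include_conditional:
            continue
        for member in binding.get("members", []):
            grants[member] |= perms
    return dict(grants)


def who_can(org_policy_json, permission, include_conditional=False):
    """Sorted members holding `permission` through organization-level bindings."""
    grants = effective_permissions(org_policy_json, include_conditional)
    return sorted(m for m, perms in grants.items() if permission in perms)


def delegated_only(org_policy_json, scoped_policy_iam_json):
    """Members bound on the scoped policy who hold no access-policy permission at the
    organization level: they can manage that one policy but cannot create or list
    policies, since those permissions only count when granted at the organization."""
    org_members = set(effective_permissions(org_policy_json))
    scoped_members = set(effective_permissions(scoped_policy_iam_json))
    return sorted(scoped_members - org_members)


if __name__ == "__main__":
    for perm in sorted({p for ps in ROLE_PERMISSIONS.values() for p in ps}):
        print(perm, "->", who_can(SAMPLE_ORG_POLICY, perm))
    print("delegated only:", delegated_only(SAMPLE_ORG_POLICY, SAMPLE_SCOPED_POLICY_IAM))
```

Run it against real output by replacing the two constructed policies with the JSON from `gcloud organizations get-iam-policy` and `gcloud access-context-manager policies get-iam-policy`; conditional bindings are reported separately on purpose, so that an expired temporary grant is not mistaken for a standing one.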
Last updated 2025-04-17 UTC.