Upcoming permission changes for the week of March 29, 2026

The following permissions will be added to the Vertex AI Viewer role (roles/aiplatform.viewer):

aiplatform.endpoints.explain
aiplatform.endpoints.getIamPolicy
aiplatform.endpoints.predict
aiplatform.entityTypes.exportFeatureValues
aiplatform.entityTypes.getIamPolicy
aiplatform.entityTypes.readFeatureValues
aiplatform.entityTypes.streamingReadFeatureValues
aiplatform.featureGroups.getIamPolicy
aiplatform.featureOnlineStores.getIamPolicy
aiplatform.featureViews.getIamPolicy
aiplatform.featurestores.batchReadFeatureValues
aiplatform.featurestores.getIamPolicy
aiplatform.featurestores.readFeatures
aiplatform.humanInTheLoops.queryAnnotationStats
aiplatform.locations.evaluateInstances
aiplatform.memories.retrieve
aiplatform.migratableResources.search
aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.getIamPolicy

The following permissions will be added to the Analytics Hub Admin role (roles/analyticshub.admin):

analyticshub.dataExchanges.subscribe
analyticshub.listings.subscribe

The following permissions will be added to the Analytics Hub Viewer role (roles/analyticshub.viewer):

analyticshub.subscriptions.get
analyticshub.subscriptions.list

The following permission will be added to the Apigee Connect Admin role (roles/apigeeconnect.Admin):

apigeeconnect.endpoints.connect

The following permissions will be added to the App Hub Editor role (roles/apphub.editor):

apphub.applications.getIamPolicy
apphub.serviceProjectAttachments.create
apphub.serviceProjectAttachments.delete
apphub.serviceProjectAttachments.get
apphub.serviceProjectAttachments.list

The following permissions will be added to the App Hub Viewer role (roles/apphub.viewer):

apphub.applications.getIamPolicy
apphub.serviceProjectAttachments.get
apphub.serviceProjectAttachments.list

The following permission will be added to the Artifact Registry Administrator role (roles/artifactregistry.admin):

artifactregistry.repositories.createOnPush

The following permissions will be added to the Backup and DR Admin role (roles/backupdr.admin):

backupdr.resourceBackupConfigs.get
backupdr.resourceBackupConfigs.list

The following permissions will be added to the Backup and DR Viewer role (roles/backupdr.viewer):

backupdr.resourceBackupConfigs.get
backupdr.resourceBackupConfigs.list

The following permission will be added to the Bare Metal Solution Admin role (roles/baremetalsolution.admin):

baremetalsolution.procurements.create

The following permission will be added to the Bare Metal Solution Editor role (roles/baremetalsolution.editor):

baremetalsolution.procurements.create

The following permission will be added to the Batch Administrator role (roles/batch.admin):

batch.states.report

The following permissions will be added to the BigLake Editor role (roles/biglake.editor):

biglake.databases.create
biglake.databases.delete
biglake.databases.get
biglake.databases.list
biglake.databases.update
biglake.locks.check
biglake.locks.create
biglake.locks.delete
biglake.locks.list
biglake.tables.lock

The following permission will be added to the MigrationWorkflow Editor role (roles/bigquerymigration.editor):

bigquerymigration.translation.translate

The following permissions will be added to the Bigtable Viewer role (roles/bigtable.viewer):

bigtable.authorizedViews.getIamPolicy
bigtable.authorizedViews.listEffectiveTags
bigtable.authorizedViews.listTagBindings
bigtable.authorizedViews.readRows
bigtable.authorizedViews.sampleRowKeys
bigtable.backups.getIamPolicy
bigtable.backups.read
bigtable.instances.executeQuery
bigtable.instances.getIamPolicy
bigtable.instances.ping
bigtable.keyvisualizer.get
bigtable.keyvisualizer.list
bigtable.logicalViews.getIamPolicy
bigtable.logicalViews.readRows
bigtable.materializedViews.getIamPolicy
bigtable.materializedViews.readRows
bigtable.materializedViews.sampleRowKeys
bigtable.schemaBundles.getIamPolicy
bigtable.tables.getIamPolicy
bigtable.tables.readRows
bigtable.tables.sampleRowKeys

The following permissions will be added to the Billing Account Administrator role (roles/billing.admin):

billing.costRecommendations.listScoped
billing.resourceCosts.get
billing.resourcebudgets.read
billing.resourcebudgets.write

The following permissions will be added to the Billing Account Viewer role (roles/billing.viewer):

billing.costRecommendations.listScoped
billing.resourceCosts.get
billing.resourcebudgets.read

The following permissions will be added to the Certificate Manager Editor role (roles/certificatemanager.editor):

certificatemanager.certissuanceconfigs.delete
certificatemanager.certmapentries.delete
certificatemanager.certmaps.delete
certificatemanager.certs.delete
certificatemanager.dnsauthorizations.delete
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.trustconfigs.delete

The following permissions will be added to the Chronicle API Admin role (roles/chronicle.admin):

chronicle.federationGroups.create
chronicle.federationGroups.delete
chronicle.federationGroups.get
chronicle.federationGroups.list
chronicle.federationGroups.update
chronicle.instances.delete
chronicle.instances.permitFederationAccess
chronicle.instances.soarThreatManager
chronicle.instances.soarVulnerabilityManager
chronicle.instances.undelete

The following permissions will be added to the Chronicle API Editor role (roles/chronicle.editor):

chronicle.calculatedFieldDefinitions.update
chronicle.collectors.create
chronicle.collectors.delete
chronicle.collectors.update
chronicle.connectors.delete
chronicle.connectors.get
chronicle.connectors.update
chronicle.customFields.update
chronicle.enrichmentControls.delete
chronicle.entitiesBlocklists.delete
chronicle.entitiesBlocklists.update
chronicle.errorNotificationConfigs.create
chronicle.errorNotificationConfigs.delete
chronicle.errorNotificationConfigs.update
chronicle.federationGroups.get
chronicle.federationGroups.list
chronicle.formDynamicParameters.update
chronicle.forwarders.create
chronicle.forwarders.delete
chronicle.forwarders.update
chronicle.instances.permitFederationAccess
chronicle.instances.verifyNonce
chronicle.integrationActions.delete
chronicle.integrations.delete
chronicle.jobs.delete
chronicle.legacyCaseFederationPlatforms.delete
chronicle.legacyCaseFederationPlatforms.get
chronicle.legacyCaseFederationPlatforms.update
chronicle.logProcessingPipelines.associateStreams
chronicle.logProcessingPipelines.create
chronicle.logProcessingPipelines.delete
chronicle.logProcessingPipelines.dissociateStreams
chronicle.logProcessingPipelines.update
chronicle.moduleSettingsProperties.get
chronicle.rules.delete
chronicle.shareConfigs.get
chronicle.shareConfigs.update
chronicle.systemNotifications.get
chronicle.systemNotifications.update
chronicle.tenants.create
chronicle.tenants.list
chronicle.tenants.update

The following permissions will be added to the Chronicle API Viewer role (roles/chronicle.viewer):

chronicle.caseWallRecords.get
chronicle.connectorInstanceLogs.get
chronicle.connectorInstances.get
chronicle.connectorRevisions.get
chronicle.connectors.get
chronicle.contentPacks.export
chronicle.customLists.get
chronicle.emailTemplates.get
chronicle.entitiesBlocklists.get
chronicle.federationGroups.get
chronicle.federationGroups.list
chronicle.instances.permitFederationAccess
chronicle.instances.verifyNonce
chronicle.integrationActionRevisions.get
chronicle.integrationInstances.get
chronicle.integrationLogicalOperatorRevisions.get
chronicle.integrationLogicalOperators.get
chronicle.integrations.get
chronicle.jobInstanceLogs.get
chronicle.jobInstances.get
chronicle.jobRevisions.get
chronicle.jobs.get
chronicle.legacyCaseFederationPlatforms.get
chronicle.legacyPlaybooks.get
chronicle.managerRevisions.get
chronicle.managers.get
chronicle.moduleSettingsProperties.get
chronicle.notificationSettings.get
chronicle.remoteAgents.get
chronicle.shareConfigs.get
chronicle.systemNotifications.get
chronicle.tasks.get
chronicle.tenants.list
chronicle.transformerDefinitions.get
chronicle.transformerDefinitions.list
chronicle.transformerRevisions.get
chronicle.uniqueEntities.get
chronicle.userLocalizations.get
chronicle.userNotifications.get
chronicle.workdeskContacts.get
chronicle.workdeskLinks.get
chronicle.workdeskNotes.get

The following permissions will be added to the Cloud Asset Viewer role (roles/cloudasset.viewer):

cloudasset.savedqueries.get
cloudasset.savedqueries.list

The following permission will be added to the Cloud Functions viewer role (roles/cloudfunctions.viewer):

cloudfunctions.functions.sourceCodeGet

The following permissions will be added to the Cloud Talent Solution Admin role (roles/cloudjobdiscovery.admin):

cloudjobdiscovery.companies.create
cloudjobdiscovery.companies.delete
cloudjobdiscovery.companies.get
cloudjobdiscovery.companies.list
cloudjobdiscovery.companies.update
cloudjobdiscovery.events.create
cloudjobdiscovery.jobs.create
cloudjobdiscovery.jobs.delete
cloudjobdiscovery.jobs.get
cloudjobdiscovery.jobs.search
cloudjobdiscovery.jobs.update
cloudjobdiscovery.profiles.create
cloudjobdiscovery.profiles.delete
cloudjobdiscovery.profiles.get
cloudjobdiscovery.profiles.search
cloudjobdiscovery.profiles.update
cloudjobdiscovery.tenants.create
cloudjobdiscovery.tenants.delete
cloudjobdiscovery.tenants.get
cloudjobdiscovery.tenants.update

The following permissions will be added to the Cloud KMS Admin role (roles/cloudkms.admin):

cloudkms.cryptoKeyVersions.manageRawAesCbcKeys
cloudkms.cryptoKeyVersions.manageRawAesCtrKeys
cloudkms.cryptoKeyVersions.manageRawPKCS1Keys
cloudkms.cryptoKeyVersions.useToDecapsulate
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.locations.generateRandomBytes
cloudkms.protectedResources.search
cloudkms.singleTenantHsmInstanceProposals.approve
cloudkms.singleTenantHsmInstanceProposals.create
cloudkms.singleTenantHsmInstanceProposals.execute

The following permissions will be added to the Cloud KMS Viewer role (roles/cloudkms.viewer):

cloudkms.cryptoKeys.getIamPolicy
cloudkms.ekmConfigs.getIamPolicy
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.verifyConnectivity
cloudkms.importJobs.getIamPolicy
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.listEffectiveTags
cloudkms.keyRings.listTagBindings
cloudkms.locations.generateRandomBytes
cloudkms.projects.showEffectiveAutokeyConfig
cloudkms.projects.showEffectiveKajEnrollmentConfig
cloudkms.projects.showEffectiveKajPolicyConfig
cloudkms.protectedResources.search

The following permissions will be added to the Cloud SQL Editor role (roles/cloudsql.editor):

cloudsql.backupRuns.delete
cloudsql.databases.delete
cloudsql.instances.clone
cloudsql.instances.create
cloudsql.instances.createBackupDrBackup
cloudsql.instances.delete
cloudsql.instances.demoteMaster
cloudsql.instances.executeSql
cloudsql.instances.import
cloudsql.instances.login
cloudsql.instances.promoteReplica
cloudsql.instances.resetSslConfig
cloudsql.instances.restoreBackup
cloudsql.instances.startReplica
cloudsql.instances.stopReplica
cloudsql.instances.updateBackupDrConfig
cloudsql.sslCerts.create
cloudsql.sslCerts.delete
cloudsql.users.create
cloudsql.users.delete
cloudsql.users.update

The following permissions will be added to the Cloud SQL Viewer role (roles/cloudsql.viewer):

cloudsql.instances.createBackupDrBackup
cloudsql.schemas.view

The following permissions will be added to the Support Account Administrator role (roles/cloudsupport.admin):

cloudsupport.techCases.create
cloudsupport.techCases.escalate
cloudsupport.techCases.get
cloudsupport.techCases.list
cloudsupport.techCases.update

The following permissions will be added to the Support Account Viewer role (roles/cloudsupport.viewer):

cloudsupport.accounts.getIamPolicy
cloudsupport.operations.get
cloudsupport.techCases.get
cloudsupport.techCases.list

The following permissions will be added to the Cloud Translation API Viewer role (roles/cloudtranslate.viewer):

cloudtranslate.adaptiveMtDatasets.predict
cloudtranslate.customModels.predict
cloudtranslate.datasets.export
cloudtranslate.generalModels.batchDocPredict
cloudtranslate.generalModels.batchPredict
cloudtranslate.generalModels.docPredict
cloudtranslate.generalModels.predict
cloudtranslate.glossaries.batchDocPredict
cloudtranslate.glossaries.batchPredict
cloudtranslate.glossaries.docPredict
cloudtranslate.glossaries.predict
cloudtranslate.languageDetectionModels.predict

The following permissions will be added to the Compute Viewer role (roles/compute.viewer):

compute.disks.createSnapshot
compute.disks.useReadOnly
compute.healthChecks.useReadOnly
compute.httpHealthChecks.useReadOnly
compute.httpsHealthChecks.useReadOnly
compute.images.useReadOnly
compute.instanceTemplates.useReadOnly
compute.instances.useReadOnly
compute.instantSnapshots.useReadOnly
compute.machineImages.useReadOnly
compute.regionHealthChecks.useReadOnly
compute.resourcePolicies.useReadOnly
compute.snapshots.useReadOnly

The following permission will be added to the Connector Admin role (roles/connectors.admin):

connectors.connections.listenEvent

The following permissions will be added to the Connector Viewer role (roles/connectors.viewer):

connectors.actions.list
connectors.entities.get
connectors.entities.list
connectors.entityTypes.list

The following permission will be added to the Contact Center AI Platform Admin role (roles/contactcenteraiplatform.admin):

contactcenteraiplatform.locations.generateShifts

The following permission will be added to the Contact Center AI Platform Viewer role (roles/contactcenteraiplatform.viewer):

contactcenteraiplatform.contactCenters.queryQuota

The following permission will be added to the Contact Center AI Insights editor role (roles/contactcenterinsights.editor):

contactcenterinsights.authorizedViews.getIamPolicy

The following permission will be added to the Contact Center AI Insights viewer role (roles/contactcenterinsights.viewer):

contactcenterinsights.authorizedViews.getIamPolicy

The following permissions will be added to the Kubernetes Engine Cluster Viewer role (roles/container.clusterViewer):

container.clusters.listEffectiveTags
container.clusters.listTagBindings
container.pods.getLogs
container.selfSubjectAccessReviews.create
container.selfSubjectRulesReviews.create
container.volumeSnapshots.getStatus

The following permissions will be added to the Content Warehouse Admin role (roles/contentwarehouse.admin):

contentwarehouse.links.create
contentwarehouse.links.delete
contentwarehouse.links.get
contentwarehouse.links.update

The following permissions will be added to the Database Insights viewer role (roles/databaseinsights.viewer):

databaseinsights.aggregatedEvents.query
databaseinsights.clusterEvents.query
databaseinsights.instanceEvents.query

The following permissions will be added to the Data Catalog Viewer role (roles/datacatalog.viewer):

datacatalog.categories.getIamPolicy
datacatalog.taxonomies.getIamPolicy

The following permissions will be added to the Dataflow Admin role (roles/dataflow.admin):

dataflow.shuffle.read
dataflow.shuffle.write
dataflow.streamingWorkItems.ImportState
dataflow.streamingWorkItems.commitWork
dataflow.streamingWorkItems.getData
dataflow.streamingWorkItems.getWork
dataflow.streamingWorkItems.getWorkerMetadata
dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update

The following permissions will be added to the Dataform Editor role (roles/dataform.editor):

dataform.commentThreads.create
dataform.commentThreads.delete
dataform.commentThreads.update
dataform.comments.create
dataform.comments.delete
dataform.comments.update
dataform.config.update
dataform.folders.addContents
dataform.folders.create
dataform.folders.delete
dataform.folders.move
dataform.folders.update
dataform.operations.cancel
dataform.operations.delete
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.move
dataform.repositories.scheduleRelease
dataform.repositories.scheduleWorkflow
dataform.repositories.update
dataform.teamFolders.create
dataform.teamFolders.delete
dataform.teamFolders.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.update

The following permissions will be added to the Data Lineage Editor role (roles/datalineage.editor):

datalineage.configs.get
datalineage.configs.update
datalineage.processes.delete
datalineage.runs.delete

The following permissions will be added to the Data Lineage Viewer role (roles/datalineage.viewer):

datalineage.configs.get
datalineage.operations.get

The following permissions will be added to the Dataplex Administrator role (roles/dataplex.admin):

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.writeData
dataplex.encryptionConfig.create
dataplex.encryptionConfig.delete
dataplex.encryptionConfig.get
dataplex.encryptionConfig.list
dataplex.encryptionConfig.update
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.getData
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useDataProfileAspect
dataplex.entryGroups.useDataQualityScorecardAspect
dataplex.entryGroups.useDescriptionsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useQueriesAspect
dataplex.entryGroups.useRefreshCadenceAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryGroups.useStorageAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use
dataplex.projects.search

The following permissions will be added to the Dataplex Editor role (roles/dataplex.editor):

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.assets.readData
dataplex.assets.writeData
dataplex.content.create
dataplex.content.update
dataplex.datascans.getData
dataplex.encryptionConfig.create
dataplex.encryptionConfig.delete
dataplex.encryptionConfig.get
dataplex.encryptionConfig.list
dataplex.encryptionConfig.update
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.getData
dataplex.entries.link
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.export
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.import
dataplex.entryGroups.list
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useDataProfileAspect
dataplex.entryGroups.useDataQualityScorecardAspect
dataplex.entryGroups.useDefinitionEntryLink
dataplex.entryGroups.useDescriptionsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useQueriesAspect
dataplex.entryGroups.useRefreshCadenceAspect
dataplex.entryGroups.useRelatedEntryLink
dataplex.entryGroups.useSchemaAspect
dataplex.entryGroups.useStorageAspect
dataplex.entryGroups.useSynonymEntryLink
dataplex.entryLinks.create
dataplex.entryLinks.delete
dataplex.entryLinks.get
dataplex.entryLinks.reference
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.update
dataplex.entryTypes.use
dataplex.environments.execute
dataplex.glossaries.create
dataplex.glossaries.delete
dataplex.glossaries.get
dataplex.glossaries.getIamPolicy
dataplex.glossaries.import
dataplex.glossaries.list
dataplex.glossaries.update
dataplex.glossaryCategories.create
dataplex.glossaryCategories.delete
dataplex.glossaryCategories.get
dataplex.glossaryCategories.list
dataplex.glossaryCategories.update
dataplex.glossaryTerms.create
dataplex.glossaryTerms.delete
dataplex.glossaryTerms.get
dataplex.glossaryTerms.list
dataplex.glossaryTerms.update
dataplex.glossaryTerms.use
dataplex.locations.get
dataplex.locations.list
dataplex.metadataJobs.cancel
dataplex.metadataJobs.create
dataplex.metadataJobs.get
dataplex.metadataJobs.list
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.projects.search

The following permissions will be added to the Dataplex Viewer role (roles/dataplex.viewer):

dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.assets.readData
dataplex.datascans.getData
dataplex.encryptionConfig.get
dataplex.encryptionConfig.list
dataplex.entities.get
dataplex.entities.list
dataplex.entries.get
dataplex.entries.getData
dataplex.entries.list
dataplex.entryGroups.export
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryLinks.get
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.glossaries.get
dataplex.glossaries.getIamPolicy
dataplex.glossaries.list
dataplex.glossaryCategories.get
dataplex.glossaryCategories.list
dataplex.glossaryTerms.get
dataplex.glossaryTerms.list
dataplex.locations.get
dataplex.locations.list
dataplex.metadataJobs.get
dataplex.metadataJobs.list
dataplex.partitions.get
dataplex.partitions.list
dataplex.projects.search

The following permissions will be added to the Dataproc Administrator role (roles/dataproc.admin):

dataproc.agents.create
dataproc.agents.delete
dataproc.agents.get
dataproc.agents.list
dataproc.agents.update
dataproc.tasks.lease
dataproc.tasks.listInvalidatedLeases
dataproc.tasks.reportStatus

The following permissions will be added to the Dataproc Editor role (roles/dataproc.editor):

dataproc.agents.create
dataproc.agents.delete
dataproc.agents.get
dataproc.agents.list
dataproc.agents.update
dataproc.autoscalingPolicies.getIamPolicy
dataproc.clusters.getIamPolicy
dataproc.jobs.getIamPolicy
dataproc.operations.getIamPolicy
dataproc.tasks.lease
dataproc.tasks.listInvalidatedLeases
dataproc.tasks.reportStatus
dataproc.workflowTemplates.getIamPolicy

The following permissions will be added to the Dataproc Viewer role (roles/dataproc.viewer):

dataproc.agents.get
dataproc.agents.list
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.use
dataproc.clusters.getIamPolicy
dataproc.jobs.getIamPolicy
dataproc.operations.getIamPolicy
dataproc.tasks.listInvalidatedLeases
dataproc.workflowTemplates.getIamPolicy

The following permissions will be added to the Cloud Datastore Viewer role (roles/datastore.viewer):

datastore.backupSchedules.get
datastore.backupSchedules.list
datastore.backups.get
datastore.backups.list
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings
datastore.keyVisualizerScans.get
datastore.keyVisualizerScans.list
datastore.operations.get
datastore.operations.list
datastore.userCreds.get
datastore.userCreds.list

The following permissions will be added to the Discovery Engine Admin role (roles/discoveryengine.admin):

discoveryengine.accounts.create
discoveryengine.audioOverviews.create
discoveryengine.audioOverviews.delete
discoveryengine.audioOverviews.get
discoveryengine.audioOverviews.getIceConfig
discoveryengine.audioOverviews.sendSdpOffer
discoveryengine.notebooks.create
discoveryengine.notebooks.generateGuide
discoveryengine.notebooks.get
discoveryengine.notebooks.getAnalytics
discoveryengine.notebooks.getIamPolicy
discoveryengine.notebooks.interactSources
discoveryengine.notebooks.list
discoveryengine.notebooks.removeSelf
discoveryengine.notebooks.setIamPolicy
discoveryengine.notebooks.update
discoveryengine.notes.create
discoveryengine.notes.delete
discoveryengine.notes.get
discoveryengine.notes.update
discoveryengine.podcasts.create
discoveryengine.sources.checkFreshness
discoveryengine.sources.create
discoveryengine.sources.delete
discoveryengine.sources.generateDocumentGuide
discoveryengine.sources.get
discoveryengine.sources.refresh
discoveryengine.sources.update

The following permissions will be added to the Discovery Engine Editor role (roles/discoveryengine.editor):

discoveryengine.accounts.create
discoveryengine.aclConfigs.update
discoveryengine.alertPolicies.create
discoveryengine.alertPolicies.update
discoveryengine.assistants.create
discoveryengine.assistants.delete
discoveryengine.assistants.update
discoveryengine.audioOverviews.create
discoveryengine.audioOverviews.delete
discoveryengine.audioOverviews.get
discoveryengine.audioOverviews.getIceConfig
discoveryengine.audioOverviews.sendSdpOffer
discoveryengine.cmekConfigs.update
discoveryengine.collections.delete
discoveryengine.completionConfigs.update
discoveryengine.controls.create
discoveryengine.controls.delete
discoveryengine.controls.update
discoveryengine.dataConnectors.startConnectorRun
discoveryengine.dataConnectors.update
discoveryengine.dataStores.create
discoveryengine.dataStores.delete
discoveryengine.dataStores.enrollSolutions
discoveryengine.dataStores.update
discoveryengine.documentProcessingConfigs.update
discoveryengine.documents.purge
discoveryengine.engines.create
discoveryengine.engines.delete
discoveryengine.engines.getIamPolicy
discoveryengine.engines.update
discoveryengine.evaluations.create
discoveryengine.licenseConfigs.create
discoveryengine.licenseConfigs.update
discoveryengine.locations.estimateDataSize
discoveryengine.locations.exchangeAuthCredentials
discoveryengine.locations.getConnectorSource
discoveryengine.locations.listConnectorSources
discoveryengine.locations.setUpDataConnector
discoveryengine.notebooks.create
discoveryengine.notebooks.generateGuide
discoveryengine.notebooks.get
discoveryengine.notebooks.getAnalytics
discoveryengine.notebooks.getIamPolicy
discoveryengine.notebooks.interactSources
discoveryengine.notebooks.list
discoveryengine.notebooks.removeSelf
discoveryengine.notebooks.update
discoveryengine.notes.create
discoveryengine.notes.delete
discoveryengine.notes.get
discoveryengine.notes.update
discoveryengine.podcasts.create
discoveryengine.projects.provision
discoveryengine.projects.reportConsentChange
discoveryengine.schemas.create
discoveryengine.schemas.delete
discoveryengine.schemas.update
discoveryengine.servingConfigs.create
discoveryengine.servingConfigs.delete
discoveryengine.servingConfigs.update
discoveryengine.siteSearchEngines.batchVerifyTargetSites
discoveryengine.siteSearchEngines.disableAdvancedSiteSearch
discoveryengine.siteSearchEngines.enableAdvancedSiteSearch
discoveryengine.siteSearchEngines.fetchDomainVerificationStatus
discoveryengine.siteSearchEngines.recrawlUris
discoveryengine.sitemaps.create
discoveryengine.sitemaps.delete
discoveryengine.sitemaps.fetch
discoveryengine.sources.checkFreshness
discoveryengine.sources.create
discoveryengine.sources.delete
discoveryengine.sources.generateDocumentGuide
discoveryengine.sources.get
discoveryengine.sources.refresh
discoveryengine.sources.update
discoveryengine.suggestionDenyListEntries.import
discoveryengine.suggestionDenyListEntries.purge
discoveryengine.targetSites.batchCreate
discoveryengine.targetSites.create
discoveryengine.targetSites.delete
discoveryengine.targetSites.update
discoveryengine.userEvents.purge
discoveryengine.userStores.batchUpdateUserLicenses
discoveryengine.userStores.listUserLicenses

The following permissions will be added to the Discovery Engine Viewer role (roles/discoveryengine.viewer):

discoveryengine.audioOverviews.get
discoveryengine.audioOverviews.getIceConfig
discoveryengine.audioOverviews.sendSdpOffer
discoveryengine.engines.getIamPolicy
discoveryengine.licenseConfigs.get
discoveryengine.licenseConfigs.list
discoveryengine.locations.estimateDataSize
discoveryengine.locations.exchangeAuthCredentials
discoveryengine.locations.getConnectorSource
discoveryengine.locations.listConnectorSources
discoveryengine.notebooks.generateGuide
discoveryengine.notebooks.get
discoveryengine.notebooks.getAnalytics
discoveryengine.notebooks.getIamPolicy
discoveryengine.notebooks.interactSources
discoveryengine.notebooks.list
discoveryengine.notes.get
discoveryengine.sessions.search
discoveryengine.siteSearchEngines.fetchDomainVerificationStatus
discoveryengine.sitemaps.fetch
discoveryengine.sources.checkFreshness
discoveryengine.sources.generateDocumentGuide
discoveryengine.sources.get
discoveryengine.userStores.listUserLicenses

The following permissions will be added to the DNS Administrator role (roles/dns.admin):

dns.managedZones.setIamPolicy

The following permissions will be added to the Firebase Rules Viewer role (roles/firebaserules.viewer):

firebaserules.releases.getExecutable
firebaserules.rulesets.test

The following permissions will be added to the Fleet Admin (formerly GKE Hub Admin) role (roles/gkehub.admin):

gkehub.endpoints.connect
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.gateway.stream

The following permissions will be added to the Fleet Editor (formerly GKE Hub Editor) role (roles/gkehub.editor):

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.gateway.stream

The following permissions will be added to the Fleet Viewer (formerly GKE Hub Viewer) role (roles/gkehub.viewer):

gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.scopes.getIamPolicy

The following permissions will be added to the IAP Policy Admin role (roles/iap.admin):

iap.projects.getSettings
iap.projects.updateSettings
iap.tunnelDestGroups.accessViaIAP
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.list
iap.tunnelDestGroups.remediate
iap.tunnelDestGroups.update
iap.tunnelInstances.accessViaIAP
iap.tunnelinstances.remediate
iap.web.getSettings
iap.web.updateSettings
iap.webServiceVersions.getSettings
iap.webServiceVersions.remediate
iap.webServiceVersions.updateSettings
iap.webServices.getSettings
iap.webServices.updateSettings
iap.webTypes.getSettings
iap.webTypes.updateSettings

The following permissions will be added to the Cloud License Manager Viewer role (roles/licensemanager.viewer):

licensemanager.configurations.aggregateUsage
licensemanager.configurations.queryLicenseUsage

The following permissions will be added to the Logs Viewer role (roles/logging.viewer):

logging.buckets.copyLogEntries
logging.buckets.listEffectiveTags
logging.buckets.listTagBindings
logging.logEntries.download
logging.notificationRules.get
logging.notificationRules.list
logging.settings.get
logging.views.getIamPolicy
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues

The following permissions will be added to the Google Cloud Managed Identities Viewer role (roles/managedidentities.viewer):

managedidentities.domains.checkMigrationPermission
managedidentities.domains.validateTrust

The following permissions will be added to the Cloud Memorystore Memcached Editor role (roles/memcache.editor):

memcache.instances.applySoftwareUpdate
memcache.instances.create
memcache.instances.delete
memcache.instances.rescheduleMaintenance
memcache.instances.upgrade

The following permissions will be added to the Cloud Memorystore Memcached Viewer role (roles/memcache.viewer):

memcache.instances.listEffectiveTags
memcache.instances.listTagBindings

The following permissions will be added to the Dataproc Metastore Admin role (roles/metastore.admin):

metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.databases.update
metastore.services.mutateMetadata
metastore.services.queryMetadata
metastore.services.use
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
metastore.tables.update

The following permissions will be added to the Dataproc Metastore Editor role (roles/metastore.editor):

metastore.backups.getIamPolicy
metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.update
metastore.federations.getIamPolicy
metastore.federations.use
metastore.services.use
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.update

The following permissions will be added to the AI Platform Viewer role (roles/ml.viewer):

ml.jobs.getIamPolicy
ml.models.getIamPolicy
ml.models.predict
ml.versions.predict

The following permissions will be added to the Model Armor Admin role (roles/modelarmor.admin):

modelarmor.callouts.invoke
modelarmor.floorSettings.get
modelarmor.floorSettings.update

The following permission will be added to the Model Armor Viewer role (roles/modelarmor.viewer):

modelarmor.floorSettings.get

The following permissions will be added to the Oracle Database@Google Cloud viewer role (roles/oracledatabase.viewer):

oracledatabase.dbSystemInitialStorageSizes.list
oracledatabase.dbVersions.list
oracledatabase.systemVersions.list

The following permission will be added to the Pub/Sub Editor role (roles/pubsub.editor):

pubsub.schemas.getIamPolicy

The following permissions will be added to the Pub/Sub Viewer role (roles/pubsub.viewer):

pubsub.schemas.attach
pubsub.schemas.getIamPolicy
pubsub.snapshots.seek

The following permissions will be added to the Pub/Sub Lite Viewer role (roles/pubsublite.viewer):

pubsublite.locations.openKafkaStream
pubsublite.subscriptions.subscribe
pubsublite.topics.computeHeadCursor
pubsublite.topics.computeMessageStats
pubsublite.topics.computeTimeCursor
pubsublite.topics.subscribe

The following permissions will be added to the reCAPTCHA Enterprise Admin role (roles/recaptchaenterprise.admin):

recaptchaenterprise.assessments.annotate
recaptchaenterprise.assessments.create
recaptchaenterprise.relatedaccountgroupmemberships.list
recaptchaenterprise.relatedaccountgroups.list

The following permissions will be added to the reCAPTCHA Enterprise Viewer role (roles/recaptchaenterprise.viewer):

recaptchaenterprise.relatedaccountgroupmemberships.list
recaptchaenterprise.relatedaccountgroups.list

The following permissions will be added to the Recommender Viewer role (roles/recommender.viewer):

recommender.costRecommendations.listAll
recommender.costRecommendations.summarizeAll

The following permissions will be added to the Cloud Memorystore Redis Editor role (roles/redis.editor):

redis.backupCollections.create
redis.backupCollections.delete
redis.backups.create
redis.backups.delete
redis.backups.export
redis.clusters.connect
redis.clusters.create
redis.clusters.delete
redis.clusters.rescheduleMaintenance
redis.instances.create
redis.instances.delete
redis.instances.export
redis.instances.getAuthString
redis.instances.import
redis.instances.listEffectiveTags
redis.instances.listTagBindings
redis.instances.rescheduleMaintenance
redis.instances.updateAuth
redis.instances.upgrade

The following permission will be added to the Cloud Memorystore Redis Viewer role (roles/redis.viewer):

redis.backups.export

The following permissions will be added to the Retail Editor role (roles/retail.editor):

retail.attributesConfigs.batchRemoveCatalogAttributes
retail.attributesConfigs.removeCatalogAttribute
retail.products.purge
retail.products.setSponsorship
retail.userEvents.purge
retail.userEvents.rejoin

The following permissions will be added to the Retail Viewer role (roles/retail.viewer):

retail.merchantControls.creatorGet
retail.merchantControls.creatorList
retail.models.pause
retail.models.resume
retail.models.tune

The following permission will be added to the Route Optimization Viewer role (roles/routeoptimization.viewer):

routeoptimization.locations.use

The following permission will be added to the Security Center Management Viewer role (roles/securitycentermanagement.viewer):

securitycentermanagement.securityCommandCenter.checkEligibility

The following permissions will be added to the Security Posture Viewer role (roles/securityposture.viewer):

securityposture.locations.get
securityposture.locations.list
securityposture.operations.list
securityposture.reports.get
securityposture.reports.list

The following permissions will be added to the Cloud Spanner Viewer role (roles/spanner.viewer):

spanner.backupOperations.get
spanner.backupOperations.list
spanner.backupSchedules.get
spanner.backupSchedules.getIamPolicy
spanner.backupSchedules.list
spanner.backups.get
spanner.backups.getIamPolicy
spanner.backups.list
spanner.databaseOperations.get
spanner.databaseOperations.list
spanner.databaseRoles.list
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.getIamPolicy
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.databases.useDataBoost
spanner.instanceConfigOperations.get
spanner.instanceConfigOperations.list
spanner.instanceOperations.get
spanner.instanceOperations.list
spanner.instancePartitionOperations.get
spanner.instancePartitionOperations.list
spanner.instances.getIamPolicy
spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

The following permission will be added to the Speaker ID Editor role (roles/speakerid.editor):

speakerid.settings.get

The following permission will be added to the Speaker ID Viewer role (roles/speakerid.viewer):

speakerid.settings.get

The following permission will be added to the Cloud Speech Editor role (roles/speech.editor):

speech.config.get

The following permissions will be added to the Storage Admin role (roles/storage.admin):

storage.hmacKeys.create
storage.hmacKeys.delete
storage.hmacKeys.get
storage.hmacKeys.list
storage.hmacKeys.update

The following permission will be added to the Visual Inspection AI Solution Editor role (roles/visualinspection.editor):

visualinspection.locations.reportUsageMetrics

The following permission will be added to the Serverless VPC Access Viewer role (roles/vpcaccess.viewer):

vpcaccess.connectors.use