Cloud Infrastructure Entitlement Management (CIEM) roles and permissions

This page lists the IAM roles and permissions for Cloud Infrastructure Entitlement Management (CIEM). To search through all roles and permissions, see the role and permission index.

Cloud Infrastructure Entitlement Management (CIEM) roles

Cloud Infrastructure Entitlement Management (CIEM) offers the following service agent roles. Service agent roles should only be granted to service agents.

Role Permissions

Role	Permissions
CIEM Service Agent (`roles/ciem.serviceAgent`) Gives CIEM Service Account permission to access GCP resources Warning: Do not grant service agent roles to any principals except service agents.	`cloudasset.assets.exportIamPolicy` `cloudasset.assets.exportResource` `resourcemanager.organizations.get`

CIEM Service Agent

(roles/ciem.serviceAgent)

Gives CIEM Service Account permission to access GCP resources

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportResource

resourcemanager.organizations.get

Cloud Infrastructure Entitlement Management (CIEM) permissions

There are no IAM permissions for this service.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-04-10 UTC.

Cloud Infrastructure Entitlement Management (CIEM) roles and permissions Stay organized with collections Save and categorize content based on your preferences.