Organization Policy Service roles and permissions

This page lists the IAM roles and permissions for Organization Policy Service. To search through all roles and permissions, see the role and permission index.

Organization Policy Service roles

Role Permissions

Role	Permissions
Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies. Lowest-level resources where you can grant this role: Organization	`cloudasset.assets.analyzeOrgPolicy` `cloudasset.assets.exportResource` `cloudasset.assets.listResource` `cloudasset.assets.searchAllResources` `orgpolicy.` `orgpolicy.constraints.list` `orgpolicy.customConstraints.create` `orgpolicy.customConstraints.delete` `orgpolicy.customConstraints.get` `orgpolicy.customConstraints.list` `orgpolicy.customConstraints.update` `orgpolicy.policies.create` `orgpolicy.policies.delete` `orgpolicy.policies.list` `orgpolicy.policies.update` `orgpolicy.policy.get` `orgpolicy.policy.set` `policysimulator.orgPolicyViolations.list` `policysimulator.orgPolicyViolationsPreviews.` `policysimulator.orgPolicyViolationsPreviews.create` `policysimulator.orgPolicyViolationsPreviews.get` `policysimulator.orgPolicyViolationsPreviews.list` `recommender.orgPolicyInsights.` `recommender.orgPolicyInsights.get` `recommender.orgPolicyInsights.list` `recommender.orgPolicyInsights.update` `recommender.orgPolicyRecommendations.` `recommender.orgPolicyRecommendations.get` `recommender.orgPolicyRecommendations.list` `recommender.orgPolicyRecommendations.update`
Organization Policy Viewer (`roles/orgpolicy.policyViewer`) Provides access to view Organization Policies on resources. Lowest-level resources where you can grant this role: Project	`orgpolicy.constraints.list` `orgpolicy.customConstraints.get` `orgpolicy.customConstraints.list` `orgpolicy.policies.list` `orgpolicy.policy.get`

Organization Policy Administrator

(roles/orgpolicy.policyAdmin)

Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.

Lowest-level resources where you can grant this role:

Organization

cloudasset.assets.analyzeOrgPolicy

cloudasset.assets.exportResource

cloudasset.assets.listResource

cloudasset.assets.searchAllResources

orgpolicy.*

orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set

policysimulator.orgPolicyViolations.list

policysimulator.orgPolicyViolationsPreviews.*

policysimulator.orgPolicyViolationsPreviews.create
policysimulator.orgPolicyViolationsPreviews.get
policysimulator.orgPolicyViolationsPreviews.list

recommender.orgPolicyInsights.*

recommender.orgPolicyInsights.get
recommender.orgPolicyInsights.list
recommender.orgPolicyInsights.update

recommender.orgPolicyRecommendations.*

recommender.orgPolicyRecommendations.get
recommender.orgPolicyRecommendations.list
recommender.orgPolicyRecommendations.update

Organization Policy Viewer

(roles/orgpolicy.policyViewer)

Provides access to view Organization Policies on resources.

Lowest-level resources where you can grant this role:

Project

orgpolicy.constraints.list

orgpolicy.customConstraints.get

orgpolicy.customConstraints.list

orgpolicy.policies.list

orgpolicy.policy.get

Organization Policy Service permissions

Permission	Included in roles
`orgpolicy.constraints.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) Folder Admin (`roles/resourcemanager.folderAdmin`) Organization Administrator (`roles/resourcemanager.organizationAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Folder Creator (`roles/resourcemanager.folderCreator`) Folder Editor (`roles/resourcemanager.folderEditor`) Folder Viewer (`roles/resourcemanager.folderViewer`) Security Posture Deployer (`roles/securityposture.postureDeployer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`)
`orgpolicy.customConstraints.create`	Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.delete`	Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) Security Posture Admin (`roles/securityposture.admin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) Security Posture Admin (`roles/securityposture.admin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.update`	Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policies.create`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policies.delete`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policies.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) Folder Admin (`roles/resourcemanager.folderAdmin`) Organization Administrator (`roles/resourcemanager.organizationAdmin`) Security Posture Admin (`roles/securityposture.admin`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Folder Creator (`roles/resourcemanager.folderCreator`) Folder Editor (`roles/resourcemanager.folderEditor`) Folder Viewer (`roles/resourcemanager.folderViewer`) Security Posture Deployer (`roles/securityposture.postureDeployer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Assured Workloads Service Agent (`roles/assuredworkloads.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`)
`orgpolicy.policies.update`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policy.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) Folder Admin (`roles/resourcemanager.folderAdmin`) Organization Administrator (`roles/resourcemanager.organizationAdmin`) Security Posture Admin (`roles/securityposture.admin`) API Keys Admin (`roles/serviceusage.apiKeysAdmin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Workload Manager Admin (`roles/workloadmanager.admin`) Workload Manager Viewer (`roles/workloadmanager.viewer`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Consumer Procurement Entitlement Manager (`roles/consumerprocurement.entitlementManager`) Consumer Procurement Entitlement Viewer (`roles/consumerprocurement.entitlementViewer`) Consumer Procurement Administrator (`roles/consumerprocurement.procurementAdmin`) Consumer Procurement Viewer (`roles/consumerprocurement.procurementViewer`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Gemini Cloud Assist User (`roles/geminicloudassist.user`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Folder Creator (`roles/resourcemanager.folderCreator`) Folder Editor (`roles/resourcemanager.folderEditor`) Folder Viewer (`roles/resourcemanager.folderViewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Security Posture Deployer (`roles/securityposture.postureDeployer`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`) Workload Manager Evaluation Admin (`roles/workloadmanager.evaluationAdmin`) Workload Manager Evaluation Viewer (`roles/workloadmanager.evaluationViewer`) Workload Manager Worker (`roles/workloadmanager.worker`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Assured Workloads Service Agent (`roles/assuredworkloads.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Health Analytics Service Agent (`roles/securitycenter.securityHealthAnalyticsServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`orgpolicy.policy.set`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)

Organization Policy Service roles and permissions