Roles and permissions

This page describes the Identity and Access Management (IAM) roles and permissions required to use Network Connectivity Center (NCC).

At a high level, you need the following:

Note that if you need to work with NCC in a Shared VPC network, you must hold all of the required permissions in the host project. A hub, its spokes, and all related resources must reside in the host project.

For information about how to grant permissions, see the IAM overview.

Predefined roles

The following table describes the NCC predefined roles. Each entry gives the role ID, its description, the lowest resource level at which the role can be granted (where documented), and the permissions the role includes; a permission written with a trailing .* is followed by the list of the individual permissions it expands to.

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

  • networkconnectivity.serviceConnectionPolicies.create
  • networkconnectivity.serviceConnectionPolicies.delete
  • networkconnectivity.serviceConnectionPolicies.get
  • networkconnectivity.serviceConnectionPolicies.list
  • networkconnectivity.serviceConnectionPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.groupAdmin)

Enables full access to group resources and read-only access to hub and spoke resources

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.*

  • networkconnectivity.groups.acceptSpoke
  • networkconnectivity.groups.acceptSpokeUpdate
  • networkconnectivity.groups.get
  • networkconnectivity.groups.getIamPolicy
  • networkconnectivity.groups.list
  • networkconnectivity.groups.rejectSpoke
  • networkconnectivity.groups.rejectSpokeUpdate
  • networkconnectivity.groups.setIamPolicy
  • networkconnectivity.groups.use

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.gatewayAdvertisedRoutes.*

  • networkconnectivity.gatewayAdvertisedRoutes.create
  • networkconnectivity.gatewayAdvertisedRoutes.delete
  • networkconnectivity.gatewayAdvertisedRoutes.get
  • networkconnectivity.gatewayAdvertisedRoutes.list
  • networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.groups.*

  • networkconnectivity.groups.acceptSpoke
  • networkconnectivity.groups.acceptSpokeUpdate
  • networkconnectivity.groups.get
  • networkconnectivity.groups.getIamPolicy
  • networkconnectivity.groups.list
  • networkconnectivity.groups.rejectSpoke
  • networkconnectivity.groups.rejectSpokeUpdate
  • networkconnectivity.groups.setIamPolicy
  • networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

  • networkconnectivity.hubRouteTables.get
  • networkconnectivity.hubRouteTables.getIamPolicy
  • networkconnectivity.hubRouteTables.list
  • networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

  • networkconnectivity.hubRoutes.get
  • networkconnectivity.hubRoutes.getIamPolicy
  • networkconnectivity.hubRoutes.list
  • networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

  • networkconnectivity.hubs.create
  • networkconnectivity.hubs.delete
  • networkconnectivity.hubs.get
  • networkconnectivity.hubs.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.listSpokes
  • networkconnectivity.hubs.queryStatus
  • networkconnectivity.hubs.setIamPolicy
  • networkconnectivity.hubs.update

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.hubs.queryStatus

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.multicloudDataTransferConfigAdmin)

Full access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.*

  • networkconnectivity.multicloudDataTransferConfigs.create
  • networkconnectivity.multicloudDataTransferConfigs.delete
  • networkconnectivity.multicloudDataTransferConfigs.get
  • networkconnectivity.multicloudDataTransferConfigs.list
  • networkconnectivity.multicloudDataTransferConfigs.update

networkconnectivity.multicloudDataTransferDestinations.*

  • networkconnectivity.multicloudDataTransferDestinations.create
  • networkconnectivity.multicloudDataTransferDestinations.delete
  • networkconnectivity.multicloudDataTransferDestinations.get
  • networkconnectivity.multicloudDataTransferDestinations.list
  • networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

  • networkconnectivity.multicloudDataTransferSupportedServices.get
  • networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.multicloudDataTransferConfigViewer)

Read-only access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.get

networkconnectivity.multicloudDataTransferConfigs.list

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

  • networkconnectivity.multicloudDataTransferSupportedServices.get
  • networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.multicloudDataTransferDestinationAdmin)

Access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.*

  • networkconnectivity.multicloudDataTransferDestinations.create
  • networkconnectivity.multicloudDataTransferDestinations.delete
  • networkconnectivity.multicloudDataTransferDestinations.get
  • networkconnectivity.multicloudDataTransferDestinations.list
  • networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

  • networkconnectivity.multicloudDataTransferSupportedServices.get
  • networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.multicloudDataTransferDestinationViewer)

Read-only access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

  • networkconnectivity.multicloudDataTransferSupportedServices.get
  • networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointAdmin)

Full access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.*

  • networkconnectivity.regionalEndpoints.create
  • networkconnectivity.regionalEndpoints.delete
  • networkconnectivity.regionalEndpoints.get
  • networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointViewer)

Read-only access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.get

networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceAgent)

Grants the Network Connectivity API service agent access to networking resources. The role description states that the agent only reads these resources and does not mutate them, but the permission list below includes create, delete, update, setLabels and setIamPolicy on addresses, forwarding rules, subnetworks, DNS managed zones and record sets, internal ranges and Service Directory namespaces and services, so treat this agent as able to change those resources.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.setLabels

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.forwardingRules.pscSetLabels

compute.forwardingRules.pscUpdate

compute.forwardingRules.setLabels

compute.instances.get

compute.interconnectAttachments.get

compute.networks.get

compute.networks.updatePolicy

compute.networks.use

compute.projects.get

compute.regionOperations.get

compute.routers.get

compute.subnetworks.create

compute.subnetworks.delete

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.setIamPolicy

compute.subnetworks.use

compute.vpnTunnels.get

dns.changes.create

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.list

dns.managedZones.update

dns.networks.bindPrivateDNSZone

dns.resourceRecordSets.*

  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.list

networkconnectivity.internalRanges.create

networkconnectivity.internalRanges.delete

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.operations.get

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

  • networkconnectivity.serviceClasses.create
  • networkconnectivity.serviceClasses.delete
  • networkconnectivity.serviceClasses.get
  • networkconnectivity.serviceClasses.list
  • networkconnectivity.serviceClasses.update
  • networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

  • networkconnectivity.serviceConnectionMaps.create
  • networkconnectivity.serviceConnectionMaps.delete
  • networkconnectivity.serviceConnectionMaps.get
  • networkconnectivity.serviceConnectionMaps.list
  • networkconnectivity.serviceConnectionMaps.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.gatewayAdvertisedRoutes.*

  • networkconnectivity.gatewayAdvertisedRoutes.create
  • networkconnectivity.gatewayAdvertisedRoutes.delete
  • networkconnectivity.gatewayAdvertisedRoutes.get
  • networkconnectivity.gatewayAdvertisedRoutes.list
  • networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.transportAdmin)

Enables full access to Transport resources

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.remoteTransportProfiles.*

  • networkconnectivity.remoteTransportProfiles.get
  • networkconnectivity.remoteTransportProfiles.list

networkconnectivity.transports.*

  • networkconnectivity.transports.create
  • networkconnectivity.transports.delete
  • networkconnectivity.transports.get
  • networkconnectivity.transports.list
  • networkconnectivity.transports.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.transportViewer)

Enables view access to Transport resources

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.remoteTransportProfiles.*

  • networkconnectivity.remoteTransportProfiles.get
  • networkconnectivity.remoteTransportProfiles.list

networkconnectivity.transports.get

networkconnectivity.transports.list

resourcemanager.projects.get

resourcemanager.projects.list

Additional permissions required

Depending on the actions you need to take in NCC, you might also need the permissions described in the following sections.

Permission to create a spoke

To create a spoke, you must have permission to read the spoke's resource type. For example:

  • For VPN tunnel spokes, VLAN attachment spokes, and Router appliance spokes, you must have compute.routers.get.
  • To create Router appliance spokes, you must have compute.instances.get. In addition, before you can use a Router appliance spoke, you must configure peering between the Cloud Router and the Router appliance instance. To establish the peering, you need the following permissions:
    • compute.instances.use
    • compute.routers.update
  • To create VLAN attachment spokes, you must have compute.interconnectAttachments.get.
  • To create VPN tunnel spokes, you must have compute.vpnTunnels.get.
  • To create VPC spokes, you need the following permissions:
    • compute.networks.use
    • compute.networks.get
  • To create VPC spokes in a project other than the one that contains the hub they are attached to, you must also have networkconnectivity.groups.use.
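To check the documented role-to-permission mapping against the requirements above (which predefined roles cover creating a given spoke type, what a custom role must add, and whether a role's description matches its permission list), here is an added Python example. It is not Google's code and calls no API: the role table it embeds is an excerpt of this page's predefined-role table (five roles, only the permissions the checks need, so the sets are not exhaustive), and the spoke requirements restate the list above. The role names and permission strings are the page's own; nothing else is assumed.

```python
"""Offline least-privilege check against the NCC predefined-role table.

Added example, not Google's code and not the IAM API. ROLE_PERMISSIONS is an
excerpt of the page's table (not exhaustive); SPOKE_REQUIREMENTS restates the
"Permission to create a spoke" section.
"""
from __future__ import annotations
from typing import Iterable

ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "roles/networkconnectivity.hubAdmin": frozenset({
        "networkconnectivity.hubs.create", "networkconnectivity.hubs.delete",
        "networkconnectivity.hubs.get", "networkconnectivity.hubs.update",
        "networkconnectivity.spokes.create", "networkconnectivity.spokes.delete",
        "networkconnectivity.spokes.get", "networkconnectivity.spokes.update",
        "networkconnectivity.groups.use", "networkconnectivity.groups.acceptSpoke",
        "resourcemanager.projects.get",
    }),
    "roles/networkconnectivity.spokeAdmin": frozenset({
        "networkconnectivity.hubs.get", "networkconnectivity.hubs.list",
        "networkconnectivity.spokes.create", "networkconnectivity.spokes.delete",
        "networkconnectivity.spokes.get", "networkconnectivity.spokes.update",
        "resourcemanager.projects.get",
    }),
    "roles/networkconnectivity.hubViewer": frozenset({
        "networkconnectivity.hubs.get", "networkconnectivity.hubs.listSpokes",
        "networkconnectivity.spokes.get", "networkconnectivity.spokes.list",
    }),
    "roles/networkconnectivity.groupUser": frozenset({"networkconnectivity.groups.use"}),
    "roles/networkconnectivity.serviceAgent": frozenset({
        "compute.addresses.create", "compute.addresses.delete",
        "compute.forwardingRules.create", "compute.forwardingRules.pscCreate",
        "compute.subnetworks.create", "compute.subnetworks.setIamPolicy",
        "dns.managedZones.create", "dns.resourceRecordSets.create",
        "compute.networks.get", "compute.routers.get", "networkconnectivity.hubRoutes.get",
    }),
}

# Per spoke type, the permissions needed beyond networkconnectivity.spokes.create itself.
SPOKE_REQUIREMENTS: dict[str, frozenset[str]] = {
    "vpn-tunnel": frozenset({"compute.routers.get", "compute.vpnTunnels.get"}),
    "vlan-attachment": frozenset({"compute.routers.get", "compute.interconnectAttachments.get"}),
    "router-appliance": frozenset({"compute.routers.get", "compute.instances.get",
                                   "compute.instances.use", "compute.routers.update"}),
    "vpc": frozenset({"compute.networks.use", "compute.networks.get"}),
}

# Verbs that only observe state; any other verb can change or bind a resource.
READ_ONLY_VERBS = frozenset({"get", "list", "getIamPolicy", "queryStatus", "listSpokes"})


def required_for_spoke(spoke_type: str, cross_project: bool = False) -> frozenset[str]:
    """Permissions needed to create one spoke of the given type.

    cross_project=True models a VPC spoke whose hub is in another project, which
    the page says additionally needs networkconnectivity.groups.use.
    """
    perms = {"networkconnectivity.spokes.create", *SPOKE_REQUIREMENTS[spoke_type]}
    if cross_project:
        if spoke_type != "vpc":
            raise ValueError("the page documents cross-project creation for VPC spokes only")
        perms.add("networkconnectivity.groups.use")
    return frozenset(perms)


def granted_permissions(roles: Iterable[str]) -> frozenset[str]:
    """Union of the permissions of the given predefined roles (excerpt only)."""
    roles = list(roles)
    unknown = [r for r in roles if r not in ROLE_PERMISSIONS]
    if unknown:
        raise KeyError(f"roles not in the excerpt: {unknown}")
    return frozenset().union(*(ROLE_PERMISSIONS[r] for r in roles))


def missing_permissions(roles: Iterable[str], required: Iterable[str]) -> frozenset[str]:
    """Required permissions that none of the given roles grants."""
    return frozenset(required) - granted_permissions(roles)


def non_read_only_permissions(role: str) -> frozenset[str]:
    """Permissions of a role whose verb is not purely observational.

    A role described as read-only should return an empty set; a non-empty set
    means the description understates what the role can do.
    """
    return frozenset(p for p in ROLE_PERMISSIONS[role]
                     if p.rsplit(".", 1)[1] not in READ_ONLY_VERBS)


if __name__ == "__main__":
    want = required_for_spoke("vpc", cross_project=True)
    for roles in (["roles/networkconnectivity.spokeAdmin"],
                  ["roles/networkconnectivity.spokeAdmin", "roles/networkconnectivity.groupUser"]):
        print(roles, "still missing:", sorted(missing_permissions(roles, want)))
    print("serviceAgent non-read-only:",
          sorted(non_read_only_permissions("roles/networkconnectivity.serviceAgent")))
```

Run as a script, it shows that Spoke Admin alone cannot create a VPC spoke against a hub in another project (it lacks networkconnectivity.groups.use, which Group User or Hub Admin provides), that no NCC predefined role carries the compute.networks.* permissions, which therefore have to come from a Compute role or from a custom role, and that the service agent's permission list is not read-only despite its description.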

Permission to use NCC in the Google Cloud console

To use NCC in the Google Cloud console, you need a role that includes the permissions described in the following table, for example Compute Network Viewer (roles/compute.networkViewer). Alternatively, create a custom role that contains just the permissions for the tasks you need.

Task: Access the NCC page
Required permissions:
  • compute.projects.get
  • compute.networks.get

Task: Open and use the Add spoke page
Required permissions:
  • compute.networks.list
  • compute.regions.list
  • compute.routers.list
  • compute.zones.list
  • compute.networks.get

Task: Add a VLAN attachment spoke
Required permissions:
  • compute.interconnectAttachments.list
  • compute.interconnectAttachments.get
  • compute.networks.get
  • compute.routers.list
  • compute.routers.get

Task: Add a VPN tunnel spoke
Required permissions:
  • compute.forwardingRules.list
  • compute.networks.get
  • compute.routers.get
  • compute.routers.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list

Task: Add a Router appliance spoke
Required permissions:
  • compute.instances.list
  • compute.instances.get
  • compute.networks.get

Task: Add a VPC spoke
Required permissions:
  • compute.networks.use
  • compute.networks.get
  • compute.subnetworks.list

Protecting resources with VPC Service Controls

To further protect NCC resources, use VPC Service Controls.

VPC Service Controls adds a layer of security to your resources that helps mitigate the risk of data exfiltration. With VPC Service Controls, you can place NCC resources inside service perimeters; the perimeter then protects those resources from requests that originate outside it.

To learn more about service perimeters, see Configuring service perimeters in the VPC Service Controls documentation.

What's next

To learn more about project roles and resources, see the following Google Cloud documentation: