Funciones y permisos

En esta página, se describen los roles y los permisos de Identity and Access Management (IAM) necesarios para usar Network Connectivity Center (NCC).

En un alto nivel, necesitas lo siguiente:

Permisos de NCC predefinidos, que se describen en Funciones predefinidas.
Los permisos adicionales son los siguientes:
- Si deseas crear radios, necesitas permiso para leer los tipos de recursos de radio relevantes, como se describe en Permiso para crear un radio.
- Si quieres trabajar con NCC en la consola de Google Cloud , necesitas permiso para ver ciertos recursos de red de nube privada virtual (VPC), como se describe en Permiso para usar NCC en la consola de Google Cloud .

Ten en cuenta que, si necesitas trabajar con NCC en una red de VPC compartida, debes tener todos los permisos necesarios en el proyecto host. Un concentrador, sus radios y todos los recursos relacionados deben encontrarse en el proyecto host.

Si deseas obtener información para otorgar permisos, consulta la descripción general de IAM.

Funciones predefinidas

En la siguiente tabla, se describen los roles predefinidos de NCC.

Role Permissions

Role	Permissions
Service Automation Consumer Network Admin (`roles/networkconnectivity.consumerNetworkAdmin`) Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.	`networkconnectivity.serviceConnectionPolicies.*` `networkconnectivity.serviceConnectionPolicies.create` `networkconnectivity.serviceConnectionPolicies.delete` `networkconnectivity.serviceConnectionPolicies.get` `networkconnectivity.serviceConnectionPolicies.list` `networkconnectivity.serviceConnectionPolicies.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Group Admin (`roles/networkconnectivity.groupAdmin`) Enables full access to group resources and read-only access to hub and spoke resources	`networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.groups.` `networkconnectivity.groups.acceptSpoke` `networkconnectivity.groups.acceptSpokeUpdate` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.groups.rejectSpoke` `networkconnectivity.groups.rejectSpokeUpdate` `networkconnectivity.groups.setIamPolicy` `networkconnectivity.groups.use` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Group User (`roles/networkconnectivity.groupUser`) Enables use access on group resources	`networkconnectivity.groups.use`
Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Enables full access to hub and spoke resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.` `networkconnectivity.gatewayAdvertisedRoutes.create` `networkconnectivity.gatewayAdvertisedRoutes.delete` `networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.gatewayAdvertisedRoutes.update` `networkconnectivity.groups.` `networkconnectivity.groups.acceptSpoke` `networkconnectivity.groups.acceptSpokeUpdate` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.groups.rejectSpoke` `networkconnectivity.groups.rejectSpokeUpdate` `networkconnectivity.groups.setIamPolicy` `networkconnectivity.groups.use` `networkconnectivity.hubRouteTables.` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRouteTables.setIamPolicy` `networkconnectivity.hubRoutes.` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubRoutes.setIamPolicy` `networkconnectivity.hubs.` `networkconnectivity.hubs.create` `networkconnectivity.hubs.delete` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.hubs.listSpokes` `networkconnectivity.hubs.queryStatus` `networkconnectivity.hubs.setIamPolicy` `networkconnectivity.hubs.update` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.` `networkconnectivity.operations.cancel` `networkconnectivity.operations.delete` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.` `networkconnectivity.spokes.create` `networkconnectivity.spokes.delete` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `networkconnectivity.spokes.setIamPolicy` `networkconnectivity.spokes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Enables read-only access to hub and spoke resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.hubs.listSpokes` `networkconnectivity.hubs.queryStatus` `networkconnectivity.locations.*` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Full access to all Multicloud Data Transfer Config resources.	`networkconnectivity.multicloudDataTransferConfigs.` `networkconnectivity.multicloudDataTransferConfigs.create` `networkconnectivity.multicloudDataTransferConfigs.delete` `networkconnectivity.multicloudDataTransferConfigs.get` `networkconnectivity.multicloudDataTransferConfigs.list` `networkconnectivity.multicloudDataTransferConfigs.update` `networkconnectivity.multicloudDataTransferDestinations.` `networkconnectivity.multicloudDataTransferDestinations.create` `networkconnectivity.multicloudDataTransferDestinations.delete` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferDestinations.update` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Multicloud Data Transfer Config Viewer (`roles/networkconnectivity.multicloudDataTransferConfigViewer`) Read-only access to all Multicloud Data Transfer Config resources.	`networkconnectivity.multicloudDataTransferConfigs.get` `networkconnectivity.multicloudDataTransferConfigs.list` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Destination Admin (`roles/networkconnectivity.multicloudDataTransferDestinationAdmin`) Access to all Destination resources.	`networkconnectivity.multicloudDataTransferDestinations.` `networkconnectivity.multicloudDataTransferDestinations.create` `networkconnectivity.multicloudDataTransferDestinations.delete` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferDestinations.update` `networkconnectivity.multicloudDataTransferSupportedServices.` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Destination Viewer (`roles/networkconnectivity.multicloudDataTransferDestinationViewer`) Read-only access to all Destination resources.	`networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Regional Endpoint Admin (`roles/networkconnectivity.regionalEndpointAdmin`) Full access to all Regional Endpoint resources.	`networkconnectivity.regionalEndpoints.*` `networkconnectivity.regionalEndpoints.create` `networkconnectivity.regionalEndpoints.delete` `networkconnectivity.regionalEndpoints.get` `networkconnectivity.regionalEndpoints.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Regional Endpoint Viewer (`roles/networkconnectivity.regionalEndpointViewer`) Read-only access to all Regional Endpoint resources.	`networkconnectivity.regionalEndpoints.get` `networkconnectivity.regionalEndpoints.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`) Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources. Warning: Do not grant service agent roles to any principals except service agents.	`compute.addresses.create` `compute.addresses.createInternal` `compute.addresses.delete` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.setLabels` `compute.addresses.use` `compute.forwardingRules.create` `compute.forwardingRules.delete` `compute.forwardingRules.get` `compute.forwardingRules.pscCreate` `compute.forwardingRules.pscDelete` `compute.forwardingRules.pscSetLabels` `compute.forwardingRules.pscUpdate` `compute.forwardingRules.setLabels` `compute.instances.get` `compute.interconnectAttachments.get` `compute.networks.get` `compute.networks.updatePolicy` `compute.networks.use` `compute.projects.get` `compute.regionOperations.get` `compute.routers.get` `compute.subnetworks.create` `compute.subnetworks.delete` `compute.subnetworks.get` `compute.subnetworks.getIamPolicy` `compute.subnetworks.list` `compute.subnetworks.setIamPolicy` `compute.subnetworks.use` `compute.vpnTunnels.get` `dns.changes.create` `dns.managedZoneOperations.` `dns.managedZoneOperations.get` `dns.managedZoneOperations.list` `dns.managedZones.create` `dns.managedZones.delete` `dns.managedZones.get` `dns.managedZones.list` `dns.managedZones.update` `dns.networks.bindPrivateDNSZone` `dns.resourceRecordSets.` `dns.resourceRecordSets.create` `dns.resourceRecordSets.delete` `dns.resourceRecordSets.get` `dns.resourceRecordSets.list` `dns.resourceRecordSets.update` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.list` `networkconnectivity.internalRanges.create` `networkconnectivity.internalRanges.delete` `networkconnectivity.internalRanges.get` `networkconnectivity.internalRanges.list` `networkconnectivity.operations.get` `servicedirectory.namespaces.associatePrivateZone` `servicedirectory.namespaces.create` `servicedirectory.namespaces.delete` `servicedirectory.services.create` `servicedirectory.services.delete`
Service Class User (`roles/networkconnectivity.serviceClassUser`) Service Class User uses a ServiceClass	`networkconnectivity.serviceClasses.get` `networkconnectivity.serviceClasses.list` `networkconnectivity.serviceClasses.use` `resourcemanager.projects.get` `resourcemanager.projects.list`
Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps	`networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.serviceClasses.` `networkconnectivity.serviceClasses.create` `networkconnectivity.serviceClasses.delete` `networkconnectivity.serviceClasses.get` `networkconnectivity.serviceClasses.list` `networkconnectivity.serviceClasses.update` `networkconnectivity.serviceClasses.use` `networkconnectivity.serviceConnectionMaps.` `networkconnectivity.serviceConnectionMaps.create` `networkconnectivity.serviceConnectionMaps.delete` `networkconnectivity.serviceConnectionMaps.get` `networkconnectivity.serviceConnectionMaps.list` `networkconnectivity.serviceConnectionMaps.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Enables full access to spoke resources and read-only access to hub resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.` `networkconnectivity.gatewayAdvertisedRoutes.create` `networkconnectivity.gatewayAdvertisedRoutes.delete` `networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.gatewayAdvertisedRoutes.update` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.*` `networkconnectivity.spokes.create` `networkconnectivity.spokes.delete` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `networkconnectivity.spokes.setIamPolicy` `networkconnectivity.spokes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Transport Admin (`roles/networkconnectivity.transportAdmin`) Enables full access to Transport resources	`networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.` `networkconnectivity.operations.cancel` `networkconnectivity.operations.delete` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.remoteTransportProfiles.` `networkconnectivity.remoteTransportProfiles.get` `networkconnectivity.remoteTransportProfiles.list` `networkconnectivity.transports.` `networkconnectivity.transports.create` `networkconnectivity.transports.delete` `networkconnectivity.transports.get` `networkconnectivity.transports.list` `networkconnectivity.transports.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Transport Viewer (`roles/networkconnectivity.transportViewer`) Enables view access to Transport resources	`networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.remoteTransportProfiles.` `networkconnectivity.remoteTransportProfiles.get` `networkconnectivity.remoteTransportProfiles.list` `networkconnectivity.transports.get` `networkconnectivity.transports.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Automation Consumer Network Admin

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

Group Admin

(roles/networkconnectivity.groupAdmin)

Enables full access to group resources and read-only access to hub and spoke resources

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.*

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.acceptSpokeUpdate
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.rejectSpokeUpdate
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

Group User

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

Hub & Spoke Admin

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.*

networkconnectivity.gatewayAdvertisedRoutes.create
networkconnectivity.gatewayAdvertisedRoutes.delete
networkconnectivity.gatewayAdvertisedRoutes.get
networkconnectivity.gatewayAdvertisedRoutes.list
networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.groups.*

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.acceptSpokeUpdate
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.rejectSpokeUpdate
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

networkconnectivity.hubs.create
networkconnectivity.hubs.delete
networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.hubs.listSpokes
networkconnectivity.hubs.queryStatus
networkconnectivity.hubs.setIamPolicy
networkconnectivity.hubs.update

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.*

networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Hub & Spoke Viewer

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.hubs.queryStatus

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

Multicloud Data Transfer Config Admin

(roles/networkconnectivity.multicloudDataTransferConfigAdmin)

Full access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.*

networkconnectivity.multicloudDataTransferConfigs.create
networkconnectivity.multicloudDataTransferConfigs.delete
networkconnectivity.multicloudDataTransferConfigs.get
networkconnectivity.multicloudDataTransferConfigs.list
networkconnectivity.multicloudDataTransferConfigs.update

networkconnectivity.multicloudDataTransferDestinations.*

networkconnectivity.multicloudDataTransferDestinations.create
networkconnectivity.multicloudDataTransferDestinations.delete
networkconnectivity.multicloudDataTransferDestinations.get
networkconnectivity.multicloudDataTransferDestinations.list
networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Multicloud Data Transfer Config Viewer

(roles/networkconnectivity.multicloudDataTransferConfigViewer)

Read-only access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.get

networkconnectivity.multicloudDataTransferConfigs.list

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Destination Admin

(roles/networkconnectivity.multicloudDataTransferDestinationAdmin)

Access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.*

networkconnectivity.multicloudDataTransferDestinations.create
networkconnectivity.multicloudDataTransferDestinations.delete
networkconnectivity.multicloudDataTransferDestinations.get
networkconnectivity.multicloudDataTransferDestinations.list
networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Destination Viewer

(roles/networkconnectivity.multicloudDataTransferDestinationViewer)

Read-only access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Regional Endpoint Admin

(roles/networkconnectivity.regionalEndpointAdmin)

Full access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.*

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

Regional Endpoint Viewer

(roles/networkconnectivity.regionalEndpointViewer)

Read-only access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.get

networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

Network Connectivity Service Agent

(roles/networkconnectivity.serviceAgent)

Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.setLabels

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.forwardingRules.pscSetLabels

compute.forwardingRules.pscUpdate

compute.forwardingRules.setLabels

compute.instances.get

compute.interconnectAttachments.get

compute.networks.get

compute.networks.updatePolicy

compute.networks.use

compute.projects.get

compute.regionOperations.get

compute.routers.get

compute.subnetworks.create

compute.subnetworks.delete

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.setIamPolicy

compute.subnetworks.use

compute.vpnTunnels.get

dns.changes.create

dns.managedZoneOperations.*

dns.managedZoneOperations.get
dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.list

dns.managedZones.update

dns.networks.bindPrivateDNSZone

dns.resourceRecordSets.*

dns.resourceRecordSets.create
dns.resourceRecordSets.delete
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.resourceRecordSets.update

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.list

networkconnectivity.internalRanges.create

networkconnectivity.internalRanges.delete

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.operations.get

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

Service Class User

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

Service Automation Service Producer Admin

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update

resourcemanager.projects.get

resourcemanager.projects.list

Spoke Admin

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.*

networkconnectivity.gatewayAdvertisedRoutes.create
networkconnectivity.gatewayAdvertisedRoutes.delete
networkconnectivity.gatewayAdvertisedRoutes.get
networkconnectivity.gatewayAdvertisedRoutes.list
networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Transport Admin

(roles/networkconnectivity.transportAdmin)

Enables full access to Transport resources

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.*

networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list

networkconnectivity.remoteTransportProfiles.*

networkconnectivity.remoteTransportProfiles.get
networkconnectivity.remoteTransportProfiles.list

networkconnectivity.transports.*

networkconnectivity.transports.create
networkconnectivity.transports.delete
networkconnectivity.transports.get
networkconnectivity.transports.list
networkconnectivity.transports.update

resourcemanager.projects.get

resourcemanager.projects.list

Transport Viewer

(roles/networkconnectivity.transportViewer)

Enables view access to Transport resources

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.remoteTransportProfiles.*

networkconnectivity.remoteTransportProfiles.get
networkconnectivity.remoteTransportProfiles.list

networkconnectivity.transports.get

networkconnectivity.transports.list

resourcemanager.projects.get

resourcemanager.projects.list

Permisos adicionales requeridos

Según las acciones que debas realizar en NCC, es posible que necesites los permisos que se describen en las siguientes secciones.

Permiso para crear un radio

Si quieres crear un radio, debes tener permiso para leer el tipo de recurso del radio. Por ejemplo:

Para los radios de túnel VPN, los radios de adjunto de VLAN y los radios de dispositivo de router, necesitas compute.routers.get.
Para crear radios de dispositivos de router, necesitas compute.instances.get. Además, antes de poder usar un radio de un dispositivo router, debes configurar el intercambio de tráfico entre Cloud Router y la instancia del dispositivo del router. Para establecer el intercambio de tráfico, necesitas los siguientes permisos:
- compute.instances.use
- compute.routers.update
Para crear radios de adjuntos de VLAN, necesitas compute.interconnectAttachments.get.
Para crear radios de túnel VPN, necesitas compute.vpnTunnels.get.
Para crear radios de VPC, necesitas los siguientes permisos:
- compute.networks.use
- compute.networks.get
Para crear radios de VPC en un proyecto diferente del concentrador con el que está asociado, necesitas networkconnectivity.groups.use.

Permiso para usar NCC en la consola de Google Cloud

Para usar NCC en la Google Cloud consola, necesitas un rol, como Visualizador de red de Compute (roles/compute.networkViewer), que incluya los permisos descritos en la siguiente tabla. Para usar estos permisos, primero debes crear un rol personalizado.

Tarea	Permisos necesarios
Accede a la página de NCC	`compute.projects.get` `compute.networks.get`
Accede a la página de Agregar radios y úsala	`compute.networks.list` `compute.regions.list` `compute.routers.list` `compute.zones.list` `compute.networks.get`
Agrega un radio de adjunto de VLAN	`compute.interconnectAttachments.list` `compute.interconnectAttachments.get` `compute.networks.get` `compute.routers.list` `compute.routers.get`
Agrega un radio de túnel VPN	`compute.forwardingRules.list` `compute.networks.get` `compute.routers.get` `compute.routers.list` `compute.targetVpnGateways.list` `compute.vpnGateways.list` `compute.vpnTunnels.get` `compute.vpnTunnels.list`
Agrega un radio de dispositivo de router	`compute.instances.list` `compute.instances.get` `compute.networks.get`
Agrega un radio de VPC	`compute.networks.use` `compute.networks.get` `compute.subnetworks.list`

Protege recursos con los controles del servicio de VPC

Para proteger aún más tus recursos de NCC, usa los Controles del servicio de VPC.

Los Controles del servicio de VPC brindan seguridad adicional a tus recursos para mitigar el riesgo de robo de datos. Con los Controles del servicio de VPC, puedes colocar recursos de NCC dentro de los perímetros de servicio. Luego, los Controles del servicio de VPC protegen estos recursos de las solicitudes que se originan fuera del perímetro.

Para obtener más información sobre los perímetros de servicio, consulta la página de configuración del perímetro de servicio en la documentación de los Controles del servicio de VPC.

¿Qué sigue?

Para obtener más información sobre los roles de proyecto y los recursos de Google Cloud , consulta la siguiente documentación:

Para comprender los roles y los permisos de IAM, consulta Control de acceso para proyectos mediante IAM.
Para comprender los tipos de roles, consulta Referencia de los roles básicos y predefinidos de la administración de identidades y accesos.
Para obtener información sobre los roles predefinidos, consulta Roles y permisos de IAM de Compute Engine.
Para obtener información sobre la NCC, consulta la Descripción general de la NCC.
Si deseas obtener información para administrar concentradores y radios, consulta Trabaja con concentradores y radios.

Funciones y permisos Organiza tus páginas con colecciones Guarda y categoriza el contenido según tus preferencias.

Funciones predefinidas

Service Automation Consumer Network Admin

Group Admin

Group User

Hub & Spoke Admin

Hub & Spoke Viewer

Multicloud Data Transfer Config Admin

Multicloud Data Transfer Config Viewer

Destination Admin

Destination Viewer

Regional Endpoint Admin

Regional Endpoint Viewer

Network Connectivity Service Agent

Service Class User

Service Automation Service Producer Admin

Spoke Admin

Transport Admin

Transport Viewer

Permisos adicionales requeridos

Permiso para crear un radio

Permiso para usar NCC en la consola de Google Cloud

Protege recursos con los controles del servicio de VPC

¿Qué sigue?

Funciones y permisos