Roles and permissions

This page describes the Identity and Access Management (IAM) roles and permissions needed to access Cloud Network Insights. For a detailed description of IAM, see the Identity and Access Management documentation.

You can grant users or service accounts permissions or predefined roles, or you can create a custom role that uses permissions that you specify.

You might need to run the add-iam-policy command in the Google Cloud CLI to grant Cloud Network Insights roles to users.

The roles granted to users in Google Cloud are replicated in AppNeta. If you can edit Cloud Network Insights resources in the Google Cloud console, you can edit them in AppNeta.

Roles

This section describes how to use predefined and custom roles when granting permissions for Cloud Network Insights.

Predefined roles for Cloud Network Insights

Cloud Network Insights has the following predefined roles that allow you to either modify all Cloud Network Insights resources or view the resources:

Cloud Network Insights Editor (roles/networkmanagement.cloudNetworkInsightsEditor)
Cloud Network Insights Viewer (roles/networkmanagement.cloudNetworkInsightsViewer)

If you want to grant users the ability to view Cloud Network Insights in projects where it is already enabled, you can grant users one of the following predefined roles:

Cloud Network Management Viewer (roles/networkmanagement.Viewer)
Cloud Network Insights Viewer (roles/networkmanagement.cloudNetworkInsightsViewer)

For more information about granting roles, see Manage access to projects, folders, and organizations.

Cloud Network Insights roles

The following tables describe the IAM predefined roles and their associated permissions for Cloud Network Insights.

For more information, see the IAM permissions reference.

Role Permissions

Role	Permissions
Cloud Network Insights Editor (`roles/networkmanagement.cloudNetworkInsightsEditor`) Full access to Cloud Network Insights resources. Lowest-level resources where you can grant this role: Project	networkmanagement.providers.get networkmanagement.providers.list networkmanagement.providers.generateProviderAccessToken networkmanagement.providers.create networkmanagement.providers.delete networkmanagement.providers.downloadConfig networkmanagement.monitoringPoints.get networkmanagement.monitoringPoints.list networkmanagement.networkPaths.get networkmanagement.networkPaths.list networkmanagement.webPaths.get networkmanagement.webPaths.list productrequirementsservice.requirements.record productrequirementsservice.requirements.check
Cloud Network Insights Viewer (`roles/networkmanagement.cloudNetworkInsightsViewer`) Read-only access to Cloud Network Insights resources. Lowest-level resources where you can grant this role: Project	networkmanagement.providers.get networkmanagement.providers.list networkmanagement.providers.generateProviderAccessToken networkmanagement.monitoringPoints.get networkmanagement.monitoringPoints.list networkmanagement.networkPaths.get networkmanagement.networkPaths.list networkmanagement.webPaths.get networkmanagement.webPaths.list productrequirementsservice.requirements.check

Cloud Network Insights Editor

(


roles/networkmanagement.cloudNetworkInsightsEditor

)

Full access to Cloud Network Insights resources.
Lowest-level resources where you can grant this role:

Project

networkmanagement.providers.get
networkmanagement.providers.list
networkmanagement.providers.generateProviderAccessToken
networkmanagement.providers.create
networkmanagement.providers.delete
networkmanagement.providers.downloadConfig
networkmanagement.monitoringPoints.get
networkmanagement.monitoringPoints.list
networkmanagement.networkPaths.get
networkmanagement.networkPaths.list
networkmanagement.webPaths.get
networkmanagement.webPaths.list
productrequirementsservice.requirements.record
productrequirementsservice.requirements.check

Cloud Network Insights Viewer

(roles/networkmanagement.cloudNetworkInsightsViewer)

Read-only access to Cloud Network Insights resources.
Lowest-level resources where you can grant this role:

Project

networkmanagement.providers.get
networkmanagement.providers.list
networkmanagement.providers.generateProviderAccessToken
networkmanagement.monitoringPoints.get
networkmanagement.monitoringPoints.list
networkmanagement.networkPaths.get
networkmanagement.networkPaths.list
networkmanagement.webPaths.get
networkmanagement.webPaths.list
productrequirementsservice.requirements.check

Alerts and logs roles

The following table describes the IAM predefined roles and their associated permissions to view or manage alerts and logs based on Cloud Network Insights data. Users also need either the Cloud Network Insights Viewer or Editor role.

Role	Permissions
Logs Viewer (`roles/logging.viewer`) Provides access to view logs. Lowest-level resources where you can grant this role: View	logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logScopes.get logging.logScopes.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.operations.get logging.operations.list logging.queries.getShared logging.queries.listShared logging.queries.usePrivate logging.sinks.get logging.sinks.list logging.usage.get logging.views.get logging.views.list observability.scopes.get resourcemanager.projects.get
Logs Configuration Writer (`roles/logging.configWriter`) Create alerting policies. Lowest-level resources where you can grant this role: View	logging.buckets.create logging.buckets.createTagBinding logging.buckets.delete logging.buckets.deleteTagBinding logging.buckets.get logging.buckets.list logging.buckets.listEffectiveTags logging.buckets.listTagBindings logging.buckets.undelete logging.buckets.update logging.exclusions.* logging.links.* logging.locations.* logging.logMetrics.* logging.logScopes.* logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.notificationRules.* logging.operations.* logging.settings.* logging.sinks.* logging.sqlAlerts.* logging.views.create logging.views.delete logging.views.get logging.views.getIamPolicy logging.views.list logging.views.update observability.scopes.get resourcemanager.projects.get resourcemanager.projects.list
Monitoring NotificationChannel Editor Beta (`roles/monitoring.notificationChannelEditor`) Create an alerting policy that is tied to a notification.	monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify
Monitoring AlertPolicy Viewer (`roles/monitoring.alertPolicyViewer`) View alerting policies.	monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.alertPolicies.listEffectiveTags monitoring.alertPolicies.listTagBindings
Monitoring AlertPolicy Editor (`roles/monitoring.alertPolicyEditor`) Edit alerting policies.	monitoring.alertPolicies.*

Roles and permissions Stay organized with collections Save and categorize content based on your preferences.

Roles

Predefined roles for Cloud Network Insights

Cloud Network Insights roles

Cloud Network Insights Editor

Cloud Network Insights Viewer

Alerts and logs roles

Logs Viewer

Logs Configuration Writer

Monitoring NotificationChannel Editor Beta

Monitoring AlertPolicy Viewer

Monitoring AlertPolicy Editor

Roles and permissions