使用 IAM 进行访问权限控制

本页面介绍了 SaaS 运行时角色和权限。

如需使用 SaaS 运行时，您需要确保拥有所需的服务账号。对于这些服务账号，您需要授予所需的权限。如需详细了解服务账号和 SaaS 运行时，请参阅 SaaS 运行时服务账号。 如需详细了解服务账号，请参阅服务账号概览。

如需部署或查看 Terraform 配置中定义的 Google Cloud 资源，您需要向服务账号授予特定于这些资源的权限。这些权限是对使用 SaaS 运行时所需权限的补充。如需查看所有角色及其所含权限的列表，请参阅 Identity and Access Management 基本角色和预定义角色参考文档。

无需服务账号即可查看 SaaS 运行时部署、修订版本和 IAM 政策。

预定义的 SaaS 运行时角色

IAM 提供的预定义角色可以授予对特定 Google Cloud 资源的访问权限，并防止对其他资源进行未经授权的访问。

下表列出了 SaaS Runtime IAM 角色及其具备的权限：

角色	说明	权限
SaaS Runtime Admin (roles/saasservicemgmt.admin)	拥有对所有 SaaS 运行时资源的完整访问权限。	saasservicemgmt.rollouts.create saasservicemgmt.rollouts.update saasservicemgmt.rollouts.delete saasservicemgmt.rolloutKinds.create saasservicemgmt.rolloutKinds.update saasservicemgmt.rolloutKinds.delete saasservicemgmt.releases.create saasservicemgmt.releases.update saasservicemgmt.releases.delete saasservicemgmt.units.create saasservicemgmt.units.update saasservicemgmt.units.delete saasservicemgmt.unitKinds.create saasservicemgmt.unitKinds.update saasservicemgmt.unitKinds.delete saasservicemgmt.unitOperations.create saasservicemgmt.unitOperations.update saasservicemgmt.unitOperations.delete saasservicemgmt.tenants.create saasservicemgmt.tenants.update saasservicemgmt.tenants.delete saasservicemgmt.saas.create saasservicemgmt.saas.update saasservicemgmt.saas.delete resourcemanager.projects.get resourcemanager.projects.list saasservicemgmt.locations.list saasservicemgmt.locations.get saasservicemgmt.rollouts.list saasservicemgmt.rollouts.get saasservicemgmt.rolloutKinds.list saasservicemgmt.rolloutKinds.get saasservicemgmt.releases.list saasservicemgmt.releases.get saasservicemgmt.units.list saasservicemgmt.units.get saasservicemgmt.unitKinds.list saasservicemgmt.unitKinds.get saasservicemgmt.unitOperations.list saasservicemgmt.unitOperations.get saasservicemgmt.tenants.list saasservicemgmt.tenants.get saasservicemgmt.saas.list saasservicemgmt.saas.get
SaaS 运行时查看器 (roles/saasservicemgmt.viewer)	读取 SaaS 运行时资源：版本、发布、发布类型、单元、单元类型、单元操作、SaaS 和租户。	resourcemanager.projects.get resourcemanager.projects.list saasservicemgmt.locations.list saasservicemgmt.locations.get saasservicemgmt.rollouts.list saasservicemgmt.rollouts.get saasservicemgmt.rolloutKinds.list saasservicemgmt.rolloutKinds.get saasservicemgmt.releases.list saasservicemgmt.releases.get saasservicemgmt.units.list saasservicemgmt.units.get saasservicemgmt.unitKinds.list saasservicemgmt.unitKinds.get saasservicemgmt.unitOperations.list saasservicemgmt.unitOperations.get saasservicemgmt.tenants.list saasservicemgmt.tenants.get saasservicemgmt.saas.list saasservicemgmt.saas.get

权限

调用方调用每种方法必须具备的权限列在 REST API 参考中。

后续步骤

• 了解 IAM。
• 详细了解如何在 IAM 中使用条件
• 详细了解 SaaS 运行时服务账号。