Organization Policy Service roles and permissions

This page lists the IAM roles and permissions for Organization Policy Service. To search through all roles and permissions, see the role and permission index.

Organization Policy Service roles

Role Permissions

Role	Permissions
Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies. Lowest-level resources where you can grant this role: Organization	`cloudasset.assets.analyzeOrgPolicy` `cloudasset.assets.exportResource` `cloudasset.assets.listResource` `cloudasset.assets.searchAllResources` `orgpolicy.` `orgpolicy.constraints.list` `orgpolicy.customConstraints.create` `orgpolicy.customConstraints.delete` `orgpolicy.customConstraints.get` `orgpolicy.customConstraints.list` `orgpolicy.customConstraints.update` `orgpolicy.policies.create` `orgpolicy.policies.delete` `orgpolicy.policies.list` `orgpolicy.policies.update` `orgpolicy.policy.get` `orgpolicy.policy.set` `policysimulator.orgPolicyViolations.list` `policysimulator.orgPolicyViolationsPreviews.` `policysimulator.orgPolicyViolationsPreviews.create` `policysimulator.orgPolicyViolationsPreviews.get` `policysimulator.orgPolicyViolationsPreviews.list` `recommender.orgPolicyInsights.` `recommender.orgPolicyInsights.get` `recommender.orgPolicyInsights.list` `recommender.orgPolicyInsights.update` `recommender.orgPolicyRecommendations.` `recommender.orgPolicyRecommendations.get` `recommender.orgPolicyRecommendations.list` `recommender.orgPolicyRecommendations.update`
Organization Policy Viewer (`roles/orgpolicy.policyViewer`) Provides access to view Organization Policies on resources. Lowest-level resources where you can grant this role: Project	`orgpolicy.constraints.list` `orgpolicy.customConstraints.get` `orgpolicy.customConstraints.list` `orgpolicy.policies.list` `orgpolicy.policy.get`

Organization Policy Administrator

(roles/orgpolicy.policyAdmin)

Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.

Lowest-level resources where you can grant this role:

Organization

cloudasset.assets.analyzeOrgPolicy

cloudasset.assets.exportResource

cloudasset.assets.listResource

cloudasset.assets.searchAllResources

orgpolicy.*

orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set

policysimulator.orgPolicyViolations.list

policysimulator.orgPolicyViolationsPreviews.*

policysimulator.orgPolicyViolationsPreviews.create
policysimulator.orgPolicyViolationsPreviews.get
policysimulator.orgPolicyViolationsPreviews.list

recommender.orgPolicyInsights.*

recommender.orgPolicyInsights.get
recommender.orgPolicyInsights.list
recommender.orgPolicyInsights.update

recommender.orgPolicyRecommendations.*

recommender.orgPolicyRecommendations.get
recommender.orgPolicyRecommendations.list
recommender.orgPolicyRecommendations.update

Organization Policy Viewer

(roles/orgpolicy.policyViewer)

Provides access to view Organization Policies on resources.

Lowest-level resources where you can grant this role:

Project

orgpolicy.constraints.list

orgpolicy.customConstraints.get

orgpolicy.customConstraints.list

orgpolicy.policies.list

orgpolicy.policy.get

Organization Policy Service permissions

Permission	Included in roles
`orgpolicy.constraints.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) Folder Admin (`roles/resourcemanager.folderAdmin`) Folder Creator (`roles/resourcemanager.folderCreator`) Folder Editor (`roles/resourcemanager.folderEditor`) Folder Viewer (`roles/resourcemanager.folderViewer`) Organization Administrator (`roles/resourcemanager.organizationAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`orgpolicy.customConstraints.create`	Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.delete`	Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.customConstraints.update`	Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policies.create`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policies.delete`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policies.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Folder Admin (`roles/resourcemanager.folderAdmin`) Folder Creator (`roles/resourcemanager.folderCreator`) Folder Editor (`roles/resourcemanager.folderEditor`) Folder Viewer (`roles/resourcemanager.folderViewer`) Organization Administrator (`roles/resourcemanager.organizationAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Assured Workloads Service Agent (`roles/assuredworkloads.serviceAgent`)
`orgpolicy.policies.update`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`orgpolicy.policy.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Assured Workloads Reader (`roles/assuredworkloads.reader`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Consumer Procurement Entitlement Manager (`roles/consumerprocurement.entitlementManager`) Consumer Procurement Entitlement Viewer (`roles/consumerprocurement.entitlementViewer`) Consumer Procurement Administrator (`roles/consumerprocurement.procurementAdmin`) Consumer Procurement Viewer (`roles/consumerprocurement.procurementViewer`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Organization Policy Viewer (`roles/orgpolicy.policyViewer`) OrgPolicy Simulator Admin (`roles/policysimulator.orgPolicyAdmin`) Folder Admin (`roles/resourcemanager.folderAdmin`) Folder Creator (`roles/resourcemanager.folderCreator`) Folder Editor (`roles/resourcemanager.folderEditor`) Folder Viewer (`roles/resourcemanager.folderViewer`) Organization Administrator (`roles/resourcemanager.organizationAdmin`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`) API Keys Admin (`roles/serviceusage.apiKeysAdmin`) Storage Admin (`roles/storage.admin`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Workload Manager Admin (`roles/workloadmanager.admin`) Workload Manager Evaluation Admin (`roles/workloadmanager.evaluationAdmin`) Workload Manager Evaluation Viewer (`roles/workloadmanager.evaluationViewer`) Workload Manager Viewer (`roles/workloadmanager.viewer`) Workload Manager Worker (`roles/workloadmanager.worker`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Assured Workloads Service Agent (`roles/assuredworkloads.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Health Analytics Service Agent (`roles/securitycenter.securityHealthAnalyticsServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`orgpolicy.policy.set`	Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)

Organization Policy Service roles and permissions