# Access control with IAM

This page describes the Identity and Access Management (IAM) roles required to
configure VPC Service Controls.

Required roles
--------------
The following table lists the permissions and roles required to create and list
access policies:

| Action | Required permissions and roles |
|---|---|
| Create an organization-level access policy or scoped policies | Permission: `accesscontextmanager.policies.create`. Role that provides the permission: Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) |
| List an organization-level access policy or scoped policies | Permission: `accesscontextmanager.policies.list`. Roles that provide the permission: Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`); Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) |
You can only create, list, or delegate [scoped policies](/access-context-manager/docs/scoped-policies) if you have those permissions
at the organization level. After you create a scoped policy, you can grant permission to
manage the policy by adding IAM bindings on the scoped policy itself.

Permissions granted at the organization level apply to all access policies, including
the organization-level policy and any scoped policies.

**Note:** Any Access Context Manager permissions granted on folders or projects have no effect on scoped policies, because these permissions can only be granted at the organization level or on individual policies. The access control for scoped policies is independent of the projects or folders in their scopes.

The following predefined IAM roles provide the necessary
permissions to view or configure service perimeters and access levels:

- Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`)
- Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)
- Access Context Manager Reader (`roles/accesscontextmanager.policyReader`)

To grant one of these roles, use [the Google Cloud console](/iam/docs/granting-changing-revoking-access) or run
one of the following commands in the gcloud CLI. Replace
`ORGANIZATION_ID` with the ID of your Google Cloud
organization, and `user:example@customer.org` with the principal you are granting the role to.

### Grant the Access Context Manager Admin role to allow read-write access

```bash
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
 --member="user:example@customer.org" \
 --role="roles/accesscontextmanager.policyAdmin"
```

### Grant the Access Context Manager Editor role to allow read-write access

```bash
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
 --member="user:example@customer.org" \
 --role="roles/accesscontextmanager.policyEditor"
```

### Grant the Access Context Manager Reader role to allow read-only access

```bash
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
 --member="user:example@customer.org" \
 --role="roles/accesscontextmanager.policyReader"
```

Last updated 2025-08-29 UTC.
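The grant commands above and the scoped-policy delegation described under Required roles, as an added example that is not part of the original page and not Google's own tooling: a small POSIX shell script that maps a requested access level to one of the three roles listed on this page (rejecting anything else, so a typo cannot hand out a broader role), grants it either at the organization level or on a single scoped policy, and audits the flattened output of `gcloud organizations get-iam-policy` for who already holds Access Context Manager roles. The sample policy lines are constructed, the organization ID, policy ID and members are placeholders, and the script assumes the `gcloud` subcommands and the `--flatten`/`csv` format flags it names exist in your installed gcloud version. It defaults to printing commands (`DRY_RUN=1`) instead of running them.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page. Assumes an authenticated
# gcloud CLI; DRY_RUN=1 (the default) prints commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# Only the three predefined roles from the page are accepted; any other
# input is an error rather than a silently broader grant.
acm_role_for() {  # admin|editor|reader
  case "$1" in
    admin)  echo "roles/accesscontextmanager.policyAdmin" ;;
    editor) echo "roles/accesscontextmanager.policyEditor" ;;
    reader) echo "roles/accesscontextmanager.policyReader" ;;
    *) echo "unknown access level: $1 (use admin|editor|reader)" >&2; return 1 ;;
  esac
}

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

# Organization-level grant: applies to the organization policy and to
# every scoped policy, so reserve this for the central security team.
grant_org_role() {  # ORGANIZATION_ID MEMBER LEVEL
  role=$(acm_role_for "$3") || return 1
  run gcloud organizations add-iam-policy-binding "$1" \
    --member="$2" --role="$role"
}

# Scoped-policy grant: the binding lives on the policy itself, so the
# member can manage only that policy (assumed gcloud subcommand).
grant_scoped_policy_role() {  # POLICY_ID MEMBER LEVEL
  role=$(acm_role_for "$3") || return 1
  run gcloud access-context-manager policies add-iam-policy-binding "$1" \
    --member="$2" --role="$role"
}

# Audit filter: keep only "role,member" lines for Access Context Manager roles.
# Input is the flattened csv output of
#   gcloud organizations get-iam-policy ORGANIZATION_ID \
#     --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"
acm_bindings() {
  grep '^roles/accesscontextmanager\.'
}

# Number of principals holding the Admin role; review these first.
count_acm_admins() {
  acm_bindings | grep -c '^roles/accesscontextmanager\.policyAdmin,'
}

# Constructed sample of the flattened policy output, not real data.
SAMPLE_POLICY='roles/owner,user:ceo@example.com
roles/accesscontextmanager.policyAdmin,user:alice@example.com
roles/accesscontextmanager.policyAdmin,group:sec-admins@example.com
roles/accesscontextmanager.policyEditor,serviceAccount:ci@proj.iam.gserviceaccount.com
roles/accesscontextmanager.policyReader,user:auditor@example.com
roles/viewer,user:bob@example.com'

main() {
  echo "Access Context Manager bindings in sample policy:"
  printf '%s\n' "$SAMPLE_POLICY" | acm_bindings
  printf 'admins: %s\n' "$(printf '%s\n' "$SAMPLE_POLICY" | count_acm_admins)"
  # Placeholder IDs and principals; dry-run prints the gcloud invocations.
  grant_org_role 123456789012 user:example@customer.org reader
  grant_scoped_policy_role 987654321 group:app-team@customer.org editor
}
main
```

To apply for real, run with `DRY_RUN=0`, and pipe the live `gcloud organizations get-iam-policy` output shown in the comment through `acm_bindings` to list current holders before adding another. The script separates the two grant paths on purpose: organization-level bindings reach every scoped policy, so delegating an application team's policy to them should go through `grant_scoped_policy_role`, not `grant_org_role`.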