Access control with IAM

Identity and Access Management (IAM) lets you give access to specific resources. To give access to a resource, you grant a specific role to a user, which gives the user certain permissions.

This page lists all Workload Manager IAM roles and the permissions granted by those roles.

Workload Manager roles

Role Permissions

Workload Manager Admin Beta

(roles/workloadmanager.admin)

Full access to Workload Manager all resources.

compute.acceleratorTypes.list

compute.diskTypes.list

compute.machineTypes.list

compute.networks.list

compute.projects.get

compute.regions.list

compute.subnetworks.list

compute.zones.list

dns.managedZones.list

iam.serviceAccounts.list

monitoring.timeSeries.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.values.test

storage.buckets.list

storage.objects.list

workloadmanager.*

  • workloadmanager.actuations.create
  • workloadmanager.actuations.delete
  • workloadmanager.actuations.get
  • workloadmanager.actuations.list
  • workloadmanager.deployments.create
  • workloadmanager.deployments.delete
  • workloadmanager.deployments.get
  • workloadmanager.deployments.list
  • workloadmanager.discoveredprofiles.get
  • workloadmanager.discoveredprofiles.getHealth
  • workloadmanager.discoveredprofiles.list
  • workloadmanager.evaluations.create
  • workloadmanager.evaluations.delete
  • workloadmanager.evaluations.get
  • workloadmanager.evaluations.list
  • workloadmanager.evaluations.run
  • workloadmanager.evaluations.update
  • workloadmanager.executions.delete
  • workloadmanager.executions.get
  • workloadmanager.executions.list
  • workloadmanager.insights.export
  • workloadmanager.insights.listSapSystems
  • workloadmanager.insights.write
  • workloadmanager.locations.get
  • workloadmanager.locations.list
  • workloadmanager.operations.cancel
  • workloadmanager.operations.delete
  • workloadmanager.operations.get
  • workloadmanager.operations.list
  • workloadmanager.results.list
  • workloadmanager.rules.list

Workload Manager Deployment Admin Beta

(roles/workloadmanager.deploymentAdmin)

Full access to Workload Manager deployment resources.

compute.acceleratorTypes.list

compute.diskTypes.list

compute.machineTypes.list

compute.networks.list

compute.projects.get

compute.regions.list

compute.subnetworks.list

compute.zones.list

dns.managedZones.list

iam.serviceAccounts.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.values.test

storage.buckets.list

storage.objects.list

workloadmanager.actuations.*

  • workloadmanager.actuations.create
  • workloadmanager.actuations.delete
  • workloadmanager.actuations.get
  • workloadmanager.actuations.list

workloadmanager.deployments.*

  • workloadmanager.deployments.create
  • workloadmanager.deployments.delete
  • workloadmanager.deployments.get
  • workloadmanager.deployments.list

workloadmanager.locations.*

  • workloadmanager.locations.get
  • workloadmanager.locations.list

workloadmanager.operations.*

  • workloadmanager.operations.cancel
  • workloadmanager.operations.delete
  • workloadmanager.operations.get
  • workloadmanager.operations.list

Workload Manager Deployment Viewer Beta

(roles/workloadmanager.deploymentViewer)

Read-only access to Workload Manager deployment resources.

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.get

workloadmanager.actuations.list

workloadmanager.deployments.get

workloadmanager.deployments.list

Workload Manager Evaluation Admin Beta

(roles/workloadmanager.evaluationAdmin)

Full access to Workload Manager evaluation resources.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.evaluations.*

  • workloadmanager.evaluations.create
  • workloadmanager.evaluations.delete
  • workloadmanager.evaluations.get
  • workloadmanager.evaluations.list
  • workloadmanager.evaluations.run
  • workloadmanager.evaluations.update

workloadmanager.executions.*

  • workloadmanager.executions.delete
  • workloadmanager.executions.get
  • workloadmanager.executions.list

workloadmanager.locations.*

  • workloadmanager.locations.get
  • workloadmanager.locations.list

workloadmanager.operations.*

  • workloadmanager.operations.cancel
  • workloadmanager.operations.delete
  • workloadmanager.operations.get
  • workloadmanager.operations.list

workloadmanager.results.list

workloadmanager.rules.list

Workload Manager Evaluation Viewer Beta

(roles/workloadmanager.evaluationViewer)

Read-only access to Workload Manager evaluation resources.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.evaluations.get

workloadmanager.evaluations.list

workloadmanager.executions.get

workloadmanager.executions.list

workloadmanager.results.list

workloadmanager.rules.list

Workload Manager Insights Writer Beta

(roles/workloadmanager.insightWriter)

The role used to write data to WLM data warehouse.

workloadmanager.insights.write

Workload Manager Service Agent

(roles/workloadmanager.serviceAgent)

Gives Workload Manager Service Agent access to CAI export functions and Cloud Monitoring.

cloudasset.assets.exportAccessPolicy

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportOrgPolicy

cloudasset.assets.exportResource

cloudasset.assets.listAccessPolicy

cloudasset.assets.listIamPolicy

cloudasset.assets.listOSInventories

cloudasset.assets.listOrgPolicy

cloudasset.assets.listResource

cloudasset.assets.searchAllResources

config.deployments.create

config.deployments.delete

config.deployments.get

config.deployments.list

config.deployments.update

config.locations.*

  • config.locations.get
  • config.locations.list

config.operations.*

  • config.operations.cancel
  • config.operations.delete
  • config.operations.get
  • config.operations.list

config.resources.list

config.revisions.get

config.revisions.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.list

serviceusage.services.use

workloadmanager.insights.export

workloadmanager.insights.listSapSystems

Workload Manager Viewer Beta

(roles/workloadmanager.viewer)

Read-only access to Workload Manager all resources.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.get

workloadmanager.actuations.list

workloadmanager.deployments.get

workloadmanager.deployments.list

workloadmanager.discoveredprofiles.*

  • workloadmanager.discoveredprofiles.get
  • workloadmanager.discoveredprofiles.getHealth
  • workloadmanager.discoveredprofiles.list

workloadmanager.evaluations.get

workloadmanager.evaluations.list

workloadmanager.executions.get

workloadmanager.executions.list

workloadmanager.results.list

workloadmanager.rules.list

Workload Manager Worker Beta

(roles/workloadmanager.worker)

The role used by Workload Manager application runners to read and update workloads.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.*

  • workloadmanager.actuations.create
  • workloadmanager.actuations.delete
  • workloadmanager.actuations.get
  • workloadmanager.actuations.list

workloadmanager.deployments.*

  • workloadmanager.deployments.create
  • workloadmanager.deployments.delete
  • workloadmanager.deployments.get
  • workloadmanager.deployments.list

workloadmanager.discoveredprofiles.*

  • workloadmanager.discoveredprofiles.get
  • workloadmanager.discoveredprofiles.getHealth
  • workloadmanager.discoveredprofiles.list

workloadmanager.evaluations.*

  • workloadmanager.evaluations.create
  • workloadmanager.evaluations.delete
  • workloadmanager.evaluations.get
  • workloadmanager.evaluations.list
  • workloadmanager.evaluations.run
  • workloadmanager.evaluations.update

workloadmanager.executions.*

  • workloadmanager.executions.delete
  • workloadmanager.executions.get
  • workloadmanager.executions.list

workloadmanager.insights.write

workloadmanager.results.list

workloadmanager.rules.list

Workload Manager Workload Viewer Beta

(roles/workloadmanager.workloadViewer)

The role used to view the workload related data.

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.discoveredprofiles.*

  • workloadmanager.discoveredprofiles.get
  • workloadmanager.discoveredprofiles.getHealth
  • workloadmanager.discoveredprofiles.list

Workload Manager permissions

Permission Included in roles

workloadmanager.actuations.create

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.actuations.delete

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.actuations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Deployment Viewer (roles/workloadmanager.deploymentViewer)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.actuations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Deployment Viewer (roles/workloadmanager.deploymentViewer)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.deployments.create

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.deployments.delete

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.deployments.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Deployment Viewer (roles/workloadmanager.deploymentViewer)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.deployments.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Deployment Viewer (roles/workloadmanager.deploymentViewer)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.discoveredprofiles.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

Workload Manager Workload Viewer (roles/workloadmanager.workloadViewer)

workloadmanager.discoveredprofiles.getHealth

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

Workload Manager Workload Viewer (roles/workloadmanager.workloadViewer)

workloadmanager.discoveredprofiles.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

Workload Manager Workload Viewer (roles/workloadmanager.workloadViewer)

workloadmanager.evaluations.create

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.evaluations.delete

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.evaluations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

Workload Manager Evaluation Viewer (roles/workloadmanager.evaluationViewer)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.evaluations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

Workload Manager Evaluation Viewer (roles/workloadmanager.evaluationViewer)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.evaluations.run

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.evaluations.update

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.executions.delete

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.executions.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

Workload Manager Evaluation Viewer (roles/workloadmanager.evaluationViewer)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.executions.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

Workload Manager Evaluation Viewer (roles/workloadmanager.evaluationViewer)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.insights.export

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Service agent roles

workloadmanager.insights.listSapSystems

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Service agent roles

workloadmanager.insights.write

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Insights Writer (roles/workloadmanager.insightWriter)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.locations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

workloadmanager.locations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

workloadmanager.operations.cancel

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

workloadmanager.operations.delete

Owner (roles/owner)

Editor (roles/editor)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

workloadmanager.operations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

workloadmanager.operations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

workloadmanager.results.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

Workload Manager Evaluation Viewer (roles/workloadmanager.evaluationViewer)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

workloadmanager.rules.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Evaluation Admin (roles/workloadmanager.evaluationAdmin)

Workload Manager Evaluation Viewer (roles/workloadmanager.evaluationViewer)

Workload Manager Viewer (roles/workloadmanager.viewer)

Workload Manager Worker (roles/workloadmanager.worker)

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025年11月24日 UTC.