Service Account Scopes and Custom Roles for Impersonate User

Creating Custom Roles

The following table lists the minimum requirements of Service Account Scopes and Custom Roles applied to an Impersonate User for the respective connector operations.

Connector Operation	Service Account Scopes	Impersonate User
Test Connection	G-Suite https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite Admin Console Privileges – Organizational Units (Read), Users (Read) Admin API Privileges – Organizational Units (Read), Users (Read), Group (Read), Domain Management (only required if managing domain as a user) GCP (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, iam.serviceAccounts.list
Refresh Account
Account Aggregation
Partitioning Aggregation
Role related operations (Aggregate Role, Create Account/Enable/Disable/Change Password/Add and Remove) with Role	https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.rolemanagement https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly	Super Admin
Group Aggregation	G-Suite https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.rolemanagement https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite Admin API Privileges – Group (Read) GCP (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies,
Delete group	https://www.googleapis.com/auth/admin.directory.group	Admin Console Privileges – Groups Admin API Privileges – Group (Delete)
Create and Update Group	G-Suite https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/apps.groups.settings GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite Admin Console Privileges – Groups Admin API Privileges – Group (Create and Read) GCP (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, resourcemanager.projects.getIamPolicy, resourcemanager.projects.setIamPolicy, resourcemanager.folders.getIamPolicy, resourcemanager.folders.setIamPolicy, resourcemanager.organizations.getIamPolicy, resourcemanager.organizations.setIamPolicy, iam.serviceAccounts.getIamPolicy, iam.serviceAccounts.setIamPolicy
Create Account without Entitlement(s)	G-Suite https://www.googleapis.com/auth/admin.directory.user GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite Admin Console Privileges – Organizational Unit (Read), Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users) Admin API Privileges – Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Domain Management (only required if managing domain as a user) GCP (User-defined Custom Role) – iam.serviceAccounts.create, iam.serviceAccounts.get
Enable, Disable and Delete Account
Update Account attribute(s) (For accounts without entitlement)
Change Password
Create Account with Entitlement(s)	G-Suite https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.rolemanagement GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite Admin Console Privileges – Organizational Unit (Read), Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Group Admin API Privileges – Groups (Create and Read), Delete, Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users Groups) Cloud Asset Viewer, Project IAM Admin, Folder IAM Admin, Organization Administrator, Service Account Admin GCP (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, iam.serviceAccounts.create, iam.serviceAccounts.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.setIamPolicy, resourcemanager.folders.getIamPolicy, resourcemanager.folders.setIamPolicy, resourcemanager.organizations.get, resourcemanager.organizations.getIamPolicy, resourcemanager.organizations.setIamPolicy, iam.serviceAccounts.getIamPolicy, iam.serviceAccounts.setIamPolicy
Add/Remove Entitlements
Update Account attribute(s) (For accounts with entitlement)
Delta Aggregation for Account	G-Suite https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.reports.audit.readonly GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite Admin Console Privileges – Organizational Unit (Read) Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Security (Reports), Groups Admin API Privileges – Groups (Create and Read), Update, Delete (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Groups, Domain Management(only required if managing domain as a user) GCP (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, iam.serviceAccounts.list
Delta Aggregation for Group	G-Suite https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.reports.audit.readonly GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite Admin Console Privileges – Organizational Unit (Read), Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Security (Reports), Groups Admin API Privileges – Groups (Create and Read), Update, Delete, Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Groups GCP (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies
Delete Data Transfer	https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user	Admin Console Privileges –Organizational Unit (Read), Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Delete Admin API Privileges – Groups (Create and Read), Update, Delete, Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Delete Data Transfer
Delegated Admins	https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/gmail.settings.sharing https://www.googleapis.com/auth/gmail.settings.basic https://mail.google.com/ https://www.googleapis.com/auth/gmail.modify https://www.googleapis.com/auth/gmail.readonly	Admin Console Privileges – Organizational Unit (Read), Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Gmail (Settings), Groups Admin API Privileges – Groups (Create and Read), Update, Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), User Management, Group Admin, Gmail (Settings)
Aggregation for Folder and Project	GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	GCP (User-defined Custom Role) –cloudasset.assets.searchAllResources and cloudasset.assets.searchAllIamPolicies
Aggregation for IAM Role	GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	GCP (User-defined Custom Role) –cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, iam.roles.list, resourcemanager.projects.list
Create/Update/Delete IAM Roles	GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	GCP (User-defined Custom Role) –iam.roles.create, iam.roles.update, iam.roles.delete, iam.roles.get, iam.roles.list
Aggregation for IAM Resource Permission	GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	GCP (User-defined Custom Role) –cloudasset.assets.searchAllResources, iam.roles.list, resourcemanager.projects.list, resourcemanager.organizations.getIamPolicy, iam.serviceAccounts.getIamPolicy , resourcemanager.folders.getIamPolicy, resourcemanager.projects.getIamPolicy
To manage all operations on domain as Account type in GCP	G-Suite https://www.googleapis.com/auth/admin.directory.domain	G-Suite Admin API Privileges – Domain Management

Feedback is provided as an informational resource only and does not form part of SailPoint's official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.


	You are here:

Service Account Scopes and Custom Roles for Impersonate User

Creating Custom Roles

Documentation Feedback