Service Account Scopes and Custom Roles for Impersonate User

For more information on creating custom roles, refer to Creating and Assigning Custom Roles .

The following table lists the minimum requirements of Service Account Scopes and Custom Roles applied to an Impersonate User for the respective connector operations.

Connector Operation

Service Account Scopes

Impersonate User (Admin Account)

Test Connection

G-Suite

  • https://www.googleapis.com/auth/admin.directory.group

  • https://www.googleapis.com/auth/admin.directory.user

GCP

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

G-Suite

  • Admin Console Privileges – Organizational Units (Read), Users (Read)

  • Admin API Privileges – Organizational Units (Read), Users (Read), Group (Read), Domain Management (only required if managing domain as a user)

GCP

  • (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, iam.serviceAccounts.list

 

 

 

Refresh Account

Account Aggregation

Partitioning Aggregation

Role related operations (Aggregate Role, Create Account/Enable/Disable/Change Password/Add and Remove) with Role

  • https://www.googleapis.com/auth/admin.directory.group

  • https://www.googleapis.com/auth/admin.directory.user

  • https://www.googleapis.com/auth/admin.directory.rolemanagement

  • https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

Super Admin

Group Aggregation

G-Suite

  • https://www.googleapis.com/auth/admin.directory.group

  • https://www.googleapis.com/auth/apps.groups.settings

  • https://www.googleapis.com/auth/admin.directory.rolemanagement

  • https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

GCP

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

G-Suite

  • Admin API Privileges – Group (Read)

GCP

  • (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies,

Delete group

  • https://www.googleapis.com/auth/admin.directory.group

  • Admin Console Privileges – Groups

  • Admin API Privileges – Group (Delete)

Create and Update Group

G-Suite

  • https://www.googleapis.com/auth/admin.directory.group

  • https://www.googleapis.com/auth/apps.groups.settings

GCP

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

G-Suite

  • Admin Console Privileges – Groups

  • Admin API Privileges – Group (Create and Read)

GCP

  • (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, resourcemanager.projects.getIamPolicy, resourcemanager.projects.setIamPolicy, resourcemanager.folders.getIamPolicy, resourcemanager.folders.setIamPolicy, resourcemanager.organizations.getIamPolicy, resourcemanager.organizations.setIamPolicy, iam.serviceAccounts.getIamPolicy, iam.serviceAccounts.setIamPolicy

Create Account without Entitlement(s)

G-Suite

  • https://www.googleapis.com/auth/admin.directory.user

GCP

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

 

G-Suite

  • Admin Console Privileges – Organizational Unit (Read), Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users)

  • Admin API Privileges – Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Domain Management (only required if managing domain as a user)

GCP

  • (User-defined Custom Role) – iam.serviceAccounts.create, iam.serviceAccounts.get

 

 

Enable, Disable and Delete Account

Update Account attribute(s) (For accounts without entitlement)

Change Password

Create Account with Entitlement(s)

G-Suite

  • https://www.googleapis.com/auth/admin.directory.group

  • https://www.googleapis.com/auth/apps.groups.settings

  • https://www.googleapis.com/auth/admin.directory.user

  • https://www.googleapis.com/auth/admin.directory.rolemanagement

GCP

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

G-Suite

  • Admin Console Privileges – Organizational Unit (Read), Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Group

  • Admin API Privileges – Groups (Create and Read), Delete, Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users Groups) Cloud Asset Viewer, Project IAM Admin, Folder IAM Admin, Organization Administrator, Service Account Admin

GCP

  • (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, iam.serviceAccounts.create, iam.serviceAccounts.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.setIamPolicy, resourcemanager.folders.getIamPolicy, resourcemanager.folders.setIamPolicy, resourcemanager.organizations.get, resourcemanager.organizations.getIamPolicy, resourcemanager.organizations.setIamPolicy, iam.serviceAccounts.getIamPolicy, iam.serviceAccounts.setIamPolicy

 

 

Add/Remove Entitlements

Update Account attribute(s) (For accounts with entitlement)

Delta Aggregation for Account

G-Suite

  • https://www.googleapis.com/auth/admin.directory.group

  • https://www.googleapis.com/auth/apps.groups.settings

  • https://www.googleapis.com/auth/admin.directory.user

  • https://www.googleapis.com/auth/admin.reports.audit.readonly

GCP

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

G-Suite

  • Admin Console Privileges – Organizational Unit (Read) Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Security (Reports), Groups

  • Admin API Privileges – Groups (Create and Read), Update, Delete (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Groups, Domain Management(only required if managing domain as a user)

GCP

  • (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, iam.serviceAccounts.list

Delta Aggregation for Group

G-Suite

  • https://www.googleapis.com/auth/admin.directory.group

  • https://www.googleapis.com/auth/apps.groups.settings

  • https://www.googleapis.com/auth/admin.reports.audit.readonly

GCP

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

G-Suite

  • Admin Console Privileges – Organizational Unit (Read), Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Security (Reports), Groups

  • Admin API Privileges – Groups (Create and Read), Update, Delete, Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Groups

GCP

  • (User-defined Custom Role) – cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies

Delete Data Transfer

  • https://www.googleapis.com/auth/admin.directory.group

  • https://www.googleapis.com/auth/admin.directory.user

  • Admin Console PrivilegesOrganizational Unit (Read), Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Delete

  • Admin API Privileges – Groups (Create and Read), Update, Delete, Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Delete Data Transfer

Delegated Admins

  • https://www.googleapis.com/auth/admin.directory.group

  • https://www.googleapis.com/auth/admin.directory.user

  • https://www.googleapis.com/auth/gmail.settings.sharing

  • https://www.googleapis.com/auth/gmail.settings.basic

  • https://mail.google.com/

  • https://www.googleapis.com/auth/gmail.modify

  • https://www.googleapis.com/auth/gmail.readonly

  • Admin Console Privileges – Organizational Unit (Read), Users (Create and Read), Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), Gmail (Settings), Groups

  • Admin API Privileges – Groups (Create and Read), Update, Update (Rename Users, Move Users, Reset Password, Force Password Change, Add/Remove Aliases, Suspend Users), User Management, Group Admin, Gmail (Settings)

Agent Aggregation

GCP

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

GCP

  • (User-defined Custom Role)

    • aiplatform.agents.get

    • aiplatform.agents.list

    • cloudasset.assets.searchAllResources

    • cloudasset.assets.searchAllIamPolicies

Aggregation for Folder and Project

GCP

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

GCP

  • (User-defined Custom Role) –cloudasset.assets.searchAllResources and cloudasset.assets.searchAllIamPolicies

Aggregation for IAM Role

GCP 

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

GCP

  • (User-defined Custom Role) –cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, iam.roles.list, resourcemanager.projects.list

Create/Update/Delete IAM Roles

GCP

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

GCP

  • (User-defined Custom Role) –iam.roles.create, iam.roles.update, iam.roles.delete, iam.roles.get, iam.roles.list

Aggregation for IAM Resource Permission

GCP

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

GCP

  • (User-defined Custom Role) –cloudasset.assets.searchAllResources, iam.roles.list, resourcemanager.projects.list, resourcemanager.organizations.getIamPolicy, iam.serviceAccounts.getIamPolicy , resourcemanager.folders.getIamPolicy, resourcemanager.projects.getIamPolicy

To manage all operations on domain as Account type in GCP

G-Suite

  • https://www.googleapis.com/auth/admin.directory.domain

G-Suite

  • Admin API Privileges – Domain Management