Service Account Scopes and Built-in Roles for Impersonate User

The following table lists the minimum requirements of Service Account Scopes and Built-in Roles applied to an Impersonate User for the respective connector operations:

Connector Operation	Service Account Scopes	Impersonate User
Test Connection	https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user	No Role
Role related operations(Aggregate Role, Add and Remove Role)	https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.rolemanagement https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly	Super Admin
Create Account with Role	https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.rolemanagement https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly	Super Admin
Refresh Account	G-Suite https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite User Management Admin, Groups Admin GCP Cloud Asset Viewer, Service account user, Project IAM Admin, Folder IAM Admin, Organization Administrator (only required if organization level access managed), Service Account Admin, User Management, and Group Admin
Account Aggregation
Create Account with Entitlement(s)
Update Account attribute(s) (For accounts with entitlement)
Add and Remove Entitlement(s)
Partitioning Aggregation
Group Aggregation	G-Suite https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/apps.groups.settings GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite Group Admin GCP Cloud Asset Viewer, Organization Administrator (only required if organization level access is managed), Service Account Admin, Folder IAM Admin, and Project IAM Admin
Create and Update Group	G-Suite https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/apps.groups.settings GCP https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/iam
Create Account without Entitlement(s)	G-Suite https://www.googleapis.com/auth/admin.directory.user GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite User Management Admin, Super Admin (only required if managing domain as a user) GCP Service Account Admin
Enable, Disable, and Delete Account
Update Account attribute(s) (For accounts without entitlement)
Change Password
Delta Aggregation for Account	G-Suite https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.reports.audit.readonly GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite User Management Admin, Groups Admin, Custom Role (Reports), Super Admin (only required if managing domain as a user) GCP Cloud Asset Viewer
Delta Aggregation for Group	G-Suite https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.reports.audit.readonly GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	G-Suite Groups Admin and Custom Role (Reports) GCP Cloud Asset Viewer
Delete Data Transfer	https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user	User Management, Group Admin, and Data Transfer
DelegatedAdmins	https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/gmail.settings.sharing https://www.googleapis.com/auth/gmail.settings.basic https://mail.google.com/ https://www.googleapis.com/auth/gmail.modify https://www.googleapis.com/auth/gmail.readonly	User Management, Group Admin, and Gmail (Settings)
Aggregation for Folder and Project	GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	GCP Cloud Asset Viewer
Aggregation for IAM Role	GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	GCP Cloud Asset Viewer and Organization Role Viewer
Create, Update, and Delete IAM Roles	GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	GCP Organization Role Administrator
IAM Resource Permission	GCP https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform	GCP Cloud Asset Viewer, Organization Role Viewer, Organization Administrator (only required if managing Organization level access), Service Account Admin, Folder IAM Admin, and Project IAM Admin
To manage all operations on domain as Account type in GCP	https://www.googleapis.com/auth/admin.directory.domain	Super Admin

Feedback is provided as an informational resource only and does not form part of SailPoint's official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.


	You are here:

Service Account Scopes and Built-in Roles for Impersonate User

Documentation Feedback