Choose which type of role to use

This page offers guidance on which type of role (predefined, custom, or basic) you should use to control access to Google Cloud resources.

The following summarizes our recommendations for choosing which type of role to use:

  • We recommend that you prioritize using predefined roles because they're managed by Google and offer a balance of security and convenience.
  • If you need a role that closely adheres to the principle of least privilege, and you can't find a predefined role that fits your security requirements, use custom roles.
  • Don't use basic roles unless you have no alternative or are using them in a test environment.

When to use predefined roles

Generally, we recommend that you use predefined roles instead of basic or custom roles. Predefined roles give granular access to specific Google Cloud resources, are maintained by Google, and are updated automatically when new permissions, features, or services are added to Google Cloud.

However, there are some cases where you might want to use custom or basic roles. The following sections describe these cases.

When to use custom roles

Unlike predefined roles, custom roles are not maintained by Google. That means when Google Cloud adds new permissions, features, or services, your custom roles won't be updated automatically. For this reason, we recommend granting the most limited predefined roles that meet your needs.

However, it might be appropriate to create and grant custom roles in the following cases:

  • A principal needs a permission, but each predefined role that includes that permission also includes permissions that the principal doesn't need and shouldn't have.
  • You use role recommendations to replace overly permissive role grants with more appropriate role grants. In some cases, you might receive a recommendation to create a custom role.

When using custom roles, be aware of the following limits:

  • Custom roles can contain up to 3,000 permissions.
  • The maximum total size of the title, description, and permission names for a custom role is 64 KB.
  • There are limits to the number of custom roles you can create:

    • You can create up to 300 organization-level custom roles in your organization.
    • You can create up to 300 project-level custom roles in each project in your organization.

When to use basic roles

Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.

If you need to replace a basic role, you can use role recommendations to determine which roles to grant instead. You can also use the Policy Simulator to ensure that changing the role won't affect the principal's access.

It might be appropriate to grant basic roles when you want to grant broader permissions for a project. This often happens when you're granting permissions in development or test environments.
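
To find which grants the guidance above applies to, the following added example (not part of Google's documentation) groups every grant in an allow policy by role type, using the role name format. It assumes the policy was exported as JSON, for example with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the function names `role_type` and `audit_policy` and the sample policy are constructed for illustration.

```python
import json

# Basic roles by name. Extend this set if you treat other broad roles the same way.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def role_type(role):
    """Classify a role name as 'basic', 'predefined' or 'custom' from its format."""
    if role in BASIC_ROLES:
        return "basic"
    parts = role.split("/")
    # Custom roles are scoped: projects/<id>/roles/<role> or organizations/<id>/roles/<role>
    if len(parts) == 4 and parts[0] in ("projects", "organizations") and parts[2] == "roles":
        return "custom"
    if len(parts) == 2 and parts[0] == "roles" and parts[1]:
        return "predefined"
    raise ValueError(f"unrecognized role name: {role!r}")

def audit_policy(policy):
    """Group every (role, member) grant in an allow policy by role type."""
    report = {"basic": [], "predefined": [], "custom": []}
    for binding in policy.get("bindings", []):
        kind = role_type(binding["role"])
        for member in binding.get("members", []):
            report[kind].append((binding["role"], member))
    return report

# Constructed sample in the JSON shape of an IAM allow policy (not real data).
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:dev@example.com", "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["group:ops@example.com"]},
    {"role": "projects/example-project/roles/bucketLister", "members": ["user:dev@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    report = audit_policy(SAMPLE_POLICY)
    for role, member in report["basic"]:
        print(f"REPLACE basic role: {member} has {role}")
    for role, member in report["custom"]:
        print(f"REVIEW custom role (not updated by Google): {member} has {role}")
    print(f"{len(report['predefined'])} grant(s) already use predefined roles")
```

Grants reported under "basic" are the candidates for replacement with more limited roles; grants under "custom" are the ones that need periodic review because Google does not update them.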


Last updated 2025-12-09 UTC.