Data Security Posture Management roles and permissions

This page lists the IAM roles and permissions for Data Security Posture Management. To search through all roles and permissions, see the role and permission index.

Data Security Posture Management roles

Role | Permissions

Data Security Posture Management Admin

(roles/dspm.admin)

Full access to Data Security Posture Management resources.

dspm.*

  • dspm.locations.computeAggregation
  • dspm.locations.fetchDataGovernanceAnalytics
  • dspm.locations.fetchDspmGovernedProjects
  • dspm.locations.fetchGovernedResourceMetrics
  • dspm.locations.fetchLineageConnections
  • dspm.locations.get
  • dspm.locations.list
  • dspm.operations.cancel
  • dspm.operations.delete
  • dspm.operations.get
  • dspm.operations.list

resourcemanager.organizations.get

DSPM Service Agent

(roles/dspm.serviceAgent)

Gives DSPM Service Account access to consumer resources.

Warning: Do not grant service agent roles to any principals except service agents.

aiplatform.artifacts.list

aiplatform.contexts.list

aiplatform.dataItems.list

aiplatform.datasets.get

aiplatform.datasets.list

aiplatform.endpoints.list

aiplatform.entityTypes.list

aiplatform.executions.list

aiplatform.metadataSchemas.list

aiplatform.modelEvaluations.list

aiplatform.models.list

aiplatform.trainingPipelines.list

aiplatform.tuningJobs.list

bigquery.datasets.createTagBinding

bigquery.datasets.deleteTagBinding

bigquery.datasets.listEffectiveTags

bigquery.datasets.listTagBindings

bigquery.jobs.create

bigquery.tables.createTagBinding

bigquery.tables.deleteTagBinding

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.listEffectiveTags

bigquery.tables.listTagBindings

cloudasset.assets.exportResource

cloudasset.assets.listResource

cloudasset.assets.queryResource

cloudasset.assets.searchAllResources

cloudasset.feeds.create

cloudasset.feeds.delete

cloudasset.feeds.update

cloudsecuritycompliance.cloudControlDeployments.create

cloudsecuritycompliance.cloudControlDeployments.delete

cloudsecuritycompliance.cloudControlDeployments.get

cloudsecuritycompliance.cloudControlDeployments.list

cloudsecuritycompliance.cloudControls.get

cloudsecuritycompliance.cloudControls.list

cloudsecuritycompliance.frameworkDeployments.create

cloudsecuritycompliance.frameworkDeployments.delete

cloudsecuritycompliance.frameworkDeployments.get

cloudsecuritycompliance.frameworkDeployments.list

cloudsecuritycompliance.frameworks.get

resourcemanager.folders.getIamPolicy

resourcemanager.hierarchyNodes.*

  • resourcemanager.hierarchyNodes.createTagBinding
  • resourcemanager.hierarchyNodes.deleteTagBinding
  • resourcemanager.hierarchyNodes.listEffectiveTags
  • resourcemanager.hierarchyNodes.listTagBindings

resourcemanager.organizations.getIamPolicy

resourcemanager.projects.getIamPolicy

resourcemanager.tagKeys.create

resourcemanager.tagKeys.delete

resourcemanager.tagKeys.get

resourcemanager.tagKeys.getIamPolicy

resourcemanager.tagKeys.list

resourcemanager.tagKeys.update

resourcemanager.tagValueBindings.*

  • resourcemanager.tagValueBindings.create
  • resourcemanager.tagValueBindings.delete

resourcemanager.tagValues.create

resourcemanager.tagValues.delete

resourcemanager.tagValues.get

resourcemanager.tagValues.getIamPolicy

resourcemanager.tagValues.list

resourcemanager.tagValues.update

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.update

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securityposture.operations.get

securityposture.postureDeployments.create

securityposture.postureDeployments.delete

securityposture.postureDeployments.get

securityposture.postureDeployments.list

securityposture.postures.create

securityposture.postures.get

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

Data Security Posture Management Viewer

(roles/dspm.viewer)

Read-only access to Data Security Posture Management resources.

dspm.locations.*

  • dspm.locations.computeAggregation
  • dspm.locations.fetchDataGovernanceAnalytics
  • dspm.locations.fetchDspmGovernedProjects
  • dspm.locations.fetchGovernedResourceMetrics
  • dspm.locations.fetchLineageConnections
  • dspm.locations.get
  • dspm.locations.list

dspm.operations.get

dspm.operations.list

resourcemanager.organizations.get

Data Security Posture Management permissions

Permission | Included in roles

dspm.locations.computeAggregation

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Data Security Posture Management Admin (roles/dspm.admin)

Data Security Posture Management Viewer (roles/dspm.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Security Center Admin (roles/securitycenter.admin)

Security Center Admin Editor (roles/securitycenter.adminEditor)

Security Center Admin Viewer (roles/securitycenter.adminViewer)

dspm.locations.fetchDataGovernanceAnalytics

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Data Security Posture Management Admin (roles/dspm.admin)

Data Security Posture Management Viewer (roles/dspm.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Security Center Admin (roles/securitycenter.admin)

Security Center Admin Editor (roles/securitycenter.adminEditor)

Security Center Admin Viewer (roles/securitycenter.adminViewer)

dspm.locations.fetchDspmGovernedProjects

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Data Security Posture Management Admin (roles/dspm.admin)

Data Security Posture Management Viewer (roles/dspm.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Security Center Admin (roles/securitycenter.admin)

Security Center Admin Editor (roles/securitycenter.adminEditor)

Security Center Admin Viewer (roles/securitycenter.adminViewer)

dspm.locations.fetchGovernedResourceMetrics

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Data Security Posture Management Admin (roles/dspm.admin)

Data Security Posture Management Viewer (roles/dspm.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Security Center Admin (roles/securitycenter.admin)

Security Center Admin Editor (roles/securitycenter.adminEditor)

Security Center Admin Viewer (roles/securitycenter.adminViewer)

dspm.locations.fetchLineageConnections

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Data Security Posture Management Admin (roles/dspm.admin)

Data Security Posture Management Viewer (roles/dspm.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Security Center Admin (roles/securitycenter.admin)

Security Center Admin Editor (roles/securitycenter.adminEditor)

Security Center Admin Viewer (roles/securitycenter.adminViewer)

dspm.locations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Data Security Posture Management Admin (roles/dspm.admin)

Data Security Posture Management Viewer (roles/dspm.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Security Center Admin (roles/securitycenter.admin)

Security Center Admin Editor (roles/securitycenter.adminEditor)

Security Center Admin Viewer (roles/securitycenter.adminViewer)

dspm.locations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Data Security Posture Management Admin (roles/dspm.admin)

Data Security Posture Management Viewer (roles/dspm.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Security Center Admin (roles/securitycenter.admin)

Security Center Admin Editor (roles/securitycenter.adminEditor)

Security Center Admin Viewer (roles/securitycenter.adminViewer)

dspm.operations.cancel

Owner (roles/owner)

Editor (roles/editor)

Data Security Posture Management Admin (roles/dspm.admin)

Security Center Admin (roles/securitycenter.admin)

dspm.operations.delete

Owner (roles/owner)

Editor (roles/editor)

Data Security Posture Management Admin (roles/dspm.admin)

Security Center Admin (roles/securitycenter.admin)

dspm.operations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Data Security Posture Management Admin (roles/dspm.admin)

Data Security Posture Management Viewer (roles/dspm.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Security Center Admin (roles/securitycenter.admin)

Security Center Admin Editor (roles/securitycenter.adminEditor)

Security Center Admin Viewer (roles/securitycenter.adminViewer)

dspm.operations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Data Security Posture Management Admin (roles/dspm.admin)

Data Security Posture Management Viewer (roles/dspm.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Security Center Admin (roles/securitycenter.admin)

Security Center Admin Editor (roles/securitycenter.adminEditor)

Security Center Admin Viewer (roles/securitycenter.adminViewer)

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.