Access control with IAM

This page describes the Identity and Access Management (IAM) roles required to configure VPC Service Controls.

Required roles

The following table lists the permissions and roles required to create and list access policies:

Action: Create an organization-level access policy or scoped policies
  Permission: accesscontextmanager.policies.create
  Role that provides the permission:
  • Access Context Manager Editor role (roles/accesscontextmanager.policyEditor)

Action: List an organization-level access policy or scoped policies
  Permission: accesscontextmanager.policies.list
  Roles that provide the permission:
  • Access Context Manager Editor role (roles/accesscontextmanager.policyEditor)
  • Access Context Manager Reader role (roles/accesscontextmanager.policyReader)

You can only create, list, or delegate scoped policies if you have those permissions at the organization level. After you create a scoped policy, you can grant permission to manage the policy by adding IAM bindings on the scoped policy itself.

Permissions granted at the organization level apply to all access policies, including the organization-level policy and any scoped policies.

Note: Any Access Context Manager permissions granted on folders or projects have no effect on scoped policies, because these permissions can only be granted at the organization level or on individual policies. The access control for scoped policies is independent of the projects or folders in their scopes.
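The two rules above (organization-level bindings are what count for creating and listing access policies; folder- or project-level Access Context Manager bindings do nothing for scoped policies) are easy to get wrong in a large organization. The following script is an added example, not part of this page or of the gcloud CLI: it audits IAM policy JSON in the shape that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` (and the folder/project equivalents) return, reports which principals effectively hold the two Access Context Manager permissions from the table, and flags Access Context Manager role bindings placed on folders or projects, where they are ineffective for scoped policies. The role-to-permission mapping for Editor and Reader comes from the table; mapping the Admin role to both permissions is this example's assumption, based only on the page describing it as read-write access. All sample policies and principals are constructed.

```python
import json

# Role -> Access Context Manager permissions. Editor and Reader follow the
# page's table; treating policyAdmin as holding both permissions is an
# assumption of this example (the page only calls it "read-write access").
ACM_ROLE_PERMISSIONS = {
    "roles/accesscontextmanager.policyAdmin": {
        "accesscontextmanager.policies.create",
        "accesscontextmanager.policies.list",
    },
    "roles/accesscontextmanager.policyEditor": {
        "accesscontextmanager.policies.create",
        "accesscontextmanager.policies.list",
    },
    "roles/accesscontextmanager.policyReader": {
        "accesscontextmanager.policies.list",
    },
}


def effective_acm_permissions(org_policy):
    """Map each member in an ORGANIZATION-level IAM policy to the Access Context
    Manager permissions they hold through the roles above. Only organization-level
    bindings are considered, because that is the only level at which the
    create/list permissions apply to access policies."""
    result = {}
    for binding in org_policy.get("bindings", []):
        perms = ACM_ROLE_PERMISSIONS.get(binding.get("role"))
        if not perms:
            continue  # unrelated role, e.g. roles/viewer
        for member in binding.get("members", []):
            result.setdefault(member, set()).update(perms)
    return result


def can_create_access_policy(member, org_policy):
    """True if `member` holds accesscontextmanager.policies.create at org level."""
    perms = effective_acm_permissions(org_policy).get(member, set())
    return "accesscontextmanager.policies.create" in perms


def ineffective_acm_grants(resource_kind, policy):
    """Return (resource_kind, member, role) for every Access Context Manager role
    bound on a folder or project. Such bindings have no effect on scoped
    policies, so they are worth flagging as misplaced grants."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role in ACM_ROLE_PERMISSIONS:
            for member in binding.get("members", []):
                findings.append((resource_kind, member, role))
    return findings


# Constructed sample policies, in the shape `gcloud ... get-iam-policy --format=json`
# returns. Principals and etag are invented for this example.
ORG_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/accesscontextmanager.policyEditor",
     "members": ["user:alice@example.com"]},
    {"role": "roles/accesscontextmanager.policyReader",
     "members": ["group:sec-auditors@example.com", "user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXyzExampleEtag",
  "version": 1
}""")

PROJECT_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/accesscontextmanager.policyAdmin",
     "members": ["user:carol@example.com"]}
  ]
}""")

if __name__ == "__main__":
    for member, perms in sorted(effective_acm_permissions(ORG_POLICY).items()):
        print(f"{member}: {', '.join(sorted(perms))}")
    for kind, member, role in ineffective_acm_grants("project", PROJECT_POLICY):
        print(f"WARNING: {role} granted to {member} on a {kind}; "
              "this has no effect on scoped policies")
```

To run it against a real organization, replace the embedded JSON with the output of the corresponding `gcloud ... get-iam-policy --format=json` command; the script treats only the organization policy as a source of effective access-policy permissions, which matches the rule stated above.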

The following predefined IAM roles provide the necessary permissions to view or configure service perimeters and access levels:

  • Access Context Manager Admin (roles/accesscontextmanager.policyAdmin)
  • Access Context Manager Editor (roles/accesscontextmanager.policyEditor)
  • Access Context Manager Reader (roles/accesscontextmanager.policyReader)

To grant one of these roles, use the Google Cloud console or run one of the following commands in the gcloud CLI. Replace ORGANIZATION_ID with the ID of your Google Cloud organization.

Grant the Access Context Manager Admin role to allow read-write access:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
      --member="user:example@customer.org" \
      --role="roles/accesscontextmanager.policyAdmin"

Grant the Access Context Manager Editor role to allow read-write access:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
      --member="user:example@customer.org" \
      --role="roles/accesscontextmanager.policyEditor"

Grant the Access Context Manager Reader role to allow read-only access:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
      --member="user:example@customer.org" \
      --role="roles/accesscontextmanager.policyReader"

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.