Security Posture API roles and permissions

This page lists the IAM roles and permissions for Security Posture API. To search through all roles and permissions, see the role and permission index.

Security Posture API roles

Role Permissions

Role	Permissions
Security Posture Admin (`roles/securityposture.admin`) Full access to Security Posture service APIs. Lowest-level resources where you can grant this role: Organization	`orgpolicy.` `orgpolicy.constraints.list` `orgpolicy.customConstraints.create` `orgpolicy.customConstraints.delete` `orgpolicy.customConstraints.get` `orgpolicy.customConstraints.list` `orgpolicy.customConstraints.update` `orgpolicy.policies.create` `orgpolicy.policies.delete` `orgpolicy.policies.list` `orgpolicy.policies.update` `orgpolicy.policy.get` `orgpolicy.policy.set` `resourcemanager.organizations.get` `securitycenter.securityhealthanalyticssettings.` `securitycenter.securityhealthanalyticssettings.calculate` `securitycenter.securityhealthanalyticssettings.get` `securitycenter.securityhealthanalyticssettings.update` `securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.` `securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get` `securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list` `securitycentermanagement.securityHealthAnalyticsCustomModules.create` `securitycentermanagement.securityHealthAnalyticsCustomModules.delete` `securitycentermanagement.securityHealthAnalyticsCustomModules.get` `securitycentermanagement.securityHealthAnalyticsCustomModules.list` `securitycentermanagement.securityHealthAnalyticsCustomModules.update` `securityposture.` `securityposture.locations.get` `securityposture.locations.list` `securityposture.operations.delete` `securityposture.operations.get` `securityposture.operations.list` `securityposture.postureDeployments.create` `securityposture.postureDeployments.delete` `securityposture.postureDeployments.get` `securityposture.postureDeployments.list` `securityposture.postureDeployments.update` `securityposture.postureTemplates.get` `securityposture.postureTemplates.list` `securityposture.postures.create` `securityposture.postures.delete` `securityposture.postures.extract` `securityposture.postures.get` `securityposture.postures.list` `securityposture.postures.update` `securityposture.reports.create` `securityposture.reports.get` `securityposture.reports.list`
Security Posture Deployer (`roles/securityposture.postureDeployer`) Mutate and read permissions to the Posture Deployment resource.	`orgpolicy.` `orgpolicy.constraints.list` `orgpolicy.customConstraints.create` `orgpolicy.customConstraints.delete` `orgpolicy.customConstraints.get` `orgpolicy.customConstraints.list` `orgpolicy.customConstraints.update` `orgpolicy.policies.create` `orgpolicy.policies.delete` `orgpolicy.policies.list` `orgpolicy.policies.update` `orgpolicy.policy.get` `orgpolicy.policy.set` `resourcemanager.organizations.get` `securitycenter.securityhealthanalyticssettings.` `securitycenter.securityhealthanalyticssettings.calculate` `securitycenter.securityhealthanalyticssettings.get` `securitycenter.securityhealthanalyticssettings.update` `securitycentermanagement.securityHealthAnalyticsCustomModules.create` `securitycentermanagement.securityHealthAnalyticsCustomModules.delete` `securitycentermanagement.securityHealthAnalyticsCustomModules.update` `securityposture.operations.get` `securityposture.postureDeployments.*` `securityposture.postureDeployments.create` `securityposture.postureDeployments.delete` `securityposture.postureDeployments.get` `securityposture.postureDeployments.list` `securityposture.postureDeployments.update`
Security Posture Deployments Viewer (`roles/securityposture.postureDeploymentsViewer`) Read only access to the Posture Deployment resource.	`resourcemanager.organizations.get` `securityposture.operations.get` `securityposture.postureDeployments.get` `securityposture.postureDeployments.list`
Security Posture Resource Editor (`roles/securityposture.postureEditor`) Mutate and read permissions to the Posture resource.	`securityposture.operations.get` `securityposture.postures.*` `securityposture.postures.create` `securityposture.postures.delete` `securityposture.postures.extract` `securityposture.postures.get` `securityposture.postures.list` `securityposture.postures.update`
Security Posture Resource Viewer (`roles/securityposture.postureViewer`) Read only access to the Posture resource.	`resourcemanager.organizations.get` `securityposture.operations.get` `securityposture.postures.get` `securityposture.postures.list`
Security Posture Shift-Left Validator (`roles/securityposture.reportCreator`) Create access for Reports, e.g. IaC Validation Report.	`securityposture.operations.get` `securityposture.reports.*` `securityposture.reports.create` `securityposture.reports.get` `securityposture.reports.list`
Security Posture Viewer (`roles/securityposture.viewer`) Read only access to all the SecurityPosture Service resources.	`resourcemanager.organizations.get` `securityposture.operations.get` `securityposture.postureDeployments.get` `securityposture.postureDeployments.list` `securityposture.postureTemplates.*` `securityposture.postureTemplates.get` `securityposture.postureTemplates.list` `securityposture.postures.get` `securityposture.postures.list`

Security Posture Admin

(roles/securityposture.admin)

Full access to Security Posture service APIs.

Lowest-level resources where you can grant this role:

Organization

orgpolicy.*

orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.*

securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
securityposture.reports.create
securityposture.reports.get
securityposture.reports.list

Security Posture Deployer

(roles/securityposture.postureDeployer)

Mutate and read permissions to the Posture Deployment resource.

orgpolicy.*

orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.operations.get

securityposture.postureDeployments.*

securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update

Security Posture Deployments Viewer

(roles/securityposture.postureDeploymentsViewer)

Read only access to the Posture Deployment resource.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postureDeployments.get

securityposture.postureDeployments.list

Security Posture Resource Editor

(roles/securityposture.postureEditor)

Mutate and read permissions to the Posture resource.

securityposture.operations.get

securityposture.postures.*

securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update

Security Posture Resource Viewer

(roles/securityposture.postureViewer)

Read only access to the Posture resource.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postures.get

securityposture.postures.list

Security Posture Shift-Left Validator

(roles/securityposture.reportCreator)

Create access for Reports, e.g. IaC Validation Report.

securityposture.operations.get

securityposture.reports.*

securityposture.reports.create
securityposture.reports.get
securityposture.reports.list

Security Posture Viewer

(roles/securityposture.viewer)

Read only access to all the SecurityPosture Service resources.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postureDeployments.get

securityposture.postureDeployments.list

securityposture.postureTemplates.*

securityposture.postureTemplates.get
securityposture.postureTemplates.list

securityposture.postures.get

securityposture.postures.list

Security Posture API permissions

Permission	Included in roles
`securityposture.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Security Posture Admin (`roles/securityposture.admin`)
`securityposture.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Security Posture Admin (`roles/securityposture.admin`)
`securityposture.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Security Posture Admin (`roles/securityposture.admin`)
`securityposture.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`) Security Posture Deployments Viewer (`roles/securityposture.postureDeploymentsViewer`) Security Posture Resource Editor (`roles/securityposture.postureEditor`) Security Posture Resource Viewer (`roles/securityposture.postureViewer`) Security Posture Shift-Left Validator (`roles/securityposture.reportCreator`) Security Posture Viewer (`roles/securityposture.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DSPM Service Agent (`roles/dspm.serviceAgent`)
`securityposture.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Security Posture Admin (`roles/securityposture.admin`)
`securityposture.postureDeployments.create`	Owner (`roles/owner`) Editor (`roles/editor`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DSPM Service Agent (`roles/dspm.serviceAgent`)
`securityposture.postureDeployments.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DSPM Service Agent (`roles/dspm.serviceAgent`)
`securityposture.postureDeployments.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`) Security Posture Deployments Viewer (`roles/securityposture.postureDeploymentsViewer`) Security Posture Viewer (`roles/securityposture.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DSPM Service Agent (`roles/dspm.serviceAgent`)
`securityposture.postureDeployments.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`) Security Posture Deployments Viewer (`roles/securityposture.postureDeploymentsViewer`) Security Posture Viewer (`roles/securityposture.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DSPM Service Agent (`roles/dspm.serviceAgent`)
`securityposture.postureDeployments.update`	Owner (`roles/owner`) Editor (`roles/editor`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Deployer (`roles/securityposture.postureDeployer`)
`securityposture.postureTemplates.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Viewer (`roles/securityposture.viewer`)
`securityposture.postureTemplates.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Viewer (`roles/securityposture.viewer`)
`securityposture.postures.create`	Owner (`roles/owner`) Editor (`roles/editor`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Resource Editor (`roles/securityposture.postureEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DSPM Service Agent (`roles/dspm.serviceAgent`)
`securityposture.postures.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Resource Editor (`roles/securityposture.postureEditor`)
`securityposture.postures.extract`	Owner (`roles/owner`) Editor (`roles/editor`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Resource Editor (`roles/securityposture.postureEditor`)
`securityposture.postures.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Resource Editor (`roles/securityposture.postureEditor`) Security Posture Resource Viewer (`roles/securityposture.postureViewer`) Security Posture Viewer (`roles/securityposture.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DSPM Service Agent (`roles/dspm.serviceAgent`)
`securityposture.postures.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Resource Editor (`roles/securityposture.postureEditor`) Security Posture Resource Viewer (`roles/securityposture.postureViewer`) Security Posture Viewer (`roles/securityposture.viewer`)
`securityposture.postures.update`	Owner (`roles/owner`) Editor (`roles/editor`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Resource Editor (`roles/securityposture.postureEditor`)
`securityposture.reports.create`	Owner (`roles/owner`) Editor (`roles/editor`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Shift-Left Validator (`roles/securityposture.reportCreator`)
`securityposture.reports.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Shift-Left Validator (`roles/securityposture.reportCreator`)
`securityposture.reports.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Security Posture Admin (`roles/securityposture.admin`) Security Posture Shift-Left Validator (`roles/securityposture.reportCreator`)

Security Posture API roles and permissions