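This page describes the Identity and Access Management (IAM) roles and permissions needed for
running Firewall Insights.

You can grant users or service accounts permissions or a predefined role, or
you can create a custom role that uses permissions that you specify. The
following table describes the IAM predefined roles and their
associated permissions.

Get required roles and permissions

To get the permissions that you need to enable APIs and features, ask your
administrator to grant you the following IAM roles on your project:

- Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
- Firewall Recommender Admin (roles/recommender.firewallAdmin)

These predefined roles contain the permissions required to enable APIs and
features. To see the exact permissions that are required, expand the
Required permissions section:

Required permissions

The following permissions are required to enable APIs and features:

- Enable APIs: serviceusage.services.enable
- Enable shadowed rule or overly permissive rule insights: recommender.computeFirewallInsightTypeConfigs.update

You might also be able to get these permissions with custom roles or
other predefined roles.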
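
The following Python audit is an added example, not part of the original page or of Google's documentation: it reads an exported project IAM policy and reports which principals hold the two required permissions, which hold only one, and which depend on a conditional binding. The sample policy, the custom role name `fwInsightsEnabler`, and the pairing of each predefined role with one required permission are assumptions made for illustration.

```python
import json

# Permissions the page lists as required to enable APIs and insights.
REQUIRED = {
    "serviceusage.services.enable",
    "recommender.computeFirewallInsightTypeConfigs.update",
}
# Predefined roles named on the page. Pairing each role with one permission
# is an assumption based on the role names; confirm in the IAM reference.
ROLE_PERMS = {
    "roles/serviceusage.serviceUsageAdmin": {"serviceusage.services.enable"},
    "roles/recommender.firewallAdmin": {
        "recommender.computeFirewallInsightTypeConfigs.update"},
}

def audit(policy, custom_roles=None):
    """Map each member to the required permissions it holds and lacks."""
    role_perms = {**ROLE_PERMS, **(custom_roles or {})}
    report = {}
    for binding in policy.get("bindings", []):
        perms = role_perms.get(binding["role"], set()) & REQUIRED
        if not perms:
            continue  # role grants nothing relevant, or is unknown to this script
        for member in binding.get("members", []):
            entry = report.setdefault(member, {"granted": set(), "conditional": False})
            entry["granted"] |= perms
            # A binding with an IAM condition applies only when the condition holds.
            entry["conditional"] |= "condition" in binding
    for entry in report.values():
        entry["missing"] = REQUIRED - entry["granted"]
    return report

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/serviceusage.serviceUsageAdmin",
   "members": ["user:alice@example.com", "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/recommender.firewallAdmin", "members": ["user:alice@example.com"],
   "condition": {"title": "expires", "expression": "request.time < timestamp('2026-01-01T00:00:00Z')"}},
  {"role": "projects/example-project/roles/fwInsightsEnabler", "members": ["group:netsec@example.com"]},
  {"role": "roles/viewer", "members": ["user:bob@example.com"]}]}""")
# Hypothetical custom role holding exactly the two required permissions.
CUSTOM_ROLES = {"projects/example-project/roles/fwInsightsEnabler": set(REQUIRED)}

if __name__ == "__main__":
    for member, e in sorted(audit(SAMPLE_POLICY, CUSTOM_ROLES).items()):
        status = "can enable" if not e["missing"] else "missing " + ", ".join(sorted(e["missing"]))
        print(f"{member}: {status}{' (conditional grant)' if e['conditional'] else ''}")
```

Roles that the script does not know about are skipped, so pass the permission sets of any custom roles in `custom_roles`; other predefined roles that carry these permissions are not detected.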
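Select a project

Before you complete any prerequisites or take any other actions with
Firewall Insights, we recommend that you create or select a
Google Cloud project. Use the following steps:

1. In the Google Cloud console, go to the Project selector page
   (https://console.cloud.google.com/projectselector2/home/dashboard).
2. Select or create a Google Cloud project.
3. Make sure that billing is enabled for your Google Cloud project.

What's next

- To complete the setup tasks, see Enable APIs and features.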