Ruolo Access Context Manager Editor (roles/accesscontextmanager.policyEditor)
Ruolo Lettore Gestore contesto accesso (roles/accesscontextmanager.policyReader)
Puoi creare, elencare o delegare i criteri basati su ambito solo se disponi di queste autorizzazioni
a livello di organizzazione. Dopo aver creato un criterio basato su ambito, puoi concedere l'autorizzazione per gestirlo aggiungendo associazioni IAM al criterio basato su ambito.
Le autorizzazioni concesse a livello di organizzazione si applicano a tutti i criteri di accesso, incluso il criterio a livello di organizzazione e eventuali criteri basati su ambito.
I seguenti ruoli IAM predefiniti forniscono le autorizzazioni necessarie per visualizzare o configurare i perimetri di servizio e i livelli di accesso:
[[["Facile da capire","easyToUnderstand","thumb-up"],["Il problema รจ stato risolto","solvedMyProblem","thumb-up"],["Altra","otherUp","thumb-up"]],[["Difficile da capire","hardToUnderstand","thumb-down"],["Informazioni o codice di esempio errati","incorrectInformationOrSampleCode","thumb-down"],["Mancano le informazioni o gli esempi di cui ho bisogno","missingTheInformationSamplesINeed","thumb-down"],["Problema di traduzione","translationIssue","thumb-down"],["Altra","otherDown","thumb-down"]],["Ultimo aggiornamento 2025-09-01 UTC."],[],[],null,["# Access control with IAM\n\nThis page describes the Identity and Access Management (IAM) roles required to\nconfigure VPC Service Controls.\n\nRequired roles\n--------------\n\nThe following table lists the permissions and roles required to create and list\naccess policies:\n\nYou can only create, list, or delegate [scoped policies](/access-context-manager/docs/scoped-policies) if you have those permissions\nat the organization level. After you create a scoped policy, you can grant permission to\nmanage the policy by adding IAM bindings on the scoped policy.\n\nPermissions granted at the organization-level apply to all access policies, including\nthe organization-level policy and any scoped policies.\n| **Note:** Any Access Context Manager permissions granted on folders or projects have no effect on scoped policies as permissions can only be granted at the organization-level or on individual policies. The access control for scoped policies is independent of the projects or folders in their scopes.\n\nThe following predefined IAM roles provide the necessary\npermissions to view or configure service perimeters and access levels:\n\n- Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`)\n- Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)\n- Access Context Manager Reader (`roles/accesscontextmanager.policyReader`)\n\nTo grant one of these roles, use [the Google Cloud console](/iam/docs/granting-changing-revoking-access) or run\none of the following commands in the gcloud CLI. Replace\n\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e with the ID of your Google Cloud\norganization.\n\n### Grant Manager Admin role to allow read-write access\n\n```bash\ngcloud organizations add-iam-policy-binding ORGANIZATION_ID \\\n --member=\"user:example@customer.org\" \\\n --role=\"roles/accesscontextmanager.policyAdmin\"\n```\n\n### Grant Manager Editor role to allow read-write access\n\n```bash\ngcloud organizations add-iam-policy-binding ORGANIZATION_ID \\\n --member=\"user:example@customer.org\" \\\n --role=\"roles/accesscontextmanager.policyEditor\"\n```\n\n### Grant Manager Reader role to allow read-only access\n\n```bash\ngcloud organizations add-iam-policy-binding ORGANIZATION_ID \\\n --member=\"user:example@customer.org\" \\\n --role=\"roles/accesscontextmanager.policyReader\"\n```"]]
