Model Armor roles and permissions

This page lists the IAM roles and permissions for Model Armor. To search through all roles and permissions, see the role and permission index.

Model Armor roles

Role Permissions

Role	Permissions
Model Armor Admin (`roles/modelarmor.admin`) Grants full access to all modelarmor resources. Intended for administrators & owners.	`modelarmor.locations.` `modelarmor.locations.get` `modelarmor.locations.list` `modelarmor.templates.` `modelarmor.templates.create` `modelarmor.templates.delete` `modelarmor.templates.get` `modelarmor.templates.list` `modelarmor.templates.update` `modelarmor.templates.useToSanitizeInput` `modelarmor.templates.useToSanitizeModelResponse` `modelarmor.templates.useToSanitizeOutput` `modelarmor.templates.useToSanitizeUserPrompt` `resourcemanager.projects.get` `resourcemanager.projects.list`
Model Armor Viewer (`roles/modelarmor.viewer`) Grants read access to all model armor resources. Intended for viewers.	`modelarmor.locations.*` `modelarmor.locations.get` `modelarmor.locations.list` `modelarmor.templates.get` `modelarmor.templates.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Model Armor Callout User ^Beta (`roles/modelarmor.calloutUser`) Grants access to use Model Armor Callout service. Intended for users & applications which plan to use Model Armor Callout service.	`modelarmor.callouts.invoke` `modelarmor.locations.*` `modelarmor.locations.get` `modelarmor.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Model Armor Floor Setting Admin (`roles/modelarmor.floorSettingsAdmin`) Grants full access to all Model Armor Floor Setting resources. Intended for administrators & owners.	`modelarmor.floorSettings.` `modelarmor.floorSettings.computeEffectiveFloorSetting` `modelarmor.floorSettings.get` `modelarmor.floorSettings.update` `modelarmor.locations.` `modelarmor.locations.get` `modelarmor.locations.list` `resourcemanager.folders.get` `resourcemanager.folders.list` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Model Armor Floor Setting Viewer (`roles/modelarmor.floorSettingsViewer`) Grants read access to all Model Armor Floor Setting resources. Intended for viewers.	`modelarmor.floorSettings.get` `modelarmor.locations.*` `modelarmor.locations.get` `modelarmor.locations.list` `resourcemanager.folders.get` `resourcemanager.folders.list` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Model Armor User (`roles/modelarmor.user`) Grants access to sanitize APIs for templates. Intended for users & applications which plan to use a template.	`modelarmor.locations.*` `modelarmor.locations.get` `modelarmor.locations.list` `modelarmor.templates.useToSanitizeInput` `modelarmor.templates.useToSanitizeModelResponse` `modelarmor.templates.useToSanitizeOutput` `modelarmor.templates.useToSanitizeUserPrompt` `resourcemanager.projects.get` `resourcemanager.projects.list`

Model Armor Admin

(roles/modelarmor.admin)

Grants full access to all modelarmor resources. Intended for administrators & owners.

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

modelarmor.templates.*

modelarmor.templates.create
modelarmor.templates.delete
modelarmor.templates.get
modelarmor.templates.list
modelarmor.templates.update
modelarmor.templates.useToSanitizeInput
modelarmor.templates.useToSanitizeModelResponse
modelarmor.templates.useToSanitizeOutput
modelarmor.templates.useToSanitizeUserPrompt

resourcemanager.projects.get

resourcemanager.projects.list

Model Armor Viewer

(roles/modelarmor.viewer)

Grants read access to all model armor resources. Intended for viewers.

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

modelarmor.templates.get

modelarmor.templates.list

resourcemanager.projects.get

resourcemanager.projects.list

Model Armor Callout User ^Beta

(roles/modelarmor.calloutUser)

Grants access to use Model Armor Callout service. Intended for users & applications which plan to use Model Armor Callout service.

modelarmor.callouts.invoke

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Model Armor Floor Setting Admin

(roles/modelarmor.floorSettingsAdmin)

Grants full access to all Model Armor Floor Setting resources. Intended for administrators & owners.

modelarmor.floorSettings.*

modelarmor.floorSettings.computeEffectiveFloorSetting
modelarmor.floorSettings.get
modelarmor.floorSettings.update

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Model Armor Floor Setting Viewer

(roles/modelarmor.floorSettingsViewer)

Grants read access to all Model Armor Floor Setting resources. Intended for viewers.

modelarmor.floorSettings.get

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Model Armor User

(roles/modelarmor.user)

Grants access to sanitize APIs for templates. Intended for users & applications which plan to use a template.

modelarmor.locations.*

modelarmor.locations.get
modelarmor.locations.list

modelarmor.templates.useToSanitizeInput

modelarmor.templates.useToSanitizeModelResponse

modelarmor.templates.useToSanitizeOutput

modelarmor.templates.useToSanitizeUserPrompt

resourcemanager.projects.get

resourcemanager.projects.list

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

Role	Permissions
Model Armor Service Agent (`roles/modelarmor.serviceAgent`) Gives Model Armor Service Account permission to make DLP calls. Warning: Do not grant service agent roles to any principals except service agents.	`dlp.analyzeRiskTemplates.get` `dlp.analyzeRiskTemplates.list` `dlp.deidentifyTemplates.get` `dlp.deidentifyTemplates.list` `dlp.inspectFindings.list` `dlp.inspectTemplates.get` `dlp.inspectTemplates.list` `dlp.jobTriggers.get` `dlp.jobTriggers.list` `dlp.jobs.get` `dlp.jobs.list` `dlp.kms.encrypt` `dlp.locations.*` `dlp.locations.get` `dlp.locations.list` `dlp.storedInfoTypes.get` `dlp.storedInfoTypes.list` `serviceusage.services.use`

Model Armor Service Agent

(roles/modelarmor.serviceAgent)

Gives Model Armor Service Account permission to make DLP calls.

dlp.analyzeRiskTemplates.get

dlp.analyzeRiskTemplates.list

dlp.deidentifyTemplates.get

dlp.deidentifyTemplates.list

dlp.inspectFindings.list

dlp.inspectTemplates.get

dlp.inspectTemplates.list

dlp.jobTriggers.get

dlp.jobTriggers.list

dlp.jobs.get

dlp.jobs.list

dlp.kms.encrypt

dlp.locations.*

dlp.locations.get
dlp.locations.list

dlp.storedInfoTypes.get

dlp.storedInfoTypes.list

serviceusage.services.use

Model Armor permissions

Permission	Included in roles
`modelarmor.callouts.invoke`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Callout User (`roles/modelarmor.calloutUser`)
`modelarmor.floorSettings.computeEffectiveFloorSetting`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Center Admin (`roles/securitycenter.admin`) Support User (`roles/iam.supportUser`) Model Armor Floor Setting Admin (`roles/modelarmor.floorSettingsAdmin`)
`modelarmor.floorSettings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Center Admin (`roles/securitycenter.admin`) Support User (`roles/iam.supportUser`) Model Armor Floor Setting Admin (`roles/modelarmor.floorSettingsAdmin`) Model Armor Floor Setting Viewer (`roles/modelarmor.floorSettingsViewer`)
`modelarmor.floorSettings.update`	Owner (`roles/owner`) Security Center Admin (`roles/securitycenter.admin`) Model Armor Floor Setting Admin (`roles/modelarmor.floorSettingsAdmin`)
`modelarmor.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Model Armor Admin (`roles/modelarmor.admin`) Model Armor Viewer (`roles/modelarmor.viewer`) Security Center Admin (`roles/securitycenter.admin`) Support User (`roles/iam.supportUser`) Model Armor Callout User (`roles/modelarmor.calloutUser`) Model Armor Floor Setting Admin (`roles/modelarmor.floorSettingsAdmin`) Model Armor Floor Setting Viewer (`roles/modelarmor.floorSettingsViewer`) Model Armor User (`roles/modelarmor.user`)
`modelarmor.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Model Armor Admin (`roles/modelarmor.admin`) Model Armor Viewer (`roles/modelarmor.viewer`) Security Center Admin (`roles/securitycenter.admin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Model Armor Callout User (`roles/modelarmor.calloutUser`) Model Armor Floor Setting Admin (`roles/modelarmor.floorSettingsAdmin`) Model Armor Floor Setting Viewer (`roles/modelarmor.floorSettingsViewer`) Model Armor User (`roles/modelarmor.user`)
`modelarmor.templates.create`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.templates.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.templates.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Model Armor Admin (`roles/modelarmor.admin`) Model Armor Viewer (`roles/modelarmor.viewer`) Security Center Admin (`roles/securitycenter.admin`) Support User (`roles/iam.supportUser`)
`modelarmor.templates.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Model Armor Admin (`roles/modelarmor.admin`) Model Armor Viewer (`roles/modelarmor.viewer`) Security Center Admin (`roles/securitycenter.admin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`modelarmor.templates.update`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Security Center Admin (`roles/securitycenter.admin`)
`modelarmor.templates.useToSanitizeInput`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Security Center Admin (`roles/securitycenter.admin`) Model Armor User (`roles/modelarmor.user`)
`modelarmor.templates.useToSanitizeModelResponse`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Security Center Admin (`roles/securitycenter.admin`) Model Armor User (`roles/modelarmor.user`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`)
`modelarmor.templates.useToSanitizeOutput`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Security Center Admin (`roles/securitycenter.admin`) Model Armor User (`roles/modelarmor.user`)
`modelarmor.templates.useToSanitizeUserPrompt`	Owner (`roles/owner`) Editor (`roles/editor`) Model Armor Admin (`roles/modelarmor.admin`) Security Center Admin (`roles/securitycenter.admin`) Model Armor User (`roles/modelarmor.user`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`)

Model Armor roles and permissions