This page describes the IAM roles and permissions that are required to set up and use Audit Manager and custom compliance frameworks. Which ones a principal needs depends on what they do: enrolling a resource for auditing, running audits and reading reports, or managing custom compliance frameworks.
- Audit Manager Admin (roles/auditmanager.admin): grants the ability to enable auditing on a project or folder, generate an audit scope, and create or view Audit Manager reports.
- Storage Admin (roles/storage.admin) or Storage Legacy Bucket Owner (roles/storage.legacyBucketOwner): either role grants the ability to create, overwrite, and delete storage buckets. The admin needs one of them because a storage bucket must be specified when enrolling a resource for auditing.
- resourcemanager.organizations.setIamPolicy: this additional permission (a permission, not a role, so it is granted through a predefined or custom role that contains it) is required to enroll an organization.
- resourcemanager.folders.setIamPolicy: this additional permission is required to enroll a folder.
- Audit Manager Auditor (roles/auditmanager.auditor): grants the ability to generate an audit scope and to create or view Audit Manager reports.
- Storage Legacy Object Reader (roles/storage.legacyObjectReader): grants the ability to read the objects in storage buckets, which the auditor needs to read the generated reports.
- Audit Manager Custom Compliance Framework Admin (roles/auditmanager.ccfAdmin): grants the ability to create, read, update, delete, view, and list custom compliance frameworks (Preview). This role can only be granted at the organization level.
- Audit Manager Custom Compliance Framework Viewer (roles/auditmanager.ccfViewer): grants the ability to view and list custom compliance frameworks (Preview), and is required to run audits against them. This role can only be granted at the organization level.
For more information about granting roles, see the IAM documentation.
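The following is an added example, not code from this page or from Audit Manager itself: a small Python check that reads IAM policies in the JSON shape that `gcloud organizations|folders|projects get-iam-policy RESOURCE --format=json` returns, and reports which of the roles listed above a principal is still missing for a given task, whether a required setIamPolicy permission is absent, and whether a custom-framework role was bound below the organization node (where this page says it is not accepted). The policies, principals, and the `ROLE_PERMISSIONS` subset are constructed samples; the task table is assumed from the list above, and treating roles/storage.admin as satisfying the object-read requirement is an assumption not stated on this page.

```python
"""Check that a principal holds the IAM roles Audit Manager needs for a task.

Added example; not part of the Audit Manager documentation. Policies are in
the JSON shape returned by `gcloud ... get-iam-policy RESOURCE --format=json`.
All policies and principals below are constructed samples, and ROLE_PERMISSIONS
is a hand-written subset that a real run should populate from
`gcloud iam roles describe ROLE`.
"""
import json

ADMIN = "roles/auditmanager.admin"
AUDITOR = "roles/auditmanager.auditor"
CCF_ADMIN = "roles/auditmanager.ccfAdmin"
CCF_VIEWER = "roles/auditmanager.ccfViewer"
# Either role lets the admin create the bucket that enrollment asks for.
BUCKET_WRITERS = ("roles/storage.admin", "roles/storage.legacyBucketOwner")
# Assumption: storage.admin is a superset of legacyObjectReader, so it also covers reads.
BUCKET_READERS = ("roles/storage.legacyObjectReader", "roles/storage.admin")
# The custom-framework roles are only accepted on the organization node.
ORG_LEVEL_ONLY = {CCF_ADMIN, CCF_VIEWER}

# task -> (role requirements, each inner tuple meaning "any one of these",
#          extra permissions keyed by the type of the resource being enrolled)
TASKS = {
    "enroll": ([(ADMIN,), BUCKET_WRITERS],
               {"organization": ("resourcemanager.organizations.setIamPolicy",),
                "folder": ("resourcemanager.folders.setIamPolicy",)}),
    "audit": ([(AUDITOR,), BUCKET_READERS], {}),
    "audit-custom-framework": ([(AUDITOR,), BUCKET_READERS, (CCF_VIEWER,)], {}),
    "manage-custom-frameworks": ([(CCF_ADMIN,)], {}),
}

# Constructed subset of role -> permissions; fill from `gcloud iam roles describe` for real use.
ROLE_PERMISSIONS = {
    "roles/resourcemanager.organizationAdmin": {"resourcemanager.organizations.setIamPolicy"},
    "roles/resourcemanager.folderAdmin": {"resourcemanager.folders.setIamPolicy"},
}

# Constructed sample policies (organization node and one project under it).
ORG_POLICY = json.loads("""{"bindings": [
  {"role": "roles/auditmanager.ccfViewer", "members": ["user:alice@example.com"]},
  {"role": "roles/auditmanager.admin", "members": ["user:eve@example.com", "user:frank@example.com"]},
  {"role": "roles/storage.admin", "members": ["user:eve@example.com", "user:frank@example.com"]},
  {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:eve@example.com"]}
]}""")
PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/auditmanager.auditor", "members": ["user:alice@example.com"]},
  {"role": "roles/storage.legacyObjectReader", "members": ["user:alice@example.com"]},
  {"role": "roles/auditmanager.admin", "members": ["user:carol@example.com"]},
  {"role": "roles/storage.admin", "members": ["user:carol@example.com"],
   "condition": {"title": "business-hours", "expression": "request.time.getHours('Europe/Berlin') < 18"}},
  {"role": "roles/auditmanager.ccfAdmin", "members": ["user:dave@example.com"]}
]}""")


def effective_roles(member, policies):
    """Union the member's roles over the hierarchy (organization first, target last).

    Returns (roles, conditional, misplaced): roles bound unconditionally, roles
    bound only under an IAM condition (not counted, since the condition cannot
    be evaluated here), and org-only roles bound below the organization node.
    """
    roles, conditional, misplaced = set(), set(), []
    for rtype, policy in policies:
        for binding in policy.get("bindings", []):
            if member not in binding.get("members", []):
                continue
            role = binding["role"]
            if role in ORG_LEVEL_ONLY and rtype != "organization":
                misplaced.append((role, rtype))
            elif binding.get("condition"):
                conditional.add(role)
            else:
                roles.add(role)
    return roles, conditional, misplaced


def check(member, task, policies, role_permissions):
    """Return a list of findings; an empty list means the member can perform `task`."""
    requirements, perms_by_type = TASKS[task]
    target_type = policies[-1][0]          # the resource the task is performed on
    roles, conditional, misplaced = effective_roles(member, policies)
    findings = []
    for alternatives in requirements:
        if not roles.intersection(alternatives):
            findings.append(f"{member} needs one of {' / '.join(alternatives)} for task '{task}'")
    held = set().union(*(role_permissions.get(r, set()) for r in roles))
    for perm in perms_by_type.get(target_type, ()):
        if perm not in held:
            findings.append(f"{member} lacks permission {perm}, required to enroll the {target_type}")
    for role, rtype in misplaced:
        findings.append(f"{role} is bound on a {rtype}; it is only accepted at the organization level")
    for role in sorted(conditional):
        findings.append(f"{role} is bound only under an IAM condition and was not counted")
    return findings


if __name__ == "__main__":
    hierarchy = [("organization", ORG_POLICY), ("project", PROJECT_POLICY)]
    for member, task, policies in [
        ("user:alice@example.com", "audit-custom-framework", hierarchy),
        ("user:carol@example.com", "enroll", hierarchy),
        ("user:dave@example.com", "manage-custom-frameworks", hierarchy),
        ("user:eve@example.com", "enroll", hierarchy[:1]),
        ("user:frank@example.com", "enroll", hierarchy[:1]),
    ]:
        findings = check(member, task, policies, ROLE_PERMISSIONS)
        print(f"{member} / {task}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Pass the policies from the organization down to the resource being enrolled or audited, because roles inherit down the hierarchy while the two custom-framework roles only count when bound on the organization itself. Conditional bindings are reported rather than trusted, since whether they apply depends on the request.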

