Returns the caller's permissions.
If true, implied permissions are added in the output. For example, if permission A implies permission B, and the user has permission A, the output will include both A and B if this is set to true. If this is set to false, B will only be returned if it was assigned to the user directly.
Success result
User's permissions in the account.
MANAGE_LOGGING: Permission to manage logging integrations, and enable/disable error logging.
MANAGE_AUTH: Permission to manage SSO and password policy.
MANAGE_WORKSPACE_CSE: Permission to manage Workspace CSE configuration.
UNWRAP_WORKSPACE_CSE_PRIVILEGED: Permission required for the Workspace CSE PrivilegedUnwrap API. Note that UNWRAP_WORKSPACE_CSE permission in the group where the key is stored is also required.
MANAGE_ACCOUNT_CLIENT_CONFIGS: Permission to manage account-level client configurations.
MANAGE_PLUGIN_CODE_SIGNING_POLICY: Permission to manage plugin code signing policy.
CREATE_ACCOUNT_APPROVAL_POLICY: Permission to create account-level approval policy. Note that updating/deleting the approval policy is protected by the approval policy itself.
SET_APPROVAL_REQUEST_EXPIRY: Permission to set approval request expiry for all approval requests created in the account.
MANAGE_APPROVAL_REQUEST_SETTINGS: Permission to manage all approval request settings including approval request expiry. Implies SET_APPROVAL_REQUEST_EXPIRY.
UPDATE_ACCOUNT_CUSTOM_METADATA_ATTRIBUTES: Permission to update the account's custom metadata attributes.
MANAGE_ACCOUNT_SUBSCRIPTION: Permission to manage account subscription (only relevant for SaaS accounts).
MANAGE_ACCOUNT_PROFILE: Permission to update account name, custom logo, and other profile information.
DELETE_ACCOUNT: Permission to delete the account.
CREATE_ADMIN_APPS: Permission to create administrative apps. Implies GET_ADMIN_APPS.
UPDATE_ADMIN_APPS: Permission to update administrative apps. Implies GET_ADMIN_APPS.
DELETE_ADMIN_APPS: Permission to delete administrative apps. Implies GET_ADMIN_APPS.
RETRIEVE_ADMIN_APP_SECRETS: Permission to retrieve administrative apps' secrets. Note that not all admin app credentials contain secrets. If an admin app's credential does not contain any secrets, GET_ADMIN_APPS permission is sufficient to call the GetAppCredential API. Implies GET_ADMIN_APPS.
MANAGE_ADMIN_APPS: Currently implies CREATE_ADMIN_APPS, UPDATE_ADMIN_APPS, DELETE_ADMIN_APPS, RETRIEVE_ADMIN_APP_SECRETS and GET_ADMIN_APPS permissions.
CREATE_CUSTOM_ROLES: Permission to create custom user roles. Implies GET_CUSTOM_ROLES.
UPDATE_CUSTOM_ROLES: Permission to update custom user roles. Implies GET_CUSTOM_ROLES.
DELETE_CUSTOM_ROLES: Permission to delete custom user roles. Implies GET_CUSTOM_ROLES.
MANAGE_CUSTOM_ROLES: Currently implies CREATE_CUSTOM_ROLES, UPDATE_CUSTOM_ROLES, DELETE_CUSTOM_ROLES and GET_CUSTOM_ROLES permissions.
INVITE_USERS_TO_ACCOUNT: Permission to invite users to the account. Implies GET_ALL_USERS.
DELETE_USERS_FROM_ACCOUNT: Permission to remove users from the account. Implies GET_ALL_USERS.
UPDATE_USERS_ACCOUNT_ROLE: Permission to change users' role in the account. Implies GET_ALL_USERS.
UPDATE_USERS_ACCOUNT_ENABLED_STATE: Permission to enable/disable users in the account. Implies GET_ALL_USERS.
MANAGE_ACCOUNT_USERS: Currently implies INVITE_USERS_TO_ACCOUNT, DELETE_USERS_FROM_ACCOUNT, UPDATE_USERS_ACCOUNT_ROLE, UPDATE_USERS_ACCOUNT_ENABLED_STATE and GET_ALL_USERS permissions.
CREATE_EXTERNAL_ROLES: Permission to create external roles. Implies GET_EXTERNAL_ROLES.
SYNC_EXTERNAL_ROLES: Permission to synchronize external roles. Implies GET_EXTERNAL_ROLES.
DELETE_EXTERNAL_ROLES: Permission to delete external roles. Implies GET_EXTERNAL_ROLES.
MANAGE_EXTERNAL_ROLES: Currently implies CREATE_EXTERNAL_ROLES, SYNC_EXTERNAL_ROLES, DELETE_EXTERNAL_ROLES and GET_EXTERNAL_ROLES permissions.
CREATE_ACCOUNT_SOBJECT_POLICIES: Permission to create various account-level security object policies including cryptographic policy, key metadata policy and key history policy.
UPDATE_ACCOUNT_SOBJECT_POLICIES: Permission to update various account-level security object policies including cryptographic policy, key metadata policy and key history policy.
DELETE_ACCOUNT_SOBJECT_POLICIES: Permission to delete various account-level security object policies including cryptographic policy, key metadata policy and key history policy.
MANAGE_ACCOUNT_SOBJECT_POLICIES: Currently implies CREATE_ACCOUNT_SOBJECT_POLICIES, UPDATE_ACCOUNT_SOBJECT_POLICIES, and DELETE_ACCOUNT_SOBJECT_POLICIES permissions.
CREATE_CHILD_ACCOUNTS: Permission to create child accounts. Note that this is only applicable to SaaS accounts with a reseller subscription. Implies GET_CHILD_ACCOUNTS.
UPDATE_CHILD_ACCOUNTS: Permission to update child accounts. Note that this is only applicable to SaaS accounts with a reseller subscription. Implies GET_CHILD_ACCOUNTS.
DELETE_CHILD_ACCOUNTS: Permission to delete child accounts. Note that this is only applicable to SaaS accounts with a reseller subscription. Implies GET_CHILD_ACCOUNTS.
CREATE_CHILD_ACCOUNT_USERS: Permission to create users in child accounts. Note that this is only applicable to SaaS accounts with a reseller subscription. Implies GET_CHILD_ACCOUNTS and GET_CHILD_ACCOUNT_USERS.
GET_CHILD_ACCOUNTS: Permission to get child accounts. Note that this is only applicable to SaaS accounts with a reseller subscription.
GET_CHILD_ACCOUNT_USERS: Permission to get child account users. Note that this is only applicable to SaaS accounts with a reseller subscription.
MANAGE_CHILD_ACCOUNTS: Currently implies CREATE_CHILD_ACCOUNTS, UPDATE_CHILD_ACCOUNTS, DELETE_CHILD_ACCOUNTS, CREATE_CHILD_ACCOUNT_USERS, GET_CHILD_ACCOUNTS, and GET_CHILD_ACCOUNT_USERS permissions.
CREATE_LOCAL_GROUPS: Permission to create new local groups.
CREATE_EXTERNAL_GROUPS: Permission to create new groups backed by an external HSM/KMS.
ALLOW_QUORUM_REVIEWER: Controls whether the user can act as an approval policy reviewer.
ALLOW_KEY_CUSTODIAN: Controls whether the user can act as a key custodian.
GET_ALL_APPROVAL_REQUESTS: Grants read access to all approval requests in the account. Note that there is a related group-level permission that is restricted to approval requests related to one group.
GET_ADMIN_APPS: Permission to get administrative apps.
GET_CUSTOM_ROLES: Permission to get custom user roles.
GET_EXTERNAL_ROLES: Permission to get external roles.
GET_ALL_USERS: Permission to get all users. Note that users can always get themselves.
GET_ACCOUNT_USAGE: Grants access to the accounts::GetAccountUsage API.
MANAGE_KEY_EXPIRY_ALERTS: Permission to manage key expiry alert configurations.
MANAGE_REPLICATION: Permission to modify an account's purpose field (e.g., changing a replication account's settings), or to call any APIs involving replication credentials. If the account is not a replication account, this permission has no effect.
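The implied-permissions flag described at the top of this page (the page does not give the query parameter's name) returns the transitive closure of the caller's direct assignments: a user holding MANAGE_ADMIN_APPS ends up with CREATE_ADMIN_APPS and, through it, GET_ADMIN_APPS. The following Python is an added example, not Fortanix code or code from this page: it reproduces that expansion over the account-level implication graph transcribed from the entries above and adds two audit helpers that a reviewer of a permission listing would want (which direct grant accounts for an effective permission, and which direct grants are already covered by another grant). The user assignments are constructed, and `include_implied` is a placeholder parameter name.

```python
from collections import deque

# Direct implications transcribed from the account-level permission
# entries on this page: permission -> permissions it implies.
IMPLIES = {
    "MANAGE_ADMIN_APPS": {
        "CREATE_ADMIN_APPS", "UPDATE_ADMIN_APPS", "DELETE_ADMIN_APPS",
        "RETRIEVE_ADMIN_APP_SECRETS", "GET_ADMIN_APPS",
    },
    "CREATE_ADMIN_APPS": {"GET_ADMIN_APPS"},
    "UPDATE_ADMIN_APPS": {"GET_ADMIN_APPS"},
    "DELETE_ADMIN_APPS": {"GET_ADMIN_APPS"},
    "RETRIEVE_ADMIN_APP_SECRETS": {"GET_ADMIN_APPS"},
    "MANAGE_ACCOUNT_USERS": {
        "INVITE_USERS_TO_ACCOUNT", "DELETE_USERS_FROM_ACCOUNT",
        "UPDATE_USERS_ACCOUNT_ROLE", "UPDATE_USERS_ACCOUNT_ENABLED_STATE",
        "GET_ALL_USERS",
    },
    "INVITE_USERS_TO_ACCOUNT": {"GET_ALL_USERS"},
    "DELETE_USERS_FROM_ACCOUNT": {"GET_ALL_USERS"},
    "UPDATE_USERS_ACCOUNT_ROLE": {"GET_ALL_USERS"},
    "UPDATE_USERS_ACCOUNT_ENABLED_STATE": {"GET_ALL_USERS"},
    "MANAGE_APPROVAL_REQUEST_SETTINGS": {"SET_APPROVAL_REQUEST_EXPIRY"},
    "CREATE_CHILD_ACCOUNT_USERS": {"GET_CHILD_ACCOUNTS", "GET_CHILD_ACCOUNT_USERS"},
}


def expand(direct, implies=IMPLIES):
    """Transitive closure of `direct` under `implies`: every permission held
    directly plus everything those permissions imply, recursively."""
    effective = set(direct)
    queue = deque(direct)
    while queue:
        for implied in implies.get(queue.popleft(), ()):
            if implied not in effective:
                effective.add(implied)
                queue.append(implied)
    return effective


def get_permissions(direct, include_implied):
    """Model of the endpoint's two modes. `include_implied` is a placeholder
    name; this page does not state the real query parameter."""
    return expand(direct) if include_implied else set(direct)


def granted_by(direct, perm, implies=IMPLIES):
    """Audit helper: which direct assignments account for effective `perm`?"""
    return sorted(p for p in direct if perm in expand({p}, implies))


def redundant(direct, implies=IMPLIES):
    """Audit helper: direct assignments already covered by another direct
    assignment, i.e. grants that can be removed without losing anything."""
    direct = set(direct)
    return {p for p in direct if p in expand(direct - {p}, implies)}


if __name__ == "__main__":
    # Constructed user: two direct grants, nothing else.
    user = {"MANAGE_ADMIN_APPS", "CREATE_CHILD_ACCOUNT_USERS"}
    print(sorted(get_permissions(user, False)))   # the two direct grants only
    print(sorted(get_permissions(user, True)))    # nine effective permissions
    print(granted_by(user, "GET_ADMIN_APPS"))      # ['MANAGE_ADMIN_APPS']
    print(redundant({"MANAGE_ADMIN_APPS", "GET_ADMIN_APPS"}))  # {'GET_ADMIN_APPS'}
```

When reviewing a user's effective rights, query the endpoint with implied permissions enabled; the direct-only listing understates what the user can actually do, which is exactly the gap `expand` closes.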
User's permissions in all groups. Note that this will only be returned if the user has one or more all-groups roles.
CREATE_GROUP_APPROVAL_POLICY: Permission to create group-level approval policy. Note that updating/deleting the approval policy is protected by the approval policy itself. Implies GET_GROUP.
UPDATE_GROUP_EXTERNAL_LINKS: Permission to update external HSM/KMS configurations. Note that this is only useful for groups backed by an external HSM/KMS. Implies GET_GROUP.
MANAGE_GROUP_CLIENT_CONFIGS: Permission to manage group-level client configurations. Implies GET_GROUP.
UPDATE_GROUP_PROFILE: Permission to update name, description and custom metadata of the group. Implies GET_GROUP.
DELETE_GROUP: Permission to delete the group. Implies GET_GROUP.
MAP_EXTERNAL_ROLES_FOR_APPS: Permission to map external roles to DSM groups for apps authorized through LDAP. Implies GET_GROUP.
MAP_EXTERNAL_ROLES_FOR_USERS: Permission to map external roles to DSM groups for users authorized through LDAP. Implies GET_GROUP.
MAP_EXTERNAL_ROLES: Currently implies MAP_EXTERNAL_ROLES_FOR_APPS, MAP_EXTERNAL_ROLES_FOR_USERS, and GET_GROUP permissions.
ADD_USERS_TO_GROUP: Permission to add users to the group.
DELETE_USERS_FROM_GROUP: Permission to remove users from the group.
UPDATE_USERS_GROUP_ROLE: Permission to change users' role in the group.
MANAGE_GROUP_USERS: Currently implies ADD_USERS_TO_GROUP, DELETE_USERS_FROM_GROUP, and UPDATE_USERS_GROUP_ROLE permissions.
CREATE_GROUP_SOBJECT_POLICIES: Permission to create various group-level security object policies including cryptographic policy, key metadata policy and key history policy. Implies GET_GROUP.
UPDATE_GROUP_SOBJECT_POLICIES: Permission to update various group-level security object policies including cryptographic policy, key metadata policy and key history policy. Implies GET_GROUP.
DELETE_GROUP_SOBJECT_POLICIES: Permission to delete various group-level security object policies including cryptographic policy, key metadata policy and key history policy. Implies GET_GROUP.
MANAGE_GROUP_SOBJECT_POLICIES: Currently implies CREATE_GROUP_SOBJECT_POLICIES, UPDATE_GROUP_SOBJECT_POLICIES, DELETE_GROUP_SOBJECT_POLICIES, and GET_GROUP permissions.
CREATE_GROUP_CUSTODIAN_POLICY: Permission to create a key custodian policy for the group. Implies GET_GROUP.
UPDATE_GROUP_CUSTODIAN_POLICY: Permission to update the group's key custodian policy. Implies GET_GROUP.
DELETE_GROUP_CUSTODIAN_POLICY: Permission to delete the group's key custodian policy. Implies GET_GROUP.
MANAGE_GROUP_CUSTODIAN_POLICY: Currently implies CREATE_GROUP_CUSTODIAN_POLICY, UPDATE_GROUP_CUSTODIAN_POLICY, DELETE_GROUP_CUSTODIAN_POLICY, and GET_GROUP permissions.
CREATE_APPS: Permission to create cryptographic apps. Implies GET_APPS.
UPDATE_APPS: Permission to update cryptographic apps. Implies GET_APPS.
RETRIEVE_APP_SECRETS: Permission to retrieve cryptographic apps' secrets. Note that not all cryptographic app credentials contain secrets. If a cryptographic app's credential does not contain any secrets, GET_APPS permission is sufficient to call the GetAppCredential API. Implies GET_APPS.
DELETE_APPS: Permission to delete cryptographic apps. Implies GET_APPS.
MANAGE_APPS: Currently implies CREATE_APPS, UPDATE_APPS, RETRIEVE_APP_SECRETS, DELETE_APPS, and GET_APPS permissions.
CREATE_PLUGINS: Permission to create plugins. Implies GET_PLUGINS. For creating a plugin, the following group permissions are also required in each group the plugin is being added to, to prevent privilege escalation: CREATE_SOBJECTS, EXPORT_SOBJECTS, COPY_SOBJECTS, WRAP_SOBJECTS, UNWRAP_SOBJECTS, ENCAPSULATE_SOBJECTS, DECAPSULATE_SOBJECTS, DERIVE_SOBJECTS, TRANSFORM_SOBJECTS, UPDATE_SOBJECTS_ENABLED_STATE, ROTATE_SOBJECTS, DELETE_SOBJECTS, REVOKE_SOBJECTS, ACTIVATE_SOBJECTS, MOVE_SOBJECTS, UPDATE_KEY_OPS, UPDATE_SOBJECT_POLICIES, UPDATE_SOBJECTS_PROFILE, GET_GROUP, GET_SOBJECTS, GET_APPS, GET_PLUGINS, GET_AUDIT_LOGS. The following account permission is required as well: GET_ALL_USERS.
UPDATE_PLUGINS: Permission to update plugins. Implies GET_PLUGINS. For updating a plugin, the following group permissions are also required in each group the plugin is being added to, to prevent privilege escalation: CREATE_SOBJECTS, EXPORT_SOBJECTS, COPY_SOBJECTS, WRAP_SOBJECTS, UNWRAP_SOBJECTS, ENCAPSULATE_SOBJECTS, DECAPSULATE_SOBJECTS, UPDATE_SOBJECTS_ENABLED_STATE, ROTATE_SOBJECTS, DELETE_SOBJECTS, REVOKE_SOBJECTS, ACTIVATE_SOBJECTS, MOVE_SOBJECTS, UPDATE_KEY_OPS, UPDATE_SOBJECT_POLICIES, UPDATE_SOBJECTS_PROFILE, GET_GROUP, GET_SOBJECTS, GET_APPS, GET_PLUGINS, GET_AUDIT_LOGS. The following account permission is required as well while adding new groups: GET_ALL_USERS.
INVOKE_PLUGINS: Permission to invoke plugins. Implies GET_PLUGINS.
DELETE_PLUGINS: Permission to delete plugins. Implies GET_PLUGINS.
MANAGE_PLUGINS: Currently implies CREATE_PLUGINS, UPDATE_PLUGINS, INVOKE_PLUGINS, DELETE_PLUGINS, and GET_PLUGINS permissions.
CREATE_SOBJECTS: Permission to create security objects. This permission is required for APIs that result in creation of a new security object, including Generate, Import and Unwrap. Also required in the destination group when moving a key to a different group or when copying a key. Implies GET_SOBJECTS.
EXPORT_SOBJECTS: Permission to export security objects. This permission is required for the Export, ExportByComponents, Copy (depending on destination group), Restore, and Wrap (for a wrapped security object) APIs. Implies GET_SOBJECTS.
COPY_SOBJECTS: Permission to copy security objects. This permission is required in the source group when calling the Copy API. Implies GET_SOBJECTS.
WRAP_SOBJECTS: Permission to wrap security objects. This permission is required in the wrapping security object's group. Implies GET_SOBJECTS.
UNWRAP_SOBJECTS: Permission to unwrap security objects. This permission is required in the unwrapping security object's group. Implies GET_SOBJECTS.
DERIVE_SOBJECTS: Permission to derive other security objects. Implies GET_SOBJECTS.
TRANSFORM_SOBJECTS: Permission to transform security objects. Implies GET_SOBJECTS.
UPDATE_SOBJECTS_ENABLED_STATE: Permission to enable/disable security objects. Implies GET_SOBJECTS.
ROTATE_SOBJECTS: Permission to rotate (a.k.a. "rekey") security objects. Implies GET_SOBJECTS.
DELETE_SOBJECTS: Permission to delete security objects. Implies GET_SOBJECTS.
DESTROY_SOBJECTS: Permission to destroy security objects. Implies GET_SOBJECTS.
REVOKE_SOBJECTS: Permission to revoke security objects, i.e. mark security objects as deactivated or compromised. Implies GET_SOBJECTS.
ACTIVATE_SOBJECTS: Permission to activate security objects. Implies GET_SOBJECTS.
REVERT_SOBJECTS: Permission to revert changes to security objects. Implies GET_SOBJECTS.
DELETE_KEY_MATERIAL: Permission to delete key material, including removing the private key part of an asymmetric key pair and removing key material of security objects backed by an external HSM/KMS. Implies GET_SOBJECTS.
MOVE_SOBJECTS: Permission to move security objects. This permission is required in the source group for changing the group of a security object. Note that changing the group of a security object also requires CREATE_SOBJECTS permission in the destination group. Implies GET_SOBJECTS.
UPDATE_KEY_OPS: Permission to update key operations of security objects. Implies GET_SOBJECTS.
UPDATE_SOBJECT_POLICIES: Permission to update individual security objects' policies. This permission allows updating RSA options, as well as the Google access reason policy (for use with Google EKM APIs) defined on the security object itself. Implies GET_SOBJECTS.
UPDATE_SOBJECTS_PROFILE: Permission to update name, description, custom metadata, key links (currently only create parent link), and publish public key settings of security objects. Implies GET_SOBJECTS.
SCAN_EXTERNAL_SOBJECTS: Permission to scan for security objects in an external HSM/KMS. Implies GET_SOBJECTS.
RESTORE_EXTERNAL_SOBJECTS: Permission to restore key material of security objects backed by an external HSM/KMS. Note that calling the Restore API needs this permission in the destination group as well as EXPORT_SOBJECTS permission in the source group (where the object was copied from originally). Implies GET_SOBJECTS.
WRAP_WORKSPACE_CSE: Permission to call the Workspace CSE Wrap API.
UNWRAP_WORKSPACE_CSE: Permission to call the Workspace CSE Unwrap API.
WORKSPACE_CSE:
GET_GROUP: Permission to get information about the group.
GET_SOBJECTS: Permission to get security objects stored in the group.
GET_APPS: Permission to get cryptographic apps in the group.
GET_PLUGINS: Permission to get plugins in the group.
GET_GROUP_APPROVAL_REQUESTS: Permission to get approval requests related to the group.
GET_AUDIT_LOGS: Permission to get audit logs related to the group.
MANAGE_GROUP_WRAPPING_KEY: Permission to update or remove the wrapping key of the group.
ENCAPSULATE_SOBJECTS: Permission to encapsulate security objects. Implies CREATE_SOBJECTS.
DECAPSULATE_SOBJECTS: Permission to decapsulate security objects. Implies CREATE_SOBJECTS.
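Several of the group-level entries above require permissions in more than one scope at once: moving a security object needs MOVE_SOBJECTS in the source group and CREATE_SOBJECTS in the destination; copying needs COPY_SOBJECTS (and, depending on the destination group, EXPORT_SOBJECTS) in the source and CREATE_SOBJECTS in the destination; Restore needs RESTORE_EXTERNAL_SOBJECTS in the destination and EXPORT_SOBJECTS in the source; and creating a plugin needs the listed set in every group the plugin is added to, plus GET_ALL_USERS at account level. The Python below is an added example, not Fortanix code or code from this page: a pre-flight checker that reports, per scope, which of those permissions a caller lacks, so a missing grant is found before the API call fails. The group names and permission sets are constructed and are assumed to already include implied permissions (the permission listing with implied permissions enabled gives exactly that).

```python
# Per-group permissions this page says a plugin creator needs in every
# group the plugin is added to, plus CREATE_PLUGINS itself.
PLUGIN_GROUP_REQUIRED = frozenset({
    "CREATE_PLUGINS",
    "CREATE_SOBJECTS", "EXPORT_SOBJECTS", "COPY_SOBJECTS", "WRAP_SOBJECTS",
    "UNWRAP_SOBJECTS", "ENCAPSULATE_SOBJECTS", "DECAPSULATE_SOBJECTS",
    "DERIVE_SOBJECTS", "TRANSFORM_SOBJECTS", "UPDATE_SOBJECTS_ENABLED_STATE",
    "ROTATE_SOBJECTS", "DELETE_SOBJECTS", "REVOKE_SOBJECTS", "ACTIVATE_SOBJECTS",
    "MOVE_SOBJECTS", "UPDATE_KEY_OPS", "UPDATE_SOBJECT_POLICIES",
    "UPDATE_SOBJECTS_PROFILE", "GET_GROUP", "GET_SOBJECTS", "GET_APPS",
    "GET_PLUGINS", "GET_AUDIT_LOGS",
})
# Account-level permission the page lists for plugin creation.
PLUGIN_ACCOUNT_REQUIRED = frozenset({"GET_ALL_USERS"})


def _require(problems, scope, required, held):
    """Record under `scope` the permissions from `required` that `held` lacks."""
    lacking = sorted(set(required) - set(held))
    if lacking:
        problems[scope] = lacking


def check_move(group_perms, src, dst):
    """Move: MOVE_SOBJECTS in the source group, CREATE_SOBJECTS in the destination."""
    problems = {}
    _require(problems, src, {"MOVE_SOBJECTS"}, group_perms.get(src, ()))
    _require(problems, dst, {"CREATE_SOBJECTS"}, group_perms.get(dst, ()))
    return problems  # empty dict means the caller holds everything needed


def check_copy(group_perms, src, dst):
    """Copy: COPY_SOBJECTS in the source and CREATE_SOBJECTS in the destination.
    The page says EXPORT_SOBJECTS in the source is needed "depending on
    destination group" without stating the condition; this checker assumes
    it is always needed, the conservative reading."""
    problems = {}
    _require(problems, src, {"COPY_SOBJECTS", "EXPORT_SOBJECTS"}, group_perms.get(src, ()))
    _require(problems, dst, {"CREATE_SOBJECTS"}, group_perms.get(dst, ()))
    return problems


def check_restore(group_perms, src, dst):
    """Restore: RESTORE_EXTERNAL_SOBJECTS in the destination and EXPORT_SOBJECTS
    in the source group the object was originally copied from."""
    problems = {}
    _require(problems, src, {"EXPORT_SOBJECTS"}, group_perms.get(src, ()))
    _require(problems, dst, {"RESTORE_EXTERNAL_SOBJECTS"}, group_perms.get(dst, ()))
    return problems


def check_create_plugin(group_perms, account_perms, groups):
    """Plugin creation: the full per-group set in every target group, plus
    GET_ALL_USERS at account level."""
    problems = {}
    _require(problems, "account", PLUGIN_ACCOUNT_REQUIRED, account_perms)
    for group in groups:
        _require(problems, group, PLUGIN_GROUP_REQUIRED, group_perms.get(group, ()))
    return problems


if __name__ == "__main__":
    # Constructed caller: broad rights in "payments", read-plus-create in "archive".
    perms = {
        "payments": set(PLUGIN_GROUP_REQUIRED),
        "archive": {"GET_GROUP", "GET_SOBJECTS", "CREATE_SOBJECTS"},
    }
    print(check_move(perms, "payments", "archive"))   # {}
    print(check_move(perms, "archive", "payments"))   # {'archive': ['MOVE_SOBJECTS']}
    print(check_create_plugin(perms, set(), ["payments", "archive"]))
```

The per-group rule for plugins is the one to watch when granting CREATE_PLUGINS: a user who holds it in one group but lacks, say, EXPORT_SOBJECTS in another cannot add the plugin to that second group, which is what keeps a plugin from exercising rights its author does not have.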
User's permissions in groups.
Same permission values as listed under the all-groups permissions above.