Access Approval roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Access Approval. To search through all roles and permissions, see the role and permission index.

Access Approval roles

Role Permissions

Access Approval Approver

(roles/accessapproval.approver)

Ability to view or act on access approval requests and view configuration.

accessapproval.requests.*

accessapproval.requests.approve
accessapproval.requests.dismiss
accessapproval.requests.get
accessapproval.requests.invalidate
accessapproval.requests.list

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

Access Approval Config Editor

(roles/accessapproval.configEditor)

Ability to update the Access Approval configuration

accessapproval.serviceAccounts.get

accessapproval.settings.*

accessapproval.settings.delete
accessapproval.settings.get
accessapproval.settings.update

resourcemanager.projects.get

resourcemanager.projects.list

Access Approval Invalidator

(roles/accessapproval.invalidator)

Ability to invalidate existing approved approval requests

accessapproval.requests.invalidate

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

Access Approval Viewer

(roles/accessapproval.viewer)

Ability to view access approval requests and configuration

accessapproval.requests.get

accessapproval.requests.list

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

Access Approval permissions

Permission	Included in roles
`accessapproval.requests.approve`	Owner (`roles/owner`) Access Approval Approver (`roles/accessapproval.approver`)
`accessapproval.requests.dismiss`	Owner (`roles/owner`) Access Approval Approver (`roles/accessapproval.approver`)
`accessapproval.requests.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Approval Approver (`roles/accessapproval.approver`) Access Approval Viewer (`roles/accessapproval.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Controls Partner Access Approval Service Agent (`roles/cloudcontrolspartner.accessApprovalServiceAgent`)
`accessapproval.requests.invalidate`	Owner (`roles/owner`) Access Approval Approver (`roles/accessapproval.approver`) Access Approval Invalidator (`roles/accessapproval.invalidator`)
`accessapproval.requests.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Approval Approver (`roles/accessapproval.approver`) Access Approval Viewer (`roles/accessapproval.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Controls Partner Access Approval Service Agent (`roles/cloudcontrolspartner.accessApprovalServiceAgent`)
`accessapproval.serviceAccounts.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Approval Approver (`roles/accessapproval.approver`) Access Approval Config Editor (`roles/accessapproval.configEditor`) Access Approval Invalidator (`roles/accessapproval.invalidator`) Access Approval Viewer (`roles/accessapproval.viewer`)
`accessapproval.settings.delete`	Owner (`roles/owner`) Access Approval Config Editor (`roles/accessapproval.configEditor`)
`accessapproval.settings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Approval Approver (`roles/accessapproval.approver`) Access Approval Config Editor (`roles/accessapproval.configEditor`) Access Approval Invalidator (`roles/accessapproval.invalidator`) Access Approval Viewer (`roles/accessapproval.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`accessapproval.settings.update`	Owner (`roles/owner`) Access Approval Config Editor (`roles/accessapproval.configEditor`)

Access Approval roles and permissions
Stay organized with collections Save and categorize content based on your preferences.