R12.3-2026Apr21

NetBrain Required GCP IAM Permissions

Best Practice 1:

Scenario: Discover resources of all the Projects under the Organization.

Permissions assignment approach: Assign all the required permissions (or system roles) under the Organization.

Organization Roles Required:

  • Browser (ID: roles/browser)
  • Compute Organization Security Policy User (ID: roles/compute.orgSecurityPolicyUser)
  • Compute Viewer (ID: roles/compute.viewer)
  • DNS Reader (ID: roles/dns.reader)
  • Logs Viewer (ID: roles/logging.viewer)
  • Monitoring Viewer (ID: roles/monitoring.viewer)
  • Private Logs Viewer (ID: roles/logging.privateLogViewer)
  • Service Usage Viewer (ID: roles/serviceusage.serviceUsageViewer)
  • Cloud Asset Viewer (ID: roles/cloudasset.viewer)

 

Best Practice 2:

Scenario: Discover resources of some Projects under the Organization.

Permissions assignment approach: Assign the organization-level permissions (or system roles) at the Organization level, and assign the project-level permissions (or system roles) at the Project level.

Organization Roles Required:

  • Browser (ID: roles/browser)
  • Compute Organization Security Policy User (ID: roles/compute.orgSecurityPolicyUser)
  • Logs Viewer (ID: roles/logging.viewer)
  • Monitoring Viewer (ID: roles/monitoring.viewer)
  • Private Logs Viewer (ID: roles/logging.privateLogViewer)
  • Service Usage Viewer (ID: roles/serviceusage.serviceUsageViewer)

 

Project Roles Required:

  • Compute Viewer (ID: roles/compute.viewer)
  • DNS Reader (ID: roles/dns.reader)
  • Cloud Asset Viewer (ID: roles/cloudasset.viewer)
  • Dataproc Viewer (ID: roles/dataproc.viewer)

The principle behind these best practices is that every resource NetBrain discovers must be covered by IAM permissions granted at the proper scope, either organization or project.
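One way to check the Best Practice 2 split before running discovery, as an added example that is not NetBrain's own tooling: it compares IAM policy JSON (the shape returned by get-iam-policy) with the organization and project role lists above and reports roles that are missing or granted beyond the list. The service account name and both sample policies are constructed placeholders.

```python
# Added example: audit IAM policy JSON against the Best Practice 2 role lists.
ORG_ROLES = {
    "roles/browser",
    "roles/compute.orgSecurityPolicyUser",
    "roles/logging.viewer",
    "roles/monitoring.viewer",
    "roles/logging.privateLogViewer",
    "roles/serviceusage.serviceUsageViewer",
}
PROJECT_ROLES = {
    "roles/compute.viewer",
    "roles/dns.reader",
    "roles/cloudasset.viewer",
    "roles/dataproc.viewer",
}

def roles_of(policy, member):
    """Roles bound to `member` in a policy dict (conditions are not evaluated)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def audit(policy, member, required, inherited=frozenset()):
    """Return (missing, extra): required roles neither granted at this scope
    nor inherited from a parent, and roles granted here beyond the list."""
    granted = roles_of(policy, member)
    missing = required - granted - inherited
    extra = granted - required
    return sorted(missing), sorted(extra)

# Constructed sample policies; the service account name is a placeholder.
SA = "serviceAccount:netbrain-discovery@example-project.iam.gserviceaccount.com"
ORG_POLICY = {"bindings": [
    {"role": r, "members": [SA]} for r in sorted(ORG_ROLES)
]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/compute.viewer", "members": [SA, "user:admin@example.com"]},
    {"role": "roles/dns.reader", "members": [SA]},
    {"role": "roles/editor", "members": [SA]},  # over-privileged grant
    {"role": "roles/cloudasset.viewer", "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    print("org    ", audit(ORG_POLICY, SA, ORG_ROLES))
    print("project", audit(PROJECT_POLICY, SA, PROJECT_ROLES,
                           inherited=roles_of(ORG_POLICY, SA)))
```

The `inherited` argument reflects that roles granted at the Organization also apply to its Projects, so a role bound at the organization is not reported as missing on a project.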

Required built-in roles for the Organization:

  • Browser (ID: roles/browser)
  • Compute Organization Security Policy User (ID: roles/compute.orgSecurityPolicyUser)
  • Logs Viewer (ID: roles/logging.viewer)
  • Monitoring Viewer (ID: roles/monitoring.viewer)
  • Private Logs Viewer (ID: roles/logging.privateLogViewer)
  • Service Usage Viewer (ID: roles/serviceusage.serviceUsageViewer)

 

Required built-in roles for Projects:

  • Compute Viewer (ID: roles/compute.viewer)
  • DNS Reader (ID: roles/dns.reader)
  • Logs Viewer (ID: roles/logging.viewer)
  • Monitoring Viewer (ID: roles/monitoring.viewer)
  • Private Logs Viewer (ID: roles/logging.privateLogViewer)
  • Service Usage Viewer (ID: roles/serviceusage.serviceUsageViewer)
  • Cloud Asset Viewer (ID: roles/cloudasset.viewer)