GCP IAM Updates Detected

roles/aiplatform.admin

@@ -137,7 +137,9 @@
     "aiplatform.featureGroups.create",
     "aiplatform.featureGroups.delete",
     "aiplatform.featureGroups.get",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
+    "aiplatform.featureGroups.setIamPolicy",
     "aiplatform.featureGroups.update",
     "aiplatform.featureOnlineStores.create",
     "aiplatform.featureOnlineStores.delete",

roles/aiplatform.featurestoreAdmin

@@ -18,7 +18,9 @@
     "aiplatform.featureGroups.create",
     "aiplatform.featureGroups.delete",
     "aiplatform.featureGroups.get",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
+    "aiplatform.featureGroups.setIamPolicy",
     "aiplatform.featureGroups.update",
     "aiplatform.featureOnlineStores.create",
     "aiplatform.featureOnlineStores.delete",

roles/appmetadata.workspaceMarketplaceAppConfigurationAdmin

@@ -0,0 +1,19 @@
+{
+  "description": "Workspace Marketplace App Configuration Admin",
+  "etag": "AA==",
+  "includedPermissions": [
+    "chat.bots.get",
+    "clientauthconfig.clients.create",
+    "gsuiteaddons.deployments.create",
+    "gsuiteaddons.deployments.delete",
+    "gsuiteaddons.deployments.list",
+    "gsuiteaddons.deployments.update",
+    "resourcemanager.projects.get",
+    "serviceusage.services.get",
+    "workspacemarketplace.appConfiguration.update",
+    "workspacemarketplace.appConfiguration.view"
+  ],
+  "name": "roles/appmetadata.workspaceMarketplaceAppConfigurationAdmin",
+  "stage": "BETA",
+  "title": "Workspace Marketplace App Configuration Admin"
+}

roles/backupdr.backupConfigViewer

@@ -2,6 +2,7 @@
   "description": "Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.",
   "etag": "AA==",
   "includedPermissions": [
+    "backupdr.locations.list",
     "backupdr.resourceBackupConfigs.get",
     "backupdr.resourceBackupConfigs.list"
   ],

roles/cloudaicompanion.user

@@ -7,6 +7,7 @@
     "cloudaicompanion.entitlements.get",
     "cloudaicompanion.instances.completeCode",
     "cloudaicompanion.instances.completeTask",
+    "cloudaicompanion.instances.exportMetrics",
     "cloudaicompanion.instances.generateCode",
     "cloudaicompanion.instances.generateText",
     "cloudaicompanion.licenses.selfAssign",

roles/dataflow.serviceAgent

@@ -1382,6 +1382,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

roles/datafusion.serviceAgent

@@ -434,6 +434,7 @@
     "dns.networks.bindPrivateDNSZone",
     "dns.networks.targetWithPeeringZone",
     "firebase.projects.get",
+    "logging.logEntries.create",
     "monitoring.metricDescriptors.create",
     "monitoring.metricDescriptors.get",
     "monitoring.metricDescriptors.list",
@@ -587,6 +588,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

roles/dataproc.serviceAgent

@@ -338,9 +338,7 @@
     "resourcemanager.hierarchyNodes.listEffectiveTags",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list",
-    "servicemanagement.services.bind",
     "serviceusage.quotas.get",
-    "serviceusage.services.enable",
     "serviceusage.services.get",
     "serviceusage.services.list",
     "serviceusage.services.use",
@@ -366,6 +364,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

roles/discoveryengine.notebookEditor

@@ -0,0 +1,7 @@
+{
+  "description": "Grants read and write access to a Cloud NotebookLM Notebook.",
+  "etag": "AA==",
+  "name": "roles/discoveryengine.notebookEditor",
+  "stage": "BETA",
+  "title": "Cloud NotebookLM Notebook Editor"
+}

roles/discoveryengine.notebookLmOwner

@@ -0,0 +1,13 @@
+{
+  "description": "Grants full access to Cloud NotebookLM resources.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "discoveryengine.aclConfigs.get",
+    "discoveryengine.aclConfigs.update",
+    "resourcemanager.projects.get",
+    "resourcemanager.projects.list"
+  ],
+  "name": "roles/discoveryengine.notebookLmOwner",
+  "stage": "BETA",
+  "title": "Cloud NotebookLM Admin"
+}

roles/discoveryengine.notebookLmUser

@@ -0,0 +1,11 @@
+{
+  "description": "Grants user-level access to Cloud NotebookLM resources.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "resourcemanager.projects.get",
+    "resourcemanager.projects.list"
+  ],
+  "name": "roles/discoveryengine.notebookLmUser",
+  "stage": "BETA",
+  "title": "Cloud NotebookLM User"
+}

roles/discoveryengine.notebookOwner

@@ -0,0 +1,7 @@
+{
+  "description": "Grants full access to a Cloud NotebookLM Notebook.",
+  "etag": "AA==",
+  "name": "roles/discoveryengine.notebookOwner",
+  "stage": "BETA",
+  "title": "Cloud NotebookLM Notebook Owner"
+}

roles/discoveryengine.notebookViewer

@@ -0,0 +1,7 @@
+{
+  "description": "Grants read-only access to a Cloud NotebookLM Notebook.",
+  "etag": "AA==",
+  "name": "roles/discoveryengine.notebookViewer",
+  "stage": "ALPHA",
+  "title": "Cloud NotebookLM Notebook Viewer"
+}

roles/dlp.serviceAgent

@@ -203,6 +203,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

roles/editor

@@ -180,6 +180,7 @@
     "aiplatform.featureGroups.create",
     "aiplatform.featureGroups.delete",
     "aiplatform.featureGroups.get",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
     "aiplatform.featureGroups.update",
     "aiplatform.featureOnlineStores.create",
@@ -1881,6 +1882,7 @@
     "cloudaicompanion.entitlements.get",
     "cloudaicompanion.instances.completeCode",
     "cloudaicompanion.instances.completeTask",
+    "cloudaicompanion.instances.exportMetrics",
     "cloudaicompanion.instances.generateCode",
     "cloudaicompanion.instances.generateText",
     "cloudaicompanion.licenses.selfAssign",
@@ -9149,6 +9151,8 @@
     "workloadmanager.operations.list",
     "workloadmanager.results.list",
     "workloadmanager.rules.list",
+    "workspacemarketplace.appConfiguration.update",
+    "workspacemarketplace.appConfiguration.view",
     "workstations.operations.get",
     "workstations.workstationClusters.create",
     "workstations.workstationClusters.delete",

roles/firebase.admin

@@ -543,6 +543,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

roles/firebase.developAdmin

@@ -447,6 +447,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

roles/iam.securityAdmin

@@ -38,7 +38,9 @@
     "aiplatform.entityTypes.setIamPolicy",
     "aiplatform.executions.list",
     "aiplatform.extensions.list",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
+    "aiplatform.featureGroups.setIamPolicy",
     "aiplatform.featureOnlineStores.getIamPolicy",
     "aiplatform.featureOnlineStores.list",
     "aiplatform.featureOnlineStores.setIamPolicy",

roles/managedkafka.client

@@ -2,6 +2,7 @@
   "description": "Provides access to connect to the Kafka servers in a cluster, i.e. provides Kafka data plane access. Intended for, e.g., producers and consumers.",
   "etag": "AA==",
   "includedPermissions": [
+    "cloudasset.assets.searchAllResources",
     "managedkafka.clusters.connect",
     "managedkafka.clusters.get",
     "managedkafka.clusters.list",

roles/managedkafka.viewer

@@ -2,6 +2,7 @@
   "description": "Readonly access to Managed Kafka resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "cloudasset.assets.searchAllResources",
     "managedkafka.clusters.get",
     "managedkafka.clusters.list",
     "managedkafka.consumerGroups.get",

roles/oauthconfig.editor

@@ -16,6 +16,12 @@
     "clientauthconfig.clients.listWithSecrets",
     "clientauthconfig.clients.undelete",
     "clientauthconfig.clients.update",
+    "firebase.clients.create",
+    "firebase.clients.get",
+    "firebase.clients.list",
+    "firebase.clients.update",
+    "firebaseappcheck.resourcePolicies.get",
+    "firebaseappcheck.resourcePolicies.update",
     "oauthconfig.clientpolicy.get",
     "oauthconfig.testusers.get",
     "oauthconfig.testusers.update",

roles/owner

@@ -188,7 +188,9 @@
     "aiplatform.featureGroups.create",
     "aiplatform.featureGroups.delete",
     "aiplatform.featureGroups.get",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
+    "aiplatform.featureGroups.setIamPolicy",
     "aiplatform.featureGroups.update",
     "aiplatform.featureOnlineStores.create",
     "aiplatform.featureOnlineStores.delete",
@@ -2036,6 +2038,7 @@
     "cloudaicompanion.entitlements.get",
     "cloudaicompanion.instances.completeCode",
     "cloudaicompanion.instances.completeTask",
+    "cloudaicompanion.instances.exportMetrics",
     "cloudaicompanion.instances.generateCode",
     "cloudaicompanion.instances.generateText",
     "cloudaicompanion.licenses.selfAssign",
@@ -9168,6 +9171,16 @@
     "retail.experiments.loadExperimentLookerDashboard",
     "retail.experiments.queryTrafficMetrics",
     "retail.experiments.update",
+    "retail.merchantControls.approverDelete",
+    "retail.merchantControls.approverGet",
+    "retail.merchantControls.approverList",
+    "retail.merchantControls.approverUpdate",
+    "retail.merchantControls.creatorCreate",
+    "retail.merchantControls.creatorDelete",
+    "retail.merchantControls.creatorGet",
+    "retail.merchantControls.creatorList",
+    "retail.merchantControls.creatorSubmit",
+    "retail.merchantControls.creatorUpdate",
     "retail.models.create",
     "retail.models.delete",
     "retail.models.get",
@@ -10392,6 +10405,8 @@
     "workloadmanager.operations.list",
     "workloadmanager.results.list",
     "workloadmanager.rules.list",
+    "workspacemarketplace.appConfiguration.update",
+    "workspacemarketplace.appConfiguration.view",
     "workstations.operations.get",
     "workstations.workstationClusters.create",
     "workstations.workstationClusters.createTagBinding",

roles/retail.merchantApprover

@@ -0,0 +1,7 @@
+{
+  "description": "Grants access and approval rights to MerchantControls in the merchant console.",
+  "etag": "AA==",
+  "name": "roles/retail.merchantApprover",
+  "stage": "ALPHA",
+  "title": "Retail Merchant Approver"
+}

roles/retail.merchantCreator

@@ -0,0 +1,15 @@
+{
+  "description": "Grants access to own MerchantControls in the merchant console.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "retail.merchantControls.creatorCreate",
+    "retail.merchantControls.creatorDelete",
+    "retail.merchantControls.creatorGet",
+    "retail.merchantControls.creatorList",
+    "retail.merchantControls.creatorSubmit",
+    "retail.merchantControls.creatorUpdate"
+  ],
+  "name": "roles/retail.merchantCreator",
+  "stage": "BETA",
+  "title": "Retail Merchant Creator"
+}

roles/storage.admin

@@ -41,6 +41,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",

roles/viewer

@@ -79,6 +79,7 @@
     "aiplatform.extensions.get",
     "aiplatform.extensions.list",
     "aiplatform.featureGroups.get",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
     "aiplatform.featureOnlineStores.get",
     "aiplatform.featureOnlineStores.getIamPolicy",
@@ -959,6 +960,7 @@
     "cloudaicompanion.entitlements.get",
     "cloudaicompanion.instances.completeCode",
     "cloudaicompanion.instances.completeTask",
+    "cloudaicompanion.instances.exportMetrics",
     "cloudaicompanion.instances.generateCode",
     "cloudaicompanion.instances.generateText",
     "cloudaicompanion.operations.get",
@@ -4610,6 +4612,7 @@
     "workloadmanager.operations.list",
     "workloadmanager.results.list",
     "workloadmanager.rules.list",
+    "workspacemarketplace.appConfiguration.view",
     "workstations.operations.get",
     "workstations.workstationClusters.get",
     "workstations.workstationClusters.list",

roles/visualinspection.serviceAgent

@@ -137,7 +137,9 @@
     "aiplatform.featureGroups.create",
     "aiplatform.featureGroups.delete",
     "aiplatform.featureGroups.get",
+    "aiplatform.featureGroups.getIamPolicy",
     "aiplatform.featureGroups.list",
+    "aiplatform.featureGroups.setIamPolicy",
     "aiplatform.featureGroups.update",
     "aiplatform.featureOnlineStores.create",
     "aiplatform.featureOnlineStores.delete",
@@ -459,6 +461,7 @@
     "storage.buckets.list",
     "storage.buckets.listEffectiveTags",
     "storage.buckets.listTagBindings",
+    "storage.buckets.relocate",
     "storage.buckets.restore",
     "storage.buckets.setIamPolicy",
     "storage.buckets.setIpFilter",