Migration Center 身分與存取權管理角色和權限

如果您建立 Google Cloud 專案來使用 Migration Center,您已具備啟用 Migration Center 及管理產品資源的所有必要權限。

在專案中新增成員時,您可以使用Identity and Access Management (IAM) 政策,為該成員提供一或多個 IAM 角色,控管成員在 Migration Center 可執行的動作。

本頁面說明您可能想指派給專案成員的一般角色,以及執行各種動作所需的權限。

事前準備

角色和動作

您可以在遷移中心執行三種主要類別的動作:

最佳做法是為專案成員指派角色,並授予執行必要動作所需的最低權限

建立 Migration Center 的額外角色

在為機構成員指派角色之前,請先建立自訂角色,簡化權限管理方式。步驟如下:

  1. 在 Google Cloud 控制台中,依序前往「IAM & Admin」(IAM 與管理) >「Roles」(角色)

    前往「Roles」(角色)

  2. 按一下「建立角色」

  3. 在「建立角色」頁面中,填入下列欄位:

    • 標題:「Migration Center 額外角色」

    • 說明:「Additional roles needed for Migration Center scenarios」(遷移中心情境所需的其他角色)

  4. 按一下「新增權限」

  5. 在權限清單中搜尋並選取下列權限:

    • iam.serviceAccountKeys.list
    • iam.serviceAccounts.list
    • resourcemanager.projects.update
    • serviceusage.services.enable

    然後按一下「新增」,即可新增權限。

  6. 按一下「建立」即可完成。

啟用 Migration Center

您必須先從 Google Cloud 控制台啟用 Migration Center,才能使用這項服務。這項一次性操作包括啟用 API 和選取區域,以儲存資源。

如要取得啟用 Migration Center 所需的權限,請要求管理員在專案中授予您下列 IAM 角色:

如要進一步瞭解如何授予角色,請參閱「管理專案、資料夾和組織的存取權」。

這些預先定義的角色具備啟用 Migration Center 所需的權限。如要查看確切的必要權限,請展開「Required permissions」(必要權限) 部分:

所需權限

如要啟用 Migration Center,必須具備下列權限:

  • migrationcenter.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • rma.*
  • resourcemanager.projects.update
  • serviceusage.services.list
  • serviceusage.services.enable
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.list
  • resourcemanager.projects.update

您或許還可透過自訂角色或其他預先定義的角色取得這些權限。

管理 Migration Center 資源

管理 Migration Center 資源包括產生費用估算、建立用戶資產評估器,以及移除資產等動作。

如要取得管理 Migration Center 資源所需的權限,請要求管理員授予您專案的下列 IAM 角色:

  • Migration Center 管理員 (migrationcenter.admin)
  • Migration Center 其他角色
  • 檢視者 (viewer)
  • 服務帳戶金鑰管理員 (iam.serviceAccountKeyAdmin)

如要進一步瞭解如何授予角色,請參閱「管理專案、資料夾和組織的存取權」。

這些預先定義的角色具備管理 Migration Center 資源所需的權限。如要查看確切的必要權限,請展開「Required permissions」(必要權限) 部分:

所需權限

如要管理 Migration Center 資源,必須具備下列權限:

  • migrationcenter.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • rma.*
  • serviceusage.services.list
  • iam.serviceAccounts.list
  • iam.serviceAccountKeys.list

您或許還可透過自訂角色或其他預先定義的角色取得這些權限。

查看 Migration Center 資源

如要取得查看 Migration Center 資源所需的權限,請要求管理員在專案中授予您下列 IAM 角色:

  • Migration Center 檢視者 (migrationcenter.viewer)
  • 檢視者 (viewer)
  • 快速遷移評估檢視者 (rma.viewer)

如要進一步瞭解如何授予角色,請參閱「管理專案、資料夾和組織的存取權」。

這些預先定義的角色具備查看 Migration Center 資源所需的權限。如要查看確切的必要權限,請展開「Required permissions」(必要權限) 部分:

所需權限

如要查看 Migration Center 資源,必須具備下列權限:

  • migrationcenter.assets.get
  • migrationcenter.assets.list
  • migrationcenter.groups.get
  • migrationcenter.groups.list
  • migrationcenter.importJobs.get
  • migrationcenter.importJobs.list
  • migrationcenter.locations.*
  • migrationcenter.operations.get
  • migrationcenter.operations.list
  • migrationcenter.sources.get
  • migrationcenter.sources.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • rma.annotations.get
  • rma.collectors.get
  • rma.collectors.list
  • rma.locations.*
  • rma.operations.get
  • rma.operations.list

您或許還可透過自訂角色或其他預先定義的角色取得這些權限。

角色和權限

下表列出 Migration Center 提供的角色和權限。

Migration Center 角色和權限

Role Permissions

(roles/migrationcenter.admin)

Full access to Migration Center all resources.

migrationcenter.*

  • migrationcenter.assets.delete
  • migrationcenter.assets.get
  • migrationcenter.assets.list
  • migrationcenter.assets.reportFrames
  • migrationcenter.assets.update
  • migrationcenter.assetsExportJobs.create
  • migrationcenter.assetsExportJobs.delete
  • migrationcenter.assetsExportJobs.get
  • migrationcenter.assetsExportJobs.list
  • migrationcenter.assetsExportJobs.run
  • migrationcenter.discoveryClients.create
  • migrationcenter.discoveryClients.delete
  • migrationcenter.discoveryClients.get
  • migrationcenter.discoveryClients.list
  • migrationcenter.discoveryClients.sendHeartbeat
  • migrationcenter.discoveryClients.update
  • migrationcenter.errorFrames.get
  • migrationcenter.errorFrames.list
  • migrationcenter.groups.create
  • migrationcenter.groups.delete
  • migrationcenter.groups.get
  • migrationcenter.groups.list
  • migrationcenter.groups.update
  • migrationcenter.importDataFiles.create
  • migrationcenter.importDataFiles.delete
  • migrationcenter.importDataFiles.get
  • migrationcenter.importDataFiles.list
  • migrationcenter.importJobs.create
  • migrationcenter.importJobs.delete
  • migrationcenter.importJobs.get
  • migrationcenter.importJobs.list
  • migrationcenter.importJobs.update
  • migrationcenter.locations.get
  • migrationcenter.locations.list
  • migrationcenter.operations.cancel
  • migrationcenter.operations.delete
  • migrationcenter.operations.get
  • migrationcenter.operations.list
  • migrationcenter.preferenceSets.create
  • migrationcenter.preferenceSets.delete
  • migrationcenter.preferenceSets.get
  • migrationcenter.preferenceSets.list
  • migrationcenter.preferenceSets.update
  • migrationcenter.relations.get
  • migrationcenter.relations.list
  • migrationcenter.reportConfigs.create
  • migrationcenter.reportConfigs.delete
  • migrationcenter.reportConfigs.get
  • migrationcenter.reportConfigs.list
  • migrationcenter.reports.create
  • migrationcenter.reports.delete
  • migrationcenter.reports.get
  • migrationcenter.reports.list
  • migrationcenter.settings.get
  • migrationcenter.settings.update
  • migrationcenter.sources.create
  • migrationcenter.sources.delete
  • migrationcenter.sources.get
  • migrationcenter.sources.list
  • migrationcenter.sources.update

resourcemanager.projects.get

resourcemanager.projects.list

rma.*

  • rma.annotations.create
  • rma.annotations.get
  • rma.collectors.create
  • rma.collectors.delete
  • rma.collectors.get
  • rma.collectors.list
  • rma.collectors.update
  • rma.locations.get
  • rma.locations.list
  • rma.operations.cancel
  • rma.operations.delete
  • rma.operations.get
  • rma.operations.list

serviceusage.quotas.get

(roles/migrationcenter.viewer)

Read-only access to Migration Center all resources.

migrationcenter.assets.get

migrationcenter.assets.list

migrationcenter.assetsExportJobs.get

migrationcenter.assetsExportJobs.list

migrationcenter.discoveryClients.get

migrationcenter.discoveryClients.list

migrationcenter.errorFrames.*

  • migrationcenter.errorFrames.get
  • migrationcenter.errorFrames.list

migrationcenter.groups.get

migrationcenter.groups.list

migrationcenter.importDataFiles.get

migrationcenter.importDataFiles.list

migrationcenter.importJobs.get

migrationcenter.importJobs.list

migrationcenter.locations.*

  • migrationcenter.locations.get
  • migrationcenter.locations.list

migrationcenter.operations.get

migrationcenter.operations.list

migrationcenter.preferenceSets.get

migrationcenter.preferenceSets.list

migrationcenter.relations.*

  • migrationcenter.relations.get
  • migrationcenter.relations.list

migrationcenter.reportConfigs.get

migrationcenter.reportConfigs.list

migrationcenter.reports.get

migrationcenter.reports.list

migrationcenter.settings.get

migrationcenter.sources.get

migrationcenter.sources.list

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.locations.*

  • rma.locations.get
  • rma.locations.list

rma.operations.get

rma.operations.list

serviceusage.quotas.get

(roles/migrationcenter.discoveryClient)

Migration Center Discover Client role

migrationcenter.assets.reportFrames

migrationcenter.discoveryClients.get

migrationcenter.discoveryClients.sendHeartbeat

(roles/migrationcenter.discoveryClientRegistrator)

Registrator of Migration Center Discover Clients

migrationcenter.discoveryClients.create

migrationcenter.discoveryClients.delete

migrationcenter.discoveryClients.update

migrationcenter.operations.get

migrationcenter.sources.create

migrationcenter.sources.delete

resourcemanager.projects.get

resourcemanager.projects.list

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

(roles/migrationcenter.serviceAgent)

Gives Migration Center Service Account access to objects storedin object store and Cloud Migration products.

storage.objects.get

vmmigration.migratingVms.create

快速遷移評估角色和權限

Role Permissions

(roles/rma.admin)

Full access to Rapid Migration Assessment all resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.*

  • rma.annotations.create
  • rma.annotations.get
  • rma.collectors.create
  • rma.collectors.delete
  • rma.collectors.get
  • rma.collectors.list
  • rma.collectors.update
  • rma.locations.get
  • rma.locations.list
  • rma.operations.cancel
  • rma.operations.delete
  • rma.operations.get
  • rma.operations.list

(roles/rma.viewer)

Read-only access to Rapid Migration Assessment all resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.locations.*

  • rma.locations.get
  • rma.locations.list

rma.operations.get

rma.operations.list

(roles/rma.runner)

Update and Read access to Rapid Migration Assessment all resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.collectors.update

rma.locations.*

  • rma.locations.get
  • rma.locations.list

rma.operations.get

rma.operations.list

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

(roles/rapidmigrationassessment.serviceAgent)

Gives RMA service account access to MC resources.

autoscaling.sites.writeMetrics

cloudasset.assets.exportResource

cloudasset.feeds.create

logging.logEntries.create

migrationcenter.assets.list

migrationcenter.assets.reportFrames

migrationcenter.importJobs.get

migrationcenter.importJobs.list

migrationcenter.sources.*

  • migrationcenter.sources.create
  • migrationcenter.sources.delete
  • migrationcenter.sources.get
  • migrationcenter.sources.list
  • migrationcenter.sources.update

monitoring.metricDescriptors.create

monitoring.metricDescriptors.list

monitoring.timeSeries.create

resourcemanager.projects.get