GCP IAM Updates Detected

roles/aiplatform.onlinePredictionServiceAgent

@@ -0,0 +1,25 @@
+{
+  "description": "Gives Vertex AI Online Prediction the permissions it needs to function.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "gkehub.features.get",
+    "gkehub.features.getIamPolicy",
+    "gkehub.features.list",
+    "gkehub.fleet.get",
+    "gkehub.gateway.delete",
+    "gkehub.gateway.generateCredentials",
+    "gkehub.gateway.get",
+    "gkehub.gateway.patch",
+    "gkehub.gateway.post",
+    "gkehub.gateway.put",
+    "gkehub.locations.get",
+    "gkehub.locations.list",
+    "gkehub.memberships.get",
+    "gkehub.memberships.getIamPolicy",
+    "gkehub.memberships.list",
+    "serviceusage.services.get"
+  ],
+  "name": "roles/aiplatform.onlinePredictionServiceAgent",
+  "stage": "GA",
+  "title": "Vertex AI Online Prediction Service Agent"
+}

roles/aiplatform.ragServiceAgent

@@ -1,5 +1,5 @@
 {
-  "description": "Vertex AI Service Agent used by Vertex RAG to access user imported data and Vertex AI in the project",
+  "description": "Vertex AI Service Agent used by Vertex RAG to access user imported data, Vertex AI, Document AI processors in the project",
   "etag": "AA==",
   "includedPermissions": [
     "aiplatform.endpoints.get",
@@ -37,6 +37,9 @@
     "bigquery.tables.restoreSnapshot",
     "bigquery.tables.update",
     "bigquery.tables.updateData",
+    "documentai.processorVersions.processOnline",
+    "documentai.processors.get",
+    "documentai.processors.processOnline",
     "logging.logEntries.create",
     "logging.logEntries.route",
     "storage.buckets.get",

roles/batch.serviceAgent

@@ -253,6 +253,8 @@
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
     "compute.networkEndpointGroups.use",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.get",
     "compute.networks.list",
     "compute.networks.listEffectiveTags",
@@ -349,6 +351,7 @@
     "compute.snapshots.listTagBindings",
     "compute.snapshots.setLabels",
     "compute.snapshots.useReadOnly",
+    "compute.spotAssistants.get",
     "compute.sslCertificates.get",
     "compute.sslCertificates.list",
     "compute.sslCertificates.listEffectiveTags",

roles/chronicle.admin

@@ -81,6 +81,10 @@
     "chronicle.dataTaps.get",
     "chronicle.dataTaps.list",
     "chronicle.dataTaps.update",
+    "chronicle.enrichmentControls.create",
+    "chronicle.enrichmentControls.delete",
+    "chronicle.enrichmentControls.get",
+    "chronicle.enrichmentControls.list",
     "chronicle.entities.batchCreate",
     "chronicle.entities.batchDelete",
     "chronicle.entities.batchValidate",
@@ -175,7 +179,6 @@
     "chronicle.legacies.legacyGetRuleCounts",
     "chronicle.legacies.legacyGetRulesTrends",
     "chronicle.legacies.legacyRunTestRule",
-    "chronicle.legacies.legacySearchAlerts",
     "chronicle.legacies.legacySearchArtifactEvents",
     "chronicle.legacies.legacySearchArtifactIoCDetails",
     "chronicle.legacies.legacySearchAssetEvents",

roles/chronicle.editor

@@ -67,6 +67,8 @@
     "chronicle.dataTaps.get",
     "chronicle.dataTaps.list",
     "chronicle.dataTaps.update",
+    "chronicle.enrichmentControls.get",
+    "chronicle.enrichmentControls.list",
     "chronicle.entities.batchCreate",
     "chronicle.entities.batchDelete",
     "chronicle.entities.batchValidate",
@@ -142,7 +144,6 @@
     "chronicle.legacies.legacyGetRuleCounts",
     "chronicle.legacies.legacyGetRulesTrends",
     "chronicle.legacies.legacyRunTestRule",
-    "chronicle.legacies.legacySearchAlerts",
     "chronicle.legacies.legacySearchArtifactEvents",
     "chronicle.legacies.legacySearchArtifactIoCDetails",
     "chronicle.legacies.legacySearchAssetEvents",

roles/chronicle.limitedViewer

@@ -58,7 +58,6 @@
     "chronicle.legacies.legacyFindUdmEvents",
     "chronicle.legacies.legacyGetAlert",
     "chronicle.legacies.legacyGetFinding",
-    "chronicle.legacies.legacySearchAlerts",
     "chronicle.legacies.legacySearchArtifactEvents",
     "chronicle.legacies.legacySearchArtifactIoCDetails",
     "chronicle.legacies.legacySearchAssetEvents",

roles/chronicle.restrictedDataAccessViewer

@@ -68,6 +68,8 @@
     "chronicle.operations.list",
     "chronicle.operations.streamSearch",
     "chronicle.operations.wait",
+    "chronicle.preferenceSets.get",
+    "chronicle.preferenceSets.update",
     "chronicle.referenceLists.get",
     "chronicle.referenceLists.list",
     "chronicle.referenceLists.verifyReferenceList",
@@ -80,6 +82,11 @@
     "chronicle.rules.list",
     "chronicle.rules.listRevisions",
     "chronicle.rules.verifyRuleText",
+    "chronicle.searchQueries.create",
+    "chronicle.searchQueries.delete",
+    "chronicle.searchQueries.get",
+    "chronicle.searchQueries.list",
+    "chronicle.searchQueries.update",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

roles/chronicle.viewer

@@ -40,6 +40,8 @@
     "chronicle.dataTables.list",
     "chronicle.dataTaps.get",
     "chronicle.dataTaps.list",
+    "chronicle.enrichmentControls.get",
+    "chronicle.enrichmentControls.list",
     "chronicle.entities.find",
     "chronicle.entities.findRelatedEntities",
     "chronicle.entities.get",
@@ -103,7 +105,6 @@
     "chronicle.legacies.legacyGetRuleCounts",
     "chronicle.legacies.legacyGetRulesTrends",
     "chronicle.legacies.legacyRunTestRule",
-    "chronicle.legacies.legacySearchAlerts",
     "chronicle.legacies.legacySearchArtifactEvents",
     "chronicle.legacies.legacySearchArtifactIoCDetails",
     "chronicle.legacies.legacySearchAssetEvents",

roles/chroniclesm.viewer

@@ -3,6 +3,7 @@
   "etag": "AA==",
   "includedPermissions": [
     "chroniclesm.gcpAssociations.get",
+    "chroniclesm.gcpAssociations.list",
     "chroniclesm.gcpLogFlowFilters.get",
     "chroniclesm.gcpSettings.get"
   ],

roles/cloudaicompanion.serviceAgent

@@ -1,5 +1,5 @@
 {
-  "description": "Gives Cloud AI Companion components the proper permissions to function.",
+  "description": "Gives Gemini for Google Cloud components the proper permissions to function.",
   "etag": "AA==",
   "includedPermissions": [
     "cloudaicompanion.codeRepositoryIndexes.get",
@@ -29,5 +29,5 @@
   ],
   "name": "roles/cloudaicompanion.serviceAgent",
   "stage": "GA",
-  "title": "Cloud AI Companion Service Agent"
+  "title": "Gemini for Google Cloud Service Agent"
 }

roles/cloudaicompanion.user

@@ -9,6 +9,7 @@
     "cloudaicompanion.instances.completeTask",
     "cloudaicompanion.instances.generateCode",
     "cloudaicompanion.instances.generateText",
+    "cloudaicompanion.licenses.selfAssign",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"
   ],

roles/cloudtpu.serviceAgent

@@ -381,6 +381,8 @@
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
     "compute.networkEndpointGroups.use",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.access",
     "compute.networks.addPeering",
     "compute.networks.create",
@@ -598,6 +600,7 @@
     "compute.snapshots.setIamPolicy",
     "compute.snapshots.setLabels",
     "compute.snapshots.useReadOnly",
+    "compute.spotAssistants.get",
     "compute.sslCertificates.get",
     "compute.sslCertificates.list",
     "compute.sslCertificates.listEffectiveTags",
@@ -632,6 +635,7 @@
     "compute.subnetworks.update",
     "compute.subnetworks.use",
     "compute.subnetworks.useExternalIp",
+    "compute.subnetworks.usePeerMigration",
     "compute.targetGrpcProxies.create",
     "compute.targetGrpcProxies.createTagBinding",
     "compute.targetGrpcProxies.delete",

roles/composer.serviceAgent

@@ -464,6 +464,8 @@
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
     "compute.networkEndpointGroups.use",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.access",
     "compute.networks.addPeering",
     "compute.networks.create",
@@ -681,6 +683,7 @@
     "compute.snapshots.setIamPolicy",
     "compute.snapshots.setLabels",
     "compute.snapshots.useReadOnly",
+    "compute.spotAssistants.get",
     "compute.sslCertificates.get",
     "compute.sslCertificates.list",
     "compute.sslCertificates.listEffectiveTags",
@@ -715,6 +718,7 @@
     "compute.subnetworks.update",
     "compute.subnetworks.use",
     "compute.subnetworks.useExternalIp",
+    "compute.subnetworks.usePeerMigration",
     "compute.targetGrpcProxies.create",
     "compute.targetGrpcProxies.createTagBinding",
     "compute.targetGrpcProxies.delete",

roles/compute.admin

@@ -419,6 +419,8 @@
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
     "compute.networkEndpointGroups.use",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.access",
     "compute.networks.addPeering",
     "compute.networks.create",
@@ -720,6 +722,7 @@
     "compute.snapshots.setIamPolicy",
     "compute.snapshots.setLabels",
     "compute.snapshots.useReadOnly",
+    "compute.spotAssistants.get",
     "compute.sslCertificates.create",
     "compute.sslCertificates.createTagBinding",
     "compute.sslCertificates.delete",
@@ -763,6 +766,7 @@
     "compute.subnetworks.update",
     "compute.subnetworks.use",
     "compute.subnetworks.useExternalIp",
+    "compute.subnetworks.usePeerMigration",
     "compute.targetGrpcProxies.create",
     "compute.targetGrpcProxies.createTagBinding",
     "compute.targetGrpcProxies.delete",

roles/compute.instanceAdmin.v1

@@ -261,6 +261,8 @@
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
     "compute.networkEndpointGroups.use",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.get",
     "compute.networks.list",
     "compute.networks.listEffectiveTags",
@@ -359,6 +361,7 @@
     "compute.snapshots.setIamPolicy",
     "compute.snapshots.setLabels",
     "compute.snapshots.useReadOnly",
+    "compute.spotAssistants.get",
     "compute.sslCertificates.get",
     "compute.sslCertificates.list",
     "compute.sslCertificates.listEffectiveTags",

roles/compute.networkAdmin

@@ -231,6 +231,8 @@
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
     "compute.networkEndpointGroups.use",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.access",
     "compute.networks.addPeering",
     "compute.networks.create",
@@ -451,6 +453,7 @@
     "compute.subnetworks.update",
     "compute.subnetworks.use",
     "compute.subnetworks.useExternalIp",
+    "compute.subnetworks.usePeerMigration",
     "compute.targetGrpcProxies.create",
     "compute.targetGrpcProxies.createTagBinding",
     "compute.targetGrpcProxies.delete",

roles/compute.networkUser

@@ -36,6 +36,8 @@
     "compute.networkAttachments.list",
     "compute.networkAttachments.listEffectiveTags",
     "compute.networkAttachments.listTagBindings",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.access",
     "compute.networks.get",
     "compute.networks.getEffectiveFirewalls",

roles/compute.networkViewer

@@ -90,6 +90,8 @@
     "compute.networkAttachments.list",
     "compute.networkAttachments.listEffectiveTags",
     "compute.networkAttachments.listTagBindings",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.get",
     "compute.networks.getEffectiveFirewalls",
     "compute.networks.getRegionEffectiveFirewalls",

roles/compute.viewer

@@ -150,6 +150,8 @@
     "compute.networkEndpointGroups.list",
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.get",
     "compute.networks.getEffectiveFirewalls",
     "compute.networks.getRegionEffectiveFirewalls",
@@ -265,6 +267,7 @@
     "compute.snapshots.list",
     "compute.snapshots.listEffectiveTags",
     "compute.snapshots.listTagBindings",
+    "compute.spotAssistants.get",
     "compute.sslCertificates.get",
     "compute.sslCertificates.list",
     "compute.sslCertificates.listEffectiveTags",

roles/container.serviceAgent

@@ -426,6 +426,8 @@
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
     "compute.networkEndpointGroups.use",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.access",
     "compute.networks.addPeering",
     "compute.networks.create",
@@ -676,6 +678,7 @@
     "compute.snapshots.setIamPolicy",
     "compute.snapshots.setLabels",
     "compute.snapshots.useReadOnly",
+    "compute.spotAssistants.get",
     "compute.sslCertificates.create",
     "compute.sslCertificates.createTagBinding",
     "compute.sslCertificates.delete",
@@ -719,6 +722,7 @@
     "compute.subnetworks.update",
     "compute.subnetworks.use",
     "compute.subnetworks.useExternalIp",
+    "compute.subnetworks.usePeerMigration",
     "compute.targetGrpcProxies.create",
     "compute.targetGrpcProxies.createTagBinding",
     "compute.targetGrpcProxies.delete",

roles/dataflow.serviceAgent

@@ -493,6 +493,8 @@
     "compute.networkEndpointGroups.listEffectiveTags",
     "compute.networkEndpointGroups.listTagBindings",
     "compute.networkEndpointGroups.use",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.access",
     "compute.networks.addPeering",
     "compute.networks.create",
@@ -748,6 +750,7 @@
     "compute.subnetworks.update",
     "compute.subnetworks.use",
     "compute.subnetworks.useExternalIp",
+    "compute.subnetworks.usePeerMigration",
     "compute.targetGrpcProxies.create",
     "compute.targetGrpcProxies.createTagBinding",
     "compute.targetGrpcProxies.delete",

roles/datafusion.serviceAgent

@@ -221,6 +221,8 @@
     "compute.networkAttachments.listEffectiveTags",
     "compute.networkAttachments.listTagBindings",
     "compute.networkAttachments.update",
+    "compute.networkProfiles.get",
+    "compute.networkProfiles.list",
     "compute.networks.addPeering",
     "compute.networks.get",
     "compute.networks.getEffectiveFirewalls",

roles/dataplex.admin

@@ -53,6 +53,11 @@
     "dataplex.datascans.run",
     "dataplex.datascans.setIamPolicy",
     "dataplex.datascans.update",
+    "dataplex.encryptionConfig.create",
+    "dataplex.encryptionConfig.delete",
+    "dataplex.encryptionConfig.get",
+    "dataplex.encryptionConfig.list",
+    "dataplex.encryptionConfig.update",
     "dataplex.entities.create",
     "dataplex.entities.delete",
     "dataplex.entities.get",

roles/dataplex.encryptionAdmin

@@ -0,0 +1,14 @@
+{
+  "description": "Gives user permissions to manage encryption config.",
+  "etag": "AA==",
+  "includedPermissions": [
+    "dataplex.encryptionConfig.create",
+    "dataplex.encryptionConfig.delete",
+    "dataplex.encryptionConfig.get",
+    "dataplex.encryptionConfig.list",
+    "dataplex.encryptionConfig.update"
+  ],
+  "name": "roles/dataplex.encryptionAdmin",
+  "stage": "BETA",
+  "title": "Dataplex Encryption Admin"
+}