Choose which type of role to use
This page offers guidance on which type of role—predefined, custom, or
basic—you should use to control access to Trusted Cloud resources.
When to use predefined roles
In most situations, you should be able to use predefined
roles instead of basic or custom roles. Predefined
roles give granular access to specific
Trusted Cloud resources, are maintained by Google, and are updated
automatically when new permissions, features, or services are added to
Trusted Cloud.
However, there are some cases where you might want to use custom or basic
roles. The following sections describe these cases.
When to use custom roles
Unlike predefined roles, custom roles are not maintained by Google. That means
when Trusted Cloud adds new permissions, features, or services, your
custom roles won't be updated automatically. For this reason, we recommend
granting the most limited predefined roles that meet
your needs.
However, it might be appropriate to create and grant custom roles in the
following cases:
- A principal needs a permission, but each predefined role that includes that
permission also includes permissions that the principal doesn't need and
shouldn't have.
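When using custom roles, be aware of the following limits:
- Custom roles can contain up to 3,000 permissions.
- The maximum total size of the title, description, and permission names for a custom role is 64 KB.
- There are limits to the number of custom roles you can create:
  - You can create up to 300 organization-level custom roles in your organization.
  - You can create up to 300 project-level custom roles in each project in your organization.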
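The decision described in this section can be written as a small check. This is an added example, not code from the original page: the role names under `roles/example.*` and their permission lists are constructed sample data, and treating 64 KB as 65,536 UTF-8 bytes is an assumption.

```python
# Added example. The roles below and their permission lists are constructed
# sample data, not the real contents of any predefined role.
MAX_PERMISSIONS = 3000        # custom roles can contain up to 3,000 permissions
MAX_TOTAL_BYTES = 64 * 1024   # title + description + permission names (assumed bytes)

PREDEFINED = {
    "roles/example.objectReader": {"storage.objects.get", "storage.objects.list"},
    "roles/example.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}


def custom_role_problems(title, description, permissions):
    """Return the limit violations for a proposed custom role definition."""
    problems = []
    if len(permissions) > MAX_PERMISSIONS:
        problems.append("too many permissions")
    size = sum(len(s.encode("utf-8")) for s in (title, description, *permissions))
    if size > MAX_TOTAL_BYTES:
        problems.append("definition larger than 64 KB")
    return problems


def choose_role(needed, forbidden, predefined=PREDEFINED):
    """Pick the most limited predefined role, or fall back to a custom role."""
    needed, forbidden = set(needed), set(forbidden)
    # Predefined roles that grant everything needed and nothing the
    # principal shouldn't have, ranked by how many extra permissions they add.
    usable = [(len(perms - needed), name) for name, perms in predefined.items()
              if needed <= perms and not (perms & forbidden)]
    if usable:
        excess, name = min(usable)
        return {"type": "predefined", "role": name, "excess": excess}
    # Every predefined role that covers the need also carries a forbidden
    # permission: this is the case where a custom role is appropriate.
    title = "Custom role (example)"
    description = "Grants only: " + ", ".join(sorted(needed))
    return {"type": "custom", "title": title, "description": description,
            "permissions": sorted(needed),
            "problems": custom_role_problems(title, description, sorted(needed))}
```

A custom role returned here still has to be maintained by hand, because it is not updated when new permissions are added.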
When to use basic roles
Basic roles include thousands of permissions across all Trusted Cloud services. In production
environments, do not grant basic roles unless there is no alternative. Instead, grant the most
limited predefined roles or
custom roles that meet your needs.
It might be appropriate to grant basic roles when you want to grant broader
permissions for a project. This often happens when you're granting permissions
in development or test environments.
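To find where basic roles are granted, an allow policy can be scanned for them. This is an added example, not code from the original page: it assumes the policy JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, checks only the `roles/owner`, `roles/editor` and `roles/viewer` names, and the sample policy and the `environment` labels are constructed.

```python
import json

# Basic role names checked by this example.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy in the allow-policy JSON shape.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["group:devs@example.com"]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
]})


def basic_role_grants(policy_json):
    """Map each principal to the basic roles it holds in this policy."""
    grants = {}
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding.get("role", "")
        if role in BASIC_ROLES:
            for member in binding.get("members", []):
                grants.setdefault(member, set()).add(role)
    return {member: sorted(roles) for member, roles in grants.items()}


def audit(policy_json, environment):
    """Return (member, role, action) rows for every basic-role grant.

    `environment` is a hypothetical label supplied by the caller: grants in
    "production" are marked for replacement with a more limited predefined
    or custom role, grants elsewhere (development, test) are acceptable.
    """
    action = "replace" if environment == "production" else "acceptable"
    return [(member, role, action)
            for member, roles in sorted(basic_role_grants(policy_json).items())
            for role in roles]
```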
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-28 UTC.