Cloud Infrastructure Entitlement Management (CIEM) roles and permissions
This page lists the IAM roles and permissions for Cloud Infrastructure Entitlement Management (CIEM). To
search through all roles and permissions, see the role and
permission index.
Cloud Infrastructure Entitlement Management (CIEM) roles

| Role | Permissions |
|------|-------------|
| CIEM Service Agent (`roles/ciem.serviceAgent`) Gives CIEM Service Account permission to access GCP resources. **Warning:** Do not grant service agent roles to any principals except [service agents](/iam/docs/service-agents). | `cloudasset.assets.exportIamPolicy` `cloudasset.assets.exportResource` `resourcemanager.organizations.get` |

Cloud Infrastructure Entitlement Management (CIEM) permissions

There are no IAM permissions for this service.

Last updated 2025-08-28 UTC.