There are three types of IAM roles in Google Cloud VMware Engine.
Basic role: Three roles fall under this type – Owner, Editor, and Viewer. These roles are also known as “primitive roles” because they existed in Google Cloud before IAM. Basic roles are not recommended in production environments because each of them bundles thousands of permissions across many Google Cloud resources, far more than any single workload needs.
Predefined role: There are hundreds of predefined roles that give granular access to certain Google Cloud resources. Predefined roles are created and maintained by Google, and they are designed to support common use cases. A Google Cloud service called Recommender generates role recommendations to help organizations quickly navigate between various predefined roles.
Custom role: Organizations can create custom roles to truly enforce the principle of least privilege, since a custom role can be limited to exactly the permissions a workload needs. However, some IAM permissions are not supported in custom roles, so organizations should check the Google Cloud documentation on the support level of each permission in custom roles before building them.
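The support-level check above can be automated: `gcloud iam list-testable-permissions` reports, for each permission, whether it is SUPPORTED, TESTING, or NOT_SUPPORTED in custom roles. The script below is an added example (not from the original page or from Google) that filters such output down to permissions safe to place in a custom role and renders the role file that `gcloud iam roles create` accepts; the permission names in the sample input are constructed placeholders, and it assumes the API omits the support-level field when the value is SUPPORTED.

```python
import json

# Constructed sample, shaped like the JSON from
#   gcloud iam list-testable-permissions \
#     //cloudresourcemanager.googleapis.com/projects/PROJECT_ID --format=json
# The permission names are placeholders, not real VMware Engine permissions.
SAMPLE_PERMISSIONS = json.loads("""
[
  {"name": "vmwareengine.sampleClouds.get", "stage": "GA"},
  {"name": "vmwareengine.sampleClouds.list", "stage": "GA"},
  {"name": "vmwareengine.sampleClouds.delete", "stage": "GA",
   "customRolesSupportLevel": "TESTING"},
  {"name": "vmwareengine.sampleNodes.create", "stage": "BETA",
   "customRolesSupportLevel": "NOT_SUPPORTED"},
  {"name": "compute.sampleInstances.list", "stage": "GA"}
]
""")


def support_level(perm):
    # Assumption: the enum default (SUPPORTED) is omitted from the JSON output,
    # so a missing field means the permission is fully supported in custom roles.
    return perm.get("customRolesSupportLevel", "SUPPORTED")


def partition_permissions(perms, service_prefix, allow_testing=False):
    """Split the permissions of one service into those usable in a custom role
    and those to leave out (with the reason), so nothing unsupported is added."""
    usable, rejected = [], []
    for perm in perms:
        if not perm["name"].startswith(service_prefix + "."):
            continue  # ignore other services' permissions
        level = support_level(perm)
        if level == "SUPPORTED" or (level == "TESTING" and allow_testing):
            usable.append(perm["name"])
        else:
            rejected.append((perm["name"], level))
    return sorted(usable), sorted(rejected)


def role_yaml(title, description, permissions):
    """Render the role definition file accepted by
    `gcloud iam roles create ROLE_ID --project PROJECT_ID --file FILE`."""
    lines = [f"title: {title}", f"description: {description}",
             "stage: GA", "includedPermissions:"]
    lines += [f"- {name}" for name in permissions]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    usable, rejected = partition_permissions(SAMPLE_PERMISSIONS, "vmwareengine")
    print(role_yaml("VMware Engine read-only", "Least-privilege viewer", usable))
    for name, level in rejected:
        print(f"# skipped {name}: {level}")
```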
Access to the Google Cloud VMware Engine portal is given by roles and these roles are applied to the Google Cloud VMware Engine resources at the project level. Therefore, different roles cannot be given per individual private cloud if a project contains multiple private clouds.
When creating an SDDC, Google provides 5 vSphere solution users. There are also pre-defined solution user roles for certain supported solutions, such as VMware Site Recovery Manager (SRM), VMware Aria Automation, Zerto, and Veeam. These solution user roles are given the elevated vCenter privileges required for solution installation. The elevated privileges are valid for up to 24 hours.