diff --git a/roles/apihub.admin b/roles/apihub.admin
index c0b21e31..67e32d49 100644
--- a/roles/apihub.admin
+++ b/roles/apihub.admin
@@ -2,25 +2,6 @@
 "description": "Full access to Cloud API Hub Registry and Runtime resources.",
 "etag": "AA==",
 "includedPermissions": [
- "apihub.apis.create",
- "apihub.apis.delete",
- "apihub.apis.get",
- "apihub.apis.list",
- "apihub.apis.update",
- "apihub.operations.cancel",
- "apihub.operations.delete",
- "apihub.operations.get",
- "apihub.operations.list",
- "apihub.specs.create",
- "apihub.specs.delete",
- "apihub.specs.get",
- "apihub.specs.list",
- "apihub.specs.update",
- "apihub.versions.create",
- "apihub.versions.delete",
- "apihub.versions.get",
- "apihub.versions.list",
- "apihub.versions.update",
 "resourcemanager.projects.get",
 "resourcemanager.projects.list"
 ],
diff --git a/roles/apihub.viewer b/roles/apihub.viewer
index b1bcdb95..b1071818 100644
--- a/roles/apihub.viewer
+++ b/roles/apihub.viewer
@@ -2,12 +2,6 @@
 "description": "Read-only access to Cloud API Hub Registry resources.",
 "etag": "AA==",
 "includedPermissions": [
- "apihub.apis.get",
- "apihub.apis.list",
- "apihub.specs.get",
- "apihub.specs.list",
- "apihub.versions.get",
- "apihub.versions.list",
 "resourcemanager.projects.get",
 "resourcemanager.projects.list"
 ],
diff --git a/roles/edgecontainer.clusterServiceAgent b/roles/edgecontainer.clusterServiceAgent
index b0ff2b8d..e0658122 100644
--- a/roles/edgecontainer.clusterServiceAgent
+++ b/roles/edgecontainer.clusterServiceAgent
@@ -2,8 +2,26 @@
 "description": "Grants the Edge Container Cluster Service Account access to manage resources.",
 "etag": "AA==",
 "includedPermissions": [
+ "gkehub.endpoints.connect",
+ "gkehub.features.create",
 "gkehub.features.get",
+ "gkehub.features.list",
+ "gkehub.features.update",
+ "gkehub.fleet.create",
+ "gkehub.fleet.delete",
+ "gkehub.fleet.get",
+ "gkehub.locations.get",
+ "gkehub.locations.list",
+ "gkehub.memberships.create",
+ "gkehub.memberships.delete",
+ "gkehub.memberships.generateConnectManifest",
 "gkehub.memberships.get",
+ "gkehub.memberships.list",
+ "gkehub.memberships.update",
+ "gkehub.operations.cancel",
+ "gkehub.operations.delete",
+ "gkehub.operations.get",
+ "gkehub.operations.list",
 "logging.logEntries.create",
 "monitoring.dashboards.create",
 "monitoring.dashboards.delete",
@@ -37,6 +55,7 @@
 "serviceusage.operations.list",
 "serviceusage.quotas.get",
 "serviceusage.services.get",
+ "serviceusage.services.list",
 "stackdriver.resourceMetadata.write",
 "storage.buckets.create",
 "storage.buckets.get",
diff --git a/roles/editor b/roles/editor
index b489b2de..2672d975 100644
--- a/roles/editor
+++ b/roles/editor
@@ -718,6 +718,25 @@
 "apigeeregistry.versions.getIamPolicy",
 "apigeeregistry.versions.list",
 "apigeeregistry.versions.update",
+ "apihub.apis.create",
+ "apihub.apis.delete",
+ "apihub.apis.get",
+ "apihub.apis.list",
+ "apihub.apis.update",
+ "apihub.operations.cancel",
+ "apihub.operations.delete",
+ "apihub.operations.get",
+ "apihub.operations.list",
+ "apihub.specs.create",
+ "apihub.specs.delete",
+ "apihub.specs.get",
+ "apihub.specs.list",
+ "apihub.specs.update",
+ "apihub.versions.create",
+ "apihub.versions.delete",
+ "apihub.versions.get",
+ "apihub.versions.list",
+ "apihub.versions.update",
 "apikeys.keys.create",
 "apikeys.keys.delete",
 "apikeys.keys.get",
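Review bot: The first hunk of roles/edgecontainer.clusterServiceAgent takes this service agent from two read-only gkehub permissions to fleet and membership write access (`gkehub.fleet.create`, `gkehub.fleet.delete`, `gkehub.memberships.create`, `gkehub.memberships.delete`, `gkehub.memberships.update`) plus `gkehub.endpoints.connect`, while the `description` in the context lines still only says the account can "manage resources". For anyone using this snapshot to track least-privilege drift, this is a privilege expansion on a service identity and should be called out in the commit description rather than left to be inferred from the list. Baselines or alerts that assume this role has no GKE Hub write access would need revisiting; whether the wider scope is actually exercised cannot be told from the diff.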
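Review bot: The 19 `apihub.*` permissions added to roles/editor in this hunk (and again in the first roles/owner hunk) are exactly the ones this commit strips from roles/apihub.admin, whose remaining list is only `resourcemanager.projects.get` and `resourcemanager.projects.list` even though its description still reads "Full access to Cloud API Hub Registry and Runtime resources."; roles/apihub.viewer ends up in the same state. As captured, a principal bound only to the dedicated API Hub roles holds no API Hub permissions, while every Editor or Owner binding gains create, update and delete on apis, specs and versions. It is worth confirming whether this is a transient upstream state, because access reviews that rely on the role title or description would be misleading either way.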
@@ -5078,6 +5097,11 @@
 "gdchardwaremanagement.sites.update",
 "gdchardwaremanagement.skus.get",
 "gdchardwaremanagement.skus.list",
+ "gdchardwaremanagement.zones.create",
+ "gdchardwaremanagement.zones.delete",
+ "gdchardwaremanagement.zones.get",
+ "gdchardwaremanagement.zones.list",
+ "gdchardwaremanagement.zones.update",
 "genomics.datasets.create",
 "genomics.datasets.delete",
 "genomics.datasets.get",
diff --git a/roles/gdchardwaremanagement.admin b/roles/gdchardwaremanagement.admin
index 625fe259..6fba2e2c 100644
--- a/roles/gdchardwaremanagement.admin
+++ b/roles/gdchardwaremanagement.admin
@@ -33,11 +33,6 @@
 "gdchardwaremanagement.sites.update",
 "gdchardwaremanagement.skus.get",
 "gdchardwaremanagement.skus.list",
- "gdchardwaremanagement.zones.create",
- "gdchardwaremanagement.zones.delete",
- "gdchardwaremanagement.zones.get",
- "gdchardwaremanagement.zones.list",
- "gdchardwaremanagement.zones.update",
 "resourcemanager.projects.get",
 "resourcemanager.projects.list"
 ],
diff --git a/roles/gdchardwaremanagement.reader b/roles/gdchardwaremanagement.reader
index 4e1fd9f6..de347afc 100644
--- a/roles/gdchardwaremanagement.reader
+++ b/roles/gdchardwaremanagement.reader
@@ -20,8 +20,6 @@
 "gdchardwaremanagement.sites.list",
 "gdchardwaremanagement.skus.get",
 "gdchardwaremanagement.skus.list",
- "gdchardwaremanagement.zones.get",
- "gdchardwaremanagement.zones.list",
 "resourcemanager.projects.get",
 "resourcemanager.projects.list"
 ],
diff --git a/roles/iam.securityAdmin b/roles/iam.securityAdmin
index 07c98905..a08b37dc 100644
--- a/roles/iam.securityAdmin
+++ b/roles/iam.securityAdmin
@@ -165,6 +165,10 @@
 "apigeeregistry.versions.getIamPolicy",
 "apigeeregistry.versions.list",
 "apigeeregistry.versions.setIamPolicy",
+ "apihub.apis.list",
+ "apihub.operations.list",
+ "apihub.specs.list",
+ "apihub.versions.list",
 "apikeys.keys.list",
 "appengine.instances.list",
 "appengine.memcache.list",
@@ -1197,6 +1201,7 @@
 "gdchardwaremanagement.orders.list",
 "gdchardwaremanagement.sites.list",
 "gdchardwaremanagement.skus.list",
+ "gdchardwaremanagement.zones.list",
 "genomics.datasets.getIamPolicy",
 "genomics.datasets.list",
 "genomics.datasets.setIamPolicy",
diff --git a/roles/iam.securityReviewer b/roles/iam.securityReviewer
index 82103f2f..2f3abef8 100644
--- a/roles/iam.securityReviewer
+++ b/roles/iam.securityReviewer
@@ -150,6 +150,10 @@
 "apigeeregistry.specs.list",
 "apigeeregistry.versions.getIamPolicy",
 "apigeeregistry.versions.list",
+ "apihub.apis.list",
+ "apihub.operations.list",
+ "apihub.specs.list",
+ "apihub.versions.list",
 "apikeys.keys.list",
 "appengine.instances.list",
 "appengine.memcache.list",
@@ -1043,6 +1047,7 @@
 "gdchardwaremanagement.orders.list",
 "gdchardwaremanagement.sites.list",
 "gdchardwaremanagement.skus.list",
+ "gdchardwaremanagement.zones.list",
 "genomics.datasets.getIamPolicy",
 "genomics.datasets.list",
 "genomics.operations.list",
diff --git a/roles/owner b/roles/owner
index 16106bcf..342041a2 100644
--- a/roles/owner
+++ b/roles/owner
@@ -747,6 +747,25 @@
 "apigeeregistry.versions.list",
 "apigeeregistry.versions.setIamPolicy",
 "apigeeregistry.versions.update",
+ "apihub.apis.create",
+ "apihub.apis.delete",
+ "apihub.apis.get",
+ "apihub.apis.list",
+ "apihub.apis.update",
+ "apihub.operations.cancel",
+ "apihub.operations.delete",
+ "apihub.operations.get",
+ "apihub.operations.list",
+ "apihub.specs.create",
+ "apihub.specs.delete",
+ "apihub.specs.get",
+ "apihub.specs.list",
+ "apihub.specs.update",
+ "apihub.versions.create",
+ "apihub.versions.delete",
+ "apihub.versions.get",
+ "apihub.versions.list",
+ "apihub.versions.update",
 "apikeys.keys.create",
 "apikeys.keys.delete",
 "apikeys.keys.get",
@@ -6006,6 +6025,11 @@
 "gdchardwaremanagement.sites.update",
 "gdchardwaremanagement.skus.get",
 "gdchardwaremanagement.skus.list",
+ "gdchardwaremanagement.zones.create",
+ "gdchardwaremanagement.zones.delete",
+ "gdchardwaremanagement.zones.get",
+ "gdchardwaremanagement.zones.list",
+ "gdchardwaremanagement.zones.update",
 "genomics.datasets.create",
 "genomics.datasets.delete",
 "genomics.datasets.get",
@@ -7573,6 +7597,7 @@
 "privilegedaccessmanager.grants.get",
 "privilegedaccessmanager.grants.list",
 "privilegedaccessmanager.grants.revoke",
+ "privilegedaccessmanager.locations.checkOnboardingStatus",
 "privilegedaccessmanager.locations.get",
 "privilegedaccessmanager.locations.list",
 "privilegedaccessmanager.operations.delete",
diff --git a/roles/privilegedaccessmanager.approver b/roles/privilegedaccessmanager.approver
new file mode 100644
index 00000000..69851cea
--- /dev/null
+++ b/roles/privilegedaccessmanager.approver
@@ -0,0 +1,14 @@
+{
+ "description": "Access to Approve/Deny Privileged Access Manager Grants.",
+ "etag": "AA==",
+ "includedPermissions": [
+ "privilegedaccessmanager.entitlements.get",
+ "privilegedaccessmanager.grants.approve",
+ "privilegedaccessmanager.grants.deny",
+ "privilegedaccessmanager.grants.get",
+ "privilegedaccessmanager.grants.list"
+ ],
+ "name": "roles/privilegedaccessmanager.approver",
+ "stage": "BETA",
+ "title": "Privileged Access Manager Approver"
+}
diff --git a/roles/privilegedaccessmanager.requester b/roles/privilegedaccessmanager.requester
new file mode 100644
index 00000000..aa27d82a
--- /dev/null
+++ b/roles/privilegedaccessmanager.requester
@@ -0,0 +1,7 @@
+{
+ "description": "Access to request Privileged Access Manager Grants.",
+ "etag": "AA==",
+ "name": "roles/privilegedaccessmanager.requester",
+ "stage": "BETA",
+ "title": "Privileged Access Manager Requester"
+}
diff --git a/roles/privilegedaccessmanager.serviceAgent b/roles/privilegedaccessmanager.serviceAgent
deleted file mode 100644
index 1c16209f..00000000
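Review bot: The new roles/privilegedaccessmanager.approver carries `privilegedaccessmanager.grants.approve` and `privilegedaccessmanager.grants.deny`, and nothing in the role definition stops it from being bound to the same principal that requests grants. Whether the service itself rejects self-approval is not visible from this file, so deployments relying on this role for separation of duties should enforce it in their bindings and review who holds it alongside the requester role. The role is marked `"stage": "BETA"`, so its permission set may still change, and pinned expectations about it should be re-checked on later snapshots.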
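Review bot: roles/privilegedaccessmanager.requester has no `includedPermissions` key at all, so as captured the role grants nothing despite its description "Access to request Privileged Access Manager Grants."; the other complete role documents in this diff (the approver and the deleted serviceAgent) both carry the array. Tooling that iterates `includedPermissions` should treat a missing key as an empty list rather than fail or skip the role silently, and if the snapshot format is under this repository's control, emitting `"includedPermissions": [],` would keep the shape uniform. Whether the permissions for this BETA role are simply not published yet cannot be determined from the diff.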
--- a/roles/privilegedaccessmanager.serviceAgent
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "description": "Gives privileged access manager service account access to modify IAM policies on GCP resources",
- "etag": "AA==",
- "includedPermissions": [
- "resourcemanager.folders.get",
- "resourcemanager.folders.getIamPolicy",
- "resourcemanager.folders.setIamPolicy",
- "resourcemanager.organizations.get",
- "resourcemanager.organizations.getIamPolicy",
- "resourcemanager.organizations.setIamPolicy",
- "resourcemanager.projects.get",
- "resourcemanager.projects.getIamPolicy",
- "resourcemanager.projects.setIamPolicy"
- ],
- "name": "roles/privilegedaccessmanager.serviceAgent",
- "stage": "ALPHA",
- "title": "Privileged Access Manager Service Agent"
-}
diff --git a/roles/viewer b/roles/viewer
index 242ca6a3..f4f1064a 100644
--- a/roles/viewer
+++ b/roles/viewer
@@ -330,6 +330,14 @@
 "apigeeregistry.versions.get",
 "apigeeregistry.versions.getIamPolicy",
 "apigeeregistry.versions.list",
+ "apihub.apis.get",
+ "apihub.apis.list",
+ "apihub.operations.get",
+ "apihub.operations.list",
+ "apihub.specs.get",
+ "apihub.specs.list",
+ "apihub.versions.get",
+ "apihub.versions.list",
 "apikeys.keys.get",
 "apikeys.keys.getKeyString",
 "apikeys.keys.list",
@@ -2487,6 +2495,8 @@
 "gdchardwaremanagement.sites.list",
 "gdchardwaremanagement.skus.get",
 "gdchardwaremanagement.skus.list",
+ "gdchardwaremanagement.zones.get",
+ "gdchardwaremanagement.zones.list",
 "genomics.datasets.get",
 "genomics.datasets.list",
 "genomics.operations.get",