At the Project level, assign the Owner role to administrator accounts, the Editor role to read/write accounts, and the Viewer role to read-only accounts.

Utilize predefined IAM roles for Cloud Storage and BigQuery that match the required access levels. Assign users to these roles based on their access needs for each service.

At the Organization level, grant the Owner role to administrator accounts, the Editor role to read/write accounts, and the Viewer role to read-only accounts.

Develop three custom IAM roles with tailored policies for the necessary access levels in Cloud Storage and BigQuery. Then, assign users to the appropriate custom roles.