As a Database Engineer, you have been tasked with setting up secure connectivity and access control for your organization's Firestore databases. Which of the following IAM roles should be granted to a user who needs to manage Firestore database indexes and security rules, but should not have access to the actual data stored in the databases?