This page describes how you can control API access and permissions for Google Agentspace Enterprise resources using Identity and Access Management (IAM).
Overview
Google Cloud offers IAM, which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Agentspace Enterprise IAM roles and permissions. For a detailed description of Google Cloud IAM, see the IAM documentation.
Agentspace Enterprise provides a set of predefined roles designed to help you control access to your Agentspace Enterprise resources. You can also create your own custom roles, if the predefined roles don't provide the sets of permissions you need. In addition, the older basic roles (Editor, Viewer, and Owner) are also still available to you, although they don't provide the same fine-grained control as the Agentspace Enterprise roles. In particular, the basic roles provide access to resources across Google Cloud rather than just for Agentspace Enterprise. See the basic roles documentation for more information.
Predefined roles
Agentspace Enterprise provides some predefined roles that you can use to provide finer-grained permissions to principals. The role you grant to a principal controls what actions the principal can take. Principals can be individuals, groups, or service accounts.
You can grant multiple roles to the same principal, and you can change the roles granted to a principal at any time, provided you have the permissions to do so.
The broader roles include the more narrowly defined roles. For example, the Discovery Engine Editor role includes all of the permissions of the Discovery Engine Viewer role, along with the addition permissions of the Discovery Engine Editor role. Likewise, the Discovery Engine Admin role includes all of the permissions of the Discovery Engine Editor role, along with its additional permissions.
The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Agentspace Enterprise provide only Agentspace Enterprise permissions, except for the following Google Cloud permissions, which are needed for general Google Cloud usage:
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
serviceusage.services.get
The following table lists the Google Agentspace Enterprise IAM roles with a corresponding list of all the permissions for each role.
Role | Permissions |
---|---|
Discovery Engine Admin( Grants full access to all discoveryengine resources. |
|
Discovery Engine Editor( Grants read and write access to all discovery engine resources. |
|
Discovery Engine User( Grants user-level access to Discovery Engine resources. |
|
Discovery Engine Viewer( Grants read access to all discovery engine resources. |
|
Manage Agentspace Enterprise IAM
You can get and set IAM allow policies and IAM roles using the Google Cloud Console. For more information, see Manage access to projects, folders, and organizations.
Grant permissions to admins
As a project owner, you can grant the Discovery Engine Admin
,
Service Usage Consumer
, and Logs Viewer
roles to the users who want to be
administrators.
Follow these steps to add the roles:
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
- Click Grant access.
-
In the New principals field, enter the user identifier. This is typically the email address for a Google Account or a user group.
- Add the roles:
- Click Add another role.
- In the Select a role list, select Discovery Engine admin.
- Repeat the steps a and b to add the Service usage consumer and Logs viewer roles.
- Click Save.
Grant permissions to your users
This section describes how to give your users the
Discovery Engine user
role that they need to access apps.
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
- Click Grant access.
-
In the New principals field, enter the user identifier. This is typically the email address for a Google Account, a user group or the identifier for a user in a workforce identity pool. For details, see Principal identifiers for allow policies.
- Add the role:
- Click Add another role.
- In the Select a role list, select Discovery Engine user.
- Click Save.
To allow users to manage and share apps, grant them the Discovery Engine viewer
role.
What's next
- Learn how to manage access to projects, folders, and organizations.
- Learn more about IAM.
- Learn more about basic roles.
- Learn more about custom roles.