You can perform the following administrative operations on authorized views and authorized view sets.
Required permissions and roles
To create and manage authorized view sets and authorized views, you need the following IAM permissions.
Authorized view sets:
Permission | Description |
---|---|
contactcenterinsights.authorizedViewSet.create | Create an authorized view set. |
contactcenterinsights.authorizedViewSet.get | Get details about an authorized view set. |
contactcenterinsights.authorizedViewSet.update | Update an existing authorized view set. |
contactcenterinsights.authorizedViewSet.delete | Delete an authorized view set. |
contactcenterinsights.authorizedViewSet.list | List authorized view sets in a project. |
Authorized views:
Permission | Description |
---|---|
contactcenterinsights.authorizedView.create | Create an authorized view. |
contactcenterinsights.authorizedView.get | Get details about an authorized view. |
contactcenterinsights.authorizedView.update | Update an existing authorized view. |
contactcenterinsights.authorizedView.delete | Delete an authorized view. |
To grant access to authorized views, you need the following permissions:
Permission | Description |
---|---|
contactcenterinsights.authorizedView.setIamPolicy | Set the IAM policy on an authorized view. |
contactcenterinsights.authorizedView.getIamPolicy | Get the IAM policy on an authorized view. |
Predefined roles
The following predefined IAM roles provide the necessary permissions:
Role | Description |
---|---|
roles/contactcenterinsights.editor | Provides Read and Write access to all Conversational Insights resources. |
roles/contactcenterinsights.admin | Provides Read and Write access to all Conversational Insights resources. |
Authorized view sets
Authorized view sets group authorized views and simplify granting permissions to multiple authorized views.
Create an authorized view set
Read an authorized view set
Update an authorized view set
Delete an authorized view set
List authorized view sets
Authorized views
Authorized views define a restricted number of conversations and an agent's or manager's role for them.
Create an authorized view
Read an authorized view
Update an authorized view
Delete an authorized view
List authorized views
Set IAM policy on an authorized view
REST
Setting the IAM policy on an authorized view requires the contactcenterinsights.authorizedView.setIamPolicy permission.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID.
- LOCATION: The location of your Conversational Insights data.
- AUTHORIZED_VIEW_SET_ID: The identifier for the authorized view set.
- AUTHORIZED_VIEW_ID: The identifier for the authorized view.
- PRINCIPAL: The principal (user) to whom you want to grant access.
- ROLE: The role to grant to the user.
HTTP method and URL:
POST https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/authorizedViewSets/AUTHORIZED_VIEW_SET_ID/authorizedViews/AUTHORIZED_VIEW_ID:setIamPolicy
Request JSON body:
{
  "policy": {
    "bindings": [
      {
        "role": "roles/ROLE",
        "members": [
          "PRINCIPAL"
        ]
      }
    ]
  }
}
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwW...",
  "bindings": [
    {
      "role": "roles/ROLE",
      "members": [
        "PRINCIPAL"
      ]
    }
  ]
}
Read IAM policy on an authorized view
REST
Reading the IAM policy on an authorized view requires the contactcenterinsights.authorizedView.getIamPolicy permission.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID.
- LOCATION: The location of your Conversational Insights data.
- AUTHORIZED_VIEW_SET_ID: The identifier for the authorized view set.
- AUTHORIZED_VIEW_ID: The identifier for the authorized view.
HTTP method and URL:
GET https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/authorizedViewSets/AUTHORIZED_VIEW_SET_ID/authorizedViews/AUTHORIZED_VIEW_ID:getIamPolicy
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwW...",
  "bindings": [
    {
      "role": "roles/ROLE",
      "members": [
        "PRINCIPAL"
      ]
    }
  ]
}
Example organization setup
This example demonstrates how to set up authorized views for a simplified organization. This example uses the REST API to create and manage resources in a fictional project named acme-corp.
Acme has the following structure:
- Alice: Alice is the administrator of the project.
- Bob: Bob is the manager.
- Carol: Carol is an agent.
- Dave: Dave is an agent.
Each user has a principal identifier associated with their email address.
- Alice's is user:admin.alice@acme.com.
- Bob's is user:manager.bob@acme.com.
- Carol's is user:agent.carol@acme.com.
- Dave's is user:agent.dave@acme.com.
Each agent has an agent_id which corresponds to the Conversation.agent_id field for their conversations.
- Carol's is agent-carol.
- Dave's is agent-dave.
Requirements
Each user requires the following levels of access:
- Administrator Access: As the administrator, Alice has full access to all data and resources.
- Manager Access: As the manager, Bob can create, edit, and view conversations and analyses for their respective teams.
- Agent Access: As the agents, Carol and Dave can only view conversations and analyses they participated in.
Step 1: Grant project access
Add all users to the project and grant them roles/browser. This role allows them to view the project and its resources.
Grant project browser to users
The following code illustrates how you could grant the browser role to each member of Acme.
gcloud projects add-iam-policy-binding acme-corp \
--member="user:admin.alice@acme.com" \
--role="roles/browser"
gcloud projects add-iam-policy-binding acme-corp \
--member="user:manager.bob@acme.com" \
--role="roles/browser"
gcloud projects add-iam-policy-binding acme-corp \
--member="user:agent.carol@acme.com" \
--role="roles/browser"
gcloud projects add-iam-policy-binding acme-corp \
--member="user:agent.dave@acme.com" \
--role="roles/browser"
For more information, see Grant a single role.
You can also use Google Groups to manage access to your project. Instead of granting permissions to individual users, you can grant roles/browser to a group. For example, you could create a group called project-browsers@acme.com and add Bob to this group. Then, you could grant the roles/browser role to this group. For more information, see Google Groups.
Step 2: Grant project level permissions to an administrator
Grant your administrator roles/contactcenterinsights.admin at the project level. For example, Alice is the administrator at Acme, so she'd gain full access to all the resources with this role.
Grant the Admin role
The following code illustrates how you could grant Alice the Admin role:
gcloud projects add-iam-policy-binding acme-corp \
--member="user:admin.alice@acme.com" \
--role="roles/contactcenterinsights.admin"
Step 3: Create authorized view sets
Create two authorized view sets to group the authorized views for managers and agents.
Create an editor authorized view set
Create a viewer authorized view set
Step 4: Grant project-level permissions to authorized view sets
Authorized views are resources with built-in identities and require permissions to access Conversational Insights data. To give authorized views the ability to access conversations and operations, grant them the following roles:
- roles/contactcenterinsights.editor for all authorized views in the editor-view-set
- roles/contactcenterinsights.viewer for all authorized views in the viewer-view-set
Grant the editor role to editor-view-set
REST
This example grants roles/contactcenterinsights.editor to editor-view-set.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
Request JSON body:
{
  "policy": {
    "bindings": [
      {
        "role": "roles/contactcenterinsights.editor",
        "members": [
          "principalSet://contactcenterinsights.googleapis.com/projects/PROJECT_ID/type/AuthorizedView/ancestor.name/authorizedViewSets/editor-view-set"
        ]
      }
    ]
  }
}
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWq8Wq588M=",
  "bindings": [
    {
      "role": "roles/contactcenterinsights.editor",
      "members": [
        "principalSet://contactcenterinsights.googleapis.com/projects/PROJECT_ID/type/AuthorizedView/ancestor.name/authorizedViewSets/editor-view-set"
      ]
    }
  ]
}
Grant the viewer role to viewer-view-set
REST
This example grants the roles/contactcenterinsights.viewer role to the viewer-view-set authorized view set.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
Request JSON body:
{
  "policy": {
    "bindings": [
      {
        "role": "roles/contactcenterinsights.viewer",
        "members": [
          "principalSet://contactcenterinsights.googleapis.com/projects/PROJECT_ID/type/AuthorizedView/ancestor.name/authorizedViewSets/viewer-view-set"
        ]
      }
    ]
  }
}
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWq8Wq588M=",
  "bindings": [
    {
      "role": "roles/contactcenterinsights.viewer",
      "members": [
        "principalSet://contactcenterinsights.googleapis.com/projects/PROJECT_ID/type/AuthorizedView/ancestor.name/authorizedViewSets/viewer-view-set"
      ]
    }
  ]
}
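The setIamPolicy calls in this step and in "Set IAM policy on an authorized view" replace the whole policy on the target resource, so a request body that carries a single binding removes every grant that is not in it, including the ones made in Steps 1 and 2. The following added example (not part of the original page) merges one binding into a policy previously read with getIamPolicy and keeps its etag; the sample policy, the etag placeholder and the function names are constructed for illustration.

```python
import copy

# Constructed sample: the acme-corp project policy as getIamPolicy might
# return it after Steps 1 and 2. The etag value is a placeholder.
CURRENT = {
    "version": 1,
    "etag": "ETAG_FROM_GET_IAM_POLICY",
    "bindings": [
        {"role": "roles/browser", "members": [
            "user:admin.alice@acme.com", "user:manager.bob@acme.com",
            "user:agent.carol@acme.com", "user:agent.dave@acme.com"]},
        {"role": "roles/contactcenterinsights.admin",
         "members": ["user:admin.alice@acme.com"]},
    ],
}
EDITOR_SET = ("principalSet://contactcenterinsights.googleapis.com/projects/"
              "PROJECT_ID/type/AuthorizedView/ancestor.name/"
              "authorizedViewSets/editor-view-set")
# A request body that carries only the new binding.
SINGLE_BINDING_BODY = {"policy": {"bindings": [
    {"role": "roles/contactcenterinsights.editor", "members": [EDITOR_SET]}]}}

def grants(policy):
    """Flatten a policy into a set of (role, member) pairs."""
    return {(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", [])}

def dropped_grants(current, proposed):
    """Grants that exist now but would be gone after setIamPolicy(proposed)."""
    return sorted(grants(current) - grants(proposed))

def merged_body(current, role, member):
    """Build a setIamPolicy body that adds one grant and keeps the rest."""
    # Deep copy keeps the etag from the read, so a concurrent policy change
    # makes the write fail instead of being silently overwritten.
    policy = copy.deepcopy(current)
    for binding in policy.setdefault("bindings", []):
        # Conditional bindings are separate grants; extend unconditional ones only.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        policy["bindings"].append({"role": role, "members": [member]})
    return {"policy": policy}
```

Run `dropped_grants(CURRENT, body["policy"])` on any body before sending it; a non-empty result lists the access the write would revoke.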
Step 5: Create authorized views
Create an authorized view for each manager and agent, and apply the appropriate filters.
Create a manager's authorized view
Grant the Authorized Editor role to a manager
Create an agent's authorized view
Grant the Authorized Viewer role to an agent
Create another agent's authorized view
Grant Authorized Viewer role to another agent