Roles and permissions

Google Cloud offers Identity and Access Management (IAM) to let you provide more granular access to specific Google Cloud resources and prevent access to other resources. This page describes the roles and permissions for Data Transfer Essentials.

IAM lets you adopt the security principle of least privilege, so that you grant only the access to your resources that is necessary.

Roles are collections of IAM permissions. To make permissions available to principals, including users, groups, and service accounts, you grant roles to the principals. You can control who has what permissions to which resources by setting IAM policies. IAM policies grant specific roles to principals, thereby giving them certain permissions.

For detailed information about IAM roles, see Roles and permissions.

Predefined roles and permissions for Data Transfer Essentials

Data Transfer Essentials supports IAM permissions at the project level.

The following table lists Data Transfer Essentials IAM roles and the permissions that each role includes.

Role: Data Transfer Essentials Config Admin
(roles/networkconnectivity.multicloudDataTransferConfigAdmin)

Grants full control over Data Transfer Essentials resources

Permissions:
    networkconnectivity.multicloudDataTransferConfigs.*
    networkconnectivity.multicloudDataTransferDestinations.*
    networkconnectivity.multicloudDataTransferSupportedServices.*
    resourcemanager.projects.get
    resourcemanager.projects.list

Role: Data Transfer Essentials Config Viewer
(roles/networkconnectivity.multicloudDataTransferConfigViewer)

Grants read-only access to all Data Transfer Essentials resources

Permissions:
    networkconnectivity.multicloudDataTransferConfigs.get
    networkconnectivity.multicloudDataTransferConfigs.list
    networkconnectivity.multicloudDataTransferDestinations.get
    networkconnectivity.multicloudDataTransferDestinations.list
    networkconnectivity.multicloudDataTransferSupportedServices.*
    resourcemanager.projects.get
    resourcemanager.projects.list

Role: Destination Admin
(roles/networkconnectivity.multicloudDataTransferDestinationAdmin)

Grants full control over Data Transfer Essentials destinations

Permissions:
    networkconnectivity.multicloudDataTransferDestinations.*
    networkconnectivity.multicloudDataTransferSupportedServices.*
    resourcemanager.projects.get
    resourcemanager.projects.list

Role: Destination Viewer
(roles/networkconnectivity.multicloudDataTransferDestinationViewer)

Grants read-only access to all Data Transfer Essentials destinations

Permissions:
    networkconnectivity.multicloudDataTransferDestinations.get
    networkconnectivity.multicloudDataTransferDestinations.list
    networkconnectivity.multicloudDataTransferSupportedServices.*
    resourcemanager.projects.get
    resourcemanager.projects.list

Ensure that you have the required permissions for the other Google Cloud products that you use with Data Transfer Essentials.

Manage access control

To set access controls at the project level, follow these steps:

  1. In the Google Cloud console, go to the IAM page.

  2. Select your project.

  3. Click Grant access.

  4. In the New principals field, enter the email address of a new principal.

  5. Click Add roles, and then select the required role.

  6. Click Save.

  7. Verify that the principal is listed with the role that you granted.
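
An added example (not Google's code and not part of the original page) for the verification step above: it checks the bindings of a project IAM policy against the role table on this page and reports each principal whose granted role differs from the narrowest listed role that covers its declared need. The sample policy, the needs map, the breadth ranking and the permission name `Configs.create` are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

P = "networkconnectivity.multicloudDataTransfer"  # shared prefix of all names
COMMON = [P + "SupportedServices.*", "resourcemanager.projects.get",
          "resourcemanager.projects.list"]
ROLES = {  # role -> permission patterns, transcribed from this page's table
    "roles/" + P + "DestinationViewer":
        [P + "Destinations.get", P + "Destinations.list"] + COMMON,
    "roles/" + P + "ConfigViewer":
        [P + "Configs.get", P + "Configs.list",
         P + "Destinations.get", P + "Destinations.list"] + COMMON,
    "roles/" + P + "DestinationAdmin": [P + "Destinations.*"] + COMMON,
    "roles/" + P + "ConfigAdmin":
        [P + "Configs.*", P + "Destinations.*"] + COMMON,
}

def grants(role, permission):
    """True if one of the role's patterns (including '.*') covers permission."""
    return any(fnmatchcase(permission, pat) for pat in ROLES[role])

def least_privileged_role(required):
    """Narrowest listed role covering every required permission, else None."""
    ok = [r for r in ROLES if all(grants(r, p) for p in required)]
    # Assumed heuristic: fewer wildcards, then fewer patterns, means narrower.
    breadth = lambda r: (sum(p.endswith("*") for p in ROLES[r]), len(ROLES[r]))
    return min(ok, key=breadth) if ok else None

def audit(policy, needs):
    """(member, granted, suggested) per mismatch; suggested None = no declared need."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] not in ROLES:
            continue  # not a Data Transfer Essentials role
        for member in binding.get("members", []):
            req = needs.get(member)
            best = least_privileged_role(req) if req else None
            if best != binding["role"]:
                findings.append((member, binding["role"], best))
    return findings

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/" + P + "ConfigAdmin",
     "members": ["user:auditor@example.com", "user:deployer@example.com"]},
    {"role": "roles/" + P + "DestinationViewer",
     "members": ["group:netops@example.com"]}]}
SAMPLE_NEEDS = {  # constructed; "Configs.create" is a hypothetical permission name
    "user:auditor@example.com": [P + "Configs.list", P + "Destinations.get"],
    "user:deployer@example.com": [P + "Configs.create"],
    "group:netops@example.com": [P + "Destinations.list"],
}
print(audit(SAMPLE_POLICY, SAMPLE_NEEDS))
```

A finding whose suggested role is `None` means the principal holds a Data Transfer Essentials role without any declared need, which is a candidate for removal rather than downgrade.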

Identify the permissions in a role

To determine whether one or more permissions are included in a role, use one of the following methods: