Dataplex defines several
Identity and Access Management (IAM) roles.
Each predefined role contains a set of IAM permissions that allow
principals to perform certain actions. You can use an IAM policy
to give a principal one or more IAM roles.
IAM also offers the ability to create customized roles. You can
create custom IAM roles and assign the role one
or more permissions. Then, you can grant the new
role to your principals. Use custom roles to create an access
control model that maps directly to your needs, alongside the available
predefined roles.
This document describes the IAM roles relevant to
Dataplex.
For a detailed description of IAM and its features, see the
IAM documentation.
About Dataplex roles
Dataplex IAM roles are a bundle of one or more
permissions. You grant roles to principals to allow them to perform actions on
the Dataplex resources in your project. For example, the
Dataplex Viewer role contains the dataplex.*.get and
dataplex.*.list permissions, which allow users to get and list Dataplex
resources in a project. For more information, see
Dataplex permissions.
You can apply Dataplex roles to any resources in the service
hierarchy, including projects, lakes, and data zones.
Basic roles
You can assign basic roles at the project level by using the IAM
Project roles. The following is the list of permissions associated with
IAM Project roles:
Project Owner: All Project Editor permissions, plus permissions to manage access control for the project (get/set IamPolicy) and to set up project billing.
Project Editor: All Project Viewer permissions, plus all project permissions for actions that modify state (create, delete, update, use).
Project Viewer: All project permissions for read-only actions that preserve state (get, list).
Predefined roles for Dataplex
Predefined roles contain the permissions that are needed to perform a task or
a group of related tasks.
Note the following:
If you're using Data Catalog, then the
Data Catalog entry access grants aren't carried over to the
universal catalog entries automatically. You must explicitly
grant access to the universal catalog entries before using them.
The Dataplex Administrator, Dataplex Editor, and Dataplex Viewer roles don't
provide access to universal catalog resources.
The Dataplex Catalog Admin, Dataplex Catalog Editor, and Dataplex Catalog
Viewer roles provide access to data catalog resources in
universal catalog, but don't provide access to metastore
resources.
No role grants permissions to add or delete universal catalog
entries from system-defined entry groups, such as @bigquery and @dataplex.
The Dataplex Entry Owner role includes the following:
Grants full access to entry-related operations.
Grants permissions to add aspects of some of the system aspect types,
such as Schema, Generic, Overview, and Contacts.
Grants permissions to create entries of the GenericEntry type.
This role lets you create an entry with an entry type and aspect type, where
the entry type and aspect type are defined in the same project as the entry.
Otherwise, additional Dataplex Entry Type User and Dataplex Aspect Type User
roles must be granted on the projects where the entry type and aspect type
are defined.
When using the LookupEntry method or the SearchEntries method, this role
doesn't grant permissions to read entries that are created from
Google Cloud resources outside of Dataplex, such as
BigQuery entries. To read these entries, you must be granted
permissions on the source system resources. Alternatively, you can read the
entries with only the Dataplex Entry Owner role by using the GetEntry
method.
To search for entries using the SearchEntries method, you must be granted
at least one of the universal catalog (Dataplex Catalog)
IAM roles on the project that is used in the API request.
Permissions on search results are checked independently of the selected project.
The following table lists the Dataplex predefined
roles and the permissions associated with each role.
Role
Permissions
Dataplex Administrator
(roles/dataplex.admin)
Full access to Dataplex resources, except Dataplex Catalog.
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.content.*
dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update
dataplex.dataAttributeBindings.*
dataplex.dataAttributeBindings.create
dataplex.dataAttributeBindings.delete
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.setIamPolicy
dataplex.dataAttributeBindings.update
dataplex.dataAttributes.*
dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.setIamPolicy
dataplex.dataAttributes.update
dataplex.dataTaxonomies.*
dataplex.dataTaxonomies.configureDataAccess
dataplex.dataTaxonomies.configureResourceAccess
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.setIamPolicy
dataplex.dataTaxonomies.update
dataplex.datascans.*
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.setIamPolicy
dataplex.datascans.update
dataplex.entities.*
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.entryGroups.export
dataplex.entryGroups.import
dataplex.environments.*
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.*
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update
dataplex.locations.*
dataplex.locations.get
dataplex.locations.list
dataplex.metadataJobs.*
dataplex.metadataJobs.cancel
dataplex.metadataJobs.create
dataplex.metadataJobs.get
dataplex.metadataJobs.list
dataplex.operations.*
dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
dataplex.partitions.*
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.tasks.*
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.setIamPolicy
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.*
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Aspect Type Owner
(roles/dataplex.aspectTypeOwner)
Grants access to creating and managing Aspect Types. Does not give the right to create/modify Entries.
datacatalog.migrationConfig.get
dataplex.aspectTypes.*
dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Aspect Type User
(roles/dataplex.aspectTypeUser)
Grants access to use Aspect Types to create/modify Entries with the corresponding aspects.
datacatalog.migrationConfig.get
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Binding Administrator
(roles/dataplex.bindingAdmin)
Full access on DataAttribute Binding resources.
dataplex.dataAttributeBindings.*
dataplex.dataAttributeBindings.create
dataplex.dataAttributeBindings.delete
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.setIamPolicy
dataplex.dataAttributeBindings.update
Dataplex Catalog Admin
(roles/dataplex.catalogAdmin)
Has full access to Catalog resources.
datacatalog.migrationConfig.get
dataplex.aspectTypes.*
dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.*
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.export
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.import
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.*
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Catalog Editor
(roles/dataplex.catalogEditor)
Has write access to Catalog resources. Cannot set IAM policies on resources.
datacatalog.migrationConfig.get
dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.update
dataplex.entryTypes.use
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Catalog Viewer
(roles/dataplex.catalogViewer)
Has read access to Catalog resources: Entry Groups, Entry Types, Aspect Types, Entry Link Types, Entries and Entry Links. Can view IAM policies on Catalog resources.
datacatalog.migrationConfig.get
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.entries.get
dataplex.entries.list
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Data Owner
(roles/dataplex.dataOwner)
Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.writeData
Dataplex Data Reader
(roles/dataplex.dataReader)
Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.readData
Dataplex DataScan Administrator
(roles/dataplex.dataScanAdmin)
Full access to DataScan resources.
dataplex.datascans.*
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.setIamPolicy
dataplex.datascans.update
dataplex.operations.get
dataplex.operations.list
Dataplex DataScan Creator
(roles/dataplex.dataScanCreator)
Access to create new DataScan resources.
dataplex.datascans.create
dataplex.datascans.get
dataplex.datascans.list
dataplex.operations.get
Dataplex DataScan DataViewer
(roles/dataplex.dataScanDataViewer)
Read access to DataScan resources and additional contents.
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
Dataplex DataScan Editor
(roles/dataplex.dataScanEditor)
Write access to DataScan resources.
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.update
dataplex.operations.get
dataplex.operations.list
Dataplex DataScan Viewer
(roles/dataplex.dataScanViewer)
Read access to DataScan resources.
dataplex.datascans.get
dataplex.datascans.getIamPolicy
dataplex.datascans.list
Dataplex Data Writer
(roles/dataplex.dataWriter)
Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.writeData
Dataplex Developer
(roles/dataplex.developer)
Allows running data analytics workloads in a lake.
dataplex.content.*
dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.list
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.update
Dataplex Editor
(roles/dataplex.editor)
Write access to Dataplex resources.
cloudasset.assets.analyzeIamPolicy
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.update
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.dataAttributeBindings.create
dataplex.dataAttributeBindings.delete
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.update
dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.update
dataplex.dataTaxonomies.configureDataAccess
dataplex.dataTaxonomies.configureResourceAccess
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.update
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.update
dataplex.operations.*
dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.update
Dataplex Encryption Admin
(roles/dataplex.encryptionAdmin)
Gives user permissions to manage encryption config.
dataplex.encryptionConfig.*
dataplex.encryptionConfig.create
dataplex.encryptionConfig.delete
dataplex.encryptionConfig.get
dataplex.encryptionConfig.list
dataplex.encryptionConfig.update
dataplex.operations.get
dataplex.operations.list
Dataplex Entry Group Exporter
(roles/dataplex.entryGroupExporter)
Grants access to export this entry group for Metadata Job processing.
dataplex.entryGroups.export
dataplex.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Group Importer
(roles/dataplex.entryGroupImporter)
Grants access to import this entry group for Metadata Job processing.
dataplex.entryGroups.get
dataplex.entryGroups.import
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Group Owner
(roles/dataplex.entryGroupOwner)
Owns Entry Groups and Entries inside of them.
datacatalog.migrationConfig.get
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.*
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.export
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.import
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry and EntryLink Owner
(roles/dataplex.entryOwner)
Owns Metadata Entries and EntryLinks.
datacatalog.migrationConfig.get
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update
dataplex.entryGroups.get
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Type Owner
(roles/dataplex.entryTypeOwner)
Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries.
datacatalog.migrationConfig.get
dataplex.entryTypes.*
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Type User
(roles/dataplex.entryTypeUser)
Grants access to use Entry Types to create/modify Entries of those types.
datacatalog.migrationConfig.get
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Metadata Job Owner
(roles/dataplex.metadataJobOwner)
Grants access to creating and managing Metadata Jobs. Does not give the right to create/modify Entry Groups.
dataplex.metadataJobs.*
dataplex.metadataJobs.cancel
dataplex.metadataJobs.create
dataplex.metadataJobs.get
dataplex.metadataJobs.list
dataplex.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Metadata Job Viewer
(roles/dataplex.metadataJobViewer)
Read access to Metadata Job resources.
dataplex.metadataJobs.get
dataplex.metadataJobs.list
dataplex.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Metadata Reader
(roles/dataplex.metadataReader)
Read only access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.get
dataplex.entities.list
dataplex.partitions.get
dataplex.partitions.list
dataplex.zones.get
dataplex.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Metadata Writer
(roles/dataplex.metadataWriter)
Write and Read access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.*
dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update
dataplex.partitions.*
dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update
dataplex.zones.get
dataplex.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Security Administrator
(roles/dataplex.securityAdmin)
Permissions to configure ResourceAccess and DataAccess specs on Data Attributes.
dataplex.dataTaxonomies.configureDataAccess
dataplex.dataTaxonomies.configureResourceAccess
Dataplex Storage Data Owner
(roles/dataplex.storageDataOwner)
Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.datasets.get
bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Dataplex Storage Data Reader
(roles/dataplex.storageDataReader)
Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.datasets.get
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
storage.buckets.get
storage.objects.get
storage.objects.list
Dataplex Storage Data Writer
(roles/dataplex.storageDataWriter)
Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.tables.updateData
storage.objects.create
storage.objects.delete
storage.objects.update
Dataplex Taxonomy Administrator
(roles/dataplex.taxonomyAdmin)
Full access to DataTaxonomy, DataAttribute resources.
dataplex.dataAttributes.*
dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.setIamPolicy
dataplex.dataAttributes.update
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.setIamPolicy
dataplex.dataTaxonomies.update
Dataplex Taxonomy Viewer
(roles/dataplex.taxonomyViewer)
Read access on DataTaxonomy, DataAttribute resources.
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
Dataplex Viewer
(roles/dataplex.viewer)
Read access to Dataplex resources.
cloudasset.assets.analyzeIamPolicy
dataplex.assetActions.list
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.datascans.get
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.lakeActions.list
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.operations.get
dataplex.operations.list
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.zoneActions.list
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
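As an added example (not code from the Dataplex documentation), the following Python audit reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns and applies a subset of the role table above: it answers which principals hold a given Dataplex permission, flags bindings whose role can set IAM policy on Dataplex resources (and so regrant access), and flags direct bindings of the storageData* roles that the table says should not be used directly. The sample policy, principals and etag are constructed.

```python
import fnmatch
import json

# Subset of the predefined-roles table above, transcribed as the page lists it.
# A wildcard such as dataplex.lakes.* stands for every dataplex.lakes.<verb> the
# table expands it to; roles omitted here are treated as granting nothing.
ROLE_PERMISSIONS = {
    "roles/dataplex.admin": {
        "dataplex.assets.setIamPolicy", "dataplex.content.*", "dataplex.datascans.*",
        "dataplex.environments.*", "dataplex.lakes.*", "dataplex.tasks.*", "dataplex.zones.*",
    },
    "roles/dataplex.editor": {
        "dataplex.assets.update", "dataplex.datascans.run", "dataplex.lakes.getIamPolicy",
        "dataplex.lakes.update", "dataplex.operations.*", "dataplex.zones.update",
    },
    "roles/dataplex.viewer": {
        "dataplex.datascans.get", "dataplex.lakes.get", "dataplex.lakes.getIamPolicy",
        "dataplex.zones.get",
    },
    "roles/dataplex.catalogAdmin": {
        "dataplex.aspectTypes.*", "dataplex.entries.*", "dataplex.entryGroups.*",
        "dataplex.entryTypes.*",
    },
    "roles/dataplex.catalogEditor": {
        "dataplex.entries.*", "dataplex.entryGroups.create", "dataplex.entryGroups.getIamPolicy",
    },
    "roles/dataplex.storageDataOwner": {"bigquery.tables.getData", "storage.objects.delete"},
}

# Roles the table says should not be used directly: Dataplex grants them itself to the
# Cloud Storage buckets and BigQuery datasets it manages.
DATAPLEX_MANAGED_ROLES = {"roles/dataplex.storageDataOwner", "roles/dataplex.storageDataReader",
                          "roles/dataplex.storageDataWriter"}

# Resource types whose setIamPolicy permission appears in the table above
# (dataplex.entries.* has no setIamPolicy member, so "entries" is deliberately absent).
IAM_SETTABLE_RESOURCES = (
    "assets", "aspectTypes", "content", "dataAttributeBindings", "dataAttributes",
    "dataTaxonomies", "datascans", "entryGroups", "entryTypes", "environments",
    "lakes", "tasks", "zones",
)

def role_grants(role, permission):
    """True if ROLE contains PERMISSION, honouring the table's <resource>.* wildcards."""
    return any(fnmatch.fnmatchcase(permission, pattern)
               for pattern in ROLE_PERMISSIONS.get(role, ()))

def set_iam_policy_permissions(role):
    """The dataplex.<resource>.setIamPolicy permissions ROLE carries, i.e. where it can regrant access."""
    candidates = (f"dataplex.{r}.setIamPolicy" for r in IAM_SETTABLE_RESOURCES)
    return sorted(p for p in candidates if role_grants(role, p))

def members_with_permission(policy, permission):
    """Principals whose bound role grants PERMISSION: answers 'who can run data scans here?'."""
    members = set()
    for binding in policy.get("bindings", []):
        if role_grants(binding["role"], permission):
            members.update(binding.get("members", []))
    return sorted(members)

def audit_policy(policy):
    """Findings for a policy dict in `gcloud projects get-iam-policy PROJECT --format=json`
    shape: bindings whose role can set IAM policy on Dataplex resources, and direct
    bindings of the Dataplex-managed storageData* roles. Conditional bindings are
    reported too, with the condition title, since a condition narrows but does not remove access."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        condition = binding.get("condition", {}).get("title")
        setters = set_iam_policy_permissions(role)
        for member in binding.get("members", []):
            if setters:
                findings.append({"member": member, "role": role, "condition": condition,
                                 "issue": "can_set_iam_policy", "permissions": setters})
            if role in DATAPLEX_MANAGED_ROLES:
                findings.append({"member": member, "role": role, "condition": condition,
                                 "issue": "managed_role_bound_directly", "permissions": []})
    return findings

# Constructed sample policy in get-iam-policy JSON shape (no real project or principal).
SAMPLE_POLICY = json.loads("""{"version": 1, "etag": "BwConstructedEtag=", "bindings": [
  {"role": "roles/dataplex.viewer", "members": ["group:analysts@example.com"]},
  {"role": "roles/dataplex.admin", "members": ["user:alice@example.com"]},
  {"role": "roles/dataplex.catalogEditor",
   "members": ["serviceAccount:ingest@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/dataplex.storageDataOwner", "members": ["user:bob@example.com"]}]}""")
```

On the sample policy, `audit_policy(SAMPLE_POLICY)` reports alice (Dataplex Administrator, seven setIamPolicy permissions) and bob (storageDataOwner bound directly); `members_with_permission(SAMPLE_POLICY, "dataplex.datascans.run")` returns only alice.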
Predefined roles for data lineage
To access the lineage for any universal catalog entry, you need
access to the entry in Dataplex. To access the
universal catalog entry, you need a viewer role on the corresponding
system resource or the
Dataplex Catalog Viewer role
(roles/dataplex.catalogViewer) on the project that stores the
universal catalog entry. This section describes roles that are required to
view the lineage.
Lineage viewer role
The Data Lineage Viewer role
(roles/datalineage.viewer) lets you view Dataplex
lineage in the Google Cloud console and read lineage information using
the Data Lineage API. The
runs and events for a given process are all stored in the same project as the
process. In the case of automated lineage,
the process, runs, and events
are stored in the project in which the job that generated the lineage was
running. This could be, for example, the project in which a BigQuery job
was running.
You need different roles to view the lineage between assets and to view metadata
of the assets. For the former, you need the
Data Lineage Viewer role (roles/datalineage.viewer).
For the latter, you need the same roles as used for accessing metadata entries
in Dataplex.
Roles to view lineage between two assets
To view lineage between assets, you need the
Data Lineage Viewer role (roles/datalineage.viewer)
on the following projects:
The project in which you're viewing lineage (known as the active project),
that is, the project selected in the drop-down at the top of the Google Cloud console or
the project from which API calls are made. This would normally be the
project that contains the resources you will create in
universal catalog or access in other Google Cloud systems
with the API.
The projects in which lineage is recorded (known as compute projects).
Lineage is stored in the project in which the corresponding process was
executed, as described earlier. This project can be different from the project
that stores the asset that you're viewing lineage for.
For more information about granting roles, see Manage access.
You might also be able to get the required permissions through
custom roles or other predefined roles.
Depending on the use case, grant the Data Lineage Viewer role (roles/datalineage.viewer)
on the folder or organization level to ensure access to the lineage (see Grant or revoke a single role).
Roles required for data lineage can be granted only through
the Google Cloud CLI.
Roles to view asset metadata when viewing lineage
When metadata about an asset is stored in universal catalog, you can only
view that metadata if you have a viewer role on the corresponding
system resource
or the Dataplex Catalog Viewer role (roles/dataplex.catalogViewer)
on the project in which the universal catalog entry is stored. You
might have access to assets on the lineage graph or list through appropriate
viewer roles but no access to the lineage between them. This is the case when
you don't have the Data Lineage Viewer role (roles/datalineage.viewer)
on the project in which the lineage was recorded. In this case, the
Data Lineage API and the Google Cloud console don't show the lineage and
don't return an error, to prevent leaking information about the existence of
lineage. Therefore, absence of lineage for an asset doesn't mean that there is
no lineage for that asset; it might mean that you don't have access to that lineage.
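Because the API and console hide lineage without returning an error, the first troubleshooting step is to check the grants the two sections above require. The following Python helper is an added example (not from the Dataplex documentation): given a constructed flat view of project-level bindings, it lists the missing grants for the active project, the compute project where the lineage was recorded, and the project that stores the universal catalog entry, and renders them as gcloud commands since the page notes lineage roles are granted only through the Google Cloud CLI. The project IDs and principal below are constructed.

```python
LINEAGE_VIEWER = "roles/datalineage.viewer"
CATALOG_VIEWER = "roles/dataplex.catalogViewer"

def has_role(grants, member, project, role):
    """GRANTS is a constructed flat view of project-level IAM bindings: a set of
    (member, project, role) tuples, as you would collect from get-iam-policy on each project."""
    return (member, project, role) in grants

def missing_lineage_grants(grants, member, active_project, compute_project,
                           entry_project, has_source_viewer=False):
    """Grants MEMBER still needs to see lineage and the assets on the graph.

    Lineage between assets needs roles/datalineage.viewer on both the active project
    (console drop-down or API caller) and the compute project where the process, runs
    and events were recorded. Asset metadata needs a viewer role on the source system
    resource (HAS_SOURCE_VIEWER) or roles/dataplex.catalogViewer on the project that
    stores the universal catalog entry. An empty result means lineage should display."""
    missing = []
    for project in dict.fromkeys((active_project, compute_project)):  # dedupe, keep order
        if not has_role(grants, member, project, LINEAGE_VIEWER):
            missing.append((project, LINEAGE_VIEWER))
    if not has_source_viewer and not has_role(grants, member, entry_project, CATALOG_VIEWER):
        missing.append((entry_project, CATALOG_VIEWER))
    return missing

def gcloud_commands(member, missing):
    """Render the missing grants as gcloud CLI commands for review before running."""
    return [
        f"gcloud projects add-iam-policy-binding {project} --member={member} --role={role}"
        for project, role in missing
    ]

# Constructed scenario: the BigQuery job ran in analytics-compute, the entries live in
# data-platform, and the user's console is pointed at data-platform (the active project).
MEMBER = "user:dana@example.com"
GRANTS = {
    (MEMBER, "data-platform", LINEAGE_VIEWER),
    (MEMBER, "data-platform", CATALOG_VIEWER),
}

if __name__ == "__main__":
    need = missing_lineage_grants(GRANTS, MEMBER, active_project="data-platform",
                                  compute_project="analytics-compute",
                                  entry_project="data-platform")
    for command in gcloud_commands(MEMBER, need):
        print(command)
```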
Data Lineage Events Producer role
The Data Lineage Events Producer role
(roles/datalineage.producer) lets users manually record lineage
information using the Data Lineage API.
Data Lineage Editor role
The Data Lineage Editor role
(roles/datalineage.editor) lets users manually modify lineage
information using the Data Lineage API.
Data Lineage Administrator role
The Data Lineage Administrator role
(roles/datalineage.admin) lets users perform all lineage operations
listed in this section.
Data roles
Dataplex defines the following IAM roles
that are intended to be applied to any resource managed by Dataplex.
For more information about the permissions that are associated with each role,
see the Predefined roles section
of this document.
Dataplex Data Owner (roles/dataplex.dataOwner)
Capabilities: All permissions on the managed resource, and all permissions on all child resources (regardless of the resource type).
Justification: Data owners can update resource metadata, grant higher granularity permissions (for example, on child tables of a BigQuery dataset), and create child resources, in addition to various other permissions. They have complete ownership of the resource.
Dataplex Data Reader (roles/dataplex.dataReader)
Capabilities: Ability to read data in the managed resource and its children, and ability to read metadata of the managed resource and its children.
Justification: Enables reading data and metadata.
Dataplex Data Writer (roles/dataplex.dataWriter)
Capabilities: Ability to create, update, and delete data (not metadata).