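The Dialogflow Console provides the Agent Admin role to the user who created the agent. This user automatically gets the IAM Project Owner role in the project associated with the agent.
Agent Admins can add Developers and Reviewers to the agent in the Dialogflow Console. When the Developer or Reviewer role is granted in the Dialogflow Console, the user gets the IAM Project Editor role or the IAM Project Viewer role, respectively. Alternatively, you can add Developers and Reviewers to the agent by granting users the corresponding IAM Project Editor or IAM Project Viewer role in the Google Cloud console.
There are some situations in which you must use the Google Cloud console:
If you want to change the Admin, add multiple Admins for one agent, or remove Admins for an agent, you need to use the Google Cloud console.
If you have integrations with other Google Cloud resources, like Cloud Functions, and you don't want to grant full project access to an application, you must assign the Dialogflow API roles (Admin, Client, or Reader) in the Google Cloud console for IAM.
A subset of IAM roles have corresponding Dialogflow Console roles.
If you want to grant a role that does not exist on the Dialogflow Console, you need to use the Google Cloud console.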
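The following audit sketch is an added example, not part of the original documentation. It reads a project IAM policy, lists the members holding Project Owner (the Agent Admins), and flags service accounts that hold a project-wide basic role where a Dialogflow API role would do. The member emails and project name are constructed; the role IDs are the standard IAM identifiers for the roles named above.

```python
import json

# Basic project roles and the Dialogflow Console role each one corresponds to.
CONSOLE_ROLE_FOR = {"roles/owner": "Agent Admin",
                    "roles/editor": "Developer",
                    "roles/viewer": "Reviewer"}
# Dialogflow API roles (Admin, Client, Reader), scoped to Dialogflow only.
DIALOGFLOW_API_ROLES = {"roles/dialogflow.admin",
                        "roles/dialogflow.client",
                        "roles/dialogflow.reader"}

# Constructed sample, shaped like the output of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner",  "members": ["user:alice@example.com"]},
  {"role": "roles/editor", "members": ["user:bob@example.com",
      "serviceAccount:webhook-fn@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": ["user:carol@example.com"]},
  {"role": "roles/dialogflow.client", "members": [
      "serviceAccount:chat-frontend@example-project.iam.gserviceaccount.com",
      "serviceAccount:webhook-fn@example-project.iam.gserviceaccount.com"]}
]}
""")

def roles_by_member(policy):
    """Invert the policy's bindings into {member: set(roles)}."""
    index = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            index.setdefault(member, set()).add(binding["role"])
    return index

def agent_admins(policy):
    """Members holding Project Owner, i.e. Agent Admin for the project's agent."""
    return sorted(m for m, r in roles_by_member(policy).items() if "roles/owner" in r)

def overprivileged_service_accounts(policy):
    """Service accounts holding a project-wide basic role."""
    findings = []
    for member, roles in sorted(roles_by_member(policy).items()):
        basic = sorted(roles & set(CONSOLE_ROLE_FOR))
        if member.startswith("serviceAccount:") and basic:
            findings.append({"member": member, "basic_roles": basic,
                             "console_equivalent": [CONSOLE_ROLE_FOR[r] for r in basic],
                             "dialogflow_roles": sorted(roles & DIALOGFLOW_API_ROLES)})
    return findings

if __name__ == "__main__":
    print("Agent Admins:", agent_admins(SAMPLE_POLICY))
    for f in overprivileged_service_accounts(SAMPLE_POLICY):
        print("Review:", f["member"], f["basic_roles"], "also has", f["dialogflow_roles"])
```

A flagged service account that already holds a Dialogflow API role, like the webhook account in the sample, is a candidate for dropping the basic role once you confirm it needs nothing else in the project.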
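Roles
The following table lists common roles relevant to Dialogflow, the correlation between the Dialogflow Console roles and the IAM roles, and details about permissions.
You can provide permissions to either users or service accounts by granting them roles on your Google Cloud project. Users are added by providing their email address.
Service accounts are likewise added by providing their associated email address.
You need to add service account members when you want to use one service account for multiple projects and agents.
To find the email address associated with your service account, see the IAM Service Accounts page in the Google Cloud console.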
Last updated (UTC): 2025-08-18.