IAM roles and permissions

Predefined roles

The following table describes Identity and Access Management (IAM) roles that are associated with Document AI Warehouse and lists the permissions that are contained in each role. Unless otherwise noted, these roles can be applied either to entire projects or specific documents.

Role                               Permissions

contentwarehouse.documentCreator   resourcemanager.projects.get
                                   resourcemanager.projects.list
                                   contentwarehouse.documentSchemas.get
                                   contentwarehouse.documentSchemas.list
                                   contentwarehouse.documents.create

contentwarehouse.documentViewer    resourcemanager.projects.get
                                   resourcemanager.projects.list
                                   contentwarehouse.documentSchemas.get
                                   contentwarehouse.documents.get
                                   contentwarehouse.documents.getIamPolicy

contentwarehouse.documentEditor    Role contentwarehouse.documentViewer
                                   contentwarehouse.documents.update

contentwarehouse.documentAdmin     Role contentwarehouse.documentEditor
                                   contentwarehouse.documents.create
                                   contentwarehouse.documents.delete
                                   contentwarehouse.documents.setIamPolicy

contentwarehouse.admin             Role contentwarehouse.documentAdmin
                                   contentwarehouse.documentSchemas.create
                                   contentwarehouse.documentSchemas.delete
                                   contentwarehouse.ruleSets.create
                                   contentwarehouse.ruleSets.get
                                   contentwarehouse.ruleSets.list
                                   contentwarehouse.ruleSets.update
                                   contentwarehouse.ruleSets.delete
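
Several roles in the table include another role, so the permissions a principal actually receives are only visible after the nesting is expanded. The following is an added example, not code from the Document AI Warehouse documentation: it transcribes the table, resolves each role to its effective permissions, and picks the smallest predefined role that covers a required set. The helper names and the shortened role keys are assumptions made for the example.

```python
"""Expand the nested predefined roles from the table into effective permissions."""

CW = "contentwarehouse."
PROJECT = ["resourcemanager.projects.get", "resourcemanager.projects.list"]

# Transcribed from the table. Keys drop the "contentwarehouse." prefix.
# Value: (included role or None, permissions listed directly on the role).
ROLES = {
    "documentCreator": (None, PROJECT + [CW + p for p in (
        "documentSchemas.get", "documentSchemas.list", "documents.create")]),
    "documentViewer": (None, PROJECT + [CW + p for p in (
        "documentSchemas.get", "documents.get", "documents.getIamPolicy")]),
    "documentEditor": ("documentViewer", [CW + "documents.update"]),
    "documentAdmin": ("documentEditor", [CW + p for p in (
        "documents.create", "documents.delete", "documents.setIamPolicy")]),
    "admin": ("documentAdmin", [CW + p for p in (
        "documentSchemas.create", "documentSchemas.delete", "ruleSets.create",
        "ruleSets.get", "ruleSets.list", "ruleSets.update", "ruleSets.delete")]),
}


def effective_permissions(role, seen=()):
    """Return the full permission set of a role, following included roles."""
    if role in seen:
        raise ValueError("cyclic role inclusion: " + " -> ".join(seen + (role,)))
    parent, direct = ROLES[role]
    perms = set(direct)
    if parent is not None:
        perms |= effective_permissions(parent, seen + (role,))
    return perms


def roles_granting(permission):
    """List every role that grants a permission, directly or by inclusion."""
    return sorted(r for r in ROLES if permission in effective_permissions(r))


def least_privileged_role(required):
    """Smallest role covering all required permissions, or None if none does."""
    required = set(required)
    fits = [(len(effective_permissions(r)), r) for r in ROLES
            if required <= effective_permissions(r)]
    return min(fits)[1] if fits else None


if __name__ == "__main__":
    # Roles whose holders can change access to documents.
    print(roles_granting(CW + "documents.setIamPolicy"))
    # No single role in the table covers this pair, so the result is None.
    print(least_privileged_role([CW + "documentSchemas.list", CW + "documents.get"]))
```

When least_privileged_role returns None, no single predefined role in the table covers the request, so the choice is between granting two roles and defining a custom role.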

Basic roles

Basic roles are roles that existed prior to IAM. These roles have unique characteristics:

  • Basic roles can only be granted for an entire project, not for individual objects within the project.
  • Basic roles contain additional permissions for other Google Cloud services that are not covered in this section. For a general discussion of the permissions that basic roles grant, see basic roles.
  • In some cases, basic roles can be used as if they were groups, which causes any principal that has the basic role to get additional access for some resources.

Custom roles

You might want to define your own roles that contain bundles of permissions that you specify. To support this, IAM offers custom roles.