Stay organized with collections
Save and categorize content based on your preferences.
Predefined roles
The following table describes Identity and Access Management (IAM)
roles that are
associated with Document AI Warehouse and lists the permissions that are contained in
each role. Unless otherwise noted, these roles can be applied either to entire
projects or specific documents.
Basic roles are roles that existed prior to IAM. These roles have unique
characteristics:
Basic roles can only be granted for an entire project, not for individual
objects within the project.
Basic roles contain additional permissions for other Google Cloud services
that are not covered in this section. For a general discussion of the
permissions that basic roles grant, see
basic roles.
In some cases, basic roles can be used as if they were groups, which causes
any principal that has the basic role to get additional access for some
resources.
Custom roles
You might want to define your own roles that contain bundles of permissions that
you specify. To support this, IAM offers
custom roles.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eDocument AI Warehouse will be discontinued on January 16, 2025, requiring users to migrate their data to an alternative service like Cloud Storage.\u003c/p\u003e\n"],["\u003cp\u003eDocument AI Warehouse offers predefined IAM roles, including \u003ccode\u003econtentwarehouse.documentCreator\u003c/code\u003e, \u003ccode\u003econtentwarehouse.documentViewer\u003c/code\u003e, \u003ccode\u003econtentwarehouse.documentEditor\u003c/code\u003e, \u003ccode\u003econtentwarehouse.documentAdmin\u003c/code\u003e, and \u003ccode\u003econtentwarehouse.admin\u003c/code\u003e, each with specific permissions.\u003c/p\u003e\n"],["\u003cp\u003eBasic roles, which predate IAM, apply only to entire projects and include permissions for other Google Cloud services.\u003c/p\u003e\n"],["\u003cp\u003eCustom roles allow for the creation of user-defined permission sets but are not supported when using document-level access control.\u003c/p\u003e\n"],["\u003cp\u003eThe role \u003ccode\u003econtentwarehouse.documentCreator\u003c/code\u003e is a parent-level role that can only be applied at the project level, whereas other roles may be applied at both the project and document levels.\u003c/p\u003e\n"]]],[],null,["# IAM roles and permissions\n\n| **Caution** : Document AI Warehouse is deprecated and will no longer be available on Google Cloud after January 16, 2025. To safeguard your data, migrate any documents currently saved in Document AI Warehouse to an alternative like Cloud Storage. Verify that your data migration is completed before the discontinuation date to prevent any data loss. See [Deprecations](/document-warehouse/docs/deprecations) for details.\n\n\u003cbr /\u003e\n\nPredefined roles\n----------------\n\nThe following table describes Identity and Access Management (IAM)\n[roles](https://cloud.google.com/iam/docs/understanding-roles) that are\nassociated with Document AI Warehouse and lists the permissions that are contained in\neach role. Unless otherwise noted, these roles can be applied either to entire\nprojects or specific documents.\n\n| **Note:** The role `roles/contentwarehouse.documentCreator` is a parent level role. Under Document AI Warehouse's current [resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) setting (Organization -\\\u003e Folders -\\\u003e Projects -\\\u003e \\[Locations\\] -\\\u003e Documents), this role will only be applied at the project level and not the document level. All the other roles can be applied at both the project level and the document level.\n\nBasic roles\n-----------\n\nBasic roles are roles that existed prior to IAM. These roles have unique\ncharacteristics:\n\n- Basic roles can only be granted for an entire project, not for individual objects within the project.\n- Basic roles contain additional permissions for other Google Cloud services that are not covered in this section. For a general discussion of the permissions that basic roles grant, see [basic roles](https://cloud.google.com/iam/docs/understanding-roles#basic).\n- In some cases, basic roles can be used as if they were groups, which causes any principal that has the basic role to get additional access for some resources.\n\nCustom roles\n------------\n\nYou might want to define your own roles that contain bundles of permissions that\nyou specify. To support this, IAM offers\n[custom roles](https://cloud.google.com/iam/docs/creating-custom-roles).\n| **Note:** Custom roles are not supported if you choose [Document-level access control](/document-warehouse/docs/manage-access-control#document-level-access-control) mode for your project."]]
