Predefined roles
The following table describes Identity and Access Management (IAM) roles that are associated with Document AI Warehouse and lists the permissions that are contained in each role. Unless otherwise noted, these roles can be applied either to entire projects or specific documents.
Role | Permissions |
---|---|
contentwarehouse.documentCreator | resourcemanager.projects.get, resourcemanager.projects.list, contentwarehouse.documentSchemas.get, contentwarehouse.documentSchemas.list, contentwarehouse.documents.create |
contentwarehouse.documentViewer | resourcemanager.projects.get, resourcemanager.projects.list, contentwarehouse.documentSchemas.get, contentwarehouse.documents.get, contentwarehouse.documents.getIamPolicy |
contentwarehouse.documentEditor | Role contentwarehouse.documentViewer, contentwarehouse.documents.update |
contentwarehouse.documentAdmin | Role contentwarehouse.documentEditor, contentwarehouse.documents.create, contentwarehouse.documents.delete, contentwarehouse.documents.setIamPolicy |
contentwarehouse.admin | Role contentwarehouse.documentAdmin, contentwarehouse.documentSchemas.create, contentwarehouse.documentSchemas.delete, contentwarehouse.ruleSets.create, contentwarehouse.ruleSets.get, contentwarehouse.ruleSets.list, contentwarehouse.ruleSets.update, contentwarehouse.ruleSets.delete |
Basic roles
Basic roles are roles that existed prior to IAM. These roles have unique characteristics:
- Basic roles can only be granted for an entire project, not for individual objects within the project.
- Basic roles contain additional permissions for other Google Cloud services that are not covered in this section. For a general discussion of the permissions that basic roles grant, see basic roles.
- In some cases, basic roles can be used as if they were groups, which causes any principal that has the basic role to get additional access for some resources.
Custom roles
You might want to define your own roles that contain bundles of permissions that you specify. To support this, IAM offers custom roles.