Questa pagina descrive i ruoli e le autorizzazioni di Identity and Access Management (IAM) necessari per acquistare e gestire i prodotti commerciali su Cloud Marketplace.
Con IAM, gestisci il controllo dell'accesso definendo chi (identità) ha quale accesso (ruolo) per quale risorsa. Per le app commerciali su Cloud Marketplace, gli utenti della tua organizzazione Google Cloud richiedono i ruoli IAM per registrarsi ai piani di Cloud Marketplace e apportare modifiche ai piani di fatturazione.
Prima di iniziare
- Per concedere i ruoli e le autorizzazioni di Cloud Marketplace utilizzando
gcloud, installa
l'interfaccia a riga di comando gcloud. In caso contrario, puoi concedere i ruoli utilizzando la console Google Cloud.
Ruoli IAM per l'acquisto e la gestione dei prodotti
Ti consigliamo di assegnare il ruolo IAM
Amministratore account di fatturazione
agli utenti che acquistano servizi da
Cloud Marketplace.
Gli utenti che vogliono accedere ai servizi devono disporre almeno del ruolo Visualizzatore.
Per un controllo più granulare sulle autorizzazioni degli utenti, puoi
creare ruoli personalizzati con le autorizzazioni che vuoi
concedere.
Requisiti specifici del prodotto
Per utilizzare i seguenti servizi in un progetto Google Cloud, devi disporre del ruolo
Editor del progetto:
- Google Cloud Dataprep di Trifacta
- Neo4j Aura Professional
Elenco di ruoli e autorizzazioni IAM
Puoi concedere agli utenti uno o più dei seguenti ruoli IAM.
A seconda del ruolo che concedi agli utenti, devi anche assegnarlo a un progetto, a un'organizzazione o a un account di fatturazione Google Cloud. Per maggiori dettagli, consulta la sezione Concedere ruoli IAM agli utenti.
| Role |
Permissions |
Commerce Business Enablement Configuration Admin
Beta
(roles/commercebusinessenablement.admin)
Admin of Various Provider Configuration resources
|
commercebusinessenablement.leadgenConfig.*
commercebusinessenablement.leadgenConfig.getcommercebusinessenablement.leadgenConfig.update
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.getcommercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.*
commercebusinessenablement.resellerConfig.getcommercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.*
commercebusinessenablement.resellerRestrictions.listcommercebusinessenablement.resellerRestrictions.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Admin
Beta
(roles/commercebusinessenablement.paymentConfigAdmin)
Administration of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.*
commercebusinessenablement.paymentConfig.getcommercebusinessenablement.paymentConfig.update
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Viewer
Beta
(roles/commercebusinessenablement.paymentConfigViewer)
Viewer of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Rebates Admin
Beta
(roles/commercebusinessenablement.rebatesAdmin)
Provides admin access to rebates
|
commercebusinessenablement.operations.*
commercebusinessenablement.operations.cancelcommercebusinessenablement.operations.deletecommercebusinessenablement.operations.getcommercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.*
commercebusinessenablement.refunds.cancelcommercebusinessenablement.refunds.createcommercebusinessenablement.refunds.deletecommercebusinessenablement.refunds.getcommercebusinessenablement.refunds.listcommercebusinessenablement.refunds.startcommercebusinessenablement.refunds.update
|
Commerce Business Enablement Rebates Viewer
Beta
(roles/commercebusinessenablement.rebatesViewer)
Provides read-only access to rebates
|
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
|
Commerce Business Enablement Reseller Discount Admin
Beta
(roles/commercebusinessenablement.resellerDiscountAdmin)
Provides admin access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.getcommercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.*
commercebusinessenablement.resellerDiscountOffers.cancelcommercebusinessenablement.resellerDiscountOffers.createcommercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.*
commercebusinessenablement.resellerPrivateOfferPlans.cancelcommercebusinessenablement.resellerPrivateOfferPlans.createcommercebusinessenablement.resellerPrivateOfferPlans.deletecommercebusinessenablement.resellerPrivateOfferPlans.getcommercebusinessenablement.resellerPrivateOfferPlans.listcommercebusinessenablement.resellerPrivateOfferPlans.publishcommercebusinessenablement.resellerPrivateOfferPlans.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Reseller Discount Viewer
Beta
(roles/commercebusinessenablement.resellerDiscountViewer)
Provides read-only access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.getcommercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Configuration Viewer
Beta
(roles/commercebusinessenablement.viewer)
Viewer of Various Provider Configuration resource
|
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.getcommercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerRestrictions.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Offer Catalog Offers Viewer
Beta
(roles/commerceoffercatalog.offersViewer)
Allows viewing offers
|
commerceoffercatalog.*
commerceoffercatalog.agreements.getcommerceoffercatalog.agreements.listcommerceoffercatalog.documents.getcommerceoffercatalog.documents.listcommerceoffercatalog.offers.get
|
Commerce Organization Governance Admin
Beta
(roles/commerceorggovernance.admin)
Full access to Organization Governance APIs
|
commerceorggovernance.*
commerceorggovernance.collectionRequestApprovals.listcommerceorggovernance.collectionRequestApprovals.reviewcommerceorggovernance.collections.createcommerceorggovernance.collections.deletecommerceorggovernance.collections.getcommerceorggovernance.collections.listcommerceorggovernance.collections.updatecommerceorggovernance.consumerSharingPolicies.getcommerceorggovernance.consumerSharingPolicies.updatecommerceorggovernance.organizationSettings.getcommerceorggovernance.organizationSettings.updatecommerceorggovernance.populateCollectionJobs.createcommerceorggovernance.populateCollectionJobs.listcommerceorggovernance.populateCollectionJobs.runcommerceorggovernance.populateCollectionJobs.updatecommerceorggovernance.services.getcommerceorggovernance.services.listcommerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.getconsumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Governed Marketplace User
Beta
(roles/commerceorggovernance.user)
Full access to Governed Marketplace features.
|
commerceorggovernance.services.*
commerceorggovernance.services.getcommerceorggovernance.services.listcommerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.getconsumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Organization Governance Viewer
Beta
(roles/commerceorggovernance.viewer)
Full access to Organization Governance read-only APIs.
|
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.organizationSettings.get
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.services.get
commerceorggovernance.services.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.getconsumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Events Viewer
Beta
(roles/commercepricemanagement.eventsViewer)
Allows viewing key events for an offer
|
commerceprice.events.*
commerceprice.events.getcommerceprice.events.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Private Offers Admin
Beta
(roles/commercepricemanagement.privateOffersAdmin)
Allows managing private offers
|
commerceagreementpublishing.*
commerceagreementpublishing.agreements.createcommerceagreementpublishing.agreements.deletecommerceagreementpublishing.agreements.getcommerceagreementpublishing.agreements.listcommerceagreementpublishing.agreements.updatecommerceagreementpublishing.documents.createcommerceagreementpublishing.documents.deletecommerceagreementpublishing.documents.getcommerceagreementpublishing.documents.listcommerceagreementpublishing.documents.update
commerceprice.*
commerceprice.events.getcommerceprice.events.listcommerceprice.privateoffers.cancelcommerceprice.privateoffers.createcommerceprice.privateoffers.deletecommerceprice.privateoffers.getcommerceprice.privateoffers.listcommerceprice.privateoffers.publishcommerceprice.privateoffers.sendEmailcommerceprice.privateoffers.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Price Management Viewer
Beta
(roles/commercepricemanagement.viewer)
Allows viewing offers, free trials, skus
|
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceprice.privateoffers.get
commerceprice.privateoffers.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Producer Admin
Beta
(roles/commerceproducer.admin)
Grants full access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Producer Viewer
Beta
(roles/commerceproducer.viewer)
Grants read access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Consumer Procurement Entitlement Manager
(roles/consumerprocurement.entitlementManager)
Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer
project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.*
consumerprocurement.entitlements.getconsumerprocurement.entitlements.list
consumerprocurement.freeTrials.*
consumerprocurement.freeTrials.createconsumerprocurement.freeTrials.getconsumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Entitlement Viewer
(roles/consumerprocurement.entitlementViewer)
Allows inspecting entitlements and service states for a consumer project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.getconsumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Events Viewer
(roles/consumerprocurement.eventsViewer)
Allows viewing key events for an offer
|
consumerprocurement.events.*
consumerprocurement.events.getconsumerprocurement.events.list
|
Consumer Procurement License Pool Editor
(roles/consumerprocurement.licensePoolEditor)
Allows managing license pools and license assignments.
|
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assignconsumerprocurement.licensePools.enumerateLicensedUsersconsumerprocurement.licensePools.getconsumerprocurement.licensePools.unassignconsumerprocurement.licensePools.update
|
Consumer Procurement License Pool Viewer
(roles/consumerprocurement.licensePoolViewer)
Allows viewing license pools and license assignments.
|
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
|
Consumer Procurement Order Administrator
(roles/consumerprocurement.orderAdmin)
Allows managing purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.getcommerceoffercatalog.agreements.listcommerceoffercatalog.documents.getcommerceoffercatalog.documents.listcommerceoffercatalog.offers.get
consumerprocurement.accounts.*
consumerprocurement.accounts.createconsumerprocurement.accounts.deleteconsumerprocurement.accounts.getconsumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.events.*
consumerprocurement.events.getconsumerprocurement.events.list
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assignconsumerprocurement.licensePools.enumerateLicensedUsersconsumerprocurement.licensePools.getconsumerprocurement.licensePools.unassignconsumerprocurement.licensePools.update
consumerprocurement.orderAttributions.*
consumerprocurement.orderAttributions.getconsumerprocurement.orderAttributions.listconsumerprocurement.orderAttributions.update
consumerprocurement.orders.*
consumerprocurement.orders.cancelconsumerprocurement.orders.getconsumerprocurement.orders.listconsumerprocurement.orders.modifyconsumerprocurement.orders.place
|
Consumer Procurement Order Viewer
(roles/consumerprocurement.orderViewer)
Allows inspecting purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.getcommerceoffercatalog.agreements.listcommerceoffercatalog.documents.getcommerceoffercatalog.documents.listcommerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
|
Consumer Procurement Administrator
(roles/consumerprocurement.procurementAdmin)
Allows managing purchases, consents at both billing account and project level.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.getcommerceoffercatalog.agreements.listcommerceoffercatalog.documents.getcommerceoffercatalog.documents.listcommerceoffercatalog.offers.get
consumerprocurement.*
consumerprocurement.accounts.createconsumerprocurement.accounts.deleteconsumerprocurement.accounts.getconsumerprocurement.accounts.listconsumerprocurement.consents.allowProjectGrantconsumerprocurement.consents.checkconsumerprocurement.consents.grantconsumerprocurement.consents.listconsumerprocurement.consents.revokeconsumerprocurement.entitlements.getconsumerprocurement.entitlements.listconsumerprocurement.events.getconsumerprocurement.events.listconsumerprocurement.freeTrials.createconsumerprocurement.freeTrials.getconsumerprocurement.freeTrials.listconsumerprocurement.licensePools.assignconsumerprocurement.licensePools.enumerateLicensedUsersconsumerprocurement.licensePools.getconsumerprocurement.licensePools.unassignconsumerprocurement.licensePools.updateconsumerprocurement.orderAttributions.getconsumerprocurement.orderAttributions.listconsumerprocurement.orderAttributions.updateconsumerprocurement.orders.cancelconsumerprocurement.orders.getconsumerprocurement.orders.listconsumerprocurement.orders.modifyconsumerprocurement.orders.place
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Viewer
(roles/consumerprocurement.procurementViewer)
Allows inspecting purchases, consents and entitlements and service states for a consumer project.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.getcommerceoffercatalog.agreements.listcommerceoffercatalog.documents.getcommerceoffercatalog.documents.listcommerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.getconsumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Concedere ruoli IAM agli utenti
Tra i ruoli riportati nella tabella sopra, i ruoli consumerprocurement.orderAdmin e consumerprocurement.orderViewer devono essere assegnati a livello di account di fatturazione o di organizzazione, mentre i ruoli consumerprocurement.entitlementManager e consumerprocurement.entitlementViewer devono essere assegnati a livello di progetto o di organizzazione.
Per concedere i ruoli agli utenti utilizzando gcloud, esegui uno dei seguenti comandi:
Organizzazione
Per assegnare i ruoli a livello di organizzazione, devi disporre del ruolo resourcemanager.organizationAdmin.
gcloud organizations add-iam-policy-binding organization-id \
--member=member --role=role-id
I valori segnaposto sono:
- organization-id: l'ID numerico dell'organizzazione per cui concedi il ruolo.
- member: l'utente a cui stai concedendo l'accesso.
- role-id: l'ID ruolo della tabella precedente.
Account di fatturazione
Per assegnare i ruoli a livello di account di fatturazione, devi disporre del ruolo billing.admin.
gcloud beta billing accounts set-iam-policy account-id \
policy-file
I valori segnaposto sono:
Progetto
Per assegnare i ruoli a livello di progetto, devi disporre del ruolo resourcemanager.folderAdmin.
gcloud projects add-iam-policy-binding project-id \
--member=member --role=role-id
I valori segnaposto sono:
- project-id: il progetto per cui concedi il ruolo.
- member: l'utente a cui stai concedendo l'accesso.
- role-id: l'ID ruolo della tabella precedente.
Per concedere i ruoli agli utenti utilizzando la console Google Cloud, consulta la documentazione IAM su Concessione, modifica e revoca dell'accesso per gli utenti.
Utilizzo di ruoli personalizzati con Cloud Marketplace
Se vuoi un controllo granulare sulle autorizzazioni concesse agli utenti, puoi
creare ruoli personalizzati con le autorizzazioni
che vuoi concedere.
Se stai creando un ruolo personalizzato per gli utenti che acquistano servizi da Cloud Marketplace, il ruolo deve includere le seguenti autorizzazioni per l'account di fatturazione utilizzato per acquistare i servizi:
Accedere ai siti web dei partner con il Single Sign-On (SSO)
Alcuni prodotti del marketplace supportano il Single Sign-On (SSO) per accedere al sito web esterno di un partner. Gli utenti autorizzati all'interno dell'organizzazione hanno accesso a un pulsante "Gestisci sul provider" nella pagina dei dettagli del prodotto. Questo pulsante indirizza gli utenti al sito web del partner. In alcuni casi, agli utenti viene chiesto di "Accedere con Google". In altri casi, gli utenti hanno eseguito l'accesso in un
contesto di account condiviso.
Per accedere alla funzionalità SSO, gli utenti devono andare alla pagina dei dettagli del prodotto e selezionare un progetto appropriato. Il progetto deve essere collegato a un account di fatturazione in cui è stato acquistato il piano. Per informazioni dettagliate sulla gestione dei piani del Marketplace, consulta Gestire i piani di fatturazione.
Inoltre, l'utente deve disporre di autorizzazioni IAM sufficienti all'interno del progetto selezionato. Per la maggior parte dei prodotti, al momento è richiesto il ruolo roles/consumerprocurement.entitlementManager (o
roles/editor
ruolo di base).
Autorizzazioni minime per prodotti specifici
I seguenti prodotti possono operare su un insieme diverso di autorizzazioni per accedere alle funzionalità di SSO:
- Apache Kafka su Confluent Cloud
- DataStax Astra per Apache Cassandra
- Elastic Cloud
- Neo4j Aura Professional
- Redis Enterprise Cloud
Per questi prodotti, puoi utilizzare le seguenti autorizzazioni minime:
consumerprocurement.entitlements.getconsumerprocurement.entitlements.listserviceusage.services.getserviceusage.services.listresourcemanager.projects.get
In genere, queste autorizzazioni vengono concesse con i ruoli roles/consumerprocurement.entitlementManager o roles/consumerprocurement.entitlementViewer.
