Identity and Access Management (IAM)

Stay organized with collections Save and categorize content based on your preferences.

This page describes how you can control Vertex AI Search for commerce access and permissions using Identity and Access Management (IAM).

Overview

Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Vertex AI Search for commerce IAM roles and permissions. For a detailed description of Google Cloud IAM, see the IAM documentation.

Vertex AI Search for commerce provides a set of predefined roles designed to help you easily control access to your Vertex AI Search for commerce resources. You can also create your own custom roles, if the predefined roles do not provide the sets of permissions you need. In addition, the older basic roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the Vertex AI Search for commerce roles. In particular, the basic roles provide access to resources across Google Cloud rather than just for Vertex AI Search for commerce. See the basic roles documentation for more information.

Predefined roles

The Vertex AI Search for commerce provides some predefined roles you can use to provide finer-grained permissions to principals. The role you grant to a principal controls what actions the principal can take. Principals can be individuals, groups, or service accounts.

You can grant multiple roles to the same principal, and you can change the roles granted to a principal at any time, provided you have the permissions to do so.

The broader roles include the more narrowly defined roles. For example, the Retail Editor role includes all of the permissions of the Retail Viewer role, along with the addition permissions of the Retail Editor role. Likewise, the Retail Admin role includes all of the permissions of the Retail Editor role, along with its additional permissions.

The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Vertex AI Search for commerce provide only Vertex AI Search for commerce permissions, except for the following Google Cloud (Google Cloud) permissions, which are needed for general Google Cloud usage:

• resourcemanager.projects.get
• resourcemanager.projects.list
• serviceusage.services.list
• serviceusage.services.get

The following table lists the predefined roles available for Vertex AI Search for commerce, along with their Vertex AI Search for commerce permissions:

View table

Name	Vertex AI Search for commerce permissions	Description
Project > Owner	All retail permissions	Full access and control for all Google Cloud resources; manage user access and set up billing for a project.
Project > Editor	All retail permissions except the permissions in the Retail Admin role.	Read-write access to all Google Cloud and Vertex AI Search for commerce resources (except the ability to modify permissions and billing).
Project > Viewer	retail.*.get retail.*.list	Read-only access to all Google Cloud resources, including Vertex AI Search for commerce resources.
Retail Admin	retail.retailProjects.acceptDataTerms retail.solutions.enroll retail.products.purge retail.places.purge retail.places.purgeInventoryActivities retail.places.purgeProductPrices retail.places.purgeProductSettings retail.orders.purge retail.products.setSponsorship retail.userEvents.purge retail.userEvents.rejoin retail.attributesConfigs.removeCatalogAttribute retail.attributesConfigs.batchRemoveCatalogAttributes automlrecommendations.events.purge automlrecommendations.events.rejoin This role also includes all permissions in the Retail Editor and Retail Viewer roles.	Full control for all Vertex AI Search for commerce resources.
Retail Editor	retail.catalogs.import retail.catalogs.update retail.products.create retail.products.delete retail.products.update retail.products.import retail.userEvents.create retail.userEvents.import retail.servingConfigs.create retail.servingConfigs.update retail.servingConfigs.delete retail.controls.create retail.controls.update retail.controls.delete retail.controls.import retail.controls.export retail.attributesConfigs.update retail.attributesConfigs.addCatalogAttribute retail.attributesConfigs.importCatalogAttributes retail.attributesConfigs.exportCatalogAttributes retail.attributesConfigs.replaceCatalogAttribute retail.completionConfigs.update retail.models.create retail.models.delete retail.models.update retail.models.pause retail.models.resume retail.loggingConfigs.update retail.alertConfigs.update rretail.merchantCenterAccountLinks.create retail.merchantCenterAccountLinks.delete retail.metrics.writeMetricValue automlrecommendations.apiKeys.create automlrecommendations.apiKeys.delete automlrecommendations.catalogItems.create automlrecommendations.catalogItems.delete automlrecommendations.catalogItems.update automlrecommendations.catalogs.update automlrecommendations.events.create automlrecommendations.placements.create automlrecommendations.placements.delete automlrecommendations.recommendations.create automlrecommendations.recommendations.delete automlrecommendations.recommendations.pause automlrecommendations.recommendations.resume automlrecommendations.recommendations.update This role also includes all permissions in the Retail Viewer role.	Can read all Vertex AI Search for commerce resources and write products, events, and other resources.
Retail Viewer	retail.retailProjects.get retail.attributesConfigs.exportCatalogAttributes retail.catalogs.completeQuery retail.catalogs.listProductAttributes retail.controls.export retail.placements.search retail.placements.predict retail.products.export retail.userEvents.export retail.*.get retail.*.list	Read-only access to all Vertex AI Search for commerce resources.

Migrate permissions from the Recommendations AI API

If you are migrating from the previous Recommendations Engine API to Vertex AI Search for commerce, note that the following predefined roles also include permissions for the previous API.

• Retail Admin: Includes all the permissions of Recommendations Admin, except for apiKeys permissions.
• Retail Editor: Includes all the permissions of Recommendations Editor, as well as catalog.update, and excluding apiKeys permissions.
• Retail Viewer: Includes all the permissions of Recommendations Viewer.

Manage Vertex AI Search for commerce IAM

You can get and set IAM allow policies and IAM roles using the Google Cloud Console, the IAM methods of the API, or Vertex AI Search for commerce. For more information, see Granting, Changing, and Revoking Access.

What's next

• Learn how to grant and revoke access.
• Learn more about IAM.
• Learn more about basic roles.
• Learn more about custom roles.