Control access to Model Garden models

This document explains how to use organization policies to centrally control access to models in Model Garden.

For example, you can create a policy to restrict users in your production environments to an approved set of Google and third-party models. You can define this policy at the organization, folder, or project level. The policy applies to all principals within that resource and can't be configured on a per-user basis. For more information, see Introduction to the Organization Policy Service.

This document describes the following:

  • Policy evaluations: Learn how policies are merged and evaluated across the resource hierarchy.
  • Policy details: Understand the different policy types and how to specify models and actions.
  • Set a policy: Find instructions for setting a policy using the Google Cloud console or the Google Cloud CLI.
  • Example policies: Review sample policies for common use cases like creating allowlists or denylists.

Policy evaluations

When a policy is evaluated, all applicable policies that contribute to a resource are merged. An explicit deny value always takes precedence over an explicit allow value.

For example, if a folder policy denies a model and a project policy within that folder allows the same model, access to the model is denied at the project level. The explicit deny at the folder level takes precedence. However, if you configure the project policy to override parent policies, access to the model is allowed.

For more information, see Understanding hierarchy evaluation.
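The folder and project case above, worked through as an added example (not Google's code). It is a simplified model of only the rules stated on this page; the `Policy` class, its `override_parent` field, and the function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    override_parent: bool = False  # hypothetical name for "override parent policies"

def merge(chain):
    """Merge policies ordered from organization down to project (None = not set)."""
    allowed, denied = set(), set()
    for policy in chain:
        if policy is None:
            continue
        if policy.override_parent:
            # Everything inherited from higher levels is discarded.
            allowed, denied = set(), set()
        allowed |= policy.allowed
        denied |= policy.denied
    return allowed, denied

def is_permitted(chain, value):
    allowed, denied = merge(chain)
    if value in denied:        # an explicit deny always wins
        return False
    if allowed:                # an allowlist implicitly denies everything else
        return value in allowed
    return True                # no restriction: allow all is the default

# Constructed scenario: the folder denies a model action, the project allows it.
LLAMA = "publishers/meta/models/llama3:deploy"
FOLDER = Policy(denied={LLAMA})
PROJECT = Policy(allowed={LLAMA})
PROJECT_OVERRIDE = Policy(allowed={LLAMA}, override_parent=True)

if __name__ == "__main__":
    print(is_permitted([None, FOLDER, PROJECT], LLAMA))           # folder deny wins
    print(is_permitted([None, FOLDER, PROJECT_OVERRIDE], LLAMA))  # project overrides
```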

Considerations

  • The Model Garden organization policy applies only to models in Model Garden, not to models registered in the Vertex AI Model Registry.
  • An organization policy can't exceed a total of 500 allowed and denied values.
  • In a custom policy, you must specify each model individually. You can't use wildcards or group models by publisher (for example, you can't deny all third-party models with a single entry).

Policy details

When you set a policy, you can choose from several approaches to control access. The following table compares the available policy types.

| Policy type | Description | Use case |
| --- | --- | --- |
| Allow all models | Permits access to all models and actions. This is the default behavior if no policy is set. | When no access restrictions are needed for a specific organization, folder, or project. |
| Deny all models | Blocks access to all models and actions. | To completely restrict the use of Model Garden models within a specific resource scope. |
| Custom allow policy | Explicitly lists the models and actions that are permitted. All other models and actions are implicitly denied. | To create an "allowlist" of approved models and actions that users can access. |
| Custom deny policy | Explicitly lists the models and actions that are blocked. All other models and actions are implicitly allowed. | To create a "denylist" to prevent the use of specific, unapproved models or actions. |

To specify models in a custom policy, use the following format, which includes the model and a specific action:

publishers/PUBLISHER/models/MODEL_NAME:ACTION

Where:

  • PUBLISHER: The name of the publisher who owns the model.
  • MODEL_NAME: The name of the model to allow or deny.
  • ACTION: The model action to include in the policy.

For example, to define a policy rule for predictions with the Gemini 2.0 Flash model, specify publishers/google/models/gemini-2.0-flash-001:predict.

The fully qualified ID, publishers/PUBLISHER/models/MODEL_NAME, is also known as the model ID. You can find the model ID on a model's card in the Model Garden.

Model actions

You can allow or deny the following actions for each model:

  • predict: Make online and batch predictions against a model with a managed API (model as a service).
  • deploy: Deploy models on Google Cloud. This action applies to models without a managed API, such as those deployed using one-click deployment in the Google Cloud console.
  • tune: Tune models.
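A pre-apply check for custom policy values, as an added example (not part of Google's tooling). It enforces the value format, the three actions, the no-wildcard rule, and the 500-value limit described on this page; the function name and the sample values are constructed for illustration.

```python
import re

ACTIONS = {"predict", "deploy", "tune"}  # the three actions listed on this page
MAX_VALUES = 500                         # combined allowed + denied limit
VALUE_RE = re.compile(r"^publishers/([^/:\s]+)/models/([^/:\s]+):([^/:\s]+)$")

def lint_values(allowed, denied):
    """Return a list of problems; an empty list means the values pass."""
    problems = []
    for kind, values in (("allowedValues", allowed), ("deniedValues", denied)):
        for v in values:
            m = VALUE_RE.match(v)
            if "*" in v:
                problems.append(f"{kind}: wildcards are not supported: {v}")
            elif not m:
                problems.append(
                    f"{kind}: expected publishers/PUBLISHER/models/MODEL_NAME:ACTION: {v}")
            elif m.group(3) not in ACTIONS:
                problems.append(f"{kind}: unknown action {m.group(3)!r}: {v}")
    total = len(allowed) + len(denied)
    if total > MAX_VALUES:
        problems.append(f"{total} values exceeds the limit of {MAX_VALUES}")
    for v in sorted(set(allowed) & set(denied)):
        problems.append(f"listed as both allowed and denied (deny wins): {v}")
    return problems

# Constructed sample input, not taken from a real organization.
SAMPLE_ALLOWED = [
    "publishers/google/models/gemini-2.0-flash-001:predict",
    "publishers/google/models/gemini-2.0-flash-001",  # model ID only, action missing
    "publishers/meta/models/*:deploy",                # wildcard
    "publishers/meta/models/llama3:delete",           # not one of the listed actions
]
SAMPLE_DENIED = ["publishers/google/models/gemini-2.0-flash-001:predict"]

if __name__ == "__main__":
    for problem in lint_values(SAMPLE_ALLOWED, SAMPLE_DENIED):
        print(problem)
```

Running such a check before applying a policy catches a bare model ID pasted from a model card, which lacks the `:ACTION` suffix a policy value requires.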

Set a policy

You can set a Model Garden policy using the Google Cloud console or the Google Cloud CLI. The constraint name is vertexai.allowedModels.

For detailed instructions, see the following Resource Manager documentation:

Example policies

The following examples show policies in the YAML format used by the gcloud CLI.

In each example, replace ORGANIZATION_ID with your Google Cloud organization ID.

Deny a set of models (denylist)

This policy denies specific model actions. All other models and actions are implicitly allowed.

name: organizations/ORGANIZATION_ID/policies/vertexai.allowedModels
spec:
  rules:
  - values:
      deniedValues:
      - publishers/meta/models/llama3:deploy
      - publishers/google/models/gemini-2.0-flash-001:tune
      - publishers/hf-google/models/gemma-2b:deploy

Allow a set of models (allowlist)

This policy allows specific model actions. All other models and actions are implicitly denied.

name: organizations/ORGANIZATION_ID/policies/vertexai.allowedModels
spec:
  rules:
  - values:
      allowedValues:
      - publishers/meta/models/llama3:deploy
      - publishers/google/models/gemini-2.0-flash-001:tune
      - publishers/hf-google/models/gemma-2b:deploy

What's next

Learn about Model Garden and its offerings.