AI Platform Vizier uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account.
There are three types of IAM roles that can be used in AI Platform Vizier:
- Basic roles (Owner, Viewer, and Editor) are common to all Google Cloud services.
- Predefined AI Platform Vizier roles give you fine-grained access control to your AI Platform Vizier resources at the project and model levels.
- Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization.
This guide focuses on predefined AI Platform Vizier roles, their typical usage, and associated permissions.
Basic roles
The legacy AI Platform Vizier IAM roles are based on the basic roles that are common to all GCP services: Owner, Viewer, and Editor.
The legacy project Editor role is equivalent to the AI Platform Vizier Admin role.
The legacy project Viewer role grants the same permissions as the AI Platform Vizier Viewer role, plus access to send online prediction requests. The advantage of using the AI Platform Vizier Viewer role is that the user gets read-only access to AI Platform Vizier resources.
Predefined roles
Predefined roles grant a set of related permissions. AI Platform Vizier offers predefined roles for your project, and also for individual models, jobs, and operations.
To view a full list of permissions for each role, click on the name of the role.
Project roles
The AI Platform Vizier Admin, Developer, and Viewer roles grant varying levels of access to resources at the project level.
To add, update, or remove these roles in your AI Platform Vizier project, see the documentation on granting, changing, and revoking access.
Role Title | Role Name | Capabilities |
---|---|---|
AI Platform Vizier Admin | roles/ml.admin | Full control of AI Platform Vizier project, and its jobs, operations, models, versions, studies, and trials. Note: The basic project Editor role is equivalent to |
AI Platform Vizier Developer | roles/ml.developer | Create studies and trials. Create training and prediction jobs, models, and versions. Send online prediction requests. |
AI Platform Vizier Viewer | roles/ml.viewer | Read-only access to AI Platform Vizier resources. |
Permissions and roles
Refer to this section for a full list of permissions that are granted with each AI Platform Vizier predefined role. If these predefined roles do not meet your needs, use this section as a reference for creating your own custom roles.
Admin role
Role Name | Description | Permissions |
---|---|---|
roles/ml.admin | AI Platform Vizier Admin. Full access to your AI Platform Vizier project, and its jobs, operations, models, versions, studies, and trials. Note: Migrating to this role from the basic project Editor role is fairly simple. If you previously used the basic Editor role assigned at the project level, you can use this | |
Developer role
Role Name | Description | Permissions |
---|---|---|
roles/ml.developer | Access to create studies and trials; create training and prediction jobs, models, and versions; and send online prediction requests. Note: A developer receives | |
Viewer role
Role Name | Description | Permissions |
---|---|---|
roles/ml.viewer | Read-only access to AI Platform Vizier resources on a particular project. Note: The legacy project Viewer role grants a user the same permissions as the | |
Limiting access to AI Platform Vizier
The AI Platform Vizier roles grant access to AI Platform Training and AI Platform Prediction, in addition to AI Platform Vizier. To grant access to only AI Platform Vizier resources, create a custom role with the permissions that you want.
The methods and their respective permissions for AI Platform Vizier are:
Resource | API method | Permission |
---|---|---|
Study | projects.locations.studies.create | ml.studies.create |
Study | projects.locations.studies.delete | ml.studies.delete |
Study | projects.locations.studies.get | ml.studies.get |
Study | projects.locations.studies.list | ml.studies.list |
Trial | projects.locations.studies.trials.suggest | ml.trials.update |
Trial | projects.locations.studies.trials.create | ml.trials.create |
Trial | projects.locations.studies.trials.delete | ml.trials.delete |
Trial | projects.locations.studies.trials.addMeasurement | ml.trials.update |
Trial | projects.locations.studies.trials.stop | ml.trials.update |
Trial | projects.locations.studies.trials.complete | ml.trials.update |
Trial | projects.locations.studies.trials.get | ml.trials.get |
Trial | projects.locations.studies.trials.checkEarlyStoppingState | ml.trials.get |
Trial | projects.locations.studies.trials.list | ml.trials.get |
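The following Python sketch is an added example, not part of the original documentation. It uses the method-to-permission table above to derive the smallest permission set for a workload, shows which other methods those permissions also unlock, and flags granted permissions the workload does not need. The worker workload and the role title are constructed for illustration; the role body uses the `title`, `stage` and `includedPermissions` fields of a role file passed to `gcloud iam roles create --file`.

```python
import json

PREFIX = "projects.locations.studies."
# API method (without PREFIX) -> permission, copied from the table on this page.
METHOD_PERMISSION = {
    "create": "ml.studies.create",
    "delete": "ml.studies.delete",
    "get": "ml.studies.get",
    "list": "ml.studies.list",
    "trials.suggest": "ml.trials.update",
    "trials.create": "ml.trials.create",
    "trials.delete": "ml.trials.delete",
    "trials.addMeasurement": "ml.trials.update",
    "trials.stop": "ml.trials.update",
    "trials.complete": "ml.trials.update",
    "trials.get": "ml.trials.get",
    "trials.checkEarlyStoppingState": "ml.trials.get",
    "trials.list": "ml.trials.get",
}


def minimal_permissions(methods):
    """Smallest permission set covering the given full API method names."""
    short = [m[len(PREFIX):] if m.startswith(PREFIX) else m for m in methods]
    unknown = [m for m in short if m not in METHOD_PERMISSION]
    if unknown:  # fail closed: never guess a permission for an unlisted method
        raise ValueError(f"not in the Vizier method table: {unknown}")
    return sorted({METHOD_PERMISSION[m] for m in short})


def methods_enabled(permissions):
    """Every listed method the permission set unlocks (often more than requested)."""
    return sorted(PREFIX + m for m, p in METHOD_PERMISSION.items() if p in permissions)


def excess_permissions(granted, methods):
    """Granted permissions that the required methods do not need."""
    return sorted(set(granted) - set(minimal_permissions(methods)))


def role_definition(title, methods):
    """Role body with the fields read by `gcloud iam roles create --file`."""
    return {"title": title, "stage": "GA",
            "includedPermissions": minimal_permissions(methods)}


if __name__ == "__main__":
    # Constructed workload: a worker that only runs trials in an existing study.
    worker = [PREFIX + m for m in ("get", "trials.suggest", "trials.addMeasurement")]
    print(json.dumps(role_definition("Vizier trial worker", worker), indent=2))
    print(methods_enabled(minimal_permissions(worker)))
```

Because several trial methods share `ml.trials.update`, a role built for `suggest` and `addMeasurement` also permits `stop` and `complete`; `methods_enabled` makes that reach visible before the role is granted.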
What's next
- Learn more about IAM and IAM custom roles.
- Create a custom role.
- Get an overview of AI Platform.