This product is available in Vertex AI, which is the next generation of AI Platform. Migrate your resources to Vertex AI Vizier to get new machine learning features that are unavailable in AI Platform.

Access control with IAM

AI Platform Vizier uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account.

There are three types of IAM roles that can be used in AI Platform Vizier:

Basic roles (Owner, Viewer, and Editor) are common to all Google Cloud services.
Predefined AI Platform Vizier roles give you fine-grained access control to your AI Platform Vizier resources at the project and model levels.
Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization.

This guide focuses on predefined AI Platform Vizier roles, their typical usage, and associated permissions.

Basic roles

The legacy AI Platform Vizier IAM roles are based on the basic roles that are common to all GCP services: Owner, Viewer, and Editor.

The legacy project Editor role is equivalent to the AI Platform Vizier Admin role.

The legacy project Viewer role grants the same permissions as the AI Platform Vizier Viewer role, plus access to send online prediction requests. The advantage to using the AI Platform Vizier Viewer role is that the user gets read-only access to AI Platform Vizier resources.

Predefined roles

Predefined roles grant a set of related permissions. AI Platform Vizier offers predefined roles for your project, and also for individual models, jobs, and operations.

To view a full list of permissions for each role, click on the name of the role.

Project roles

The AI Platform Vizier Admin, Developer, and Viewer roles grant varying levels of access to resources at the project level.

To add, update, or remove these roles in your AI Platform Vizier project, see the documentation on granting, changing, and revoking access.

Role Title Role Name Capabilities

AI Platform Vizier Admin

Role Title	Role Name	Capabilities
AI Platform Vizier Admin	`roles/ml.admin`	Full control of AI Platform Vizier project, and its jobs, operations, models, versions, studies, and trials. Note: The basic project Editor role is equivalent to `roles/ml.admin`.
AI Platform Vizier Developer	`roles/ml.developer`	Create studies and trials. Create training and prediction jobs, models, and versions. Send online prediction requests.
AI Platform Vizier Viewer	`roles/ml.viewer`	Read-only access to AI Platform Vizier resources.

roles/ml.admin

Full control of AI Platform Vizier project, and its jobs, operations, models, versions, studies, and trials.

Note: The basic project Editor role is equivalent to roles/ml.admin.

AI Platform Vizier Developer

roles/ml.developer

Create studies and trials. Create training and prediction jobs, models, and versions. Send online prediction requests.

AI Platform Vizier Viewer

roles/ml.viewer

Read-only access to AI Platform Vizier resources.

Permissions and roles

Refer to this section for a full list of permissions that are granted with each AI Platform Vizier predefined role. If these predefined roles do not meet your needs, use this section as a reference for creating your own custom roles.

Admin role

Role Name Description Permissions

Role Name	Description	Permissions
`roles/ml.admin`	AI Platform Vizier Admin Full access to your AI Platform Vizier project, and its jobs, operations, models, versions, studies, and trials. Note: Migrating to this role from the basic project Editor role is fairly simple. If you previously used the basic Editor role assigned at the project level, you can use this `roles/ml.admin` role to grant exactly the same set of permissions to the user.	`resourcemanager.projects.get` `ml.projects.getConfig` `ml.studies.create` `ml.studies.delete` `ml.studies.get` `ml.studies.list` `ml.trials.create` `ml.trials.update` `ml.trials.delete` `ml.trials.get` `ml.jobs.create` `ml.jobs.list` `ml.jobs.get` `ml.jobs.getIamPolicy` `ml.jobs.setIamPolicy` `ml.jobs.cancel` `ml.operations.list` `ml.operations.get` `ml.operations.cancel` `ml.models.create` `ml.models.list` `ml.models.get` `ml.models.setIamPolicy` `ml.models.getIamPolicy` `ml.models.predict` `ml.models.delete` `ml.models.update` `ml.versions.create` `ml.versions.list` `ml.versions.get` `ml.versions.predict` `ml.versions.delete`

roles/ml.admin

AI Platform Vizier Admin

Full access to your AI Platform Vizier project, and its jobs, operations, models, versions, studies, and trials.

Note: Migrating to this role from the basic project Editor role is fairly simple. If you previously used the basic Editor role assigned at the project level, you can use this roles/ml.admin role to grant exactly the same set of permissions to the user.

resourcemanager.projects.get
ml.projects.getConfig
ml.studies.create
ml.studies.delete
ml.studies.get
ml.studies.list
ml.trials.create
ml.trials.update
ml.trials.delete
ml.trials.get
ml.jobs.create
ml.jobs.list
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.setIamPolicy
ml.jobs.cancel
ml.operations.list
ml.operations.get
ml.operations.cancel
ml.models.create
ml.models.list
ml.models.get
ml.models.setIamPolicy
ml.models.getIamPolicy
ml.models.predict
ml.models.delete
ml.models.update
ml.versions.create
ml.versions.list
ml.versions.get
ml.versions.predict
ml.versions.delete

Developer role

Role Name Description Permissions

Role Name	Description	Permissions
`roles/ml.developer`	Access to create studies and trials; create training and prediction jobs, models, and versions; and send online prediction requests. Note: A developer receives `ml.jobs.cancel` and `ml.jobs.update` permissions on all jobs they create, because creating a job automatically grants them the AI Platform Vizier Job Owner role.	`resourcemanager.projects.get` `ml.projects.getConfig` `ml.studies.create` `ml.studies.delete` `ml.studies.get` `ml.studies.list` `ml.trials.create` `ml.trials.update` `ml.trials.delete` `ml.trials.get` `ml.jobs.create` `ml.jobs.list` `ml.jobs.get` `ml.jobs.getIamPolicy` `ml.operations.list` `ml.operations.get` `ml.models.create` `ml.models.list` `ml.models.get` `ml.models.getIamPolicy` `ml.models.predict` `ml.versions.list` `ml.versions.get` `ml.versions.predict`

roles/ml.developer

Access to create studies and trials; create training and prediction jobs, models, and versions; and send online prediction requests.

Note: A developer receives ml.jobs.cancel and ml.jobs.update permissions on all jobs they create, because creating a job automatically grants them the AI Platform Vizier Job Owner role.

resourcemanager.projects.get
ml.projects.getConfig
ml.studies.create
ml.studies.delete
ml.studies.get
ml.studies.list
ml.trials.create
ml.trials.update
ml.trials.delete
ml.trials.get
ml.jobs.create
ml.jobs.list
ml.jobs.get
ml.jobs.getIamPolicy
ml.operations.list
ml.operations.get
ml.models.create
ml.models.list
ml.models.get
ml.models.getIamPolicy
ml.models.predict
ml.versions.list
ml.versions.get
ml.versions.predict

Viewer role

Role Name Description Permissions

Role Name	Description	Permissions
`roles/ml.viewer`	Read-only access to AI Platform Vizier resources on a particular project. Note: The legacy project Viewer role grants a user the same permissions as the `roles/ml.viewer` role, plus access to send online prediction requests.	`resourcemanager.projects.get` `ml.projects.getConfig` `ml.studies.get` `ml.studies.list` `ml.trials.get` `ml.jobs.list` `ml.jobs.get` `ml.operations.list` `ml.operations.get` `ml.models.list` `ml.models.get` `ml.versions.list` `ml.versions.get`

roles/ml.viewer

Read-only access to AI Platform Vizier resources on a particular project.

Note: The legacy project Viewer role grants a user the same permissions as the roles/ml.viewer role, plus access to send online prediction requests.

resourcemanager.projects.get
ml.projects.getConfig
ml.studies.get
ml.studies.list
ml.trials.get
ml.jobs.list
ml.jobs.get
ml.operations.list
ml.operations.get
ml.models.list
ml.models.get
ml.versions.list
ml.versions.get

Limiting access to AI Platform Vizier

The AI Platform Vizier roles grant access to AI Platform Training and AI Platform Prediction, in addition to AI Platform Vizier. To grant access to only AI Platform Vizier resources, create a custom role with the permissions that you want.

The methods and their respective permissions for AI Platform Vizier are:

Resource	API method	Permission
Study	projects.locations.studies.create	`ml.studies.create`
	projects.locations.studies.delete	`ml.studies.delete`
	projects.locations.studies.get	`ml.studies.get`
	projects.locations.studies.list	`ml.studies.list`
Trial	projects.locations.studies.trials.suggest	`ml.trials.update`
	projects.locations.studies.trials.create	`ml.trials.create`
	projects.locations.studies.trials.delete	`ml.trials.delete`
	projects.locations.studies.trials.addMeasurement	`ml.trials.update`
	projects.locations.studies.trials.stop	`ml.trials.update`
	projects.locations.studies.trials.complete	`ml.trials.update`
	projects.locations.studies.trials.get	`ml.trials.get`
	projects.locations.studies.trials.checkEarlyStoppingState	`ml.trials.get`
	projects.locations.studies.trials.list	`ml.trials.get`

What's next

Learn more about IAM and IAM custom roles.
Create a custom role.
Get an overview of AI Platform.