Access control with IAM

AI Platform Vizier uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account.

There are three types of IAM roles that can be used in AI Platform Vizier:

  • Basic roles (Owner, Viewer, and Editor) are common to all Google Cloud services.

  • Predefined AI Platform Vizier roles give you fine-grained access control to your AI Platform Vizier resources at the project and model levels.

  • Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization.

This guide focuses on predefined AI Platform Vizier roles, their typical usage, and associated permissions.

Basic roles

The basic (legacy) roles Owner, Editor, and Viewer are common to all Google Cloud services and are granted for the whole project: a member who holds one of them for AI Platform Vizier holds it for every other service in the project as well. Prefer the predefined AI Platform Vizier roles, which limit the grant to AI Platform resources.

Within AI Platform, the basic project Editor role grants the same permissions as the AI Platform Vizier Admin role (roles/ml.admin).

The basic project Viewer role grants the same AI Platform permissions as the AI Platform Vizier Viewer role (roles/ml.viewer), plus the permission to send online prediction requests. Use the AI Platform Vizier Viewer role when the user should have strictly read-only access to AI Platform Vizier resources.
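The following added example (not code from the original page or from Google) shows how to find project members that hold a basic role and print the gcloud commands that move them to the predefined AI Platform role this page maps it to (Editor to roles/ml.admin, Viewer to roles/ml.viewer). It reads the JSON layout produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`; the policy, the member names, and the project id `example-project` are constructed for the example.

```python
"""Audit an exported project IAM policy for basic roles that can be narrowed.

Added example, not from the original page or from Google. Input is the JSON
that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints. The
sample policy, member names and project id below are constructed.
"""
from __future__ import annotations
import json

# Constructed sample of an exported IAM policy (not a real project).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": [
            "serviceAccount:tuner@example-project.iam.gserviceaccount.com",
            "group:ml-team@example.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
        {"role": "roles/ml.developer", "members": ["user:carol@example.com"]},
    ],
    "etag": "BwXyz123",
    "version": 1,
})

BASIC_ROLES = ("roles/owner", "roles/editor", "roles/viewer")

# Mapping stated on the page: basic Editor covers roles/ml.admin, basic Viewer
# covers roles/ml.viewer (plus prediction). Owner has no AI Platform equivalent.
BASIC_TO_PREDEFINED = {
    "roles/editor": "roles/ml.admin",
    "roles/viewer": "roles/ml.viewer",
}


def find_basic_role_bindings(policy_json: str) -> list:
    """Return (member, basic_role) pairs for every unconditional basic-role binding."""
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in BASIC_ROLES:
            continue
        # A conditional binding grants something narrower than the bare role,
        # so it is left for manual review instead of being rewritten blindly.
        if "condition" in binding:
            continue
        for member in binding.get("members", []):
            found.append((member, role))
    return found


def migration_commands(policy_json: str, project_id: str) -> list:
    """gcloud commands that swap a basic role for the predefined AI Platform role.

    The add comes before the remove so the member never loses access in
    between. Owner bindings produce no command: there is no AI Platform
    equivalent, and they need a human decision.
    """
    cmds = []
    for member, role in find_basic_role_bindings(policy_json):
        target = BASIC_TO_PREDEFINED.get(role)
        if target is None:
            continue
        cmds.append(f"gcloud projects add-iam-policy-binding {project_id} "
                    f"--member={member} --role={target}")
        cmds.append(f"gcloud projects remove-iam-policy-binding {project_id} "
                    f"--member={member} --role={role}")
    return cmds


if __name__ == "__main__":
    for member, role in find_basic_role_bindings(SAMPLE_POLICY):
        print(f"{member} holds basic role {role}")
    print("\n".join(migration_commands(SAMPLE_POLICY, "example-project")))
```

Two caveats when running the printed commands: a Viewer moved to roles/ml.viewer loses the ability to send online prediction requests (the page notes basic Viewer includes it), so a member who needs prediction should get roles/ml.developer instead; and a member who used Editor for other services in the project will lose that access too, which is the point of the migration but should be confirmed before the remove command runs.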

Predefined roles

Predefined roles grant a set of related permissions. AI Platform Vizier offers predefined roles for your project, and also for individual models, jobs, and operations.

The full list of permissions granted by each role is given in the Permissions and roles section below.

Project roles

The AI Platform Vizier Admin, Developer, and Viewer roles grant varying levels of access to resources at the project level.

To add, update, or remove these roles in your AI Platform Vizier project, see the documentation on granting, changing, and revoking access.

Role title: AI Platform Vizier Admin
Role name: roles/ml.admin
Capabilities: Full control of the AI Platform Vizier project and its jobs, operations, models, versions, studies, and trials.
Note: Within AI Platform, the basic project Editor role grants the same permissions as roles/ml.admin.

Role title: AI Platform Vizier Developer
Role name: roles/ml.developer
Capabilities: Create studies and trials. Create training and prediction jobs, models, and versions. Send online prediction requests.

Role title: AI Platform Vizier Viewer
Role name: roles/ml.viewer
Capabilities: Read-only access to AI Platform Vizier resources.

Permissions and roles

Refer to this section for a full list of permissions that are granted with each AI Platform Vizier predefined role. If these predefined roles do not meet your needs, use this section as a reference for creating your own custom roles.

Admin role

Role name: roles/ml.admin
Description: AI Platform Vizier Admin. Full access to your AI Platform Vizier project and its jobs, operations, models, versions, studies, and trials.

Note: Migrating from the basic project Editor role to this role is straightforward: roles/ml.admin grants the same AI Platform permissions that Editor did, but not Editor's permissions on other services in the project. Moving a member from Editor to roles/ml.admin therefore keeps their AI Platform access intact while removing everything else; confirm the member does not rely on Editor elsewhere before revoking it.

Permissions:

  • resourcemanager.projects.get
  • ml.projects.getConfig
  • ml.studies.create
  • ml.studies.delete
  • ml.studies.get
  • ml.studies.list
  • ml.trials.create
  • ml.trials.update
  • ml.trials.delete
  • ml.trials.get
  • ml.jobs.create
  • ml.jobs.list
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.jobs.setIamPolicy
  • ml.jobs.cancel
  • ml.operations.list
  • ml.operations.get
  • ml.operations.cancel
  • ml.models.create
  • ml.models.list
  • ml.models.get
  • ml.models.setIamPolicy
  • ml.models.getIamPolicy
  • ml.models.predict
  • ml.models.delete
  • ml.models.update
  • ml.versions.create
  • ml.versions.list
  • ml.versions.get
  • ml.versions.predict
  • ml.versions.delete

Developer role

Role name: roles/ml.developer
Description: AI Platform Vizier Developer. Access to create studies and trials; create training and prediction jobs, models, and versions; and send online prediction requests.

Note: A developer receives the ml.jobs.cancel and ml.jobs.update permissions on every job they create, because creating a job automatically grants them the AI Platform Vizier Job Owner role on that job.

Permissions:

  • resourcemanager.projects.get
  • ml.projects.getConfig
  • ml.studies.create
  • ml.studies.delete
  • ml.studies.get
  • ml.studies.list
  • ml.trials.create
  • ml.trials.update
  • ml.trials.delete
  • ml.trials.get
  • ml.jobs.create
  • ml.jobs.list
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.operations.list
  • ml.operations.get
  • ml.models.create
  • ml.models.list
  • ml.models.get
  • ml.models.getIamPolicy
  • ml.models.predict
  • ml.versions.list
  • ml.versions.get
  • ml.versions.predict

Viewer role

Role name: roles/ml.viewer
Description: AI Platform Vizier Viewer. Read-only access to AI Platform Vizier resources in a particular project.

Note: The basic project Viewer role grants a user the same permissions as roles/ml.viewer, plus access to send online prediction requests.

Permissions:

  • resourcemanager.projects.get
  • ml.projects.getConfig
  • ml.studies.get
  • ml.studies.list
  • ml.trials.get
  • ml.jobs.list
  • ml.jobs.get
  • ml.operations.list
  • ml.operations.get
  • ml.models.list
  • ml.models.get
  • ml.versions.list
  • ml.versions.get

Limiting access to AI Platform Vizier

The predefined AI Platform Vizier roles grant access to AI Platform Training and AI Platform Prediction as well as to AI Platform Vizier: roles/ml.developer, for example, includes ml.jobs.create, ml.models.create, and ml.models.predict, none of which a Vizier client needs. To grant access to AI Platform Vizier resources only, create a custom role containing just the permissions listed below.

The AI Platform Vizier API methods and the permission each one requires are:

Resource  API method                                                   Permission
Study     projects.locations.studies.create                            ml.studies.create
Study     projects.locations.studies.delete                            ml.studies.delete
Study     projects.locations.studies.get                               ml.studies.get
Study     projects.locations.studies.list                              ml.studies.list
Trial     projects.locations.studies.trials.suggest                    ml.trials.update
Trial     projects.locations.studies.trials.create                     ml.trials.create
Trial     projects.locations.studies.trials.delete                     ml.trials.delete
Trial     projects.locations.studies.trials.addMeasurement             ml.trials.update
Trial     projects.locations.studies.trials.stop                       ml.trials.update
Trial     projects.locations.studies.trials.complete                   ml.trials.update
Trial     projects.locations.studies.trials.get                        ml.trials.get
Trial     projects.locations.studies.trials.checkEarlyStoppingState    ml.trials.get
Trial     projects.locations.studies.trials.list                       ml.trials.get
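The following added example (not code from the original page or from Google) derives a Vizier-only custom role from the method-to-permission table above: it collects the unique permissions for the methods a client will call, writes them in the YAML layout that `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=FILE` accepts, and shows which of roles/ml.developer's permissions the custom role leaves out. The role id, title, and project id are placeholders chosen for the example.

```python
"""Build a least-privilege custom role for AI Platform Vizier clients.

Added example, not from the original page or from Google. The method ->
permission mapping is the page's table; the role id, title and project id
are placeholders.
"""

# API method -> IAM permission, as listed on the page.
VIZIER_METHOD_PERMISSIONS = {
    "projects.locations.studies.create": "ml.studies.create",
    "projects.locations.studies.delete": "ml.studies.delete",
    "projects.locations.studies.get": "ml.studies.get",
    "projects.locations.studies.list": "ml.studies.list",
    "projects.locations.studies.trials.suggest": "ml.trials.update",
    "projects.locations.studies.trials.create": "ml.trials.create",
    "projects.locations.studies.trials.delete": "ml.trials.delete",
    "projects.locations.studies.trials.addMeasurement": "ml.trials.update",
    "projects.locations.studies.trials.stop": "ml.trials.update",
    "projects.locations.studies.trials.complete": "ml.trials.update",
    "projects.locations.studies.trials.get": "ml.trials.get",
    "projects.locations.studies.trials.checkEarlyStoppingState": "ml.trials.get",
    "projects.locations.studies.trials.list": "ml.trials.get",
}

# Read-only methods: the ones whose permission is a .get or .list permission.
READ_ONLY_METHODS = {
    m for m, p in VIZIER_METHOD_PERMISSIONS.items()
    if p.endswith((".get", ".list"))
}

# Permissions of roles/ml.developer, copied from the page's list.
ML_DEVELOPER_PERMISSIONS = {
    "resourcemanager.projects.get", "ml.projects.getConfig",
    "ml.studies.create", "ml.studies.delete", "ml.studies.get", "ml.studies.list",
    "ml.trials.create", "ml.trials.update", "ml.trials.delete", "ml.trials.get",
    "ml.jobs.create", "ml.jobs.list", "ml.jobs.get", "ml.jobs.getIamPolicy",
    "ml.operations.list", "ml.operations.get",
    "ml.models.create", "ml.models.list", "ml.models.get",
    "ml.models.getIamPolicy", "ml.models.predict",
    "ml.versions.list", "ml.versions.get", "ml.versions.predict",
}


def permissions_for_methods(methods) -> list:
    """Unique, sorted permissions needed to call the given API methods.

    An unknown method raises instead of being silently dropped, so a typo
    cannot produce a role that is missing a permission.
    """
    perms = set()
    for method in methods:
        if method not in VIZIER_METHOD_PERMISSIONS:
            raise KeyError(f"not an AI Platform Vizier method: {method}")
        perms.add(VIZIER_METHOD_PERMISSIONS[method])
    return sorted(perms)


def vizier_only_permissions(read_only: bool = False) -> list:
    """All Vizier permissions, or only those for read-only methods."""
    methods = READ_ONLY_METHODS if read_only else VIZIER_METHOD_PERMISSIONS.keys()
    return permissions_for_methods(methods)


def role_yaml(title: str, description: str, permissions) -> str:
    """Role definition in the layout accepted by `gcloud iam roles create --file`."""
    lines = [
        f'title: "{title}"',
        f'description: "{description}"',
        'stage: "GA"',
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in permissions]
    return "\n".join(lines) + "\n"


def developer_permissions_not_needed_for_vizier() -> list:
    """Permissions roles/ml.developer carries that no Vizier method requires."""
    return sorted(ML_DEVELOPER_PERMISSIONS - set(vizier_only_permissions()))


if __name__ == "__main__":
    yaml_text = role_yaml("Vizier Client", "Create and run Vizier studies and trials only",
                          vizier_only_permissions())
    with open("vizier_client_role.yaml", "w") as fh:
        fh.write(yaml_text)
    print(yaml_text)
    print("gcloud iam roles create vizierClient --project=example-project "
          "--file=vizier_client_role.yaml")
    print("roles/ml.developer permissions left out:",
          ", ".join(developer_permissions_not_needed_for_vizier()))
```

The predefined roles also carry resourcemanager.projects.get and ml.projects.getConfig, which the method table does not list; whether a given client library needs either of them is not stated on this page, so add them only after testing the client against the custom role.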

What's next