Configure Analytics Hub roles
This document describes the Analytics Hub user roles and how to grant them to users. For more information, see Analytics Hub roles.
Analytics Hub user roles
The following sections describe the predefined Analytics Hub roles. You can assign these roles to users to perform various tasks on your data exchanges and listings.
Analytics Hub Admin role
To manage data exchanges, Analytics Hub provides the Analytics Hub Admin role (roles/analyticshub.admin) that you can grant for a project or data exchange. This role lets users perform the following tasks:
- Create, update, and delete data exchanges.
- Create, update, delete, and share listings.
- Manage Analytics Hub administrators, listing administrators, publishers, subscribers, and viewers.
Users with this role are referred to as Administrators.
Analytics Hub Publisher and Listing Admin roles
To manage listings, Analytics Hub provides the following predefined roles that you can grant for a project, a data exchange, or a listing:
- Analytics Hub Publisher role (roles/analyticshub.publisher), which lets users perform the following tasks:
  - Create, update, and delete listings.
  - Set IAM policies on listings.
  Users with this role are referred to as Publishers.
- Analytics Hub Listing Admin role (roles/analyticshub.listingAdmin), which lets users perform the following tasks:
  - Update and delete listings.
  - Set IAM policies on listings.
Analytics Hub Subscriber and Viewer roles
To view and subscribe to listings, Analytics Hub provides the following predefined roles that you can grant for a project, a data exchange, or a listing:
- Analytics Hub Subscriber role (roles/analyticshub.subscriber), which lets users view and subscribe to listings. Users with this role are referred to as Subscribers.
- Analytics Hub Viewer role (roles/analyticshub.viewer), which lets users view listings and data exchange permissions. Users with this role are referred to as Viewers.
Analytics Hub Subscription Owner roles
To manage subscriptions, Analytics Hub provides the following predefined role that you can grant at the project level:
- Analytics Hub Subscription Owner role (roles/analyticshub.subscriptionOwner), which lets users manage their subscriptions.
Grant Analytics Hub roles
Depending on your need, you can grant the Analytics Hub roles at the following levels of the resource hierarchy:
- Project. If you grant users a role for a project, it's applied to all data exchanges and listings that the project contains.
- Data exchange. If you grant users a role for a data exchange, then it's applied to all listings that the data exchange contains.
- Listing. If you grant users a role for a listing, then it's applied to only that specific listing.
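Because grants flow down from project to data exchange to listing, reviewing a listing's own policy does not show everyone who can reach it. The following added example (not part of the Analytics Hub documentation) resolves which Analytics Hub roles a principal holds on one listing and at which level each was granted; the policies are constructed samples and the function names are hypothetical.

```python
# Added example (not from the Analytics Hub documentation): resolve which
# Analytics Hub roles reach one listing for a principal, and from which level.
AH_PREFIX = "roles/analyticshub."
LEVELS = ("project", "data exchange", "listing")

# Constructed sample policies, shaped like getIamPolicy responses.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/analyticshub.admin", "members": ["group:admins@example.com"]},
    {"role": "roles/analyticshub.viewer", "members": ["user:test-user@gmail.com"]},
    {"role": "roles/bigquery.dataViewer", "members": ["user:test-user@gmail.com"]},
]}
EXCHANGE_POLICY = {"bindings": [
    {"role": "roles/analyticshub.subscriber", "members": ["user:test-user@gmail.com"]},
]}
LISTING_POLICY = {"bindings": [
    {"role": "roles/analyticshub.viewer", "members": ["user:test-user@gmail.com"]},
]}


def effective_roles(principal, project_policy, exchange_policy, listing_policy):
    """Map each Analytics Hub role the principal holds to the levels granting it.

    The principal string is matched exactly. Group and domain membership is
    not expanded, because it cannot be resolved from the policies alone.
    """
    found = {}
    policies = (project_policy, exchange_policy, listing_policy)
    for level, policy in zip(LEVELS, policies):
        for binding in policy.get("bindings", []):
            role = binding.get("role", "")
            if role.startswith(AH_PREFIX) and principal in binding.get("members", []):
                found.setdefault(role, []).append(level)
    return found


def inherited_only(found):
    """Roles that reach the listing only through a parent-level grant."""
    return sorted(role for role, levels in found.items() if "listing" not in levels)


if __name__ == "__main__":
    roles = effective_roles("user:test-user@gmail.com",
                            PROJECT_POLICY, EXCHANGE_POLICY, LISTING_POLICY)
    for role, levels in sorted(roles.items()):
        print(role, "granted at:", ", ".join(levels))
    print("inherited only:", inherited_only(roles))
```

Roles reported as inherited only are the ones that stay in force if the listing-level binding is removed.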
Grant the role for a project
If you want to set IAM policies on a project, you must have the roles/resourcemanager.projectIamAdmin role on that project. To grant the predefined Analytics Hub user roles for a project, follow these steps:
Console
Go to IAM for the project.
Click Add.
In the New principals field, enter the email address of the identity you want to grant access to. For example:
- Google Account email: test-user@gmail.com
- Google group: admins@googlegroups.com
- Service account: server@example.gserviceaccount.com
- Google Workspace domain: example.com
In the Role list, hold the pointer over Analytics Hub and select one of the following roles:
- Analytics Hub Admin
- Analytics Hub Publisher
- Analytics Hub Listing Admin
- Analytics Hub Subscriber
- Analytics Hub Viewer
Optional: To further control users' access to Google Cloud resources, add a conditional role binding.
Save your changes.
You can delete and update administrators for a project through the same IAM panel, explained in the preceding steps.
gcloud
To grant roles at a project level, use the gcloud projects add-iam-policy-binding command:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member='PRINCIPAL' \
  --role='roles/analyticshub.admin'
Replace the following:
- PROJECT_ID: the project ID (for example, my-project-1).
- PRINCIPAL: a valid identity to which you want to grant the role. For example:
  - Google Account email: user:user@gmail.com
  - Google group: group:admins@googlegroups.com
  - Service account: serviceAccount:server@example.gserviceaccount.com
  - Google Workspace domain: domain:example.com
API
Read the existing policy with the resource's getIamPolicy method. For projects, use the projects.getIamPolicy method.
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
Replace PROJECT_ID with the project ID (for example, my-project-1).
To add principals and their associated roles, edit the policy with a text editor. Use the following format to add members:
user:test-user@gmail.com
group:admins@example.com
serviceAccount:test123@example.domain.com
domain:example.domain.com
For example, to grant the roles/analyticshub.admin role to group:admins@example.com, add the following binding to the policy:
{
  "members": [
    "group:admins@example.com"
  ],
  "role": "roles/analyticshub.admin"
}
Write the updated policy by using the setIamPolicy method.
For example, to set a policy at the project level, use the projects.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
Replace PROJECT_ID with the project ID.
Grant the role for a data exchange
To grant the role for a data exchange, follow these steps:
Console
In the Google Cloud console, go to the Analytics Hub page.
Click the data exchange name for which you want to set permissions.
Click Set permissions.
To add principals, click Add principal.
In the New principals field, add the emails to which you want to grant access.
For Select a role, hold the pointer over Analytics Hub, and then select one of the following Identity and Access Management (IAM) roles:
- Analytics Hub Admin
- Analytics Hub Publisher
- Analytics Hub Listing Admin
- Analytics Hub Subscriber
- Analytics Hub Viewer
Click Save.
API
Read the existing policy for the data exchange by using the projects.locations.dataExchanges.getIamPolicy method:
POST https://analyticshub.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/dataExchanges/DATAEXCHANGE_ID:getIamPolicy
Replace the following:
- PROJECT_ID: the project ID (for example, my-project-1).
- LOCATION: the location for your data exchange.
- DATAEXCHANGE_ID: the data exchange ID.
Analytics Hub returns the current policy.
To add or remove members and their associated Identity and Access Management (IAM) roles, edit the policy with a text editor. Use the following format to add members:
user:test-user@gmail.com
group:admins@example.com
serviceAccount:test123@example.domain.com
domain:example.domain.com
For example, to grant the roles/analyticshub.subscriber role to group:subscribers@example.com, add the following binding to the policy:
{
  "members": [
    "group:subscribers@example.com"
  ],
  "role": "roles/analyticshub.subscriber"
}
Write the updated policy by using the projects.locations.dataExchanges.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.
POST https://analyticshub.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/dataExchanges/DATAEXCHANGE_ID:setIamPolicy
In the body of the request, provide the listing details. If the request is successful, then the response body contains details of the listing.
You can delete and update roles for a data exchange through the same IAM panel, explained in the preceding steps.
Grant the role for a listing
To grant the role for a listing, follow these steps:
Console
In the Google Cloud console, go to the Analytics Hub page.
Click the data exchange name that contains the listing.
Click the listing for which you want to add users.
Click Set permissions.
To add principals, click Add principal.
In the New principals field, add the emails of the identity to which you want to grant access.
For Select a role, hold the pointer over Analytics Hub and then select one of the following roles:
- Analytics Hub Admin
- Analytics Hub Publisher
- Analytics Hub Listing Admin
- Analytics Hub Subscriber
- Analytics Hub Viewer
Click Save.
API
Read the existing policy for the listing by using the projects.locations.dataExchanges.listings.getIamPolicy method:
POST https://analyticshub.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/dataExchanges/DATAEXCHANGE_ID/listings/LISTING_ID:getIamPolicy
Replace the following:
- PROJECT_ID: the project ID (for example, my-project-1).
- LOCATION: the location of the data exchange that contains the listing.
- DATAEXCHANGE_ID: the data exchange ID.
- LISTING_ID: the listing ID.
Analytics Hub returns the current policy.
To add or remove members and their associated Identity and Access Management (IAM) roles, edit the policy with a text editor. Use the following format to add members:
user:test-user@gmail.com
group:admins@example.com
serviceAccount:test123@example.domain.com
domain:example.domain.com
For example, to grant the roles/analyticshub.publisher role to group:publishers@example.com, add the following binding to the policy:
{
  "members": [
    "group:publishers@example.com"
  ],
  "role": "roles/analyticshub.publisher"
}
Write the updated policy by using the projects.locations.dataExchanges.listings.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.
POST https://analyticshub.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/dataExchanges/DATAEXCHANGE_ID/listings/LISTING_ID:setIamPolicy
In the body of the request, provide the listing details. If the request is successful, then the response body contains details of the listing.
You can delete and update roles for a listing through the same IAM panel, explained in the preceding steps.
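The API steps for projects, data exchanges, and listings all follow the same read, edit, write cycle, and hand-editing the policy is where existing grants get dropped. The following added example (not part of the Analytics Hub documentation) merges one binding into a fetched policy and builds the setIamPolicy request body. The sample policy and function names are constructed; the etag field and the {"policy": ...} body wrapper are standard IAM behavior assumed here, not stated on this page.

```python
import copy
import json

# Member prefixes listed on this page for IAM policy bindings.
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")

# Constructed stand-in for a getIamPolicy response; the etag value is made up.
CURRENT_POLICY = {
    "version": 1,
    "etag": "CONSTRUCTED_ETAG",
    "bindings": [
        {"role": "roles/analyticshub.viewer", "members": ["user:test-user@gmail.com"]},
        {"role": "roles/analyticshub.publisher", "members": ["group:admins@example.com"]},
    ],
}


def add_binding(policy, role, member):
    """Return a copy of policy in which member also holds role.

    Other bindings and top-level fields such as etag are kept, so the write
    does not drop existing grants or overwrite a concurrent change.
    """
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member needs a type prefix: {member!r}")
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Merge only into an unconditional binding for the same role.
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def set_iam_policy_body(policy):
    """Serialize the request body for setIamPolicy."""
    return json.dumps({"policy": policy}, indent=2)


if __name__ == "__main__":
    new_policy = add_binding(CURRENT_POLICY, "roles/analyticshub.publisher",
                             "group:publishers@example.com")
    print(set_iam_policy_body(new_policy))
```

Diff the output against the policy you read before sending it, so that the only change is the binding you intended to add.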
What's next
- Read about IAM.
- Learn about BigQuery IAM roles.
- See a list of Analytics Hub IAM roles.
- Learn about Analytics Hub.
- Learn how to manage data exchanges.
- Learn how to manage listings.
- Learn how to view and subscribe to listings.
- Learn about Analytics Hub audit logging.