RBAC roles and permissions
This page describes the roles and permissions used by Cloud Data Fusion
instances with
role-based access control
(RBAC) enabled.
For fine-grained access enforcement at the namespace level and lower, use these
data plane resources and permissions with RBAC.
Resource hierarchy
Cloud Data Fusion resources have the following resource hierarchy, in
descending order (broadest to narrowest): Google Cloud project, location,
Cloud Data Fusion instance, and namespace. Below namespaces, in no particular
order, are connections, secure keys, pipelines, artifacts (such as plugins,
drivers, and applications), and compute profiles.
The following resources are Cloud Data Fusion data plane
resources that you control with the REST API or in the Cloud Data Fusion
Studio: namespaces, connections, secure keys, pipelines, artifacts, and compute
profiles.
Predefined roles for RBAC
Cloud Data Fusion RBAC includes several predefined roles that you can use:
Instance Access role (datafusion.accessor)
Grants the principal access to a Cloud Data Fusion instance, but not to
any resources within the instance. Use this role in combination with the
namespace-specific roles below to provide fine-grained access to a namespace.
Viewer role (datafusion.viewer)
Grants access to a principal on a namespace to view pipelines, but not to
author or run pipelines.
Operator role (datafusion.operator)
Grants access to a principal on a namespace to access and run pipelines,
change the compute profile, create compute profiles, or upload artifacts.
Can perform the same actions as a developer, with the exception of
previewing pipelines.
Developer role (datafusion.developer)
Grants access to a principal on a namespace to create and modify limited
resources, such as pipelines, within the namespace.
Editor role (datafusion.editor)
Grants the principal full access to all Cloud Data Fusion resources
under a namespace within a Cloud Data Fusion instance. This role must
be granted in addition to the Instance Access role. With this role, the
principal can create, delete, and modify resources in the namespace.
Instance Admin role (datafusion.admin)
Grants access to all resources within a Cloud Data Fusion instance.
Assigned through IAM, not at the namespace level through RBAC.
Note: A Cloud Data Fusion IAM role bundles many permissions and is less
granular than an RBAC role. Each principal's effective access is the
combination of its IAM and RBAC permissions, and IAM roles take precedence
over RBAC roles. When a principal appears to have more access than its
namespace bindings grant, check its project-level IAM roles first.
For a complete list of the permissions in each Cloud Data Fusion predefined
role, see Cloud Data Fusion predefined roles
(/iam/docs/understanding-roles#cloud-data-fusion-roles).
Custom roles for RBAC
Some use cases cannot be implemented with the predefined roles for
Cloud Data Fusion. In these cases, create a custom role
(/iam/docs/creating-custom-roles).
Examples
The following examples describe how to create custom roles for RBAC:
To create a custom role that only gives access to the secure keys within a
namespace, create a custom role with the datafusion.namespaces.get and
datafusion.secureKeys.* permissions.
To create a custom role that gives read-only access to secure keys, create a
custom role with the datafusion.namespaces.get,
datafusion.secureKeys.getSecret, and datafusion.secureKeys.list
permissions.
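The two examples above map directly onto custom role definitions. The following Python is an added example, not code from the Cloud Data Fusion documentation or the product itself. It expands the `datafusion.secureKeys.*` shorthand into explicit permission names, because an IAM custom role must list each permission individually, and writes the YAML that `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=FILE` accepts. The list of secure-key permissions is taken from the permissions table on this page and is an assumption about the complete set; confirm it with `gcloud iam list-testable-permissions` on your project before creating the role. The role IDs, titles and `PROJECT_ID` are placeholders.

```python
"""Build custom IAM role definitions for the secure-key roles described above.

Added example, not from the Cloud Data Fusion documentation. Assumptions:
- the secure-key permissions below are the complete set (they are the ones
  this page's table lists; verify with `gcloud iam list-testable-permissions`)
- the YAML is consumed by `gcloud iam roles create ROLE_ID --file=FILE`
"""
import json
from fnmatch import fnmatchcase

# Secure-key permissions named in the permissions table on this page.
SECURE_KEY_PERMISSIONS = (
    "datafusion.secureKeys.list",
    "datafusion.secureKeys.getSecret",
    "datafusion.secureKeys.update",
    "datafusion.secureKeys.delete",
)

# Both custom role examples on this page include this permission.
NAMESPACE_GET = "datafusion.namespaces.get"


def expand_permissions(patterns, known):
    """Expand shell-style patterns such as 'datafusion.secureKeys.*' into the
    explicit permission names a custom role needs. A pattern that matches
    nothing raises instead of silently producing an empty role."""
    result = []
    for pattern in patterns:
        matches = [p for p in known if fnmatchcase(p, pattern)]
        if not matches:
            raise ValueError(f"no known permission matches {pattern!r}")
        for p in matches:
            if p not in result:
                result.append(p)
    return result


def role_definition(title, description, permissions):
    """Return a validated role definition in the shape gcloud's --file expects."""
    perms = list(dict.fromkeys(permissions))  # de-duplicate, keep order
    if any("*" in p for p in perms):
        raise ValueError("custom roles cannot contain wildcard permissions")
    return {
        "title": title,
        "description": description,
        "stage": "GA",
        "includedPermissions": perms,
    }


def to_yaml(role):
    """Serialize the flat role structure; JSON string literals are valid YAML."""
    lines = [
        f"title: {json.dumps(role['title'])}",
        f"description: {json.dumps(role['description'])}",
        f"stage: {json.dumps(role['stage'])}",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in role["includedPermissions"]]
    return "\n".join(lines) + "\n"


# Example 1 from the page: all secure-key operations in a namespace, nothing else.
FULL_KEY_ACCESS = role_definition(
    "Data Fusion secure key manager",
    "Full access to secure keys in a namespace",
    [NAMESPACE_GET] + expand_permissions(["datafusion.secureKeys.*"], SECURE_KEY_PERMISSIONS),
)

# Example 2 from the page: read-only access to secure keys.
READ_ONLY_KEY_ACCESS = role_definition(
    "Data Fusion secure key reader",
    "Read-only access to secure keys in a namespace",
    [NAMESPACE_GET, "datafusion.secureKeys.getSecret", "datafusion.secureKeys.list"],
)

if __name__ == "__main__":
    # Placeholder role IDs; PROJECT_ID is a placeholder too.
    for role_id, role in [("dfSecureKeyManager", FULL_KEY_ACCESS),
                          ("dfSecureKeyReader", READ_ONLY_KEY_ACCESS)]:
        path = f"{role_id}.yaml"
        with open(path, "w") as fh:
            fh.write(to_yaml(role))
        print(f"gcloud iam roles create {role_id} --project=PROJECT_ID --file={path}")
```

Bind the resulting role to a principal on the namespace, not at the project level; per the note on IAM precedence above, a project-level grant would not be narrowed by the namespace binding.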
Permissions for common actions
A single permission is often not sufficient to perform an action. For
example, to update namespace properties, you also need the
datafusion.namespaces.get permission. The following table lists common
actions performed within a Cloud Data Fusion instance and the IAM
permissions each one requires:
Action: required permissions
Access an Instance: datafusion.instances.get
Create a Namespace: datafusion.namespaces.create
Get a Namespace: datafusion.namespaces.get
Update Namespace Metadata (such as properties): datafusion.namespaces.get, datafusion.namespaces.update
Delete Namespace (only with Unrecoverable Reset enabled): datafusion.namespaces.get, datafusion.namespaces.delete
View Permissions on Namespace: datafusion.namespaces.getIamPolicy
Grant Permissions on Namespace: datafusion.namespaces.setIamPolicy
Pull Pipelines from Namespace SCM Configuration: datafusion.namespaces.get, datafusion.namespaces.readRepository, datafusion.pipelines.create
Push Pipelines to SCM Repository for Namespace: datafusion.namespaces.get, datafusion.namespaces.writeRepository
Get Namespace SCM Configuration: datafusion.namespaces.get
Update Namespace SCM Configuration: datafusion.namespaces.updateRepositoryMetadata
Set a Service Account for a Namespace: datafusion.namespaces.get, datafusion.namespaces.setServiceAccount
Unset a Service Account for a Namespace: datafusion.namespaces.get, datafusion.namespaces.unsetServiceAccount
Provision a Service Account Credential for a Namespace: datafusion.namespaces.provisionCredential
View a Pipeline Draft: datafusion.namespaces.get
Create/Delete a Pipeline Draft: datafusion.namespaces.get, datafusion.namespaces.update
List Compute Profiles: datafusion.profiles.list
Create a Compute Profile: datafusion.profiles.create
View a Compute Profile: datafusion.profiles.get
Edit a Compute Profile: datafusion.profiles.update
Delete a Compute Profile: datafusion.profiles.delete
Create a Connection: datafusion.namespaces.get, datafusion.pipelineConnections.create
View a Connection: datafusion.namespaces.get, datafusion.pipelineConnections.get
Edit a Connection: datafusion.namespaces.get, datafusion.pipelineConnections.update
Delete a Connection: datafusion.namespaces.get, datafusion.pipelineConnections.delete
Browse, Sample, or View Connection Specifications: datafusion.namespaces.get, datafusion.pipelineConnections.use
List Pipelines: datafusion.namespaces.get, datafusion.pipelines.list
Create Pipeline: datafusion.namespaces.get, datafusion.pipelines.create
View Pipeline: datafusion.namespaces.get, datafusion.pipelines.get
Edit Pipeline: datafusion.namespaces.get, datafusion.pipelines.create
Edit Pipeline Properties: datafusion.namespaces.get, datafusion.pipelines.update
Delete Pipeline: datafusion.namespaces.get, datafusion.pipelines.delete
Preview Pipeline: datafusion.pipelines.preview
Run Pipeline: datafusion.pipelines.execute
Create Schedule: datafusion.pipelines.execute
View Schedule: datafusion.namespaces.get, datafusion.pipelines.get
Change Schedule: datafusion.pipelines.execute
List Secure Keys: datafusion.namespaces.get, datafusion.secureKeys.list
Create Secure Keys: datafusion.namespaces.get, datafusion.secureKeys.update
View Secure Keys: datafusion.namespaces.get, datafusion.secureKeys.getSecret
Delete Secure Keys: datafusion.namespaces.get, datafusion.secureKeys.delete
List Artifacts*: datafusion.namespaces.get, datafusion.artifacts.list
Create an Artifact*: datafusion.namespaces.get, datafusion.artifacts.create, datafusion.artifacts.update
Get an Artifact*: datafusion.namespaces.get, datafusion.artifacts.get
Delete an Artifact*: datafusion.namespaces.get, datafusion.artifacts.delete
Preferences, Tags, and Metadata: set at the level of the particular resource; requires the update permission for that resource (datafusion.RESOURCE.update)
Dataset Permissions (Deprecated): datafusion.namespaces.update
* Artifacts, such as plugins and drivers, are items
that you upload in Cloud Data Fusion for developing pipelines.
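The table above is easier to reason about as data. The following Python is an added example, not code from Cloud Data Fusion or its documentation: it transcribes the table (action names shortened) and answers the two questions a reviewer of a custom role asks, namely which permissions a set of actions needs and which actions a given permission set actually allows, including ones the role's author did not intend. The split into read-only and state-changing verbs is this example's own classification, not the page's, and the audit covers only what the table lists.

```python
"""Audit Cloud Data Fusion permission sets against the actions table on this page.

Added example; not code from Cloud Data Fusion or its documentation. ACTIONS is
transcribed from the table above (names shortened). The read-only split is this
example's own classification, not the page's.
"""

# action -> every permission the page lists for it (all of them are required)
ACTIONS = {
    "Access an Instance": {"datafusion.instances.get"},
    "Create a Namespace": {"datafusion.namespaces.create"},
    "Get a Namespace": {"datafusion.namespaces.get"},
    "Update Namespace Metadata": {"datafusion.namespaces.get", "datafusion.namespaces.update"},
    "Delete Namespace": {"datafusion.namespaces.get", "datafusion.namespaces.delete"},
    "View Permissions on Namespace": {"datafusion.namespaces.getIamPolicy"},
    "Grant Permissions on Namespace": {"datafusion.namespaces.setIamPolicy"},
    "Pull Pipelines from SCM": {"datafusion.namespaces.get", "datafusion.namespaces.readRepository",
                                "datafusion.pipelines.create"},
    "Push Pipelines to SCM": {"datafusion.namespaces.get", "datafusion.namespaces.writeRepository"},
    "Get Namespace SCM Configuration": {"datafusion.namespaces.get"},
    "Update Namespace SCM Configuration": {"datafusion.namespaces.updateRepositoryMetadata"},
    "Set Namespace Service Account": {"datafusion.namespaces.get", "datafusion.namespaces.setServiceAccount"},
    "Unset Namespace Service Account": {"datafusion.namespaces.get", "datafusion.namespaces.unsetServiceAccount"},
    "Provision Service Account Credential": {"datafusion.namespaces.provisionCredential"},
    "View a Pipeline Draft": {"datafusion.namespaces.get"},
    "Create/Delete a Pipeline Draft": {"datafusion.namespaces.get", "datafusion.namespaces.update"},
    "List Compute Profiles": {"datafusion.profiles.list"},
    "Create a Compute Profile": {"datafusion.profiles.create"},
    "View a Compute Profile": {"datafusion.profiles.get"},
    "Edit a Compute Profile": {"datafusion.profiles.update"},
    "Delete a Compute Profile": {"datafusion.profiles.delete"},
    "Create a Connection": {"datafusion.namespaces.get", "datafusion.pipelineConnections.create"},
    "View a Connection": {"datafusion.namespaces.get", "datafusion.pipelineConnections.get"},
    "Edit a Connection": {"datafusion.namespaces.get", "datafusion.pipelineConnections.update"},
    "Delete a Connection": {"datafusion.namespaces.get", "datafusion.pipelineConnections.delete"},
    "Browse/Sample a Connection": {"datafusion.namespaces.get", "datafusion.pipelineConnections.use"},
    "List Pipelines": {"datafusion.namespaces.get", "datafusion.pipelines.list"},
    "Create Pipeline": {"datafusion.namespaces.get", "datafusion.pipelines.create"},
    "View Pipeline": {"datafusion.namespaces.get", "datafusion.pipelines.get"},
    "Edit Pipeline": {"datafusion.namespaces.get", "datafusion.pipelines.create"},
    "Edit Pipeline Properties": {"datafusion.namespaces.get", "datafusion.pipelines.update"},
    "Delete Pipeline": {"datafusion.namespaces.get", "datafusion.pipelines.delete"},
    "Preview Pipeline": {"datafusion.pipelines.preview"},
    "Run Pipeline": {"datafusion.pipelines.execute"},
    "Create Schedule": {"datafusion.pipelines.execute"},
    "View Schedule": {"datafusion.namespaces.get", "datafusion.pipelines.get"},
    "Change Schedule": {"datafusion.pipelines.execute"},
    "List Secure Keys": {"datafusion.namespaces.get", "datafusion.secureKeys.list"},
    "Create Secure Keys": {"datafusion.namespaces.get", "datafusion.secureKeys.update"},
    "View Secure Keys": {"datafusion.namespaces.get", "datafusion.secureKeys.getSecret"},
    "Delete Secure Keys": {"datafusion.namespaces.get", "datafusion.secureKeys.delete"},
    "List Artifacts": {"datafusion.namespaces.get", "datafusion.artifacts.list"},
    "Create an Artifact": {"datafusion.namespaces.get", "datafusion.artifacts.create",
                           "datafusion.artifacts.update"},
    "Get an Artifact": {"datafusion.namespaces.get", "datafusion.artifacts.get"},
    "Delete an Artifact": {"datafusion.namespaces.get", "datafusion.artifacts.delete"},
}

# Permission verbs (last segment) that change state or run code. 'preview' and
# 'execute' run plugin code; 'use' reads data through a connection's credentials.
NON_READ_VERBS = {"create", "update", "delete", "execute", "preview", "use",
                  "setIamPolicy", "setServiceAccount", "unsetServiceAccount",
                  "provisionCredential", "writeRepository", "updateRepositoryMetadata"}


def permissions_for(actions):
    """Minimal permission set for the given actions (union of each action's row)."""
    needed = set()
    for action in actions:
        needed |= ACTIONS[action]  # KeyError on an unknown action is deliberate
    return needed


def actions_allowed(permissions):
    """Actions for which the principal holds every listed permission."""
    held = set(permissions)
    return sorted(a for a, required in ACTIONS.items() if required <= held)


def missing_for(action, permissions):
    """Permissions still needed for one action; useful when a request returns 403."""
    return sorted(ACTIONS[action] - set(permissions))


def audit_read_only(permissions):
    """Actions a supposedly read-only permission set allows that are not pure reads."""
    return [a for a in actions_allowed(permissions)
            if any(p.rsplit(".", 1)[1] in NON_READ_VERBS for p in ACTIONS[a])]


# Read-only secure key role from the custom role examples on this page.
KEY_READER = {"datafusion.namespaces.get", "datafusion.secureKeys.getSecret",
              "datafusion.secureKeys.list"}

if __name__ == "__main__":
    print("key reader can:", actions_allowed(KEY_READER))
    print("adding secureKeys.update also allows:",
          audit_read_only(KEY_READER | {"datafusion.secureKeys.update"}))
    print("to edit a pipeline, key reader lacks:", missing_for("Edit Pipeline", KEY_READER))
```

Run against the read-only key role, the audit shows that datafusion.namespaces.get on its own also satisfies "View a Pipeline Draft" and "Get Namespace SCM Configuration", so a "secure keys only" role is slightly broader than its name; and `missing_for` makes the page's point that editing a deployed pipeline needs datafusion.pipelines.create, not an update permission.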
What's next
Learn more about RBAC in Cloud Data Fusion: /data-fusion/docs/concepts/rbac