此页面由 Cloud Translation API 翻译。

使用 IAM 控制访问权限

本文档介绍了 Dataform 的访问权限控制选项，并说明了如何查看和授予 Dataform 角色。 Dataform 使用 Identity and Access Management (IAM) 进行访问权限控制。如需详细了解 IAM 中的角色和权限，请参阅了解角色和权限。

预定义的 Dataform 角色

下表列出了授予您对 Dataform 资源的访问权限的预定义角色：

Role Permissions

Role	Permissions
Dataform Admin (`roles/dataform.admin`) Full access to all Dataform resources.	dataform.* dataform.compilationResults.create dataform.compilationResults.get dataform.compilationResults.list dataform.compilationResults.query dataform.locations.get dataform.locations.list dataform.releaseConfigs.create dataform.releaseConfigs.delete dataform.releaseConfigs.get dataform.releaseConfigs.list dataform.releaseConfigs.update dataform.repositories.commit dataform.repositories.computeAccessTokenStatus dataform.repositories.create dataform.repositories.delete dataform.repositories.fetchHistory dataform.repositories.fetchRemoteBranches dataform.repositories.get dataform.repositories.getIamPolicy dataform.repositories.list dataform.repositories.queryDirectoryContents dataform.repositories.readFile dataform.repositories.setIamPolicy dataform.repositories.update dataform.workflowConfigs.create dataform.workflowConfigs.delete dataform.workflowConfigs.get dataform.workflowConfigs.list dataform.workflowConfigs.update dataform.workflowInvocations.cancel dataform.workflowInvocations.create dataform.workflowInvocations.delete dataform.workflowInvocations.get dataform.workflowInvocations.list dataform.workflowInvocations.query dataform.workspaces.commit dataform.workspaces.create dataform.workspaces.delete dataform.workspaces.fetchFileDiff dataform.workspaces.fetchFileGitStatuses dataform.workspaces.fetchGitAheadBehind dataform.workspaces.get dataform.workspaces.getIamPolicy dataform.workspaces.installNpmPackages dataform.workspaces.list dataform.workspaces.makeDirectory dataform.workspaces.moveDirectory dataform.workspaces.moveFile dataform.workspaces.pull dataform.workspaces.push dataform.workspaces.queryDirectoryContents dataform.workspaces.readFile dataform.workspaces.removeDirectory dataform.workspaces.removeFile dataform.workspaces.reset dataform.workspaces.setIamPolicy dataform.workspaces.writeFile resourcemanager.projects.get resourcemanager.projects.list
Code Creator ^Beta (`roles/dataform.codeCreator`) Access only to private and shared code resources. The permissions in the Code Creator let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.	dataform.locations.* dataform.locations.get dataform.locations.list dataform.repositories.create dataform.repositories.list resourcemanager.projects.get resourcemanager.projects.list
Code Editor ^Beta (`roles/dataform.codeEditor`) Edit access code resources.	dataform.locations.* dataform.locations.get dataform.locations.list dataform.repositories.commit dataform.repositories.computeAccessTokenStatus dataform.repositories.create dataform.repositories.fetchHistory dataform.repositories.fetchRemoteBranches dataform.repositories.get dataform.repositories.getIamPolicy dataform.repositories.list dataform.repositories.queryDirectoryContents dataform.repositories.readFile dataform.workspaces.commit dataform.workspaces.create dataform.workspaces.delete dataform.workspaces.fetchFileDiff dataform.workspaces.fetchFileGitStatuses dataform.workspaces.fetchGitAheadBehind dataform.workspaces.get dataform.workspaces.getIamPolicy dataform.workspaces.installNpmPackages dataform.workspaces.list dataform.workspaces.makeDirectory dataform.workspaces.moveDirectory dataform.workspaces.moveFile dataform.workspaces.pull dataform.workspaces.push dataform.workspaces.queryDirectoryContents dataform.workspaces.readFile dataform.workspaces.removeDirectory dataform.workspaces.removeFile dataform.workspaces.reset dataform.workspaces.writeFile resourcemanager.projects.get resourcemanager.projects.list
Code Owner ^Beta (`roles/dataform.codeOwner`) Full access to code resources.	dataform.locations.* dataform.locations.get dataform.locations.list dataform.repositories.* dataform.repositories.commit dataform.repositories.computeAccessTokenStatus dataform.repositories.create dataform.repositories.delete dataform.repositories.fetchHistory dataform.repositories.fetchRemoteBranches dataform.repositories.get dataform.repositories.getIamPolicy dataform.repositories.list dataform.repositories.queryDirectoryContents dataform.repositories.readFile dataform.repositories.setIamPolicy dataform.repositories.update dataform.workspaces.* dataform.workspaces.commit dataform.workspaces.create dataform.workspaces.delete dataform.workspaces.fetchFileDiff dataform.workspaces.fetchFileGitStatuses dataform.workspaces.fetchGitAheadBehind dataform.workspaces.get dataform.workspaces.getIamPolicy dataform.workspaces.installNpmPackages dataform.workspaces.list dataform.workspaces.makeDirectory dataform.workspaces.moveDirectory dataform.workspaces.moveFile dataform.workspaces.pull dataform.workspaces.push dataform.workspaces.queryDirectoryContents dataform.workspaces.readFile dataform.workspaces.removeDirectory dataform.workspaces.removeFile dataform.workspaces.reset dataform.workspaces.setIamPolicy dataform.workspaces.writeFile resourcemanager.projects.get resourcemanager.projects.list
Code Viewer ^Beta (`roles/dataform.codeViewer`) Read-only access to all code resources.	dataform.locations.* dataform.locations.get dataform.locations.list dataform.repositories.computeAccessTokenStatus dataform.repositories.fetchHistory dataform.repositories.fetchRemoteBranches dataform.repositories.get dataform.repositories.getIamPolicy dataform.repositories.list dataform.repositories.queryDirectoryContents dataform.repositories.readFile dataform.workspaces.fetchFileDiff dataform.workspaces.fetchFileGitStatuses dataform.workspaces.fetchGitAheadBehind dataform.workspaces.get dataform.workspaces.getIamPolicy dataform.workspaces.list dataform.workspaces.queryDirectoryContents dataform.workspaces.readFile resourcemanager.projects.get resourcemanager.projects.list
Dataform Editor (`roles/dataform.editor`) Edit access to Workspaces and Read-only access to Repositories.	dataform.compilationResults.* dataform.compilationResults.create dataform.compilationResults.get dataform.compilationResults.list dataform.compilationResults.query dataform.locations.* dataform.locations.get dataform.locations.list dataform.releaseConfigs.get dataform.releaseConfigs.list dataform.repositories.computeAccessTokenStatus dataform.repositories.fetchHistory dataform.repositories.fetchRemoteBranches dataform.repositories.get dataform.repositories.getIamPolicy dataform.repositories.list dataform.repositories.queryDirectoryContents dataform.repositories.readFile dataform.workflowConfigs.get dataform.workflowConfigs.list dataform.workflowInvocations.* dataform.workflowInvocations.cancel dataform.workflowInvocations.create dataform.workflowInvocations.delete dataform.workflowInvocations.get dataform.workflowInvocations.list dataform.workflowInvocations.query dataform.workspaces.commit dataform.workspaces.create dataform.workspaces.delete dataform.workspaces.fetchFileDiff dataform.workspaces.fetchFileGitStatuses dataform.workspaces.fetchGitAheadBehind dataform.workspaces.get dataform.workspaces.getIamPolicy dataform.workspaces.installNpmPackages dataform.workspaces.list dataform.workspaces.makeDirectory dataform.workspaces.moveDirectory dataform.workspaces.moveFile dataform.workspaces.pull dataform.workspaces.push dataform.workspaces.queryDirectoryContents dataform.workspaces.readFile dataform.workspaces.removeDirectory dataform.workspaces.removeFile dataform.workspaces.reset dataform.workspaces.writeFile resourcemanager.projects.get resourcemanager.projects.list
Dataform Viewer (`roles/dataform.viewer`) Read-only access to all Dataform resources.	dataform.compilationResults.get dataform.compilationResults.list dataform.compilationResults.query dataform.locations.* dataform.locations.get dataform.locations.list dataform.releaseConfigs.get dataform.releaseConfigs.list dataform.repositories.computeAccessTokenStatus dataform.repositories.fetchHistory dataform.repositories.fetchRemoteBranches dataform.repositories.get dataform.repositories.getIamPolicy dataform.repositories.list dataform.repositories.queryDirectoryContents dataform.repositories.readFile dataform.workflowConfigs.get dataform.workflowConfigs.list dataform.workflowInvocations.get dataform.workflowInvocations.list dataform.workflowInvocations.query dataform.workspaces.fetchFileDiff dataform.workspaces.fetchFileGitStatuses dataform.workspaces.fetchGitAheadBehind dataform.workspaces.get dataform.workspaces.getIamPolicy dataform.workspaces.list dataform.workspaces.queryDirectoryContents dataform.workspaces.readFile resourcemanager.projects.get resourcemanager.projects.list

Dataform Admin

(roles/dataform.admin)

Full access to all Dataform resources.

dataform.*

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

Code Creator ^Beta

(roles/dataform.codeCreator)

Access only to private and shared code resources. The permissions in the Code Creator let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

Code Editor ^Beta

(roles/dataform.codeEditor)

Edit access code resources.

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.commit

dataform.repositories.computeAccessTokenStatus

dataform.repositories.create

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workspaces.commit

dataform.workspaces.create

dataform.workspaces.delete

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.installNpmPackages

dataform.workspaces.list

dataform.workspaces.makeDirectory

dataform.workspaces.moveDirectory

dataform.workspaces.moveFile

dataform.workspaces.pull

dataform.workspaces.push

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.removeDirectory

dataform.workspaces.removeFile

dataform.workspaces.reset

dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

Code Owner ^Beta

(roles/dataform.codeOwner)

Full access to code resources.

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.*

dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update

dataform.workspaces.*

dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

Code Viewer ^Beta

(roles/dataform.codeViewer)

Read-only access to all code resources.

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.list

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

resourcemanager.projects.get

resourcemanager.projects.list

Dataform Editor

(roles/dataform.editor)

Edit access to Workspaces and Read-only access to Repositories.

dataform.compilationResults.*

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.releaseConfigs.get

dataform.releaseConfigs.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workflowConfigs.get

dataform.workflowConfigs.list

dataform.workflowInvocations.*

dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query

dataform.workspaces.commit

dataform.workspaces.create

dataform.workspaces.delete

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.installNpmPackages

dataform.workspaces.list

dataform.workspaces.makeDirectory

dataform.workspaces.moveDirectory

dataform.workspaces.moveFile

dataform.workspaces.pull

dataform.workspaces.push

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.removeDirectory

dataform.workspaces.removeFile

dataform.workspaces.reset

dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

Dataform Viewer

(roles/dataform.viewer)

Read-only access to all Dataform resources.

dataform.compilationResults.get

dataform.compilationResults.list

dataform.compilationResults.query

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.releaseConfigs.get

dataform.releaseConfigs.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workflowConfigs.get

dataform.workflowConfigs.list

dataform.workflowInvocations.get

dataform.workflowInvocations.list

dataform.workflowInvocations.query

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.list

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

resourcemanager.projects.get

resourcemanager.projects.list

自定义 Dataform 角色

自定义角色可以包含您指定的任何权限。您可以创建具有执行特定管理操作（例如创建开发工作区或在开发工作区中创建文件和目录）的权限的自定义角色。如需创建自定义角色，请参阅创建和管理自定义角色。

须知事项

登录您的 Google Cloud 帐号。如果您是 Google Cloud 新手，请创建一个帐号来评估我们的产品在实际场景中的表现。新客户还可获享 $300 赠金，用于运行、测试和部署工作负载。

在 Google Cloud Console 中的项目选择器页面上，选择或创建一个 Google Cloud 项目。

转到“项目选择器”

确保您的 Google Cloud 项目已启用结算功能。

启用 BigQuery and Dataform API。

启用 API

在 Google Cloud Console 中的项目选择器页面上，选择或创建一个 Google Cloud 项目。

转到“项目选择器”

确保您的 Google Cloud 项目已启用结算功能。

启用 BigQuery and Dataform API。

启用 API

查看 Dataform 角色

在 Google Cloud 控制台中，执行以下步骤：

转到 IAM 和管理 > 角色页面。

打开“角色”
在过滤条件字段中，选择用于，输入 Dataform，然后按 Enter 键。
点击所列的某个角色，以在右侧窗格中查看该角色的权限。

例如，Dataform Admin 角色拥有对所有 Dataform 资源的完整访问权限。

如需详细了解如何在项目上授予角色，请参阅授予角色。您可以通过这种方式授予预定义角色或自定义角色。

控制对单个代码库的访问权限

如需使用精细权限控制对 Dataform 的访问权限，您可以使用 Dataform API repositories.setIamPolicy 请求在各个代码库上设置 Dataform IAM 角色。

如需在单个 Dataform 代码库上设置 Dataform IAM 角色，请按以下步骤操作：

在终端中，通过访问权限政策传递 Dataform API repositories.setIamPolicy 请求。
在政策中，按以下格式将用户、群组、网域或服务帐号绑定到所选角色：
```
{
"policy":
   {
      "bindings": [
      {
         "role": "roles/ROLE",
         "members": [
            "TYPE:IDENTIFIER",
         ]
      },
      ],
   }
}
```
替换以下内容：
- ROLE：您要针对代码库授予的 Dataform IAM 角色
- TYPE：user、group、domain 或 serviceAccount
- IDENTIFIER：您要向其授予角色的用户、群组、网域或服务帐号
在“IAM”页面中，确保所有用户都可以通过具有 dataform.repositories.list 权限的 Dataform 角色查看 Dataform 代码库的完整列表。
在 IAM 中，确保只有需要所有 Dataform 代码库的完整访问权限的用户才能获得所有代码库的 Dataform Admin 角色。

以下命令将向单个用户授予 sales 代码库的 Dataform Editor 角色的 repositories.setIamPolicy Dataform API 请求：

curl -H "Content-Type: application/json" -X POST -d '{ "policy": { "bindings": [{ "role": "roles/dataform.editor", "members": ["user:sasha@examplepetstore.com"]}] }}' "https://dataform.googleapis.com/v1beta1/projects/examplepetstore/locations/us-central1/repositories/sales:setIamPolicy"

后续步骤

如需详细了解 IAM，请参阅 IAM 概览。
如需详细了解角色和权限，请参阅了解角色。
如需详细了解如何管理对资源的访问权限，请参阅管理对项目、文件夹和组织的访问权限。
如需了解如何向 Dataform 中的表授予 BigQuery 角色，请参阅使用 IAM 控制对各个表的访问权限。

使用 IAM 控制访问权限

预定义的 Dataform 角色

Dataform Admin

Code Creator Beta

Code Editor Beta

Code Owner Beta

Code Viewer Beta

Dataform Editor

Dataform Viewer

自定义 Dataform 角色

须知事项

查看 Dataform 角色

控制对单个代码库的访问权限

后续步骤

Code Creator ^Beta

Code Editor ^Beta

Code Owner ^Beta

Code Viewer ^Beta