Access control with IAM

By default, all Google Cloud projects come with a single user, the original project creator. No other users have access to the project, and therefore, access to Dataplex resources, until a user is added as a project member or is bound to a specific resource. This page describes the ways you can add new users to your project and how to set access control for your Dataplex resources.

IAM overview

Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM also lets you control which identity holds which roles, and therefore which permissions, on which resources by setting IAM policies. An IAM policy grants one or more roles to a project member, giving that identity a defined set of permissions. For example, on a given resource, such as a project, you can grant the roles/dataplex.admin role to a Google Account; that account can then control Dataplex resources in the project, but cannot manage other resources. You can also use IAM to manage the basic roles granted to project team members.

Access control options for users

To give users the ability to create and manage your Dataplex resources, you can add users as team members to your project or to specific resources and grant them permissions using IAM roles.

A team member can be an individual user with a valid Google Account, a Google Group, a service account, or a Google Workspace domain. When you add a team member to a project or to a resource, you specify which roles to grant them. IAM provides three types of roles: predefined roles, basic roles, and custom roles.

For more information about the capabilities of each Dataplex role, and API methods that a specific role grants permission to, see Dataplex IAM roles.

For other member types, such as service accounts and groups, refer to the Policy binding reference.

Service accounts

Dataplex uses a service account that has been granted the necessary permissions to access resources managed within a lake. This service account is automatically granted permissions in the project containing a lake instance. You must explicitly grant it permissions to other projects and resources that you want to add to and manage within a lake.

The Dataplex service account has the following format:

service-CUSTOMER_PROJECT_NUMBER@gcp-sa-dataplex.iam.gserviceaccount.com

CUSTOMER_PROJECT_NUMBER is the project where you have enabled the Dataplex API.

You must grant the Dataplex Service Agent (roles/dataplex.serviceAgent) access to the underlying assets that you add to a lake or data zone.

IAM policies for resources

Dataplex adds a virtual hierarchy on top of base storage resources such as Cloud Storage buckets and BigQuery datasets. Dataplex propagates IAM policies assigned to the lake down to data zone assets and finally to the resources pointed to by these assets. These propagated policies are added to the policies that already exist on the base storage resource (the Cloud Storage bucket or BigQuery dataset); they do not replace them.

An IAM policy lets you manage IAM roles on those resources instead of, or in addition to, managing roles at the project level. This gives you flexibility to apply the principle of least privilege, which is to grant access only to the specific resources that collaborators need to do their work.

Resources also inherit the policies of their parent resources. If you set a policy at the project level, it's inherited by all its child resources. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from higher up in the hierarchy. For more information, read about the IAM policy hierarchy.

You can get and set IAM policies using the Google Cloud console, the IAM API, or the Google Cloud CLI.
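The propagation and inheritance described above (lake policy flowing down to assets and merging with the bucket's own policy) and the required Service Agent grant can be checked offline against exported policies. The following is an added example, not Google's code; the policies it uses are constructed samples in the standard IAM policy JSON shape, and the project number is a placeholder.

```python
"""Model of how Dataplex layers IAM policies: project -> lake -> zone -> asset,
merged with whatever already exists on the underlying bucket or dataset.
The effective policy is the union of all bindings in that chain."""

from collections import defaultdict

DATAPLEX_AGENT_ROLE = "roles/dataplex.serviceAgent"


def dataplex_service_agent(project_number: str) -> str:
    """IAM member string for the Dataplex Service Agent of the given project."""
    return f"serviceAccount:service-{project_number}@gcp-sa-dataplex.iam.gserviceaccount.com"


def effective_bindings(policy_chain):
    """Union of role -> members over policies in the IAM JSON shape
    ({"bindings": [{"role": ..., "members": [...]}]}), listed from the
    project down to the resource itself. A union is order-independent."""
    merged = defaultdict(set)
    for policy in policy_chain:
        for binding in policy.get("bindings", []):
            merged[binding["role"]].update(binding.get("members", []))
    return {role: sorted(members) for role, members in merged.items()}


def missing_agent_grant(policy_chain, project_number: str) -> bool:
    """True if the Dataplex Service Agent does not hold roles/dataplex.serviceAgent
    anywhere in the effective policy, i.e. the grant the docs require is absent."""
    effective = effective_bindings(policy_chain)
    agent = dataplex_service_agent(project_number)
    return agent not in effective.get(DATAPLEX_AGENT_ROLE, [])


# Constructed sample policies: project level, lake level, and the bucket's pre-existing policy.
PROJECT_POLICY = {"bindings": [{"role": "roles/dataplex.admin", "members": ["user:alice@example.com"]}]}
LAKE_POLICY = {"bindings": [{"role": "roles/dataplex.viewer", "members": ["group:analysts@example.com"]}]}
BUCKET_POLICY = {"bindings": [{"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]}]}
PLACEHOLDER_PROJECT_NUMBER = "123456789012"  # placeholder, not a real project

if __name__ == "__main__":
    chain = [PROJECT_POLICY, LAKE_POLICY, BUCKET_POLICY]
    for role, members in sorted(effective_bindings(chain).items()):
        print(role, members)
    print("service agent grant missing:", missing_agent_grant(chain, PLACEHOLDER_PROJECT_NUMBER))
```

Feed the script the output of `gcloud ... get-iam-policy --format=json` for each level to audit a real asset; `missing_agent_grant` returning True means the asset will not be manageable by Dataplex until the Service Agent is bound.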
