Dataplex permissions allow users to perform specific actions on
Dataplex services, resources, and operations. For example,
the dataplex.datascans.create permission allows a user to create
Dataplex data scans in your project. You don't directly give users
permissions; instead, you grant them roles, which have one or more permissions
bundled within them.
This document focuses on the IAM permissions relevant to Dataplex. For more information about predefined Dataplex roles and the permissions that they contain, see Dataplex IAM roles.
Before you begin
Read the IAM documentation.
IAM policy Set and Get permissions
The following table lists the permissions that are required to get and set IAM permissions:
| Resource | API Method | IAM Permission |
|---|---|---|
| Entry types | GetIamPolicy | dataplex.entryTypes.getIamPolicy |
| Entry types | SetIamPolicy | dataplex.entryTypes.setIamPolicy |
| Aspect types | GetIamPolicy | dataplex.aspectTypes.getIamPolicy |
| Aspect types | SetIamPolicy | dataplex.aspectTypes.setIamPolicy |
| Entry groups | GetIamPolicy | dataplex.entryGroups.getIamPolicy |
| Entry groups | SetIamPolicy | dataplex.entryGroups.setIamPolicy |
| Lakes | GetIamPolicy | dataplex.lakes.getIamPolicy |
| Lakes | SetIamPolicy | dataplex.lakes.setIamPolicy |
Dataplex Catalog permissions
The set of permissions that is required to perform operations on entry types, aspect types, entry groups, and entries depends on whether the resources are system resources or custom resources. System resources are defined by Dataplex, and custom resources are defined by you or your organization.
To perform operations that are related to multiple resources (for example, creating an entry of a particular entry type, or adding an aspect of a particular aspect type to an entry), you might need multiple permissions associated with the resources.
Entry types
To create and manage entry types, you must be granted at least the standard
create, get, list, update, and delete permissions.
When you create an entry type, you must be granted permissions to use each aspect type that you want to mark as required for that entry type.
To use an entry type (for example, to create entries of an entry type), you must
be granted the use permission on the entry type.
The following table lists the permissions that are required for operating on entry types:
| Operation | Permissions required for custom entry types |
|---|---|
| List entry types | dataplex.entryTypes.list |
| Get entry types | dataplex.entryTypes.get |
| Create entry types |
|
| Update entry types |
|
| Delete entry types |
|
|
Use entry types (when creating entries, updating top-level entry fields and required aspect type values) |
|
Aspect types
To create and manage aspect types, you must be granted the standard create,
get, list, update, and delete permissions.
To use an aspect type (for example, to attach it as an optional aspect on an
entry), you must be granted the use permission on the aspect type.
Aspect types are categorized into system aspect types and custom aspect types. System aspect types are created by Dataplex and custom aspect types are created by you or your organization. System aspect types are further categorized into usable and read-only. For more information, see Categories of aspect types.
The following table lists the permissions that are required for operating on custom and system aspect types:
| Operation | Permissions required for custom aspect types | Permissions required for usable system aspect types | Permissions required for read-only system aspect types |
|---|---|---|---|
| List aspect types | dataplex.aspectTypes.list |
Not applicable (N/A) | N/A |
| Get aspect types | dataplex.aspectTypes.get |
Granted to allUsers |
Granted to allUsers |
| Create aspect types | dataplex.aspectTypes.create |
N/A | N/A |
| Update aspect types | dataplex.aspectTypes.update |
N/A | N/A |
| Delete aspect types | dataplex.aspectTypes.delete |
N/A | N/A |
| Set optional aspect type values when creating or updating entries |
|
|
N/A |
| Set required aspect type values when creating or updating entries |
|
|
N/A |
Entry groups
To create and manage entry groups, you must be granted the standard create,
get, list, update, and delete permissions.
Entry groups are categorized into system entry groups, which are created by Dataplex, and custom entry groups, which are created by you or your organization. For more information, see Categories of entry groups.
The following table lists the permissions that are required for operating on entry groups:
| Operation | Permissions required for custom entry groups | Permissions required for system entry groups (starting with @) |
|---|---|---|
| Create entry groups | dataplex.entryGroups.create |
N/A |
| Update entry groups | dataplex.entryGroups.update |
N/A |
| Delete entry groups | dataplex.entryGroups.delete |
N/A |
| List entry groups | dataplex.entryGroups.list |
dataplex.entryGroups.list |
| Get entry groups | dataplex.entryGroups.get |
dataplex.entryGroups.get |
Entries
To create and manage entries, you must be granted the standard create,
get, list, update, and delete permissions.
Note the following:
- For lookup (
LookupEntry) and search (SearchEntries) methods, the permission from the original source system is required on the entry. For example, if the source is a BigQuery table, you needbigquery.tables.getpermission. - When you create an entry or update the top-level fields of an entry, you
must be granted the
usepermission on the entry type. - When you create, update, or delete a required aspect, you must be granted
the
usepermission on the entry type of an entry, as well as on the underlying aspect type. This is because the required aspects are enforced by the entry type. - When you create, update, or delete an optional aspect, you must be granted
the
usepermission on the aspect type of an aspect. - When you upsert an entry (
UpdateEntrywithallow_missing = True), you must be granted thecreatepermission.
For more information about the entry types that entries are based on, see Categories of entry types.
The following table lists the permissions that are required for operating on entries:
| Operation | Entry based on custom entry type | Entry based on usable system entry type | Entry based on read-only system entry type |
|---|---|---|---|
| Create entries |
|
|
N/A |
| Update entries |
|
|
Top-level fields and required aspects can't be edited. |
| List entries | dataplex.entries.list |
dataplex.entries.list |
dataplex.entries.list |
| Get entries | dataplex.entries.get |
dataplex.entries.get |
dataplex.entries.get |
| Lookup entries |
Read permission of the original source system. For custom entries, this is |
Read permission of the original source system. For custom entries, this is |
Read permission of the original source system. For custom entries, this is |
| Search entries |
Read permission of the original source system. For custom entries, this is |
Read permission of the original source system. For custom entries, this is |
Read permission of the original source system. For custom entries, this is |
Metadata job permissions
The following table lists the permissions that are required for working with metadata jobs:
| Operation | IAM permission |
|---|---|
| Create metadata jobs |
|
| Get metadata jobs |
|
| List metadata jobs |
|
| Cancel metadata jobs |
|
System aspect types and entry types
Each system-defined aspect type and system-defined entry type has its own IAM
permissions. These permissions use a format like
dataplex.entryGroups.useASPECT_TYPE or
dataplex.entryGroups.useENTRY_TYPE. For example, the
permission for the overview system aspect type is
dataplex.entryGroups.useOverviewAspect.
The following table lists the permissions that apply to system-defined aspect types and entry types.
| Resource | IAM permission |
|---|---|
schema (system aspect type) |
dataplex.entryGroups.useSchemaAspect |
contacts (system aspect type) |
dataplex.entryGroups.useContactsAspect |
overview (system aspect type) |
dataplex.entryGroups.useOverviewAspect |
generic (system aspect type) |
dataplex.entryGroups.useGenericAspect |
generic (system entry type) |
dataplex.entryGroups.useGenericEntry |
Lake, zone, and asset permissions
The following table lists the permissions that are required for operating on lakes, zones, and assets:
| API Method | IAM Permission |
|---|---|
| CreateLake | dataplex.lakes.create |
| UpdateLake | dataplex.lakes.update |
| DeleteLake | dataplex.lakes.delete |
| ListLakes | dataplex.lakes.list |
| GetLake | dataplex.lakes.get |
| ListLakeActions | dataplex.lakeActions.list |
| CreateZone | dataplex.zones.create |
| UpdateZone | dataplex.zones.update |
| DeleteZone | dataplex.zones.delete |
| ListZones | dataplex.zones.list |
| GetZone | dataplex.zones.get |
| ListZoneActions | dataplex.zoneActions.list |
| CreateAsset | dataplex.assets.create |
| UpdateAsset | dataplex.assets.update |
| DeleteAsset | dataplex.assets.delete |
| ListAssets | dataplex.assets.list |
| GetAsset | dataplex.assets.get |
| ListAssetActions | dataplex.assetActions.list |
Task permissions
The following table lists the permissions that are required for operating on tasks:
| API Method | IAM Permission |
|---|---|
| CreateTask | dataplex.tasks.create |
| UpdateTask | dataplex.tasks.update |
| DeleteTask | dataplex.tasks.delete |
| ListTasks | dataplex.tasks.list |
| GetTask | dataplex.tasks.get |
| ListJobs | dataplex.tasks.get |
| GetJob | dataplex.tasks.get |
| CancelJob | dataplex.tasks.cancel |
Environment permissions
The following table lists the permissions that are required for operating on environments:
| API Method | IAM Permission |
|---|---|
| CreateEnvironment | dataplex.environments.create |
| UpdateEnvironment | dataplex.environments.update |
| DeleteEnvironment | dataplex.environments.delete |
| ListEnvironments | dataplex.environments.list |
| GetEnvironment | dataplex.environments.get |
| CreateContent | dataplex.content.create |
| UpdateContent | dataplex.content.update |
| DeleteContent | dataplex.content.delete |
| ListContent | dataplex.content.list |
| GetContent | dataplex.content.get |
| ListSessions | dataplex.environments.get |
Metadata permissions
The following table lists the permissions that are required for operating on entities and partitions:
| API Method | IAM Permission |
|---|---|
| CreateEntity | dataplex.entities.create |
| UpdateEntity | dataplex.entities.update |
| DeleteEntity | dataplex.entities.delete |
| GetEntity | dataplex.entities.get |
| ListEntities | dataplex.entities.list |
| CreatePartition | dataplex.partitions.create |
| UpdatePartition | dataplex.partitions.update |
| DeletePartition | dataplex.partitions.delete |
| GetPartition | dataplex.partitions.get |
| ListPartitions | dataplex.partitions.list |
Data scan permissions
The following table lists the permissions that are required for operating on data scans:
| API Method | IAM Permission |
|---|---|
| CreateDataScan | dataplex.datascans.create |
| UpdateDataScan | dataplex.datascans.update |
| DeleteDataScan | dataplex.datascans.delete |
| ListDataScans | dataplex.datascans.list |
| GetDataScan (basic view) | dataplex.datascans.get |
| GetDataScan (full view) | dataplex.datascans.getData |
| ListDataScanJobs | dataplex.datascans.get |
| GetDataScanJob (basic view) | dataplex.datascans.get |
| GetDataScanJob (full view) | dataplex.datascans.getData |
| RunDataScan | dataplex.datascans.run |