Dataplex IAM permissions

Dataplex permissions allow users to perform specific actions on Dataplex services, resources, and operations. For example, the dataplex.datascans.create permission allows a user to create Dataplex data scans in your project. You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

This document focuses on the IAM permissions relevant to Dataplex. For more information about predefined Dataplex roles and the permissions that they contain, see Dataplex IAM roles.

For a detailed description of IAM and its features, see the IAM documentation.

IAM policy Set and Get permissions

The following table lists the permissions that are required to get and set IAM permissions:

Resource API Method IAM Permission
Entry types GetIamPolicy dataplex.entryTypes.getIamPolicy
Entry types SetIamPolicy dataplex.entryTypes.setIamPolicy
Aspect types GetIamPolicy dataplex.aspectTypes.getIamPolicy
Aspect types SetIamPolicy dataplex.aspectTypes.setIamPolicy
Entry groups GetIamPolicy dataplex.entryGroups.getIamPolicy
Entry groups SetIamPolicy dataplex.entryGroups.setIamPolicy
Lakes GetIamPolicy dataplex.lakes.getIamPolicy
Lakes SetIamPolicy dataplex.lakes.setIamPolicy

Dataplex Catalog permissions

The set of permissions that is required to perform operations on entry types, aspect types, entry groups, and entries depends on whether the resources are system resources or custom resources. System resources are defined by Dataplex, and custom resources are defined by you or your organization.

To perform operations that are related to multiple resources (for example, creating an entry of a particular entry type, or adding an aspect of a particular aspect type to an entry), you might need multiple permissions associated with the resources.

Entry types

To create and manage entry types, you must be granted at least the standard create, get, list, update, and delete permissions.

When you create an entry type, you must be granted permissions to use each aspect type that you want to mark as required for that entry type.

To use an entry type (for example, to create entries of an entry type), you must be granted the use permission on the entry type.

The following table lists the permissions that are required for operating on entry types:

Operation: permissions required for custom entry types

List entry types: dataplex.entryTypes.list

Get entry types: dataplex.entryTypes.get

Create entry types:
  • dataplex.entryTypes.create
  • dataplex.aspectTypes.use (for every required aspect type in the entry type)
  • dataplex.entryGroups.useASPECT_TYPE (for every required system aspect type in the entry type). See the permissions for system aspect types.

Update entry types:
  • dataplex.entryTypes.update
  • dataplex.aspectTypes.use (for every required aspect type in the entry type)
  • dataplex.entryGroups.useASPECT_TYPE (for every required system aspect type in the entry type). See the permissions for system aspect types.

Delete entry types:
  • dataplex.entryTypes.delete
  • dataplex.aspectTypes.use (for required aspect types in the entry types)
  • dataplex.entryGroups.useASPECT_TYPE (for every required system aspect type in the entry type). See the permissions for system aspect types.

Use entry types (when creating entries, updating top-level entry fields and required aspect type values):
  • dataplex.entryTypes.use
  • dataplex.entries.create or dataplex.entries.update
  • dataplex.aspectTypes.use (for every aspect created or updated)

Aspect types

To create and manage aspect types, you must be granted the standard create, get, list, update, and delete permissions.

To use an aspect type (for example, to attach it as an optional aspect on an entry), you must be granted the use permission on the aspect type.

Aspect types are categorized into system aspect types and custom aspect types. System aspect types are created by Dataplex and custom aspect types are created by you or your organization. System aspect types are further categorized into usable and read-only. For more information, see Categories of aspect types.

The following table lists the permissions that are required for operating on custom and system aspect types:

For each operation, the permissions are listed separately for custom aspect types, for usable system aspect types, and for read-only system aspect types.

List aspect types
  • Custom aspect types: dataplex.aspectTypes.list
  • Usable system aspect types: Not applicable (N/A)
  • Read-only system aspect types: N/A

Get aspect types
  • Custom aspect types: dataplex.aspectTypes.get
  • Usable system aspect types: Granted to allUsers
  • Read-only system aspect types: Granted to allUsers

Create aspect types
  • Custom aspect types: dataplex.aspectTypes.create
  • Usable system aspect types: N/A
  • Read-only system aspect types: N/A

Update aspect types
  • Custom aspect types: dataplex.aspectTypes.update
  • Usable system aspect types: N/A
  • Read-only system aspect types: N/A

Delete aspect types
  • Custom aspect types: dataplex.aspectTypes.delete
  • Usable system aspect types: N/A
  • Read-only system aspect types: N/A

Set optional aspect type values when creating or updating entries
  • Custom aspect types:
      dataplex.aspectTypes.use
      dataplex.entries.create or dataplex.entries.update
  • Usable system aspect types:
      dataplex.entryGroups.useASPECT_TYPE. See the permissions for system aspect types.
      dataplex.entries.create or dataplex.entries.update
  • Read-only system aspect types: N/A

Set required aspect type values when creating or updating entries
  • Custom aspect types:
      dataplex.aspectTypes.use
      dataplex.entryTypes.use
      dataplex.entries.create or dataplex.entries.update
  • Usable system aspect types:
      dataplex.entryGroups.useASPECT_TYPE. See the permissions for system aspect types.
      dataplex.entryTypes.use
      dataplex.entries.create or dataplex.entries.update
  • Read-only system aspect types: N/A

Entry groups

To create and manage entry groups, you must be granted the standard create, get, list, update, and delete permissions.

Entry groups are categorized into system entry groups, which are created by Dataplex, and custom entry groups, which are created by you or your organization. For more information, see Categories of entry groups.

The following table lists the permissions that are required for operating on entry groups:

Operation: permissions required for custom entry groups / permissions required for system entry groups (starting with @)

Create entry groups: dataplex.entryGroups.create / N/A
Update entry groups: dataplex.entryGroups.update / N/A
Delete entry groups: dataplex.entryGroups.delete / N/A
List entry groups: dataplex.entryGroups.list / dataplex.entryGroups.list
Get entry groups: dataplex.entryGroups.get / dataplex.entryGroups.get

Entries

To create and manage entries, you must be granted the standard create, get, list, update, and delete permissions.

Note the following:

  • For lookup (LookupEntry) and search (SearchEntries) methods, the permission from the original source system is required on the entry. For example, if the source is a BigQuery table, you need bigquery.tables.get permission.
  • When you create an entry or update the top-level fields of an entry, you must be granted the use permission on the entry type.
  • When you create, update, or delete a required aspect, you must be granted the use permission on the entry type of an entry, as well as on the underlying aspect type. This is because the required aspects are enforced by the entry type.
  • When you create, update, or delete an optional aspect, you must be granted the use permission on the aspect type of an aspect.
  • When you upsert an entry (UpdateEntry with allow_missing = True), you must be granted the create permission.

For more information about the entry types that entries are based on, see Categories of entry types.

The following table lists the permissions that are required for operating on entries:

For each operation, the permissions are listed separately for entries based on a custom entry type, on a usable system entry type, and on a read-only system entry type.

Create entries
  • Entry based on custom entry type:
      dataplex.entries.create
      dataplex.entryTypes.use
      dataplex.aspectTypes.use (for every aspect created)
      dataplex.entryGroups.useASPECT_TYPE (for every aspect of a usable system aspect type created). See the permissions for system aspect types.
  • Entry based on usable system entry type:
      dataplex.entries.create
      dataplex.entryGroups.useENTRY_TYPE. See the permissions for system entry types.
      dataplex.entryGroups.useASPECT_TYPE (for every system aspect created). See the permissions for system aspect types.
      dataplex.aspectTypes.use (for every custom aspect created)
  • Entry based on read-only system entry type: N/A

Update entries
  • Entry based on custom entry type:
      dataplex.entries.update
      dataplex.entryTypes.use (for updating top-level fields or required aspects)
      dataplex.aspectTypes.use (for every aspect updated)
      dataplex.entryGroups.useASPECT_TYPE (for every system aspect updated). See the permissions for system aspect types.
      dataplex.entries.create (if allow_missing is True)
  • Entry based on usable system entry type:
      dataplex.entries.update
      dataplex.entryGroups.useENTRY_TYPE (for updating top-level fields or required aspects). See the permissions for system entry types.
      dataplex.aspectTypes.use (for every custom aspect updated)
      dataplex.entryGroups.useASPECT_TYPE (for every aspect that belongs to system aspect types). See the permissions for system aspect types.
      dataplex.entries.create (if allow_missing is True)
  • Entry based on read-only system entry type:
      dataplex.entries.update
      dataplex.aspectTypes.use (for every custom aspect updated)
      dataplex.entryGroups.useASPECT_TYPE (for every aspect of a usable system aspect type updated). See the permissions for system aspect types.
      Top-level fields and required aspects can't be edited.

List entries
  • All three categories: dataplex.entries.list

Get entries
  • All three categories: dataplex.entries.get

Lookup entries
  • All three categories: read permission of the original source system. For custom entries, this is dataplex.entries.get, because Dataplex is treated as the original source system.

Search entries
  • All three categories: read permission of the original source system. For custom entries, this is dataplex.entries.get, because Dataplex is treated as the original source system.
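The entry and aspect-type permission requirements above are easiest to get right when they are computed rather than read off by hand. The following is an added example (not Google's code or part of this documentation) that encodes those rules so a least-privilege permission set can be derived for a given create or update of an entry; the Aspect class, the entry_permissions function and the aspect names "pii-tags" are assumptions, and it follows the aspect-types table in treating a custom aspect as needing dataplex.aspectTypes.use and a system aspect as needing only its own dataplex.entryGroups.use...Aspect permission.

```python
from dataclasses import dataclass

# System-defined type -> its own permission (from the system-types table on this page).
SYSTEM_ASPECT_PERMS = {
    "schema": "dataplex.entryGroups.useSchemaAspect",
    "contacts": "dataplex.entryGroups.useContactsAspect",
    "overview": "dataplex.entryGroups.useOverviewAspect",
    "generic": "dataplex.entryGroups.useGenericAspect",
}
SYSTEM_ENTRY_PERMS = {"generic": "dataplex.entryGroups.useGenericEntry"}
ENTRY_KINDS = ("custom", "usable_system", "read_only_system")


@dataclass(frozen=True)
class Aspect:            # hypothetical helper type, not a Dataplex API class
    type_name: str       # "schema", or the id of a custom aspect type
    system: bool         # True if the aspect type is Dataplex-defined
    required: bool       # True if the entry type marks this aspect as required


def entry_permissions(op, entry_kind, entry_type="", aspects=(),
                      top_level=False, allow_missing=False):
    """Permissions for one entry create/update. op: "create" | "update";
    entry_kind: one of ENTRY_KINDS; entry_type: system entry type name
    (usable_system only). Raises ValueError for edits the page disallows."""
    if op not in ("create", "update") or entry_kind not in ENTRY_KINDS:
        raise ValueError(f"unsupported op/kind: {op}/{entry_kind}")
    perms = {f"dataplex.entries.{op}"}
    if op == "update" and allow_missing:      # upsert also needs create
        perms.add("dataplex.entries.create")
    # Entry-type "use" is needed on create, and on update only when the
    # top-level fields or a required aspect are touched.
    needs_type_use = op == "create" or top_level or any(a.required for a in aspects)
    if needs_type_use:
        if entry_kind == "custom":
            perms.add("dataplex.entryTypes.use")
        elif entry_kind == "usable_system":
            if entry_type not in SYSTEM_ENTRY_PERMS:
                raise ValueError(f"unknown system entry type: {entry_type}")
            perms.add(SYSTEM_ENTRY_PERMS[entry_type])
        else:  # read-only system entry type
            raise ValueError("read-only system entry type: cannot create, "
                             "or edit top-level fields/required aspects")
    # Assumption (per the aspect-types table): custom aspect -> aspectTypes.use,
    # system aspect -> its own use<Type>Aspect permission, never both.
    for a in aspects:
        perms.add(SYSTEM_ASPECT_PERMS[a.type_name] if a.system
                  else "dataplex.aspectTypes.use")
    return perms
```

Running it over the operations a service account actually performs yields the exact permission list for a custom role, which is what you want to compare against a predefined role that is usually broader.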

Metadata job permissions

The following table lists the permissions that are required for working with metadata jobs:

Operation: IAM permission

Create metadata jobs:
  • dataplex.metadataJobs.create
  • dataplex.entryTypes.use (for custom entry types in the job's scope)
  • dataplex.entryTypes.useENTRY_TYPE (for every system entry type in the job's scope). See the permissions for system entry types.
  • dataplex.aspectTypes.use (for custom aspect types in the job's scope)
  • dataplex.aspectTypes.useASPECT_TYPE (for every system aspect type in the job's scope). See the permissions for system aspect types.
  • dataplex.entryGroups.import (for entry groups in the job's scope)

Get metadata jobs: dataplex.metadataJobs.get

List metadata jobs: dataplex.metadataJobs.list

Cancel metadata jobs: dataplex.metadataJobs.cancel

System aspect types and entry types

Each system-defined aspect type and system-defined entry type has its own IAM permissions. These permissions use a format like dataplex.entryGroups.useASPECT_TYPE or dataplex.entryGroups.useENTRY_TYPE. For example, the permission for the overview system aspect type is dataplex.entryGroups.useOverviewAspect.

The following table lists the permissions that apply to system-defined aspect types and entry types.

Resource IAM permission
schema (system aspect type) dataplex.entryGroups.useSchemaAspect
contacts (system aspect type) dataplex.entryGroups.useContactsAspect
overview (system aspect type) dataplex.entryGroups.useOverviewAspect
generic (system aspect type) dataplex.entryGroups.useGenericAspect
generic (system entry type) dataplex.entryGroups.useGenericEntry

Lake, zone, and asset permissions

The following table lists the permissions that are required for operating on lakes, zones, and assets:

API Method IAM Permission
CreateLake dataplex.lakes.create
UpdateLake dataplex.lakes.update
DeleteLake dataplex.lakes.delete
ListLakes dataplex.lakes.list
GetLake dataplex.lakes.get
ListLakeActions dataplex.lakeActions.list
CreateZone dataplex.zones.create
UpdateZone dataplex.zones.update
DeleteZone dataplex.zones.delete
ListZones dataplex.zones.list
GetZone dataplex.zones.get
ListZoneActions dataplex.zoneActions.list
CreateAsset dataplex.assets.create
UpdateAsset dataplex.assets.update
DeleteAsset dataplex.assets.delete
ListAssets dataplex.assets.list
GetAsset dataplex.assets.get
ListAssetActions dataplex.assetActions.list

Task permissions

The following table lists the permissions that are required for operating on tasks:

API Method IAM Permission
CreateTask dataplex.tasks.create
UpdateTask dataplex.tasks.update
DeleteTask dataplex.tasks.delete
ListTasks dataplex.tasks.list
GetTask dataplex.tasks.get
ListJobs dataplex.tasks.get
GetJob dataplex.tasks.get
CancelJob dataplex.tasks.cancel

Environment permissions

The following table lists the permissions that are required for operating on environments:

API Method IAM Permission
CreateEnvironment dataplex.environments.create
UpdateEnvironment dataplex.environments.update
DeleteEnvironment dataplex.environments.delete
ListEnvironments dataplex.environments.list
GetEnvironment dataplex.environments.get
CreateContent dataplex.content.create
UpdateContent dataplex.content.update
DeleteContent dataplex.content.delete
ListContent dataplex.content.list
GetContent dataplex.content.get
ListSessions dataplex.environments.get

Metadata permissions

The following table lists the permissions that are required for operating on entities and partitions:

API Method IAM Permission
CreateEntity dataplex.entities.create
UpdateEntity dataplex.entities.update
DeleteEntity dataplex.entities.delete
GetEntity dataplex.entities.get
ListEntities dataplex.entities.list
CreatePartition dataplex.partitions.create
UpdatePartition dataplex.partitions.update
DeletePartition dataplex.partitions.delete
GetPartition dataplex.partitions.get
ListPartitions dataplex.partitions.list

Data scan permissions

The following table lists the permissions that are required for operating on data scans:

API Method IAM Permission
CreateDataScan dataplex.datascans.create
UpdateDataScan dataplex.datascans.update
DeleteDataScan dataplex.datascans.delete
ListDataScans dataplex.datascans.list
GetDataScan (basic view) dataplex.datascans.get
GetDataScan (full view) dataplex.datascans.getData
ListDataScanJobs dataplex.datascans.get
GetDataScanJob (basic view) dataplex.datascans.get
GetDataScanJob (full view) dataplex.datascans.getData
RunDataScan dataplex.datascans.run