Dataplex IAM roles

Dataplex defines several Identity and access management (IAM) roles. Each predefined role contains a set of IAM permissions that allow principals to perform certain actions. You can use an IAM policy to give a principal one or more IAM roles.

Identity and Access Management (IAM) also offers the ability to create customized IAM roles. You can create custom IAM roles and assign the role one or more permissions. Then, you can grant the new role to your principals. Use custom roles to create an access control model that maps directly to your needs, alongside the available predefined roles.

This document focuses on the IAM roles relevant to Dataplex.

Before you begin

  • Read the IAM documentation.

Dataplex roles

Identity and Access Management (IAM) Dataplex roles are a bundle of one or more permissions. You grant roles to principals to allow them to perform actions on the Dataplex resources in your project. For example, the Dataplex Viewer role contains the dataplex.*.get and dataplex.*.list permissions, which allow a user to get and list Dataplex services, resources, and operations in a project.

Dataplex roles can be applied to any resources in the service hierarchy, including projects, lakes, and data zones.

Basic roles

You can assign basic roles at the project level by using the IAM Project roles. Here is a summary of the permissions associated with IAM Project roles:

Project Role Permissions
Project Owner All Project Editor permissions plus permissions to manage access control for the project (get/set IamPolicy) and to set up project billing
Project Editor All Project Viewer permissions plus all project permissions for actions that modify state (create, delete, update, use)
Project Viewer All project permissions for read-only actions that preserve state (get, list)

Predefined roles

The following table lists the Dataplex predefined (or curated) roles and the permissions associated with each role:

Role ID Permissions
roles/dataplex.admin dataplex.*.create
roles/dataplex.editor dataplex.*.create
roles/dataplex.viewer dataplex.*.get


  • "*" signifies resource types, such as "lakes" or "zones." Some permissions are not defined on certain resource types.
  • The dataplex.admin role grants full access to all Dataplex resources, including IAM policy administration.
  • The dataplex.editor role grants read and write access to all Dataplex resources.
  • The dataplex.viewer role grants read access to all Dataplex resources.

Data roles

Dataplex defines the following three IAM roles that are intended to be applied to any resource managed by Dataplex:

Data role Capabilities Justification
roles/dataplex.dataOwner All permissions on the managed resource. And all permissions on all child resources (regardless of the resource type). Data owners can update resource metadata, grant higher granularity permissions (for example, on child tables of a BigQuery dataset), and create child resources, in addition to various other permissions. They have complete ownership of the resource.
roles/dataplex.dataReader Ability to read data in the managed resource and its children. And ability to read metadata of the managed resource and its children. Enables ability to read data and metadata.
roles/dataplex.dataWriter Ability to create/update/delete data (not metadata). Enables core Dataplex user journeys.

What's next