IAM permissions mapping between Data Catalog and Dataplex Catalog

This document describes the mapping between Data Catalog permissions and Dataplex Catalog permissions.

Entry groups

The following table provides a detailed mapping between Data Catalog permissions and Dataplex Catalog permissions for common operations on entry groups:

Create entry groups
  Required in Data Catalog: datacatalog.entryGroups.create
  Required in Dataplex Catalog: dataplex.entryGroups.create

Update entry groups
  Required in Data Catalog: datacatalog.entryGroups.update
  Required in Dataplex Catalog: dataplex.entryGroups.update

View details of an entry group
  Required in Data Catalog: datacatalog.entryGroups.get
  Required in Dataplex Catalog: dataplex.entryGroups.get

Delete entry groups
  Required in Data Catalog: datacatalog.entryGroups.delete
  Required in Dataplex Catalog: dataplex.entryGroups.delete

For more information about entry groups, see entry groups in Data Catalog and entry groups in Dataplex Catalog.

Entries

The following table provides a detailed mapping between Data Catalog permissions and Dataplex Catalog permissions for common operations on entries:

Create custom entries
  Required in Data Catalog: datacatalog.entries.create
  Required in Dataplex Catalog:
    dataplex.entries.create
    dataplex.entryTypes.use (to use an entry type to create entries of that type)
    dataplex.aspectTypes.use (to use aspect types to create entries with the corresponding aspects)
  Notes: Data Catalog doesn't have the notion of entry types. In Data Catalog, you can create tags for an entry only after you create the entry. In Dataplex Catalog, you can create aspects for an entry when you create the entry.

Use reusable system entry types to create entries
  Required in Data Catalog: Not applicable
  Required in Dataplex Catalog: The specified permission on the entry group, for example dataplex.entryGroups.useENTRY_TYPE
  Notes: For more information, see System aspect types and entry types.

View details of a custom entry
  Required in Data Catalog: datacatalog.entries.get
  Required in Dataplex Catalog: dataplex.entries.get

View details of a system entry
  Required in Data Catalog: System-specific permission, for example bigquery.tables.get
  Required in Dataplex Catalog:
    dataplex.entries.get (for the entries.get method)
    or
    system-specific permission, for example bigquery.tables.get (for the lookupEntry method)
  Notes: In Dataplex Catalog, you can retrieve an entry using either the entries.get method or the lookupEntry method. The difference between these methods is the permissions that are required. The Google Cloud console uses the lookupEntry method.

List entries
  Required in Data Catalog: datacatalog.entries.list (for custom entries)
  Required in Dataplex Catalog: dataplex.entries.list (for both system and custom entries)
  Notes: Data Catalog doesn't support listing system entries. In Dataplex Catalog, system entry groups are valid resources that you can set permissions on.

Perform a search
  Required in Data Catalog: No permission required for the search action itself
  Required in Dataplex Catalog: dataplex.projects.search
  Notes: In Data Catalog, you can perform the search without needing special permissions. To perform the search in Dataplex Catalog, you need the dataplex.projects.search permission on the project used to perform the search. This project is set using the name parameter in the searchEntries method, while the scope parameter defines which projects you're searching within. In both Data Catalog and Dataplex Catalog, the search results are subject to system-specific permission checks: you only see the resources that you're authorized to access. For more information about the permissions required to search for entries in Dataplex Catalog, see Dataplex Catalog permissions.

Update fields (other than tags and aspects) in custom entries
  Required in Data Catalog: datacatalog.entries.update
  Required in Dataplex Catalog:
    dataplex.entries.update
    dataplex.entryTypes.use
  Notes: The entryTypes.use permission in Dataplex Catalog protects the non-aspect fields, such as entrySource. For example, you can use this permission to prevent your users from modifying the fields that are set by a managed connectivity pipeline.

Set permission on a specific entry instead of an entry group
  Required in Data Catalog: Generally not supported. However, you can set permission on a specific entry when updating tags for a system entry. This requires permissions on the source system.
  Required in Dataplex Catalog: Not supported
  Notes: IAM policies are created only for entry groups. In Data Catalog, when you update tags for a system entry, you need permissions on the source system. For example, when you update tags for a BigQuery table, you need the bigquery.tables.updateTag permission, and you can set this permission on a specific entry. In Dataplex Catalog, to update aspects for an entry, you need dataplex.entries.update, which can't be set on a specific entry.

Delete entries
  Required in Data Catalog: datacatalog.entries.delete
  Required in Dataplex Catalog: dataplex.entries.delete

For more information about entries, see entries in Data Catalog and entries in Dataplex Catalog.

Tag templates and aspect types

The following table provides a detailed mapping between Data Catalog permissions and Dataplex Catalog permissions for common operations on tag templates (in Data Catalog) and aspect types (in Dataplex Catalog).

Create tag templates or aspect types
  Required in Data Catalog: datacatalog.tagTemplates.create
  Required in Dataplex Catalog: dataplex.aspectTypes.create

Update tag templates or aspect types
  Required in Data Catalog: datacatalog.tagTemplates.update
  Required in Dataplex Catalog: dataplex.aspectTypes.update

View details of a tag template or an aspect type
  Required in Data Catalog: datacatalog.tagTemplates.get
  Required in Dataplex Catalog: dataplex.aspectTypes.get

List all tag templates or aspect types
  Required in Data Catalog: Not supported
  Required in Dataplex Catalog: dataplex.aspectTypes.list
  Notes: Data Catalog doesn't support listing tag templates.

Use reusable system aspect types
  Required in Data Catalog: Not applicable
  Required in Dataplex Catalog: The specified permission on the entry group instead of dataplex.aspectTypes.use, for example dataplex.entryGroups.useASPECT_TYPE
  Notes: For more information, see System aspect types and entry types.

Delete tag templates or aspect types
  Required in Data Catalog: datacatalog.tagTemplates.delete
  Required in Dataplex Catalog: dataplex.aspectTypes.delete

Tags and aspects

The following table provides a detailed mapping between Data Catalog permissions and Dataplex Catalog permissions for common operations on tags (in Data Catalog) and aspects (in Dataplex Catalog).

Create, update, and delete tags or aspects
  Required in Data Catalog:
    datacatalog.entries.updateTag
    or
    the service-dependent equivalent, for example bigquery.tables.updateTag
    and
    datacatalog.tagTemplates.use
  Required in Dataplex Catalog:
    dataplex.entries.update
    dataplex.aspectTypes.use
  Notes: In Data Catalog, tags are resources that are separate from entries. You update tags and entries by using separate methods, and the permissions required for each are also separate. In Dataplex Catalog, aspects are stored within entries, not as standalone resources. You update the aspects of an entry by updating the entry. This applies to both system and custom entries.

List tags or aspects
  Required in Data Catalog:
    datacatalog.entries.get (for both public tags and private tags)
    datacatalog.tagTemplates.get (for each private tag; if you don't have access to a tag, it is omitted from the search results)
  Required in Dataplex Catalog: dataplex.entries.get
  Notes: In Dataplex Catalog, when you retrieve an entry, its aspects are listed too.
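The following added example (not Google's code) turns the entry and tag mappings above into a migration check: given the Data Catalog grants a principal holds and the resource level each is set on, it returns the Dataplex Catalog permissions the same operations need and flags the two places where the mapping is not one-to-one, namely entry-level grants (Dataplex IAM policies exist only for entry groups, so the grant widens) and search (Dataplex requires dataplex.projects.search where Data Catalog required nothing). The Grant type, the scope labels and the sample grants are constructed for the example; the permission names are the ones on this page.

```python
from dataclasses import dataclass

# Data Catalog permission -> Dataplex Catalog permissions for the same operation, as
# given in the tables above; bigquery.tables.updateTag is the service-dependent equivalent.
PERMISSION_MAP = {
    "datacatalog.entryGroups.create": {"dataplex.entryGroups.create"},
    "datacatalog.entryGroups.update": {"dataplex.entryGroups.update"},
    "datacatalog.entryGroups.get": {"dataplex.entryGroups.get"},
    "datacatalog.entryGroups.delete": {"dataplex.entryGroups.delete"},
    "datacatalog.entries.create": {"dataplex.entries.create", "dataplex.entryTypes.use"},
    "datacatalog.entries.get": {"dataplex.entries.get"},
    "datacatalog.entries.list": {"dataplex.entries.list"},
    "datacatalog.entries.update": {"dataplex.entries.update", "dataplex.entryTypes.use"},
    "datacatalog.entries.delete": {"dataplex.entries.delete"},
    # Tags become aspects stored inside the entry: update the entry, use the aspect type.
    "datacatalog.entries.updateTag": {"dataplex.entries.update", "dataplex.aspectTypes.use"},
    "bigquery.tables.updateTag": {"dataplex.entries.update", "dataplex.aspectTypes.use"},
    "datacatalog.tagTemplates.use": {"dataplex.aspectTypes.use"},
    "datacatalog.tagTemplates.create": {"dataplex.aspectTypes.create"},
    "datacatalog.tagTemplates.update": {"dataplex.aspectTypes.update"},
    "datacatalog.tagTemplates.get": {"dataplex.aspectTypes.get"},
    "datacatalog.tagTemplates.delete": {"dataplex.aspectTypes.delete"},
}

@dataclass(frozen=True)
class Grant:
    """A Data Catalog grant (constructed type): permission plus the level it is set on."""
    permission: str
    scope: str  # "project", "entryGroup" or "entry"

def translate(grants, will_search=False):
    """Return (Dataplex Catalog permissions needed, warnings) for a principal's grants."""
    required, warnings = set(), []
    for g in grants:
        targets = PERMISSION_MAP.get(g.permission)
        if targets is None:
            warnings.append(f"{g.permission}: no mapping on this page, review manually")
            continue
        required |= targets
        if g.scope == "entry":
            # Dataplex IAM policies exist only for entry groups, so an entry-level grant
            # must be re-scoped to the whole entry group (a wider grant than before).
            warnings.append(f"{g.permission} on a single entry widens to the entry group")
    if will_search:
        # Data Catalog search needed no permission; Dataplex Catalog needs one on the
        # project named in searchEntries, separate from the scope being searched.
        required.add("dataplex.projects.search")
        warnings.append("search requires dataplex.projects.search on the search project")
    return required, warnings
```

Run translate over the grants exported from your Data Catalog IAM policies before migrating; every "widens" warning is a grant to review for least privilege rather than copy across.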