Access control

It is common for multiple team members to collaborate on building an agent. Using roles, you can control access and permissions granted to team members.

You can configure access using the Dialogflow CX Console or by using the Google Cloud Console with Identity and Access Management (IAM). The Cloud Console is used to add members with IAM roles, while the Dialogflow Console is used to add members with Dialogflow agent roles. Dialogflow agent roles are convenient roles based on IAM roles that restrict access to one agent.

There are some situations in which you must use the Google Cloud Console:

  • The Dialogflow CX Console provides the IAM Project Owner role to the user that created the project that owns the agent. This owner has full access to all agents in the project. If you want to change the project owner, you need to use the Cloud Console.
  • The Dialogflow agent roles are only used for agent-level access. If you want to configure project-level access, you need to use the Cloud Console.
  • A subset of IAM roles have corresponding Dialogflow agent roles. If you want to grant a project-level or agent-level role that does not exist on the Dialogflow CX Console, you need to use the Cloud Console.

If you are using the API, you may also have one or more applications that send requests to an agent. In this case, you can control access with service accounts.

Control access with the Dialogflow CX Console

The Dialogflow CX Console allows you to apply convenient agent roles configured for agent-level sharing. These roles correlate to IAM roles with IAM conditions that limit access to the specific agent.

Dialogflow agent role: Admin
Summary: Provides full access to create, update, query, detect intent, and delete the agent from the console or API.
IAM role: Dialogflow > Dialogflow API Admin

Dialogflow agent role: Reader
Summary: Provides read access to query (not detect intent) the agent from the console or API.
IAM role: Dialogflow > Dialogflow API Reader

Sharing options are found in the agent's settings. To open the agent sharing settings:

  1. Open the Dialogflow CX Console.
  2. Choose your GCP project.
  3. Select your agent.
  4. Click Agent Settings.
  5. Click the Share tab.

Add a member

  1. Enter the email address for the user or group under Invite New People.
  2. Select User or Group for the email type.
  3. Select a role.
  4. Click Add.
  5. Click Save.

Change member roles

  1. Find the member in the list.
  2. Select a different role.
  3. Click Save.

Remove a member

  1. Find the member in the list.
  2. Click the delete button for the member.
  3. Click Save.

Control access with the Cloud Console

You can control access with IAM settings. See the IAM quickstart for detailed instructions on adding, editing, and removing permissions.

To access the settings below, open the IAM page in the Cloud Console.

Add a user or service account member to the project

You can apply roles to either users or service accounts by adding them as members of your Cloud project. Users are added by providing their email address. Service accounts are also added by providing their associated email address. You need to add service account members when you want to use one service account for multiple projects. To find the email address associated with your service account, see the IAM Service Accounts page in the Cloud Console.

To add a member:

  1. Click the add button at the top of the page.
  2. Enter the member's email address.
  3. Select a role.
  4. Click Save.

Change permissions

  1. Click the edit button for the member.
  2. Select a different role.
  3. Click Save.

Remove a member

  1. Click the delete button for the member.

Add a condition to restrict access to one agent

When adding or editing a member, you can create an IAM condition that restricts access to one agent.

For example:

{
    "expression": "resource.name.startsWith(\"projects/PROJECT_ID/locations/global/agents/AGENT_ID\")",
    "title": "For Dialogflow Agent AGENT_ID"
}

This condition gives you basic access to a specific agent. For example, a service account with this condition can only call the Dialogflow API to access the agent specified in the condition for the project, but not other agents in the project.

To add this condition to a member:

  1. Select a member.
  2. Click the edit button for the member.
  3. Click Add condition.
  4. In the Title field, enter For Dialogflow Agent AGENT_ID and replace AGENT_ID with your agent ID.
  5. You may add any description.
  6. Select the Condition Editor to create your condition.
  7. Add the expression resource.name.startsWith("projects/PROJECT_ID/locations/global/agents/AGENT_ID"), replacing AGENT_ID with your agent ID and PROJECT_ID with your project ID.
  8. Click Save.
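The following added example (not from the Dialogflow documentation) builds the conditional IAM binding described above and evaluates the page's startsWith expression against constructed resource names, showing which resources inside and outside the agent it matches. The project ID, agent ID and service account email are constructed placeholders; the stricter variant at the end is the author's own suggestion, not something the page prescribes.

```python
import re

# Parses the one condition form used on this page: resource.name.startsWith("...").
# This is a constructed mini-evaluator, not a full CEL engine.
CONDITION_RE = re.compile(r'^resource\.name\.startsWith\("([^"]+)"\)$')


def agent_prefix(project_id: str, agent_id: str) -> str:
    """Resource-name prefix of one Dialogflow CX agent (global location, as on the page)."""
    return f"projects/{project_id}/locations/global/agents/{agent_id}"


def agent_condition(project_id: str, agent_id: str) -> dict:
    """The IAM condition from the page, filled in for one agent."""
    return {
        "expression": f'resource.name.startsWith("{agent_prefix(project_id, agent_id)}")',
        "title": f"For Dialogflow Agent {agent_id}",
    }


def agent_binding(role: str, members: list, project_id: str, agent_id: str) -> dict:
    """A conditional binding as it appears in an IAM policy (conditions need policy version 3)."""
    return {
        "role": role,
        "members": members,
        "condition": agent_condition(project_id, agent_id),
    }


def condition_matches(expression: str, resource_name: str) -> bool:
    """Evaluate the page's startsWith condition against a resource name."""
    m = CONDITION_RE.match(expression)
    if not m:
        raise ValueError("unsupported condition expression")
    return resource_name.startswith(m.group(1))


def strict_agent_matches(project_id: str, agent_id: str, resource_name: str) -> bool:
    """Stricter check (author's suggestion): the agent itself or a child resource of it,
    so an agent whose ID merely begins with the same characters is not matched."""
    prefix = agent_prefix(project_id, agent_id)
    return resource_name == prefix or resource_name.startswith(prefix + "/")


if __name__ == "__main__":
    # Constructed placeholders; substitute your own project and agent IDs.
    binding = agent_binding("roles/dialogflow.client",
                            ["serviceAccount:bot@example-proj.iam.gserviceaccount.com"],
                            "example-proj", "a1b2c3d4")
    expr = binding["condition"]["expression"]
    for name in (agent_prefix("example-proj", "a1b2c3d4") + "/flows/00000000",
                 agent_prefix("example-proj", "ffffffff")):
        print(name, "->", condition_matches(expr, name))
```

The same binding can be applied with `gcloud projects add-iam-policy-binding` using its `--condition` flag, or by writing it into a version 3 policy.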

IAM roles

The following table lists all IAM roles relevant to Dialogflow CX.

In order to modify access for an agent or delete an agent, you need an IAM Project Owner, IAM Project Editor, or Dialogflow Agent Admin role that provides "full access".

IAM role: Project > Owner
Permission summary: Grant to project owners that need full access to all Google Cloud and Dialogflow resources.
Permission detail:
  • Full access to all Google Cloud project resources using Cloud Console or APIs.
  • Full access to Dialogflow CX Console to create, edit, and delete agents.
  • Can detect intent using API.
See IAM primitive role definitions.

IAM role: Project > Editor
Permission summary: Grant to project editors that need edit access to all Google Cloud and Dialogflow resources.
Permission detail:
  • Edit access to all Cloud project resources using Cloud Console or APIs.
  • Edit access to Dialogflow CX Console to create, edit, and delete agents.
  • Can detect intent using API.
See IAM primitive role definitions.

IAM role: Project > Viewer
Permission summary: Grant to project viewers that need read access to all Google Cloud and Dialogflow resources.
Permission detail:
  • Read access to all Cloud project resources using Cloud Console or APIs.
  • Read access to Dialogflow CX Console.
  • Cannot detect intent using API.
See IAM primitive role definitions.

IAM role: Project > Browser
Permission summary: Grant to project browsers that need read access to browse the hierarchy for a project, including the folder, organization, and IAM policy.
Permission detail:
  • Read access to Cloud project hierarchy.
  • No access to Dialogflow CX Console.
  • Cannot detect intent using API.
See IAM project role definitions.

IAM role: Dialogflow > Dialogflow API Admin
Permission summary: Grant to Dialogflow API admins that need full access to Dialogflow-specific resources.
Permission detail:
  • Full access to Dialogflow using Cloud Console or APIs.
  • Full access to Dialogflow CX Console.
  • Can detect intent using API.
See Dialogflow IAM role definitions.

IAM role: Dialogflow > Dialogflow API Client
Permission summary: Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API.
Permission detail:
  • Edit access to Dialogflow using Cloud Console or APIs.
  • No access to Dialogflow CX Console.
  • Can detect intent using API.
See Dialogflow IAM role definitions.

IAM role: Dialogflow > Dialogflow Console Agent Editor
Permission summary: Grant to Dialogflow CX Console editors that edit existing agents.
Permission detail:
  • Full access to Dialogflow using Cloud Console.
  • Edit access to most agent data using Dialogflow CX Console.
  • Can detect intent using API.
See Dialogflow IAM role definitions.

IAM role: Dialogflow > Dialogflow API Reader
Permission summary: Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API.
Permission detail:
  • Read access to Dialogflow using Cloud Console or APIs.
  • Read access to Dialogflow CX Console.
  • Cannot detect intent using API.
See Dialogflow IAM role definitions.