Access control

It is common for multiple team members to collaborate on building an agent. Using roles, you can control access and permissions granted to team members.

If you are using the API, you may also have one or more applications that send requests to an agent. In this case, you can control access with service accounts.

You can control access using either Identity and Access Management (IAM) or the Dialogflow Console. There are some situations in which you must use the Google Cloud Console:

  • The Dialogflow Console provides the Owner/Admin role to the user that created the agent. If you want to change the Owner/Admin, add multiple Owners/Admins for one agent, or remove Owners/Admins for an agent, you need to use the Cloud Console.
  • If you have integrations with other Google Cloud resources, like Cloud Functions, and you don't want to grant full project access to an application, you must assign the Dialogflow API roles (Admin, Client, or Reader) in the Cloud Console for IAM.
  • A subset of IAM roles have corresponding Dialogflow Console roles. If you want to grant a role that does not exist on the Dialogflow Console, you need to use the Cloud Console.

Roles

The following table lists all roles relevant to Dialogflow.

In order to modify access for an agent or delete an agent, you need an Owner/Admin role that provides "full access".

Each entry below gives the Dialogflow Console role, the corresponding IAM role, a permission summary, and the permission detail.

Admin (IAM role: Project > Owner)
Grant to project owners that need full access to all Google Cloud and Dialogflow resources:
  • Full access to all Google Cloud project resources using Cloud Console or APIs.
  • Full access to Dialogflow Console to create and edit agents.
  • Can detect intent using API.
See IAM basic role definitions.

Developer (IAM role: Project > Editor)
Grant to project editors that need edit access to all Google Cloud and Dialogflow resources:
  • Edit access to all Cloud project resources using Cloud Console or APIs.
  • Edit access to Dialogflow Console to edit agents.
  • Can detect intent using API.
See IAM basic role definitions.

Reviewer (IAM role: Project > Viewer)
Grant to project viewers that need read access to all Google Cloud and Dialogflow resources:
  • Read access to all Cloud project resources using Cloud Console or APIs.
  • Read access to Dialogflow Console.
  • Cannot detect intent using API.
See IAM basic role definitions.

No Dialogflow Console role (IAM role: Project > Browser)
Grant to project browsers that need read access to browse the hierarchy for a project, including the folder, organization, and IAM policy:
  • Read access to Cloud project hierarchy.
  • No access to Dialogflow Console.
  • Cannot detect intent using API.
See IAM project role definitions.

No Dialogflow Console role (IAM role: Dialogflow > Dialogflow API Admin)
Grant to Dialogflow API admins that need full access to Dialogflow-specific resources:
  • Full access to Dialogflow using Cloud Console or APIs.
  • Read access to Dialogflow Console.
  • Can detect intent using API.
See Dialogflow IAM role definitions.

No Dialogflow Console role (IAM role: Dialogflow > Dialogflow API Client)
Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API:
  • Edit access to Dialogflow using Cloud Console or APIs.
  • No access to Dialogflow Console.
  • Can detect intent using API.
See Dialogflow IAM role definitions.

No Dialogflow Console role (IAM role: Dialogflow > Dialogflow Console Agent Editor)
Grant to Dialogflow Console editors that edit existing agents:
  • Full access to Dialogflow using Cloud Console.
  • Edit access to most agent data using Dialogflow Console. Cannot access Inline Editor for Cloud Functions or Google Assistant integration.
  • Can detect intent using API.
See Dialogflow IAM role definitions.

No Dialogflow Console role (IAM role: Dialogflow > Dialogflow API Reader)
Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API:
  • Read access to Dialogflow using Cloud Console or APIs.
  • Read access to Dialogflow Console.
  • Cannot detect intent using API.
See Dialogflow IAM role definitions.
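The point made earlier, that an application should get a Dialogflow API role rather than full project access, is easy to audit against an exported IAM policy. As an added example (not from the Dialogflow documentation), the check below reads a policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json`, flags service accounts that hold a basic project role, and suggests the Dialogflow-specific role with the closest permissions from the table above. The sample policy, project id and principals are constructed, and the basic-to-Dialogflow role mapping is this example's assumption.

```python
import json

# Constructed sample IAM policy for illustration only; the project id and
# principals are hypothetical, not taken from a real project.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:chatbot-app@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:webhook@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/dialogflow.client",
         "members": ["serviceAccount:kiosk@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["user:bob@example.com",
                     "serviceAccount:reporting@my-project.iam.gserviceaccount.com"]},
    ]
})

# Basic project roles mapped to the Dialogflow-specific role with the closest
# Dialogflow permissions per the role table (an assumption of this example:
# Owner -> API Admin, Editor -> API Client, Viewer -> API Reader).
LEAST_PRIVILEGE_ROLE = {
    "roles/owner": "roles/dialogflow.admin",
    "roles/editor": "roles/dialogflow.client",
    "roles/viewer": "roles/dialogflow.reader",
}


def find_overprivileged_service_accounts(policy_json):
    """Return sorted (member, current_role, suggested_role) triples for every
    service account that holds a basic project role instead of a
    Dialogflow-specific one. User members are left alone."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in LEAST_PRIVILEGE_ROLE:
            continue  # Dialogflow-specific or other scoped roles are not flagged
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                findings.append((member, role, LEAST_PRIVILEGE_ROLE[role]))
    return sorted(findings)


if __name__ == "__main__":
    for member, role, suggested in find_overprivileged_service_accounts(SAMPLE_POLICY):
        print(f"{member} holds {role}; consider {suggested} instead")
```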

Control access with the Cloud Console

You can control access with IAM settings. See the IAM quickstart for detailed instructions on adding, editing, and removing permissions.

To access the settings below, open the IAM page in the Cloud Console.

Add a user or service account member to the project

You can provide permissions to either users or service accounts by adding them as members of your Cloud project. Users are added by providing their email address. Service accounts are also added by providing their associated email address. You need to add service account members when you want to use one service account for multiple projects and agents. To find the email address associated with your service account, see the IAM Service Accounts page in the Cloud Console.

To add a member:

  1. Click the add button at the top of the page.
  2. Enter the member's email address.
  3. Select a role.
  4. Click Save.

Change permissions

  1. Click the edit button for the member.
  2. Select a different role.
  3. Click Save.

Remove a member

  1. Click the delete button for the member.

Control access with the Dialogflow Console

Sharing options are found in the agent's settings. To open the agent sharing settings:

  1. Go to the Dialogflow ES Console.
  2. Select your agent near the top of the left sidebar menu.
  3. Click the settings button next to the agent name.
  4. Click the Share tab. If you do not see the Share tab, it is because you do not have the required Owner/Admin role.

Share tab displaying users with their level of access.

Add a user

  1. Enter the user's email address under Invite New People.
  2. Select a role.
  3. Click Add.
  4. Click Save.

Change permissions

  1. Find the user in the list.
  2. Select a different role.
  3. Click Save.

Remove a user

  1. Find the user in the list.
  2. Click the delete button for the user.
  3. Click Save.

Automatically created service accounts

When you create and work with your agent, Dialogflow creates some service accounts automatically. Visit the IAM service account page to see a list of service accounts for your project. You should not delete, edit, or download keys for any of these service accounts, nor should you use these service accounts to make direct API calls. They are used only by the Dialogflow service to connect to a variety of Google Cloud services used by your agent. You may need to refer to these service accounts by email when configuring certain Dialogflow features. The following table describes some of these service accounts:

IAM email form: dialogflow-alphanum@project-id.iam.gserviceaccount.com
Purpose: Used by the Dialogflow simulator to make calls to the Dialogflow API. This is the service account shown on the agent's general settings page in the Dialogflow Console.

IAM email form: service-project-num@gcp-sa-dialogflow.iam.gserviceaccount.com
Purpose: Used to connect your agent to the services that handle integration traffic.

IAM email form: firebase-adminsdk-alphanum@project-id.iam.gserviceaccount.com
Purpose: Used to connect your agent to the services that handle Google Assistant integration traffic.

IAM email form: project-id@appspot.gserviceaccount.com
Purpose: Used to connect your agent to the services that handle Google Assistant integration traffic.