Cloud DLP IAM permissions

IAM Permisions

Common permissions

Some methods do not have Cloud DLP-specific permissions. Instead, they use common ones, as the methods can cause billable events, but do not access any protected cloud resources.

All actions that trigger billable events such as the projects.content methods require the serviceusage.services.use permission for the project that's specified in parent. The roles/editor, roles/owner, and roles/dlp.user roles contain the required permission or you can define your own custom roles containing this permission.

This permission ensures you are authorized to bill the project you specify.

Service account

When the Cloud DLP is enabled, a service account is added to the project.

To access both Google Cloud Platform resources and execute calls to Cloud DLP by means of a JobTrigger, Cloud DLP uses the credentials of the Google APIs service account to authenticate to other APIs. The Google APIs service account is designed specifically to run internal Google processes on your behalf. The service account is identifiable using the email:

service-[PROJECT_NUMBER]@dlp-api.iam.gserviceaccount.com

The Google APIs service account is automatically granted common permissions on the project needed for inspecting resources and is listed in the IAM section of the Google Cloud Platform console. The service account exists indefinitely with the project and is only deleted when the project is deleted. Since Cloud DLP relies on this service account, it is not recommended that you remove it.

Job permissions

Permission name	Description
`dlp.jobs.create`	Create new jobs.
`dlp.jobs.cancel`	Cancel jobs.
`dlp.jobs.delete`	Delete jobs.
`dlp.jobs.get`	Read job objects.
`dlp.jobs.list`	List jobs.

Job trigger permissions

Permission name	Description
`dlp.jobTriggers.create`	Create new job triggers.
`dlp.jobTriggers.cancel`	Cancel job triggers.
`dlp.jobTriggers.delete`	Delete job triggers.
`dlp.jobTriggers.get`	Read job trigger objects.
`dlp.jobTriggers.list`	List job triggers.

Inspect template permissions

Permission name	Description
`dlp.inspectTemplates.create`	Create new inspect templates.
`dlp.inspectTemplates.delete`	Delete inspect templates.
`dlp.inspectTemplates.get`	Read template objects.
`dlp.inspectTemplates.list`	List inspect templates.
`dlp.inspectTemplates.update`	Update inspect templates.

De-identify template permissions

Permission name	Description
`dlp.deidentifyTemplates.create`	Create new de-identify templates.
`dlp.deidentifyTemplates.delete`	Delete de-identify templates.
`dlp.deidentifyTemplates.get`	Read template objects.
`dlp.deidentifyTemplates.list`	List de-identify templates.
`dlp.deidentifyTemplates.update`	Update de-identify templates.

Stored infoType permissions

Permission name	Description
`dlp.storedInfoTypes.create`	Create new stored infotypes.
`dlp.storedInfoTypes.delete`	Delete stored infotypess.
`dlp.storedInfoTypes.get`	Read stored infotypes.
`dlp.storedInfoTypes.list`	List stored infotypess.
`dlp.storedInfoTypes.update`	Update stored infotypess.

Misc permissions

Permission name	Description
`dlp.kms.encrypt`	De-identify content using encryption tokens persisted in Cloud KMS.

Was this page helpful? Let us know how we did:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated January 18, 2019.