Some methods do not have Cloud DLP-specific permissions. Instead,
they use common ones, as the methods can cause billable events, but do not
access any protected cloud resources.
All actions that trigger billable events such as the
projects.content
methods require the serviceusage.services.use permission for the project
that's specified in parent. The roles/editor, roles/owner, and
roles/dlp.user roles contain the required permission or you can define your
own custom roles containing this permission.
This permission ensures you are authorized to bill the project you specify.
Service account
To access both Google Cloud resources and execute calls to
Cloud DLP,
Cloud DLP uses the credentials of the
Cloud Data Loss Prevention Service Agent to authenticate to other APIs. A
service agent is a special type of service account that runs internal Google
processes on your behalf. The service agent is identifiable using the email:
The Cloud Data Loss Prevention Service Agent is automatically granted common
permissions on the project that are needed for inspecting resources and is
listed in the IAM section of the Google Cloud Console. The service agent exists
indefinitely with the project and is only deleted when the project is deleted.
Cloud DLP relies on this service agent, so you should not remove
it.
Job permissions
Permission name
Description
dlp.jobs.create
Create new jobs.
dlp.jobs.cancel
Cancel jobs.
dlp.jobs.delete
Delete jobs.
dlp.jobs.get
Read job objects.
dlp.jobs.list
List jobs.
dlp.jobs.hybridInspect
Make a hybrid inspect call on a hybrid job.
Job trigger permissions
Permission name
Description
dlp.jobTriggers.create
Create new job triggers.
dlp.jobTriggers.delete
Delete job triggers.
dlp.jobTriggers.get
Read job trigger objects.
dlp.jobTriggers.list
List job triggers.
dlp.jobTriggers.update
Update job triggers.
dlp.jobTriggers.hybridInspect
Make a hybrid inspect call on a hybrid trigger.
Inspection template permissions
Permission name
Description
dlp.inspectTemplates.create
Create new inspection templates.
dlp.inspectTemplates.delete
Delete inspection templates.
dlp.inspectTemplates.get
Read inspection template objects.
dlp.inspectTemplates.list
List inspection templates.
dlp.inspectTemplates.update
Update inspection templates.
De-identification template permissions
Permission name
Description
dlp.deidentifyTemplates.create
Create new de-identification templates.
dlp.deidentifyTemplates.delete
Delete de-identification templates.
dlp.deidentifyTemplates.get
Read de-identification template objects.
dlp.deidentifyTemplates.list
List de-identification templates.
dlp.deidentifyTemplates.update
Update de-identification templates.
Data profile permissions
Permission name
Description
dlp.projectDataProfiles.list
List project data profiles.
dlp.projectDataProfiles.get
Read project data profile objects.
dlp.tableDataProfiles.list
List table data profiles.
dlp.tableDataProfiles.get
Read table data profile objects.
dlp.columnDataProfiles.list
List column data profiles.
dlp.columnDataProfiles.get
Read column data profile objects.
Estimate permissions
Permission name
Description
dlp.estimates.get
Read estimate objects.
dlp.estimates.list
List estimate objects.
dlp.estimates.create
Create an estimate object.
dlp.estimates.delete
Delete an estimate object.
dlp.estimates.cancel
Cancel an ongoing estimation.
Stored infoType permissions
Permission name
Description
dlp.storedInfoTypes.create
Create new stored infotypes.
dlp.storedInfoTypes.delete
Delete stored infotypes.
dlp.storedInfoTypes.get
Read stored infotypes.
dlp.storedInfoTypes.list
List stored infotypes.
dlp.storedInfoTypes.update
Update stored infotypes.
Misc permissions
Permission name
Description
dlp.kms.encrypt
De-identify content using encryption tokens persisted in Cloud KMS.
