IAM roles

This topic describes the Identity and Access Management (IAM) roles required to configure Cloud Data Loss Prevention (DLP). Roles limit an authenticated identity's ability to access resources. Only grant an identity the permissions it needs in order to interact with applicable Google Cloud APIs, features, or resources.

Standard roles

The following table describes Identity and Access Management roles that are associated with Cloud DLP, and lists permissions that are contained in each role.

Title: DLP Administrator
Role: roles/dlp.admin
Description: Full control over objects, including listing, creating, viewing, and deleting objects.
Permissions: dlp.deidentifyTemplates.*, dlp.inspectTemplates.*, dlp.jobs.*, dlp.jobTriggers.*, dlp.kms.encrypt, dlp.storedInfoTypes.*

Title: DLP De-identify Templates Editor
Role: roles/dlp.deidentifyTemplatesEditor
Description: Can view and edit DeidentifyTemplate objects.
Permissions: dlp.deidentifyTemplates.*

Title: DLP De-identify Templates Reader
Role: roles/dlp.deidentifyTemplatesReader
Description: Can view DeidentifyTemplate objects.
Permissions: dlp.deidentifyTemplates.get, dlp.deidentifyTemplates.list

Title: DLP Inspect Templates Editor
Role: roles/dlp.inspectTemplatesEditor
Description: Can view and edit InspectTemplate objects.
Permissions: dlp.inspectTemplates.*

Title: DLP Inspect Templates Reader
Role: roles/dlp.inspectTemplatesReader
Description: Can view InspectTemplate objects.
Permissions: dlp.inspectTemplates.get, dlp.inspectTemplates.list

Title: DLP Jobs Editor
Role: roles/dlp.jobsEditor
Description: Can view and edit DlpJob objects.
Permissions: dlp.jobs.*, dlp.kms.encrypt

Title: DLP Jobs Reader
Role: roles/dlp.jobsReader
Description: Can view DlpJob objects.
Permissions: dlp.jobs.get, dlp.jobs.list

Title: DLP Job Triggers Editor
Role: roles/dlp.jobTriggersEditor
Description: Can view and edit JobTrigger objects.
Permissions: dlp.jobTriggers.*

Title: DLP Job Triggers Reader
Role: roles/dlp.jobTriggersReader
Description: Can view JobTrigger objects.
Permissions: dlp.jobTriggers.get, dlp.jobTriggers.list

Title: DLP Reader
Role: roles/dlp.reader
Description: Can view DLP entities, such as jobs and templates.
Permissions: dlp.deidentifyTemplates.get, dlp.deidentifyTemplates.list, dlp.inspectTemplates.get, dlp.inspectTemplates.list, dlp.jobTriggers.get, dlp.jobTriggers.list, dlp.jobs.get, dlp.jobs.list, dlp.storedInfoTypes.get, dlp.storedInfoTypes.list

Title: DLP Stored InfoTypes Editor
Role: roles/dlp.storedInfoTypesEditor
Description: Can view and edit StoredInfoType objects.
Permissions: dlp.storedInfoTypes.*

Title: DLP Stored InfoTypes Reader
Role: roles/dlp.storedInfoTypesReader
Description: Can view and use StoredInfoType objects.
Permissions: dlp.storedInfoTypes.get, dlp.storedInfoTypes.list

Title: DLP User
Role: roles/dlp.user
Description: Inspect, redact, and de-identify content.
Permissions: dlp.kms.encrypt

Custom roles

If you want to define your own roles to contain bundles of permissions that you specify, use custom roles.
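The least-privilege advice above, combined with the role table, can be applied mechanically: given the permissions an identity actually needs, pick the narrowest predefined role that grants all of them, and fall back to a custom role when none does. The following script is an added example, not part of this page or of Google Cloud's tooling; it encodes the table exactly as listed here and treats a trailing `*` as covering every permission under that prefix (the permission `storage.objects.get` in the demo is an assumed non-DLP name used only to show the no-match case).

```python
from fnmatch import fnmatchcase

# Predefined Cloud DLP roles and their permissions, as listed on this page.
DLP_ROLES = {
    "roles/dlp.admin": {"dlp.deidentifyTemplates.*", "dlp.inspectTemplates.*", "dlp.jobs.*",
                        "dlp.jobTriggers.*", "dlp.kms.encrypt", "dlp.storedInfoTypes.*"},
    "roles/dlp.deidentifyTemplatesEditor": {"dlp.deidentifyTemplates.*"},
    "roles/dlp.deidentifyTemplatesReader": {"dlp.deidentifyTemplates.get", "dlp.deidentifyTemplates.list"},
    "roles/dlp.inspectTemplatesEditor": {"dlp.inspectTemplates.*"},
    "roles/dlp.inspectTemplatesReader": {"dlp.inspectTemplates.get", "dlp.inspectTemplates.list"},
    "roles/dlp.jobsEditor": {"dlp.jobs.*", "dlp.kms.encrypt"},
    "roles/dlp.jobsReader": {"dlp.jobs.get", "dlp.jobs.list"},
    "roles/dlp.jobTriggersEditor": {"dlp.jobTriggers.*"},
    "roles/dlp.jobTriggersReader": {"dlp.jobTriggers.get", "dlp.jobTriggers.list"},
    "roles/dlp.reader": {"dlp.deidentifyTemplates.get", "dlp.deidentifyTemplates.list",
                         "dlp.inspectTemplates.get", "dlp.inspectTemplates.list",
                         "dlp.jobTriggers.get", "dlp.jobTriggers.list", "dlp.jobs.get", "dlp.jobs.list",
                         "dlp.storedInfoTypes.get", "dlp.storedInfoTypes.list"},
    "roles/dlp.storedInfoTypesEditor": {"dlp.storedInfoTypes.*"},
    "roles/dlp.storedInfoTypesReader": {"dlp.storedInfoTypes.get", "dlp.storedInfoTypes.list"},
    "roles/dlp.user": {"dlp.kms.encrypt"},
}

def grants(patterns, permission):
    """True if one of a role's permission patterns covers the permission;
    a trailing '*' matches the rest of the name, so dlp.jobs.* covers dlp.jobs.get."""
    return any(fnmatchcase(permission, p) for p in patterns)

def covers(role, needed):
    """True if the role grants every permission in `needed`."""
    return all(grants(DLP_ROLES[role], perm) for perm in needed)

def narrower(a, b):
    """True if role a is no broader than role b: everything a grants, b grants too."""
    return all(grants(DLP_ROLES[b], p) for p in DLP_ROLES[a])

def least_privilege_roles(needed):
    """Covering predefined roles that are minimal (no other covering role is strictly
    narrower). An empty list means no predefined role fits: use a custom role instead."""
    candidates = [r for r in DLP_ROLES if covers(r, needed)]
    return sorted(r for r in candidates
                  if not any(o != r and narrower(o, r) and not narrower(r, o)
                             for o in candidates))

if __name__ == "__main__":
    # A pipeline that only needs to read job state should not get the Jobs Editor role.
    print(least_privilege_roles({"dlp.jobs.get", "dlp.jobs.list"}))  # ['roles/dlp.jobsReader']
    print(least_privilege_roles({"dlp.kms.encrypt"}))  # ['roles/dlp.user']
    print(least_privilege_roles({"storage.objects.get"}))  # []: not a DLP permission, custom role
```

Note that needing dlp.jobs.get together with dlp.kms.encrypt already forces the Jobs Editor role, because no reader role carries dlp.kms.encrypt; that is the kind of gap a custom role is meant to close.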