Standard roles
The following table describes Cloud Identity and Access Management roles that are associated with Cloud DLP, and lists permissions that are contained in each role.
| Role | Description | Permissions |
|---|---|---|
roles/dlp.admin |
Full control over objects, including listing, creating, viewing, and deleting objects |
dlp.inspectTemplates.* |
dlp.deidentifyTemplates.* |
||
dlp.jobs.* |
||
dlp.jobTriggers.* |
||
roles/dlp.jobsEditor |
Can view and edit DlpJob objects. |
dlp.jobs.* |
dlp.kms.encrypt |
||
roles/dlp.jobsReader |
Can view DlpJob objects. |
dlp.jobs.get |
dlp.jobs.list |
||
roles/dlp.jobTriggersEditor |
Can view and edit JobTrigger objects. |
dlp.jobTriggers.* |
roles/dlp.jobTriggersReader |
Can view JobTrigger objects. |
dlp.jobTriggers.get |
dlp.jobTriggers.list |
||
roles/dlp.inspectTemplatesEditor |
Can view and edit InspectTemplate objects. |
dlp.inspectTemplates.* |
roles/dlp.inspectTemplatesReader |
Can view InspectTemplate objects. |
dlp.inspectTemplates.get |
dlp.inspectTemplates.list |
||
roles/dlp.deidentifyTemplatesEditor |
Can view and edit DeidentifyTemplate objects. |
dlp.deidentifyTemplates.* |
roles/dlp.deidentifyTemplatesReader |
Can view DeidentifyTemplate objects. |
dlp.deidentifyTemplates.get |
dlp.deidentifyTemplates.list |
||
roles/dlp.storedInfoTypesEditor |
Can view and edit StoredInfoType objects. |
dlp.storedInfoTypes.* |
roles/dlp.storedInfoTypesReader |
Can view and use StoredInfoType objects. |
dlp.storedInfoTypes.get |
dlp.storedInfoTypes.list |
Custom roles
If you want to define your own roles to contain bundles of permissions that you specify, use custom roles.
