This topic describes the Identity and Access Management (IAM) roles required to configure Cloud Data Loss Prevention (DLP). Roles limit an authenticated identity's ability to access resources. Only grant an identity the permissions it needs in order to interact with applicable Google Cloud APIs, features, or resources.
Standard roles
The following table describes Identity and Access Management roles that are associated with Cloud DLP, and lists permissions that are contained in each role.
| Title | Role | Description | Permissions |
|---|---|---|---|
| DLP Administrator | roles/dlp.admin |
Full control over objects, including listing, creating, viewing, and deleting objects. |
dlp.deidentifyTemplates.* |
dlp.inspectTemplates.* |
|||
dlp.jobs.* |
|||
dlp.jobTriggers.* |
|||
dlp.kms.encrypt |
|||
dlp.storedInfoTypes.* | |||
| DLP De-identify Templates Editor | roles/dlp.deidentifyTemplatesEditor |
Can view and edit DeidentifyTemplate objects. |
dlp.deidentifyTemplates.* |
| DLP De-identify Templates Reader | roles/dlp.deidentifyTemplatesReader |
Can view DeidentifyTemplate objects. |
dlp.deidentifyTemplates.get |
dlp.deidentifyTemplates.list |
|||
| DLP Inspect Templates Editor | roles/dlp.inspectTemplatesEditor |
Can view and edit InspectTemplate objects. |
dlp.inspectTemplates.* |
| DLP Inspect Templates Reader | roles/dlp.inspectTemplatesReader |
Can view InspectTemplate objects. |
dlp.inspectTemplates.get |
dlp.inspectTemplates.list |
|||
| DLP Jobs Editor | roles/dlp.jobsEditor |
Can view and edit DlpJob objects. |
dlp.jobs.* |
dlp.kms.encrypt |
|||
| DLP Jobs Reader | roles/dlp.jobsReader |
Can view DlpJob objects. |
dlp.jobs.get |
dlp.jobs.list |
|||
| DLP Job Triggers Editor | roles/dlp.jobTriggersEditor |
Can view and edit JobTrigger objects. |
dlp.jobTriggers.* |
| DLP Job Triggers Reader | roles/dlp.jobTriggersReader |
Can view JobTrigger objects. |
dlp.jobTriggers.get |
dlp.jobTriggers.list |
|||
| DLP Reader | roles/dlp.reader |
Can view DLP entities, such as jobs and templates. | dlp.deidentifyTemplates.get |
dlp.deidentifyTemplates.list | |||
dlp.inspectTemplates.get | |||
dlp.inspectTemplates.list | |||
dlp.jobTriggers.get | |||
dlp.jobTriggers.list | |||
dlp.jobs.get | |||
dlp.jobs.list | |||
dlp.storedInfoTypes.get | |||
dlp.storedInfoTypes.list | |||
| DLP Stored InfoTypes Editor | roles/dlp.storedInfoTypesEditor |
Can view and edit StoredInfoType objects. |
dlp.storedInfoTypes.* |
| DLP Stored InfoTypes Reader | roles/dlp.storedInfoTypesReader |
Can view and use StoredInfoType objects. |
dlp.storedInfoTypes.get |
dlp.storedInfoTypes.list |
|||
| DLP User | roles/dlp.user |
Inspect, redact, and de-identify content. | dlp.kms.encrypt |
Custom roles
If you want to define your own roles to contain bundles of permissions that you specify, use custom roles.