Access control

Overview of access control

This page describes the access control options that are available to you in Cloud Domains.

Overview

Google Cloud offers Identity and Access Management (IAM), which enables you to give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud Domains API roles. For a detailed description of IAM, see the IAM documentation.

IAM enables you to adopt the security principle of least privilege, so that you grant only the necessary access to your resources.

IAM enables you to control who has what permissions to which resources by setting IAM policies. To understand role types, see Role types. An IAM policy grants specific roles to a user, and each role carries a set of permissions. For example, a user who needs to register a domain and modify its contact settings would be given the roles/domains.admin role, while a user who only needs to view existing domain resources would be given the roles/domains.viewer role. For Cloud Domains, you can configure both project-level and resource-level access.

Here are some examples of permissions for a viewer role:

  • View all domains registered in a project.
  • View registration details, for example, DNS, expiry time, etc.
  • Search domain availability and get registration parameters.

Here are some examples of permissions for an administrator role:

  • Register a new domain.
  • Update registration settings, including DNS settings and contact settings.
  • Export or transfer the domain registration.

For a detailed description of IAM and its features, see the IAM developer's guide. In particular, see Granting, changing, and revoking access to a project, and Members.
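The paragraph above describes an IAM policy as a set of bindings that grant roles to principals. The following Python, added here as an example and not code from Cloud Domains or the IAM documentation, edits such a policy in the JSON shape that `gcloud projects get-iam-policy` returns and reviews it for the least-privilege point made above: who holds roles/domains.admin, and whether any Cloud Domains role has been granted to a public principal (allUsers or allAuthenticatedUsers). The policy, its principals and its etag are constructed sample data.

```python
import json
from copy import deepcopy

# Constructed sample allow policy for a project, in the JSON shape that
# `gcloud projects get-iam-policy PROJECT_ID --format=json` returns.
# The principals and the etag value are made up for this example.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwExampleEtag=",
    "bindings": [
        {"role": "roles/domains.admin",
         "members": ["user:alice@example.com"]},
        {"role": "roles/domains.viewer",
         "members": ["user:bob@example.com", "group:dns-ops@example.com"]},
    ],
}

# Principals that make a binding world-readable or open to any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def members_with_role(policy, role):
    """All principals bound to `role`, sorted for stable comparison."""
    return sorted(
        member
        for binding in policy.get("bindings", [])
        if binding["role"] == role
        for member in binding["members"]
    )


def add_binding(policy, role, member):
    """Return a copy of `policy` in which `member` holds `role`.

    Idempotent: re-adding an existing member leaves the policy unchanged,
    which matters because set-iam-policy replaces the whole policy.
    """
    updated = deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def remove_binding(policy, role, member):
    """Return a copy of `policy` with `member` dropped from `role`.

    Bindings left with no members are removed entirely.
    """
    updated = deepcopy(policy)
    kept = []
    for binding in updated.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    updated["bindings"] = kept
    return updated


def audit_domains_roles(policy):
    """Least-privilege review of the Cloud Domains roles in a policy.

    Returns the principals holding the read-write admin role (each can change
    contact, DNS and management settings and transfer the domain) and any
    Cloud Domains role that has been granted to a public principal.
    """
    findings = {"admins": members_with_role(policy, "roles/domains.admin"),
                "public_grants": []}
    for binding in policy.get("bindings", []):
        if not binding["role"].startswith("roles/domains."):
            continue
        for member in binding["members"]:
            if member in PUBLIC_PRINCIPALS:
                findings["public_grants"].append((binding["role"], member))
    return findings


if __name__ == "__main__":
    # Grant Carol view-only access, then review who holds the admin role.
    policy = add_binding(SAMPLE_POLICY, "roles/domains.viewer",
                         "user:carol@example.com")
    print(json.dumps(policy, indent=2))
    print(audit_domains_roles(policy))
```

The functions return modified copies rather than editing in place, so the original policy (and its etag) is still available if the write back with `set-iam-policy` needs to be retried.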

Enabling the Cloud Domains API

To view and assign Cloud Domains IAM roles, you must enable the Cloud Domains API for your project. You cannot see the Cloud Domains roles in the Cloud Console until you enable the API.

For lists of the permissions and roles that Cloud Domains supports, see the following sections.

Permissions and roles

Permissions

The following table lists the permissions that the caller must have to call each method:

Method (purpose): required permission(s)

  • domains.registrations.searchDomains (searching for an available domain): domains.registrations.list
  • domains.registrations.retrieveRegisterParameters (getting parameters to register a new domain): domains.registrations.list
  • domains.registrations.registerDomain (registering a domain): domains.registrations.create
  • domains.registrations.list (listing the registration resources in a project): domains.registrations.list
  • domains.registrations.get (getting the details of a registration resource): domains.registrations.get
  • domains.registrations.update (editing the details of a registration resource): domains.registrations.update
  • domains.registrations.configureManagementSettings (configuring the management settings of a registration resource): domains.registrations.configureManagement
  • domains.registrations.configureDnsSettings (configuring the DNS settings of a registration resource): domains.registrations.configureDns
  • domains.registrations.configureContactSettings (configuring the contact settings of a registration resource): domains.registrations.configureContact
  • domains.registrations.export (exporting a domain): domains.registrations.configureManagement
  • domains.registrations.delete (deleting a domain): domains.registrations.delete
  • domains.registrations.retrieveAuthorizationCode (retrieving the authorization code for a domain transfer): domains.registrations.configureManagement
  • domains.registrations.resetAuthorizationCode (resetting the authorization code for a domain transfer): domains.registrations.configureManagement

Roles

roles/domains.admin
  Title: Domains Administrator
  Description: Provides read-write access to all registration resources. Can take over a domain implicitly with the ability to update the registration information and transfer the domain.
  Permissions:
    • domains.registrations.get
    • domains.registrations.list
    • domains.registrations.create
    • domains.registrations.update
    • domains.registrations.delete
    • domains.registrations.configureContact
    • domains.registrations.configureDns
    • domains.registrations.configureManagement
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • domains.operations.get
    • domains.operations.list
    • domains.registrations.getIamPolicy
    • domains.registrations.setIamPolicy
  Lowest resource: Project

roles/domains.viewer
  Title: Domains viewer
  Description: Has view-only access to projects.
  Permissions:
    • domains.registrations.get
    • domains.registrations.list
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • domains.operations.get
    • domains.operations.list
    • domains.registrations.getIamPolicy
  Lowest resource: Project
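The two tables above answer, together, whether a given principal can call a given method. The following Python, added here as an example and not code from Cloud Domains or the IAM documentation, transcribes both tables and resolves a principal's effective Cloud Domains permissions on a registration by taking the union of the roles bound at project level and at resource level (IAM allow policies are inherited down the resource hierarchy). The sample policies, principals, group membership and registration name are constructed; group membership is supplied by hand rather than looked up, and roles other than the two on this page are ignored, both assumptions of this example.

```python
# Role -> permissions, transcribed from the Roles table on this page.
ROLE_PERMISSIONS = {
    "roles/domains.admin": {
        "domains.registrations.get", "domains.registrations.list",
        "domains.registrations.create", "domains.registrations.update",
        "domains.registrations.delete", "domains.registrations.configureContact",
        "domains.registrations.configureDns", "domains.registrations.configureManagement",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
        "domains.operations.get", "domains.operations.list",
        "domains.registrations.getIamPolicy", "domains.registrations.setIamPolicy",
    },
    "roles/domains.viewer": {
        "domains.registrations.get", "domains.registrations.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
        "domains.operations.get", "domains.operations.list",
        "domains.registrations.getIamPolicy",
    },
}

# Method -> required permission, transcribed from the Permissions table.
METHOD_PERMISSION = {
    "domains.registrations.searchDomains": "domains.registrations.list",
    "domains.registrations.retrieveRegisterParameters": "domains.registrations.list",
    "domains.registrations.registerDomain": "domains.registrations.create",
    "domains.registrations.list": "domains.registrations.list",
    "domains.registrations.get": "domains.registrations.get",
    "domains.registrations.update": "domains.registrations.update",
    "domains.registrations.configureManagementSettings": "domains.registrations.configureManagement",
    "domains.registrations.configureDnsSettings": "domains.registrations.configureDns",
    "domains.registrations.configureContactSettings": "domains.registrations.configureContact",
    "domains.registrations.export": "domains.registrations.configureManagement",
    "domains.registrations.delete": "domains.registrations.delete",
    "domains.registrations.retrieveAuthorizationCode": "domains.registrations.configureManagement",
    "domains.registrations.resetAuthorizationCode": "domains.registrations.configureManagement",
}

# Constructed sample data: a project-level policy, one resource-level policy
# keyed by registration name, and a hand-maintained group membership map.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/domains.viewer", "members": ["group:dns-ops@example.com"]},
]}
REGISTRATION_POLICIES = {
    "projects/example-project/locations/global/registrations/example.com": {
        "bindings": [
            {"role": "roles/domains.admin", "members": ["user:alice@example.com"]},
        ]},
}
GROUP_MEMBERS = {"group:dns-ops@example.com": {"user:bob@example.com"}}


def principals_for(member, group_members):
    """The member itself plus every group it belongs to."""
    names = {member}
    for group, users in group_members.items():
        if member in users:
            names.add(group)
    return names


def roles_from(policy, names):
    """Roles whose bindings name any of `names`."""
    return {b["role"] for b in policy.get("bindings", [])
            if set(b["members"]) & names}


def effective_permissions(member, project_policy, registration_policy=None,
                          group_members=None):
    """Union of the permissions `member` holds on one registration.

    A role bound on the project applies to every registration in it; a role
    bound on the registration itself adds to that. Roles not in
    ROLE_PERMISSIONS contribute nothing here (assumption of this example).
    """
    names = principals_for(member, group_members or {})
    roles = roles_from(project_policy, names)
    if registration_policy:
        roles |= roles_from(registration_policy, names)
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_call(member, method, registration, project_policy,
             registration_policies, group_members=None):
    """True if `member` holds the permission the method requires."""
    needed = METHOD_PERMISSION[method]
    perms = effective_permissions(member, project_policy,
                                  registration_policies.get(registration),
                                  group_members)
    return needed in perms


def roles_allowing(method):
    """Least-privilege helper: page roles carrying the permission a method
    needs, with the narrower viewer role listed first."""
    needed = METHOD_PERMISSION[method]
    return [role for role in ("roles/domains.viewer", "roles/domains.admin")
            if needed in ROLE_PERMISSIONS[role]]
```

Running `roles_allowing` over the table shows that export and both authorization-code methods resolve to domains.registrations.configureManagement, which only roles/domains.admin carries; that is the concrete reason the admin description above warns that the role can take over a domain.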

Access control using the Cloud Console

You can use the Cloud Console to manage access control for your projects.

For detailed instructions, see Granting, changing, and revoking access to resources.

Next steps