Overview of access control
This page describes the access control options that are available to you in Cloud Domains.
Google Cloud offers Identity and Access Management (IAM), which enables you to give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud Domains API roles. For a detailed description of IAM, see the IAM documentation.
IAM enables you to adopt the security principle of least privilege, so that you grant only the necessary access to your resources.
IAM enables you to control who has what permissions to which resources by setting IAM policies. To understand role types, see Role types. An IAM policy grants specific roles to a principal, and each role carries a defined set of permissions. For example, a user who needs to create and modify the contact settings for a domain would be granted the roles/domains.admin role, whereas a user who only needs to view existing domain registrations would be granted the roles/domains.viewer role. For Cloud Domains, you can configure both project-level and resource-level access.
Here are some examples of permissions for a viewer role:
- View all domains registered in a project.
- View registration details, for example, DNS, expiry time, etc.
- Search domain availability and get registration parameters.
Here are some examples of permissions for an administrator role:
- Register a new domain.
- Update registration settings, including DNS settings and contact settings.
- Export or transfer the domain registration.
For a detailed description of IAM and its features, see the IAM developer's guide. In particular, see Granting, changing, and revoking access to a project.
Enabling the Cloud Domains API
To view and assign Cloud Domains IAM roles, you must enable the Cloud Domains API for your project. You cannot see the Cloud Domains roles in the Cloud Console until you enable the API.
For lists of the permissions and roles that Cloud Domains supports, see the following sections.
Permissions and roles
The following list gives each Cloud Domains permission and the operation it gates. The caller must hold the permission to call the corresponding method:
- domains.registrations.searchDomains: searching for an available domain
- domains.registrations.retrieveRegisterParameters: getting the parameters needed to register a new domain
- domains.registrations.registerDomain: registering a domain
- domains.registrations.list: listing the registration resources in a project
- domains.registrations.get: getting the details of a registration resource
- domains.registrations.update: editing the details of a registration resource
- domains.registrations.configureManagementSettings: configuring the management settings of a registration resource
- domains.registrations.configureDnsSettings: configuring the DNS settings of a registration resource
- domains.registrations.configureContactSettings: configuring the contact settings of a registration resource
- domains.registrations.export: exporting a domain
- domains.registrations.delete: deleting a domain
- domains.registrations.retrieveAuthorizationCode: retrieving the authorization code for a domain transfer
- domains.registrations.resetAuthorizationCode: resetting the authorization code for a domain transfer
Cloud Domains provides the following predefined roles:
| Role | Title | Description |
| roles/domains.admin | Domains Administrator | Provides read-write access to all registration resources in the project. Because the role includes the permissions to change contact settings, export the registration, and retrieve or reset the transfer authorization code, a holder can effectively take over a domain. Grant it only to principals that must manage registrations. |
| roles/domains.viewer | Domains Viewer | Provides view-only access to the registration resources in a project, including searching domain availability and reading registration details. |
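As an added example (not code from the original page or from Google Cloud), the following script evaluates a Cloud Domains IAM policy locally: it answers "can this principal call this method?", picks the smallest predefined role that covers a requested set of permissions (the least-privilege choice from the paragraph above), and audits which principals hold any permission that would let them move a domain out of your control. The permission names are the ones listed on this page; the role-to-permission membership, the takeover set, and the sample policy are assumptions constructed for the example, not the authoritative role definitions. Run `gcloud iam roles describe roles/domains.admin` to confirm the real membership before relying on it.

```python
"""Local evaluation and audit of a Cloud Domains IAM policy (added example).

Assumptions (not taken from the page): the exact permission membership of
roles/domains.viewer and roles/domains.admin, the set of "takeover" permissions,
and the sample policy below are constructed for illustration.
"""
from typing import Dict, List, Set

# Permissions listed on this page (domains.registrations.*), split by the
# role descriptions: viewer = search/read, admin = everything.
VIEW_PERMS: Set[str] = {
    "domains.registrations.searchDomains",
    "domains.registrations.retrieveRegisterParameters",
    "domains.registrations.list",
    "domains.registrations.get",
}
ADMIN_ONLY_PERMS: Set[str] = {
    "domains.registrations.registerDomain",
    "domains.registrations.update",
    "domains.registrations.configureManagementSettings",
    "domains.registrations.configureDnsSettings",
    "domains.registrations.configureContactSettings",
    "domains.registrations.export",
    "domains.registrations.delete",
    "domains.registrations.retrieveAuthorizationCode",
    "domains.registrations.resetAuthorizationCode",
}

# Assumed role memberships (verify with `gcloud iam roles describe <role>`).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/domains.viewer": VIEW_PERMS,
    "roles/domains.admin": VIEW_PERMS | ADMIN_ONLY_PERMS,
}

# Assumed "takeover" set: permissions that let a holder transfer the domain
# away or redirect the contacts that registrars use to confirm ownership.
TAKEOVER_PERMS: Set[str] = {
    "domains.registrations.retrieveAuthorizationCode",
    "domains.registrations.resetAuthorizationCode",
    "domains.registrations.export",
    "domains.registrations.configureContactSettings",
}

# Constructed sample policy in the shape `gcloud projects get-iam-policy` returns.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/domains.viewer",
         "members": ["user:auditor@example.com", "group:dns-readers@example.com"]},
        {"role": "roles/domains.admin",
         "members": ["serviceAccount:domain-bot@example-project.iam.gserviceaccount.com"]},
    ]
}


def permissions_for(policy: dict, member: str) -> Set[str]:
    """Union of the permissions granted to `member` by every binding naming it."""
    perms: Set[str] = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def can_call(policy: dict, member: str, permission: str) -> bool:
    """True if `member` holds `permission` under `policy`."""
    return permission in permissions_for(policy, member)


def least_privilege_role(needed: Set[str]) -> str:
    """Smallest predefined role (by permission count) covering `needed`; '' if none."""
    fits = [(len(perms), role) for role, perms in ROLE_PERMISSIONS.items() if needed <= perms]
    return min(fits)[1] if fits else ""


def takeover_capable_members(policy: dict) -> List[str]:
    """Members bound to any role that carries a takeover permission."""
    found: Set[str] = set()
    for binding in policy.get("bindings", []):
        if ROLE_PERMISSIONS.get(binding["role"], set()) & TAKEOVER_PERMS:
            found.update(binding.get("members", []))
    return sorted(found)


if __name__ == "__main__":
    print("viewer can list:", can_call(SAMPLE_POLICY, "user:auditor@example.com",
                                       "domains.registrations.list"))
    print("role for DNS-only change:",
          least_privilege_role({"domains.registrations.configureDnsSettings"}))
    print("can take over a domain:", takeover_capable_members(SAMPLE_POLICY))
```

To audit a real project, replace `SAMPLE_POLICY` with the parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json`. Note that the audit only looks at the two Cloud Domains roles; basic roles such as roles/owner and roles/editor, and any custom role, also need to be mapped into `ROLE_PERMISSIONS` before the takeover check is complete.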
Access control using the Cloud Console
You can use the Cloud Console to manage access control for your projects.
For detailed instructions, see Granting, changing, and revoking access to resources.