Overview of access control
This page describes the access control options that are available to you in Cloud Domains.
Overview
Google Cloud offers Identity and Access Management (IAM), which enables you to give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud Domains API roles. For a detailed description of IAM, see the IAM documentation.
IAM enables you to adopt the security principle of least privilege, so that you grant only the necessary access to your resources.
IAM enables you to control who has what permissions to
which resources by setting IAM policies. To understand role
types, see Role types. IAM
policies grant specific roles to a user, giving the user certain
permissions. For example, a particular user might need to create and modify
the contact settings for a domain. So, you would give that user the
roles/domains.admin role. On the other hand, a user may
only need to view existing resource domains, so they would get a
roles/domains.viewer role. For Cloud Domains, you can configure
both project-level and resource-level access.
Here are some examples of permissions for a viewer role:
- View all domains registered in a project.
- View registration details, for example, DNS, expiry time, etc.
- Search domain availability and get registration parameters.
Here are some examples of permissions for an administrator role:
- Register a new domain.
- Update registration settings, including DNS settings and contact settings.
- Export or transfer the domain registration
For a detailed description of IAM and its features, see the IAM developer's guide. In particular, see Granting, changing, and revoking access.
Enable the Cloud Domains API
To view and assign Cloud Domains IAM roles, you must enable the Cloud Domains API for your project. You cannot see the Cloud Domains roles in the Google Cloud console until you enable the API.
For lists of the permissions and roles that Cloud Domains supports, see the following sections.
Permissions and roles
Permissions
The following table lists the permissions that the caller must have to call each method:
| Method | Required Permission(s) |
|---|---|
| domains.registrations.searchDomains for searching for an available domain | domains.registrations.list |
| domains.registrations.retrieveRegisterParameters for getting parameters to register a new domain | domains.registrations.list |
| domains.registrations.registerDomain for registering a domain | domains.registrations.create |
| domains.registrations.retrieveTransferParameters for getting parameters to transfer in a domain | domains.registrations.list |
| domains.registrations.transferDomain for transferring in a domain | domains.registrations.create |
| domains.registrations.list for listing the registration resources in a project | domains.registrations.list |
| domains.registrations.get for getting the details of a registration resource | domains.registrations.get |
| domains.registrations.update for editing the details of a registration resource | domains.registrations.update |
| domains.registrations.configureManagementSettings for configuring the management settings of a registration resource | domains.registrations.configureManagement |
| domains.registrations.configureDnsSettings for configuring DNS settings of a registration resource | domains.registrations.configureDns |
| domains.registrations.configureContactSettings for configuring the contact settings of a registration resource |
domains.registrations.configureContact |
| domains.registrations.export for exporting a domain | domains.registrations.configureManagement |
| domains.registrations.delete for deleting a domain | domains.registrations.delete |
| domains.registrations.retrieveAuthorizationCode for retrieving the authorization code for a domain transfer | domains.registrations.configureManagement |
| domains.registrations.resetAuthorizationCode for resetting the authorization code for a domain transfer | domains.registrations.configureManagement |
Roles
The following table lists the Cloud Domains API IAM roles with a corresponding list of all the permissions that each role includes. Every permission is applicable to a particular resource type.
| Role | Permissions |
|---|---|
|
Cloud Domains Admin
Full access to Cloud Domains Registrations and related resources. |
|
|
Cloud Domains Viewer
Read-only access to Cloud Domains Registrations and related resources. |
|
Access control using the Google Cloud console
You can use the Google Cloud console to manage access control for your projects.
For detailed instructions, see Granting, changing, and revoking access to resources.
What's next
- To get started using Cloud Domains, see the Quickstart.
- For details about IAM, see the IAM documentation.
- To find solutions for common issues that you might encounter when using Cloud Domains, see Troubleshooting.