Stay organized with collections
Save and categorize content based on your preferences.
The following table describes Identity and Access Management (IAM) roles
that are associated with Enterprise Knowledge Graph and lists the permissions that are
contained in each role. Unless otherwise noted, these roles can be applied
either to entire projects or specific processors.
Basic roles are roles that existed prior to IAM. These roles have
unique characteristics:
Basic roles can only be granted for an entire project, not for individual
buckets within the project. Like other roles that you grant for a project,
basic roles apply to all buckets and objects in the project.
Basic roles contain additional permissions for other Google Cloud
services that are not covered in this section. For a general discussion of the permissions that basic roles grant, see basic roles.
In some cases, basic roles can be used as if they were groups, which causes
any principal that has the basic role to get additional access for some
resources.
A basic role can be used as if it were a group when granting roles for
buckets.
A basic role can be used as if it were a group when setting ACLs on
objects.
For a discussion of additional access that principals with basic roles
typically gain due to this behavior, see
modifiable behavior.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eEnterprise Knowledge Graph offers three primary IAM roles: Administrator, Editor, and Viewer, each granting different levels of access to resources.\u003c/p\u003e\n"],["\u003cp\u003eThe Administrator role (\u003ccode\u003eroles/enterpriseknowledgegraph.admin\u003c/code\u003e) provides full access to all Enterprise Knowledge Graph resources.\u003c/p\u003e\n"],["\u003cp\u003eThe Editor role (\u003ccode\u003eroles/enterpriseknowledgegraph.editor\u003c/code\u003e) allows for using all resources, as well as creating, canceling, and deleting entity reconciliation jobs.\u003c/p\u003e\n"],["\u003cp\u003eThe Viewer role (\u003ccode\u003eroles/enterpriseknowledgegraph.viewer\u003c/code\u003e) enables the viewing of all resources and entity reconciliation jobs, but not modification.\u003c/p\u003e\n"],["\u003cp\u003eBasic roles, which predate IAM, can only be granted at the project level and may provide additional access to other Google Cloud services, sometimes acting like a group when managing buckets or setting ACLs.\u003c/p\u003e\n"]]],[],null,["# IAM roles for Enterprise Knowledge Graph\n\nThe following table describes Identity and Access Management (IAM) roles\nthat are associated with Enterprise Knowledge Graph and lists the permissions that are\ncontained in each role. Unless otherwise noted, these roles can be applied\neither to entire projects or specific processors.\n\nBasic roles\n-----------\n\nBasic roles are roles that existed prior to IAM. These roles have\nunique characteristics:\n\n- Basic roles can only be granted for an entire project, not for individual\n buckets within the project. Like other roles that you grant for a project,\n basic roles apply to all buckets and objects in the project.\n\n- Basic roles contain additional permissions for other Google Cloud\n services that are not covered in this section. For a general discussion of the permissions that basic roles grant, see [basic roles](/iam/docs/understanding-roles#basic).\n\n- In some cases, basic roles can be used as if they were groups, which causes\n any principal that has the basic role to get additional access for some\n resources.\n\n - A basic role can be used as if it were a group when granting roles for\n buckets.\n\n - A basic role can be used as if it were a group when setting ACLs on\n objects.\n\n For a discussion of additional access that principals with basic roles\n typically gain due to this behavior, see\n [modifiable behavior](#basic-roles-modifiable).\n\nWhat's next\n-----------\n\n- Learn about each [IAM permission for Enterprise Knowledge Graph](/enterprise-knowledge-graph/docs/access-control/iam-permissions).\n\n- For a reference of other Google Cloud roles, see [Understanding Roles](/iam/docs/understanding-roles)."]]