Overview
AML AI uses Identity and Access Management (IAM) for access control.
You can configure access control for the Financial Services API at the project level. For example, you can grant access for developers to list and get all datasets within a project.
For a detailed description of IAM and its features, see the IAM documentation. In particular, see the section on managing IAM policies.
Every AML AI method requires the caller to have the necessary permissions. For more information, see Permissions and Roles.
Permissions
This section lists AML AI operations and their related permissions implemented by IAM.
Required permissions
The following tables list the IAM permissions that are associated with AML AI.
projects.locations method name | Required permissions |
---|---|
projects.locations.get | financialservices.locations.get on the specific Google Cloud project |
projects.locations.list | financialservices.locations.list on the specific Google Cloud project |
instances method name | Required permissions |
---|---|
instances.create | financialservices.v1instances.create on the parent location, which is a specific Google Cloud project and data location combination |
instances.delete | financialservices.v1instances.delete on the instance resource |
instances.get | financialservices.v1instances.get on the instance resource |
instances.list | financialservices.v1instances.list on the parent location, which is a specific Google Cloud project and data location combination |
instances.patch | financialservices.v1instances.update on the instance resource |
instances.importRegisteredParties | financialservices.v1instances.importRegisteredParties on the instance resource |
instances.exportRegisteredParties | financialservices.v1instances.exportRegisteredParties on the instance resource |
instances.engineConfigs method name | Required permissions |
---|---|
instances.engineConfigs.create | financialservices.v1engineconfigs.create on the parent instance |
instances.engineConfigs.delete | financialservices.v1engineconfigs.delete on the engine config resource |
instances.engineConfigs.get | financialservices.v1engineconfigs.get on the engine config resource |
instances.engineConfigs.list | financialservices.v1engineconfigs.list on the parent instance |
instances.engineConfigs.patch | financialservices.v1engineconfigs.update on the engine config resource |
instances.engineConfigs.exportMetadata | financialservices.v1engineconfigs.exportMetadata on the engine config resource |
instances.engineVersions method name | Required permissions |
---|---|
instances.engineVersions.get | financialservices.v1engineversions.get on the engine version resource |
instances.engineVersions.list | financialservices.v1engineversions.list on the parent instance |
instances.datasets method name | Required permissions |
---|---|
instances.datasets.create | financialservices.v1datasets.create on the parent instance |
instances.datasets.delete | financialservices.v1datasets.delete on the dataset resource |
instances.datasets.get | financialservices.v1datasets.get on the dataset resource |
instances.datasets.list | financialservices.v1datasets.list on the parent instance |
instances.datasets.patch | financialservices.v1datasets.update on the dataset resource |
instances.models method name | Required permissions |
---|---|
instances.models.create | financialservices.v1models.create on the parent instance |
instances.models.delete | financialservices.v1models.delete on the model resource |
instances.models.get | financialservices.v1models.get on the model resource |
instances.models.list | financialservices.v1models.list on the parent instance |
instances.models.patch | financialservices.v1models.update on the model resource |
instances.models.exportMetadata | financialservices.v1models.exportMetadata on the model resource |
instances.backtestResults method name | Required permissions |
---|---|
instances.backtestResults.create | financialservices.v1backtests.create on the parent instance |
instances.backtestResults.delete | financialservices.v1backtests.delete on the backtest result resource |
instances.backtestResults.get | financialservices.v1backtests.get on the backtest result resource |
instances.backtestResults.list | financialservices.v1backtests.list on the parent instance |
instances.backtestResults.patch | financialservices.v1backtests.update on the backtest result resource |
instances.backtestResults.exportMetadata | financialservices.v1backtests.exportMetadata on the backtest result resource |
instances.predictionResults method name | Required permissions |
---|---|
instances.predictionResults.create | financialservices.v1predictions.create on the parent instance |
instances.predictionResults.delete | financialservices.v1predictions.delete on the prediction result resource |
instances.predictionResults.get | financialservices.v1predictions.get on the prediction result resource |
instances.predictionResults.list | financialservices.v1predictions.list on the parent instance |
instances.predictionResults.patch | financialservices.v1predictions.update on the prediction result resource |
instances.predictionResults.exportMetadata | financialservices.v1predictions.exportMetadata on the prediction result resource |
The following methods are inherited from google.longrunning.Operations.
operations method name | Required permissions |
---|---|
operations.cancel | financialservices.operations.cancel on the specific Google Cloud project |
operations.delete | financialservices.operations.delete on the specific Google Cloud project |
operations.get | financialservices.operations.get on the specific Google Cloud project |
operations.list | financialservices.operations.list on the specific Google Cloud project |
Roles
The following table lists the AML AI IAM roles, including the permissions associated with each role:
IAM role | Permissions |
---|---|
Financial Services Viewer: View access to all Financial Services API resources. | |
Financial Services Admin: Full access to all Financial Services API resources. | |
For more information about roles, see IAM basic and predefined roles reference.
Custom roles
If the predefined IAM roles for AML AI don't meet your needs, you can define custom roles. Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization. For more information, see Understanding IAM custom roles.
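When assembling a custom role, the method name and the permission name do not always match: every patch method requires an update permission, and backtestResults and predictionResults map to v1backtests and v1predictions. The following is an added example, not part of the AML AI documentation, that derives the required permission from a method name using the tables above and reports what a candidate role is missing or grants beyond need; the sample role and workload are constructed.

```python
# Added example: map AML AI methods to IAM permissions and audit a custom role.
# Collections, prefixes and verbs are transcribed from the tables on this page.
CRUD = {"create", "delete", "get", "list", "patch"}
TABLES = {
    "projects.locations": ("financialservices.locations", {"get", "list"}),
    "instances": ("financialservices.v1instances",
                  CRUD | {"importRegisteredParties", "exportRegisteredParties"}),
    "instances.engineConfigs": ("financialservices.v1engineconfigs", CRUD | {"exportMetadata"}),
    "instances.engineVersions": ("financialservices.v1engineversions", {"get", "list"}),
    "instances.datasets": ("financialservices.v1datasets", CRUD),
    "instances.models": ("financialservices.v1models", CRUD | {"exportMetadata"}),
    "instances.backtestResults": ("financialservices.v1backtests", CRUD | {"exportMetadata"}),
    "instances.predictionResults": ("financialservices.v1predictions", CRUD | {"exportMetadata"}),
    "operations": ("financialservices.operations", {"cancel", "delete", "get", "list"}),
}
VERB_RENAMES = {"patch": "update"}  # every *.patch method requires *.update


def required_permission(method):
    """Return the IAM permission the page lists for an API method name."""
    collection, _, verb = method.rpartition(".")
    if collection not in TABLES or verb not in TABLES[collection][1]:
        raise ValueError(f"method not listed on this page: {method}")
    prefix = TABLES[collection][0]
    return f"{prefix}.{VERB_RENAMES.get(verb, verb)}"


def audit_role(granted, methods):
    """Compare a role's permissions with what the given methods require."""
    needed = {required_permission(m) for m in methods}
    granted = set(granted)
    return {"missing": sorted(needed - granted),
            "excess": sorted(granted - needed)}


# Constructed sample: methods a hypothetical prediction-only workload calls.
SAMPLE_METHODS = ["instances.datasets.get", "instances.models.get",
                  "instances.predictionResults.create",
                  "instances.predictionResults.patch", "operations.get"]
# Constructed sample role with two typical mistakes: a permission named after
# the method (.patch instead of .update) and an unneeded delete permission.
SAMPLE_ROLE = ["financialservices.v1datasets.get", "financialservices.v1datasets.delete",
               "financialservices.v1models.get", "financialservices.v1predictions.create",
               "financialservices.v1predictions.patch"]

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE, SAMPLE_METHODS))
```

Permissions reported as excess are candidates for removal from the role; permissions reported as missing cause the corresponding API calls to be denied.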