Controle de acesso com o IAM

Nesta página, descrevemos como controlar o acesso à API Discovery Engine e permissões para recursos do Vertex AI Agent Builder usando o Identity and Access Management (IAM).

Visão geral

O Google Cloud oferece o IAM, que permite atribuir um acesso mais granular a recursos específicos do Google Cloud e evita a outros recursos. Nesta página, descrevemos a política de IAM do Vertex AI Agent Builder e permissões de segurança. Para uma descrição detalhada do Google Cloud IAM, consulte a documentação do IAM.

O Vertex AI Agent Builder oferece um conjunto de papéis predefinidos projetados para ajudar você a controlar o acesso aos recursos do Vertex AI Agent Builder. Também é possível criar seus próprios papéis personalizados caso aqueles predefinidos não forneçam os conjuntos de permissões necessárias. Além disso, quanto mais antigos, os papéis básicos (Editor, Leitor e Proprietário) também estão disponíveis para você, embora não forneçam o mesmo controle refinado para papéis do Vertex AI Agent Builder. Em particular, os papéis básicos fornecem acesso a recursos no Google Cloud, e não apenas para o Vertex AI Agent Builder. Consulte a documentação sobre papéis básicos para mais informações.

Papéis predefinidos

O Vertex AI Agent Builder fornece alguns papéis predefinidos que podem ser usados permissões mais refinadas aos principais. O papel concedido a um principal controla quais ações ele pode tomar. Os principais podem ser indivíduos, grupos ou contas de serviço.

Conceda diversos papéis ao mesmo principal. Também é possível alterar os papéis concedidos a um principal a qualquer momento, desde que você tenha permissões para isso.

Os papéis mais amplos incluem os definidos de maneira mais restrita. Por exemplo, o papel Editor do Discovery Engine inclui todas as permissões do papel de leitor do Discovery Engine, além das permissões de adição do papel Editor do Discovery Engine. Da mesma forma, o papel Administrador do Discovery Engine inclui do papel Editor do Discovery Engine, além das permissões permissões.

Os papéis básicos, como Proprietário, Editor e leitor, fornecem permissões no Google Cloud. Os papéis específicos da Vertex AI Agent Builder fornecem apenas Permissões do Vertex AI Agent Builder, exceto para as seguintes que são necessárias para uso geral do Google Cloud:

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
  • serviceusage.services.get

A tabela a seguir lista os papéis do IAM do Vertex AI Agent Builder com uma lista correspondente de todas as permissões de cada papel.

Papel Permissões

(roles/discoveryengine.admin)

Concede acesso total a todos os recursos de discoveryengine.

discoveryengine.*

  • discoveryengine.aclConfigs.get
  • discoveryengine.aclConfigs.update
  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens
  • discoveryengine.answers.get
  • discoveryengine.branches.get
  • discoveryengine.branches.list
  • discoveryengine.cmekConfigs.get
  • discoveryengine.cmekConfigs.list
  • discoveryengine.cmekConfigs.update
  • discoveryengine.collections.delete
  • discoveryengine.collections.get
  • discoveryengine.collections.list
  • discoveryengine.completionConfigs.completeQuery
  • discoveryengine.completionConfigs.get
  • discoveryengine.completionConfigs.update
  • discoveryengine.controls.create
  • discoveryengine.controls.delete
  • discoveryengine.controls.get
  • discoveryengine.controls.list
  • discoveryengine.controls.update
  • discoveryengine.conversations.converse
  • discoveryengine.conversations.create
  • discoveryengine.conversations.delete
  • discoveryengine.conversations.get
  • discoveryengine.conversations.list
  • discoveryengine.conversations.update
  • discoveryengine.dataStores.completeQuery
  • discoveryengine.dataStores.create
  • discoveryengine.dataStores.delete
  • discoveryengine.dataStores.enrollSolutions
  • discoveryengine.dataStores.get
  • discoveryengine.dataStores.list
  • discoveryengine.dataStores.trainCustomModel
  • discoveryengine.dataStores.update
  • discoveryengine.documentProcessingConfigs.get
  • discoveryengine.documentProcessingConfigs.update
  • discoveryengine.documents.batchGetDocumentsMetadata
  • discoveryengine.documents.create
  • discoveryengine.documents.delete
  • discoveryengine.documents.get
  • discoveryengine.documents.import
  • discoveryengine.documents.list
  • discoveryengine.documents.purge
  • discoveryengine.documents.update
  • discoveryengine.engines.create
  • discoveryengine.engines.delete
  • discoveryengine.engines.get
  • discoveryengine.engines.list
  • discoveryengine.engines.pause
  • discoveryengine.engines.resume
  • discoveryengine.engines.tune
  • discoveryengine.engines.update
  • discoveryengine.evaluations.create
  • discoveryengine.evaluations.get
  • discoveryengine.evaluations.list
  • discoveryengine.groundingConfigs.check
  • discoveryengine.locations.estimateDataSize
  • discoveryengine.models.create
  • discoveryengine.models.delete
  • discoveryengine.models.get
  • discoveryengine.models.list
  • discoveryengine.models.pause
  • discoveryengine.models.resume
  • discoveryengine.models.tune
  • discoveryengine.models.update
  • discoveryengine.operations.get
  • discoveryengine.operations.list
  • discoveryengine.projects.get
  • discoveryengine.projects.provision
  • discoveryengine.projects.reportConsentChange
  • discoveryengine.rankingConfigs.rank
  • discoveryengine.sampleQueries.create
  • discoveryengine.sampleQueries.delete
  • discoveryengine.sampleQueries.get
  • discoveryengine.sampleQueries.import
  • discoveryengine.sampleQueries.list
  • discoveryengine.sampleQueries.update
  • discoveryengine.sampleQuerySets.create
  • discoveryengine.sampleQuerySets.delete
  • discoveryengine.sampleQuerySets.get
  • discoveryengine.sampleQuerySets.list
  • discoveryengine.sampleQuerySets.update
  • discoveryengine.schemas.create
  • discoveryengine.schemas.delete
  • discoveryengine.schemas.get
  • discoveryengine.schemas.list
  • discoveryengine.schemas.preview
  • discoveryengine.schemas.update
  • discoveryengine.schemas.validate
  • discoveryengine.servingConfigs.answer
  • discoveryengine.servingConfigs.create
  • discoveryengine.servingConfigs.delete
  • discoveryengine.servingConfigs.get
  • discoveryengine.servingConfigs.list
  • discoveryengine.servingConfigs.recommend
  • discoveryengine.servingConfigs.search
  • discoveryengine.servingConfigs.update
  • discoveryengine.sessions.create
  • discoveryengine.sessions.delete
  • discoveryengine.sessions.get
  • discoveryengine.sessions.list
  • discoveryengine.sessions.update
  • discoveryengine.siteSearchEngines.batchVerifyTargetSites
  • discoveryengine.siteSearchEngines.disableAdvancedSiteSearch
  • discoveryengine.siteSearchEngines.enableAdvancedSiteSearch
  • discoveryengine.siteSearchEngines.fetchDomainVerificationStatus
  • discoveryengine.siteSearchEngines.get
  • discoveryengine.siteSearchEngines.recrawlUris
  • discoveryengine.suggestionDenyListEntries.import
  • discoveryengine.suggestionDenyListEntries.purge
  • discoveryengine.targetSites.batchCreate
  • discoveryengine.targetSites.create
  • discoveryengine.targetSites.delete
  • discoveryengine.targetSites.get
  • discoveryengine.targetSites.list
  • discoveryengine.targetSites.update
  • discoveryengine.userEvents.create
  • discoveryengine.userEvents.fetchStats
  • discoveryengine.userEvents.import
  • discoveryengine.userEvents.purge
  • discoveryengine.widgetConfigs.get
  • discoveryengine.widgetConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/discoveryengine.editor)

Concede acesso de leitura e gravação a todos os recursos do Discovery Engine.

discoveryengine.aclConfigs.get

discoveryengine.analytics.*

  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens

discoveryengine.answers.get

discoveryengine.branches.*

  • discoveryengine.branches.get
  • discoveryengine.branches.list

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.completeQuery

discoveryengine.completionConfigs.get

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.*

  • discoveryengine.conversations.converse
  • discoveryengine.conversations.create
  • discoveryengine.conversations.delete
  • discoveryengine.conversations.get
  • discoveryengine.conversations.list
  • discoveryengine.conversations.update

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.batchGetDocumentsMetadata

discoveryengine.documents.create

discoveryengine.documents.delete

discoveryengine.documents.get

discoveryengine.documents.import

discoveryengine.documents.list

discoveryengine.documents.update

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.engines.pause

discoveryengine.engines.resume

discoveryengine.engines.tune

discoveryengine.evaluations.get

discoveryengine.evaluations.list

discoveryengine.groundingConfigs.check

discoveryengine.models.*

  • discoveryengine.models.create
  • discoveryengine.models.delete
  • discoveryengine.models.get
  • discoveryengine.models.list
  • discoveryengine.models.pause
  • discoveryengine.models.resume
  • discoveryengine.models.tune
  • discoveryengine.models.update

discoveryengine.operations.*

  • discoveryengine.operations.get
  • discoveryengine.operations.list

discoveryengine.projects.get

discoveryengine.rankingConfigs.rank

discoveryengine.sampleQueries.*

  • discoveryengine.sampleQueries.create
  • discoveryengine.sampleQueries.delete
  • discoveryengine.sampleQueries.get
  • discoveryengine.sampleQueries.import
  • discoveryengine.sampleQueries.list
  • discoveryengine.sampleQueries.update

discoveryengine.sampleQuerySets.*

  • discoveryengine.sampleQuerySets.create
  • discoveryengine.sampleQuerySets.delete
  • discoveryengine.sampleQuerySets.get
  • discoveryengine.sampleQuerySets.list
  • discoveryengine.sampleQuerySets.update

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.schemas.preview

discoveryengine.schemas.validate

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.sessions.*

  • discoveryengine.sessions.create
  • discoveryengine.sessions.delete
  • discoveryengine.sessions.get
  • discoveryengine.sessions.list
  • discoveryengine.sessions.update

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.create

discoveryengine.userEvents.fetchStats

discoveryengine.userEvents.import

discoveryengine.widgetConfigs.*

  • discoveryengine.widgetConfigs.get
  • discoveryengine.widgetConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/discoveryengine.user)

Concede acesso de usuário aos recursos do Discovery Engine.

discoveryengine.answers.get

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.search

discoveryengine.sessions.get

(roles/discoveryengine.viewer)

Concede acesso de leitura a todos os recursos do Discovery Engine.

discoveryengine.aclConfigs.get

discoveryengine.analytics.*

  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens

discoveryengine.answers.get

discoveryengine.branches.*

  • discoveryengine.branches.get
  • discoveryengine.branches.list

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.completeQuery

discoveryengine.completionConfigs.get

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.converse

discoveryengine.conversations.get

discoveryengine.conversations.list

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.batchGetDocumentsMetadata

discoveryengine.documents.get

discoveryengine.documents.list

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.evaluations.get

discoveryengine.evaluations.list

discoveryengine.groundingConfigs.check

discoveryengine.models.get

discoveryengine.models.list

discoveryengine.operations.*

  • discoveryengine.operations.get
  • discoveryengine.operations.list

discoveryengine.projects.get

discoveryengine.rankingConfigs.rank

discoveryengine.sampleQueries.get

discoveryengine.sampleQueries.list

discoveryengine.sampleQuerySets.get

discoveryengine.sampleQuerySets.list

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.schemas.preview

discoveryengine.schemas.validate

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.sessions.get

discoveryengine.sessions.list

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.fetchStats

discoveryengine.widgetConfigs.get

resourcemanager.projects.get

resourcemanager.projects.list

Gerenciar o IAM do Vertex AI Agent Builder

É possível receber e definir políticas de permissão e papéis do IAM usando o Google Cloud do Cloud. Para mais informações, consulte Gerenciar o acesso a projetos, pastas e organizações.

A seguir