Access control for tenants
Identity Platform provides Admin APIs to manage your tenants, users, and authentication tokens. You can leverage Identity and Access Management to prevent unwanted access using these APIs.
Granting, changing, and revoking access
Follow these steps to grant a user a role on a tenant resource:
Open the Identity Platform Tenants page in the Google Cloud console.
Go to the tenants pageSelect a tenant from the list.
Switch to the Permissions tab in the info panel on the right.
Click Add principal to grant a user a new role, or use the list to modify or revoke access for an existing user.
To learn more about access control using IAM, see the
IAM documentation. To set the access control policy
for a resource, use the setIamPolicy method.
API permissions
This table lists the role required to call each method in the Identity Platform API. The role should be assigned on the tenant resource.
| Service | Method | Role |
|---|---|---|
google.cloud.identitytoolkit.v1.AccountManagementService |
GetOobCode | Editor |
| SetAccountInfo | Editor | |
| UploadAccount | Editor | |
| DeleteAccount | Editor | |
| DownloadAccount | Viewer | |
| GetAccountInfo | Viewer | |
| QueryUserInfo | Viewer | |
google.cloud.identitytoolkit.v1.AuthenticationService |
SignUp | Editor |
google.cloud.identitytoolkit.admin.v2.ProjectConfigService |
CreateDefaultSupportedIdpConfig | Editor |
| CreateInboundSamlConfig | Editor | |
| CreateOAuthIdpConfig | Editor | |
| CreateOutboundSamlConfig | Editor | |
| DeleteDefaultSupportedIdpConfig | Editor | |
| DeleteInboundSamlConfig | Editor | |
| DeleteOAuthIdpConfig | Editor | |
| DeleteOutboundSamlConfig | Editor | |
| GetDefaultSupportedIdpConfig | Viewer | |
| GetInboundSamlConfig | Viewer | |
| GetOAuthIdpConfig | Viewer | |
| GetOutboundSamlConfig | Viewer | |
| ListDefaultSupportedIdpConfigs | Viewer | |
| ListInboundSamlConfigs | Viewer | |
| ListOAuthIdpConfigs | Viewer | |
| ListOutboundSamlConfigs | Viewer | |
| UpdateDefaultSupportedIdpConfig | Editor | |
| UpdateInboundSamlConfig | Editor | |
| UpdateOAuthIdpConfig | Editor | |
| UpdateOutboundSamlConfig | Editor | |
google.cloud.identitytoolkit.admin.v2.TenantManagementService |
CreateTenant | Editor (on the parent project) |
| DeleteTenant | Editor | |
| UpdateTenant | Editor | |
| GetTenant | Viewer | |
| ListTenants | Viewer (on the parent project) |