Access control for tenants

Identity Platform provides Admin APIs to manage your tenants, users, and authentication tokens. You can leverage Identity and Access Management to prevent unwanted access using these APIs.

Granting, changing, and revoking access

Follow these steps to grant a user a role on a tenant resource:

  1. Open the Identity Platform Tenants page in the Cloud Console.
    Go to the tenants page

  2. Select a tenant from the list.

  3. Switch to the Permissions tab in the info panel on the right.

    Access control pane

  4. Click Add member to grant a user a new role, or use the list to modify or revoke access for an existing user.

To learn more about access control using IAM, see the IAM documentation.

API permissions

This table lists the role required to call each method in the Identity Platform API. The role should be assigned on the tenant resource.

Service Method Role
google.cloud.identitytoolkit.v1.AccountManagementService GetOobCode Editor
SetAccountInfo Editor
UploadAccount Editor
DeleteAccount Editor
DownloadAccount Viewer
GetAccountInfo Viewer
QueryUserInfo Viewer
google.cloud.identitytoolkit.v1.AuthenticationService SignUp Editor
google.cloud.identitytoolkit.admin.v2.ProjectConfigService CreateDefaultSupportedIdpConfig Editor
CreateInboundSamlConfig Editor
CreateOAuthIdpConfig Editor
CreateOutboundSamlConfig Editor
DeleteDefaultSupportedIdpConfig Editor
DeleteInboundSamlConfig Editor
DeleteOAuthIdpConfig Editor
DeleteOutboundSamlConfig Editor
GetDefaultSupportedIdpConfig Viewer
GetInboundSamlConfig Viewer
GetOAuthIdpConfig Viewer
GetOutboundSamlConfig Viewer
ListDefaultSupportedIdpConfigs Viewer
ListInboundSamlConfigs Viewer
ListOAuthIdpConfigs Viewer
ListOutboundSamlConfigs Viewer
UpdateDefaultSupportedIdpConfig Editor
UpdateInboundSamlConfig Editor
UpdateOAuthIdpConfig Editor
UpdateOutboundSamlConfig Editor
google.cloud.identitytoolkit.admin.v2.TenantManagementService CreateTenant Editor (on the parent project)
DeleteTenant Editor
UpdateTenant Editor
GetTenant Viewer
ListTenants Viewer (on the parent project)