Access control for tenants

Identity Platform provides Admin APIs to manage your tenants, users, and authentication tokens. You can use Identity and Access Management (IAM) to control who is allowed to call these APIs and prevent unwanted access.

Granting, changing, and revoking access

Follow these steps to grant a user a role on a tenant resource:

  1. Open the Identity Platform Tenants page in the Google Cloud console.

  2. Select a tenant from the list.

  3. Switch to the Permissions tab in the info panel on the right.

    Access control pane

  4. Click Add principal to grant a user a new role, or use the list to modify or revoke access for an existing user.

To learn more about access control using IAM, see the IAM documentation. To set the access control policy for a resource, use the setIamPolicy method.

API permissions

This table lists the role required to call each method in the Identity Platform API. Unless the table says otherwise, the role must be granted on the tenant resource.

Method                              Role
----------------------------------  ---------------------------------
GetOobCode                          Editor
SetAccountInfo                      Editor
UploadAccount                       Editor
DeleteAccount                       Editor
DownloadAccount                     Viewer
GetAccountInfo                      Viewer
QueryUserInfo                       Viewer

SignUp                              Editor

CreateDefaultSupportedIdpConfig     Editor
CreateInboundSamlConfig             Editor
CreateOAuthIdpConfig                Editor
CreateOutboundSamlConfig            Editor
DeleteDefaultSupportedIdpConfig     Editor
DeleteInboundSamlConfig             Editor
DeleteOAuthIdpConfig                Editor
DeleteOutboundSamlConfig            Editor
GetDefaultSupportedIdpConfig        Viewer
GetInboundSamlConfig                Viewer
GetOAuthIdpConfig                   Viewer
GetOutboundSamlConfig               Viewer
ListDefaultSupportedIdpConfigs      Viewer
ListInboundSamlConfigs              Viewer
ListOAuthIdpConfigs                 Viewer
ListOutboundSamlConfigs             Viewer
UpdateDefaultSupportedIdpConfig     Editor
UpdateInboundSamlConfig             Editor
UpdateOAuthIdpConfig                Editor
UpdateOutboundSamlConfig            Editor

CreateTenant                        Editor (on the parent project)
DeleteTenant                        Editor
UpdateTenant                        Editor
GetTenant                           Viewer
ListTenants                         Viewer (on the parent project)
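The following is an added example, not Google's own code, that turns the table above and the setIamPolicy step into a least-privilege helper: given the methods a caller actually needs, it picks the lowest role per scope (tenant or parent project), then adds the binding to a fetched policy while preserving its etag so the result can be passed to setIamPolicy without clobbering concurrent changes. The method sets are transcribed from this page; the policy document shape is the standard IAM bindings/etag format.

```python
import copy
from typing import Dict, Iterable

# Roles required per method, transcribed from the table on this page.
VIEWER_METHODS = {
    "DownloadAccount", "GetAccountInfo", "QueryUserInfo",
    "GetDefaultSupportedIdpConfig", "GetInboundSamlConfig", "GetOAuthIdpConfig",
    "GetOutboundSamlConfig", "ListDefaultSupportedIdpConfigs",
    "ListInboundSamlConfigs", "ListOAuthIdpConfigs", "ListOutboundSamlConfigs",
    "GetTenant", "ListTenants",
}
EDITOR_METHODS = {
    "GetOobCode", "SetAccountInfo", "UploadAccount", "DeleteAccount", "SignUp",
    "CreateDefaultSupportedIdpConfig", "CreateInboundSamlConfig",
    "CreateOAuthIdpConfig", "CreateOutboundSamlConfig",
    "DeleteDefaultSupportedIdpConfig", "DeleteInboundSamlConfig",
    "DeleteOAuthIdpConfig", "DeleteOutboundSamlConfig",
    "UpdateDefaultSupportedIdpConfig", "UpdateInboundSamlConfig",
    "UpdateOAuthIdpConfig", "UpdateOutboundSamlConfig",
    "CreateTenant", "DeleteTenant", "UpdateTenant",
}
# Methods whose role is granted on the parent project rather than the tenant.
PROJECT_SCOPED = {"CreateTenant", "ListTenants"}

def required_roles(methods: Iterable[str]) -> Dict[str, str]:
    """Return the minimal role per scope ("tenant" / "project") for these methods."""
    needed: Dict[str, str] = {}
    for m in methods:
        if m in EDITOR_METHODS:
            role = "roles/editor"
        elif m in VIEWER_METHODS:
            role = "roles/viewer"
        else:
            raise ValueError(f"unknown method: {m}")
        scope = "project" if m in PROJECT_SCOPED else "tenant"
        # Editor subsumes Viewer, so never downgrade an Editor already required.
        if needed.get(scope) != "roles/editor":
            needed[scope] = role
    return needed

def add_binding(policy: dict, role: str, member: str) -> dict:
    """Read-modify-write step: add member to role, keep the etag, stay idempotent."""
    new = copy.deepcopy(policy)  # never mutate the policy fetched from getIamPolicy
    for b in new.setdefault("bindings", []):
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new
```

Send the returned policy (etag included) as the body of setIamPolicy; a stale etag is rejected, which is the intended protection against overwriting someone else's edit.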