This page describes the Identity and Access Management (IAM) roles and permissions that you need to purchase and manage commercial solutions in Cloud Marketplace.
With IAM, you manage access control by defining who (identity) has what access (role) to which resource. For commercial apps on Cloud Marketplace, users in your Google Cloud organization need IAM roles to sign up for Cloud Marketplace plans and to make changes to billing plans.
Before you begin
- To grant Cloud Marketplace roles and permissions using gcloud, install the gcloud CLI. Otherwise, you can grant roles using the Google Cloud console.
IAM roles for purchasing and managing products
We recommend that you assign the Billing Account Administrator IAM role to users who purchase services from Cloud Marketplace.
Users who want to access the services must have, at a minimum, the Viewer role.
For more granular control over users' permissions, you can create custom roles with the permissions that you want to grant.
Product-specific requirements
To use the following services in a Google Cloud project, you must have the Project Editor role:
- Google Cloud Dataprep by Trifacta
- Neo4j Aura Professional
List of IAM roles and permissions
You can grant users one or more of the following IAM roles.
Depending on the role that you grant to users, you must also assign the role to a project, organization, or Google Cloud billing account. For details, see the section Grant IAM roles to users.
Role | Permissions |
Commerce Business Enablement Configuration Admin
Beta
(roles/commercebusinessenablement.admin)
Admin of Various Provider Configuration resources
|
commercebusinessenablement.leadgenConfig.*
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.leadgenConfig.update
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.*
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.*
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Admin
Beta
(roles/commercebusinessenablement.paymentConfigAdmin)
Administration of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.*
commercebusinessenablement.paymentConfig.get
commercebusinessenablement.paymentConfig.update
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Viewer
Beta
(roles/commercebusinessenablement.paymentConfigViewer)
Viewer of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Rebates Admin
Beta
(roles/commercebusinessenablement.rebatesAdmin)
Provides admin access to rebates
|
commercebusinessenablement.operations.*
commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.*
commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update
|
Commerce Business Enablement Rebates Viewer
Beta
(roles/commercebusinessenablement.rebatesViewer)
Provides read-only access to rebates
|
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
|
Commerce Business Enablement Reseller Discount Admin
Beta
(roles/commercebusinessenablement.resellerDiscountAdmin)
Provides admin access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.*
commercebusinessenablement.resellerDiscountOffers.cancel
commercebusinessenablement.resellerDiscountOffers.create
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.*
commercebusinessenablement.resellerPrivateOfferPlans.cancel
commercebusinessenablement.resellerPrivateOfferPlans.create
commercebusinessenablement.resellerPrivateOfferPlans.delete
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerPrivateOfferPlans.publish
commercebusinessenablement.resellerPrivateOfferPlans.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Reseller Discount Viewer
Beta
(roles/commercebusinessenablement.resellerDiscountViewer)
Provides read-only access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Configuration Viewer
Beta
(roles/commercebusinessenablement.viewer)
Viewer of Various Provider Configuration resource
|
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerRestrictions.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Offer Catalog Offers Viewer
Beta
(roles/commerceoffercatalog.offersViewer)
Allows viewing offers
|
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
|
Commerce Organization Governance Admin
Beta
(roles/commerceorggovernance.admin)
Full access to Organization Governance APIs
|
commerceorggovernance.*
commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collectionRequestApprovals.review
commerceorggovernance.collections.create
commerceorggovernance.collections.delete
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.collections.update
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.consumerSharingPolicies.update
commerceorggovernance.organizationSettings.get
commerceorggovernance.organizationSettings.update
commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Governed Marketplace User
Beta
(roles/commerceorggovernance.user)
Full access to Governed Marketplace features.
|
commerceorggovernance.services.*
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Organization Governance Viewer
Beta
(roles/commerceorggovernance.viewer)
Full access to Organization Governance read-only APIs.
|
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.organizationSettings.get
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.services.get
commerceorggovernance.services.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Events Viewer
Beta
(roles/commercepricemanagement.eventsViewer)
Allows viewing key events for an offer
|
commerceprice.events.*
commerceprice.events.get
commerceprice.events.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Private Offers Admin
Beta
(roles/commercepricemanagement.privateOffersAdmin)
Allows managing private offers
|
commerceagreementpublishing.*
commerceagreementpublishing.agreements.create
commerceagreementpublishing.agreements.delete
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.agreements.update
commerceagreementpublishing.documents.create
commerceagreementpublishing.documents.delete
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceagreementpublishing.documents.update
commerceprice.*
commerceprice.events.get
commerceprice.events.list
commerceprice.privateoffers.cancel
commerceprice.privateoffers.create
commerceprice.privateoffers.delete
commerceprice.privateoffers.get
commerceprice.privateoffers.list
commerceprice.privateoffers.publish
commerceprice.privateoffers.sendEmail
commerceprice.privateoffers.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Price Management Viewer
Beta
(roles/commercepricemanagement.viewer)
Allows viewing offers, free trials, skus
|
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceprice.privateoffers.get
commerceprice.privateoffers.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Producer Admin
Beta
(roles/commerceproducer.admin)
Grants full access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Producer Viewer
Beta
(roles/commerceproducer.viewer)
Grants read access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Consumer Procurement Entitlement Manager
(roles/consumerprocurement.entitlementManager)
Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.*
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Entitlement Viewer
(roles/consumerprocurement.entitlementViewer)
Allows inspecting entitlements and service states for a consumer project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Events Viewer
(roles/consumerprocurement.eventsViewer)
Allows viewing key events for an offer
|
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
|
Consumer Procurement License Pool Editor
(roles/consumerprocurement.licensePoolEditor)
Allows managing license pools and license assignments.
|
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
|
Consumer Procurement License Pool Viewer
(roles/consumerprocurement.licensePoolViewer)
Allows viewing license pools and license assignments.
|
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
|
Consumer Procurement Order Administrator
(roles/consumerprocurement.orderAdmin)
Allows managing purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
consumerprocurement.orderAttributions.*
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.*
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
|
Consumer Procurement Order Viewer
(roles/consumerprocurement.orderViewer)
Allows inspecting purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
|
Consumer Procurement Administrator
(roles/consumerprocurement.procurementAdmin)
Allows managing purchases, consents at both billing account and project level.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.allowProjectGrant
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Viewer
(roles/consumerprocurement.procurementViewer)
Allows inspecting purchases, consents and entitlements and service states for a consumer project.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Grant IAM roles to users
Of the roles in the preceding table, the consumerprocurement.orderAdmin and consumerprocurement.orderViewer roles must be assigned at the organization level, and the consumerprocurement.entitlementManager and consumerprocurement.entitlementViewer roles must be assigned at the project or organization level.
To grant roles to users using gcloud, run one of the following commands:
Organization
You must have the resourcemanager.organizationAdmin role to assign roles at the organization level.
gcloud organizations add-iam-policy-binding organization-id \
    --member=member --role=role-id
The placeholder values are as follows:
- organization-id: the numeric ID of the organization for which you are granting the role.
- member: the user to whom you are granting access.
- role-id: the role ID, as listed in the preceding table.
Billing account
You must have the billing.admin role to assign roles at the billing account level.
gcloud beta billing accounts set-iam-policy account-id \
    policy-file
The placeholder values are as follows:
Project
You must have the resourcemanager.folderAdmin role to assign roles at the project level.
gcloud projects add-iam-policy-binding project-id \
    --member=member --role=role-id
The placeholder values are as follows:
- project-id: the project for which you are granting the role.
- member: the user to whom you are granting access.
- role-id: the role ID, as listed in the preceding table.
To grant roles to users using the Google Cloud console, see the IAM documentation Grant, change, and revoke access to users.
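Unlike the add-iam-policy-binding commands, the billing account command above replaces the whole policy with the contents of policy-file. The following added example (not part of the original page) merges one binding into a policy fetched beforehand and checks that no existing grant is lost; the sample policy, the principals and the output file name are constructed for illustration.

```python
import copy
import json

# Constructed sample standing in for the JSON printed by
#   gcloud beta billing accounts get-iam-policy account-id --format=json
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/billing.admin",
         "members": ["user:finance-lead@example.com"]},
        {"role": "roles/consumerprocurement.orderViewer",
         "members": ["group:auditors@example.com"]},
    ],
    "etag": "BwXconstructedEtag=",
    "version": 1,
}


def grants(policy):
    """Flatten a policy into a set of (role, member) pairs."""
    return {(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])}


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`.

    Existing bindings and the etag are kept, so set-iam-policy does not
    drop other principals and fails if the policy changed in the meantime.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Only reuse an unconditional binding for the same role.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return updated


def lost_grants(before, after):
    """(role, member) pairs that applying `after` would silently remove."""
    return sorted(grants(before) - grants(after))


def write_policy_file(policy, path):
    """Write the policy-file argument for set-iam-policy."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)


if __name__ == "__main__":
    buyer = "user:buyer@example.com"  # hypothetical principal
    role = "roles/consumerprocurement.orderAdmin"
    merged = add_binding(CURRENT_POLICY, role, buyer)
    # A policy file written from scratch with only the new binding.
    naive = {"bindings": [{"role": role, "members": [buyer]}]}
    print("merged policy removes:", lost_grants(CURRENT_POLICY, merged))
    print("naive policy removes: ", lost_grants(CURRENT_POLICY, naive))
    write_policy_file(merged, "policy-file.json")
```

Running `lost_grants` against the live policy before calling set-iam-policy is a cheap guard against locking the billing administrators out.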
Use custom roles with Cloud Marketplace
If you want granular control over the permissions that you grant to users, you can create custom roles with the permissions that you want to grant.
If you create a custom role for users who purchase services from Cloud Marketplace, the role must include the following permissions for the billing account that they use to purchase services:
Access partner websites with single sign-on (SSO)
Certain Marketplace products support single sign-on (SSO) to a partner's external website. Authorized users in the organization have access to the "MANAGE ON PROVIDER" button on the product details page. This button takes users to the partner's website. In some cases, users are prompted to sign in with Google. In other cases, users sign in with a shared account context.
To access the SSO feature, users navigate to the product details page and select an appropriate project. The project must be linked to a billing account where the plan was purchased. For more information about managing Marketplace plans, see Manage billing plans.
In addition, the user must have sufficient IAM permissions in the selected project. Currently, most products require roles/consumerprocurement.entitlementManager (or the roles/editor basic role).
Minimum permissions for specific products
The following products can operate on a different set of permissions to access SSO features:
- Apache Kafka on Confluent Cloud
- DataStax Astra for Apache Cassandra
- Elastic Cloud
- Neo4j Aura Professional
- Redis Enterprise Cloud
For these products, you can use the following minimum permissions:
- consumerprocurement.entitlements.get
- consumerprocurement.entitlements.list
- serviceusage.services.get
- serviceusage.services.list
- resourcemanager.projects.get
These permissions are typically granted with the roles/consumerprocurement.entitlementManager or roles/consumerprocurement.entitlementViewer roles.
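To see what each predefined role carries beyond the five minimum SSO permissions, the following added example (not part of the original page) diffs the permission lists from the role table and emits a role definition file for `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=FILE`. The read-verb heuristic, the role title and the description are assumptions, and the page does not state whether every listed permission is supported in custom roles.

```python
# Permission lists copied from the role table on this page
# (wildcard summary rows such as consumerprocurement.entitlements.* omitted).
ENTITLEMENT_VIEWER = {
    "commerceoffercatalog.offers.get",
    "consumerprocurement.consents.check",
    "consumerprocurement.consents.list",
    "consumerprocurement.entitlements.get",
    "consumerprocurement.entitlements.list",
    "consumerprocurement.freeTrials.get",
    "consumerprocurement.freeTrials.list",
    "orgpolicy.policy.get",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "serviceusage.services.get",
    "serviceusage.services.list",
}
# Per the table, entitlementManager is entitlementViewer plus these five.
ENTITLEMENT_MANAGER = ENTITLEMENT_VIEWER | {
    "consumerprocurement.consents.grant",
    "consumerprocurement.consents.revoke",
    "consumerprocurement.freeTrials.create",
    "serviceusage.services.disable",
    "serviceusage.services.enable",
}
# Minimum permissions the page lists for the SSO-capable products.
SSO_MINIMUM = {
    "consumerprocurement.entitlements.get",
    "consumerprocurement.entitlements.list",
    "serviceusage.services.get",
    "serviceusage.services.list",
    "resourcemanager.projects.get",
}
# Assumption: a permission whose last segment is one of these verbs is read-only.
READ_VERBS = {"get", "list", "check"}


def excess(role_permissions, required):
    """Permissions a role grants beyond `required`; error if it falls short."""
    missing = required - role_permissions
    if missing:
        raise ValueError(f"role lacks required permissions: {sorted(missing)}")
    return sorted(role_permissions - required)


def mutating(permissions):
    """Subset of `permissions` whose verb is not in READ_VERBS."""
    return sorted(p for p in permissions
                  if p.rsplit(".", 1)[1] not in READ_VERBS)


def custom_role_yaml(title, description, permissions):
    """Render a role definition file for `gcloud iam roles create --file`."""
    lines = [f"title: {title}", f"description: {description}",
             "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(permissions)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, perms in (("entitlementViewer", ENTITLEMENT_VIEWER),
                        ("entitlementManager", ENTITLEMENT_MANAGER)):
        extra = excess(perms, SSO_MINIMUM)
        print(f"{name}: {len(extra)} extra, mutating: {mutating(extra)}")
    # Hypothetical title and description for the custom role.
    print(custom_role_yaml("Marketplace SSO Minimum",
                           "Minimum permissions for partner SSO", SSO_MINIMUM))
```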