This page describes the Identity and Access Management (IAM) roles and permissions
that you need to purchase and manage commercial products on Cloud Marketplace.
With IAM, you manage access control by defining who (identity)
has what access (role) to which resource. For commercial applications on Cloud Marketplace, users in your Google Cloud organization need IAM roles to sign up for Cloud Marketplace plans and to make changes to billing plans.
Before you begin
- To grant Cloud Marketplace roles and permissions using gcloud, install the gcloud CLI. Otherwise, you can grant roles using the Google Cloud console.
IAM roles for purchasing and managing products
We recommend that you assign the Billing Account Administrator IAM role to users who purchase services from Cloud Marketplace.
Users who want to access the services must have at least the Viewer role.
For more granular control over user permissions, you can create custom roles with the permissions that you want to grant.
Product-specific requirements
To use the following services in a Google Cloud project, you must have the Project Editor role:
- Google Cloud Dataprep by Trifacta
- Neo4j Aura Professional
List of IAM roles and permissions
You can grant users one or more of the following IAM roles.
Depending on the role that you grant to users, you must also assign the role
to the billing account, organization, or Google Cloud project. For details,
see the section on Granting IAM roles to users.
Role |
Permissions |
Commerce Business Enablement Configuration Admin
Beta
(roles/commercebusinessenablement.admin)
Admin of Various Provider Configuration resources
|
commercebusinessenablement.leadgenConfig.*
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.leadgenConfig.update
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.*
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.*
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Admin
Beta
(roles/commercebusinessenablement.paymentConfigAdmin)
Administration of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.*
commercebusinessenablement.paymentConfig.get
commercebusinessenablement.paymentConfig.update
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Viewer
Beta
(roles/commercebusinessenablement.paymentConfigViewer)
Viewer of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Rebates Admin
Beta
(roles/commercebusinessenablement.rebatesAdmin)
Provides admin access to rebates
|
commercebusinessenablement.operations.*
commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.*
commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update
|
Commerce Business Enablement Rebates Viewer
Beta
(roles/commercebusinessenablement.rebatesViewer)
Provides read-only access to rebates
|
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
|
Commerce Business Enablement Reseller Discount Admin
Beta
(roles/commercebusinessenablement.resellerDiscountAdmin)
Provides admin access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.*
commercebusinessenablement.resellerDiscountOffers.cancel
commercebusinessenablement.resellerDiscountOffers.create
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.*
commercebusinessenablement.resellerPrivateOfferPlans.cancel
commercebusinessenablement.resellerPrivateOfferPlans.create
commercebusinessenablement.resellerPrivateOfferPlans.delete
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerPrivateOfferPlans.publish
commercebusinessenablement.resellerPrivateOfferPlans.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Reseller Discount Viewer
Beta
(roles/commercebusinessenablement.resellerDiscountViewer)
Provides read-only access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Configuration Viewer
Beta
(roles/commercebusinessenablement.viewer)
Viewer of Various Provider Configuration resource
|
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerRestrictions.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Offer Catalog Offers Viewer
Beta
(roles/commerceoffercatalog.offersViewer)
Allows viewing offers
|
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
|
Commerce Organization Governance Admin
Beta
(roles/commerceorggovernance.admin)
Full access to Organization Governance APIs
|
commerceorggovernance.*
commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collectionRequestApprovals.review
commerceorggovernance.collections.create
commerceorggovernance.collections.delete
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.collections.update
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.consumerSharingPolicies.update
commerceorggovernance.organizationSettings.get
commerceorggovernance.organizationSettings.update
commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Governed Marketplace User
Beta
(roles/commerceorggovernance.user)
Full access to Governed Marketplace features.
|
commerceorggovernance.services.*
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Organization Governance Viewer
Beta
(roles/commerceorggovernance.viewer)
Full access to Organization Governance read-only APIs.
|
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.organizationSettings.get
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.services.get
commerceorggovernance.services.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Events Viewer
Beta
(roles/commercepricemanagement.eventsViewer)
Allows viewing key events for an offer
|
commerceprice.events.*
commerceprice.events.get
commerceprice.events.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Private Offers Admin
Beta
(roles/commercepricemanagement.privateOffersAdmin)
Allows managing private offers
|
commerceagreementpublishing.*
commerceagreementpublishing.agreements.create
commerceagreementpublishing.agreements.delete
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.agreements.update
commerceagreementpublishing.documents.create
commerceagreementpublishing.documents.delete
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceagreementpublishing.documents.update
commerceprice.*
commerceprice.events.get
commerceprice.events.list
commerceprice.privateoffers.cancel
commerceprice.privateoffers.create
commerceprice.privateoffers.delete
commerceprice.privateoffers.get
commerceprice.privateoffers.list
commerceprice.privateoffers.publish
commerceprice.privateoffers.sendEmail
commerceprice.privateoffers.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Price Management Viewer
Beta
(roles/commercepricemanagement.viewer)
Allows viewing offers, free trials, skus
|
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceprice.privateoffers.get
commerceprice.privateoffers.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Producer Admin
Beta
(roles/commerceproducer.admin)
Grants full access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Producer Viewer
Beta
(roles/commerceproducer.viewer)
Grants read access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Consumer Procurement Entitlement Manager
(roles/consumerprocurement.entitlementManager)
Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.*
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Entitlement Viewer
(roles/consumerprocurement.entitlementViewer)
Allows inspecting entitlements and service states for a consumer project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Events Viewer
(roles/consumerprocurement.eventsViewer)
Allows viewing key events for an offer
|
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
|
Consumer Procurement License Pool Editor
(roles/consumerprocurement.licensePoolEditor)
Allows managing license pools and license assignments.
|
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
|
Consumer Procurement License Pool Viewer
(roles/consumerprocurement.licensePoolViewer)
Allows viewing license pools and license assignments.
|
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
|
Consumer Procurement Order Administrator
(roles/consumerprocurement.orderAdmin)
Allows managing purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
consumerprocurement.orderAttributions.*
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.*
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
|
Consumer Procurement Order Viewer
(roles/consumerprocurement.orderViewer)
Allows inspecting purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
|
Consumer Procurement Administrator
(roles/consumerprocurement.procurementAdmin)
Allows managing purchases, consents at both billing account and project level.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.allowProjectGrant
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Viewer
(roles/consumerprocurement.procurementViewer)
Allows inspecting purchases, consents and entitlements and service states for a consumer project.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Granting IAM roles to users
Of the roles in the preceding table, the consumerprocurement.orderAdmin and consumerprocurement.orderViewer roles must be assigned at the billing account or organization level, and the consumerprocurement.entitlementManager and consumerprocurement.entitlementViewer roles must be assigned at the project or organization level.
To grant roles to users using gcloud, run one of the following commands:
Organization
You must have the resourcemanager.organizationAdmin role to assign roles at the organization level.
gcloud organizations add-iam-policy-binding organization-id \
--member=member --role=role-id
The placeholder values are:
- organization-id: The numeric ID of the organization in which you are granting the role.
- member: The user that you are granting access to.
- role-id: The role ID, from the preceding table.
Billing account
You must have the billing.admin role to assign roles at the billing account level.
gcloud beta billing accounts set-iam-policy account-id \
policy-file
The placeholder values are:
- account-id: The billing account ID, which you can get from the Manage billing accounts page.
- policy-file: An IAM policy file, in JSON or YAML format. The policy file must contain the role IDs from the preceding table, and the users that you are assigning the roles to.
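The following added example (not part of the original page) builds the contents of policy-file by merging one new binding into the current billing account policy, then checks that no existing binding would be removed, since set-iam-policy replaces the whole policy with the file. The sample policy, member addresses, etag value, and function names are constructed for illustration.

```python
import copy
import json

# Per the page, these roles belong at the project or organization level,
# so they are rejected when building a billing-account policy file.
PROJECT_LEVEL_ROLES = {
    "roles/consumerprocurement.entitlementManager",
    "roles/consumerprocurement.entitlementViewer",
}

# Constructed sample of a current billing-account policy (not real data),
# shaped like the JSON output of a get-iam-policy call.
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/billing.admin", "members": ["user:owner@example.com"]},
        {"role": "roles/consumerprocurement.orderViewer",
         "members": ["user:auditor@example.com"]},
    ],
    "etag": "CONSTRUCTED_ETAG",
}


def add_billing_binding(current_policy, role, member):
    """Return a copy of current_policy with member added to role.

    Existing bindings and the etag are carried over, because
    set-iam-policy replaces the whole policy with the file's contents.
    """
    if role in PROJECT_LEVEL_ROLES:
        raise ValueError(f"{role} must be granted at project or organization level")
    policy = copy.deepcopy(current_policy)
    bindings = policy.setdefault("bindings", [])
    for binding in bindings:
        # Merge only into an unconditional binding for the same role.
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return policy


def binding_pairs(policy):
    """Flatten a policy into a set of (role, member) pairs."""
    return {(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])}


def dropped_bindings(current_policy, proposed_policy):
    """List (role, member) pairs that applying proposed_policy would remove."""
    return sorted(binding_pairs(current_policy) - binding_pairs(proposed_policy))


if __name__ == "__main__":
    proposed = add_billing_binding(
        CURRENT_POLICY, "roles/consumerprocurement.orderAdmin",
        "user:buyer@example.com")
    assert dropped_bindings(CURRENT_POLICY, proposed) == []
    print(json.dumps(proposed, indent=2))  # contents for policy-file
```

A policy file that contains only the new binding would make dropped_bindings report the existing roles/billing.admin member, which is the case to catch before running the command.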
Project
You must have the resourcemanager.folderAdmin role to assign roles at the project level.
gcloud projects add-iam-policy-binding project-id \
--member=member --role=role-id
The placeholder values are:
- project-id: The project in which you are granting the role.
- member: The user that you are granting access to.
- role-id: The role ID, from the preceding table.
To grant roles to users using the Google Cloud console, see the IAM documentation on Granting, changing, and revoking access for users.
Using custom roles with Cloud Marketplace
If you want granular control over the permissions that you grant to users, you can create custom roles with the permissions that you want to grant.
If you create a custom role for users who purchase services from Cloud Marketplace, the role must include the following permissions for the billing account that they use to purchase services:
Accessing partner websites with Single Sign-On (SSO)
Certain Marketplace products support Single Sign-On (SSO) to a partner's
external website. Authorized users within the organization have access to the
"MANAGE ON PROVIDER" button on the product details page. This button
takes users to the partner's website. In some cases, users
are prompted to "Sign in with Google". In other cases, users are signed in within
the context of a shared account.
To access the SSO capability, users open the product details page and then select an appropriate project. The project must be linked to the billing account where the plan was purchased. For details about managing Marketplace plans, see Managing billing plans.
In addition, users must have sufficient IAM permissions in the selected project. For most products, roles/consumerprocurement.entitlementManager (or the roles/editor basic role) is currently required.
Minimum permissions for specific products
The following products can operate on a different set of permissions to access
SSO capabilities:
- Apache Kafka on Confluent Cloud
- DataStax Astra for Apache Cassandra
- Elastic Cloud
- Neo4j Aura Professional
- Redis Enterprise Cloud
For these products, you can use the following minimum permissions:
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
serviceusage.services.get
serviceusage.services.list
resourcemanager.projects.get
These permissions are typically granted with the roles/consumerprocurement.entitlementManager or roles/consumerprocurement.entitlementViewer roles.
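The following added example (not part of the original page) compares three roles from the table above against the minimum SSO permission set and picks the role that covers it with the fewest additional permissions. The permission lists are copied from this page's role table; the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Minimum permissions the page lists for SSO to the named partner products.
SSO_MINIMUM = [
    "consumerprocurement.entitlements.get",
    "consumerprocurement.entitlements.list",
    "serviceusage.services.get",
    "serviceusage.services.list",
    "resourcemanager.projects.get",
]

# Permission lists copied from the role table on this page.
VIEWER = [
    "commerceoffercatalog.offers.get",
    "consumerprocurement.consents.check", "consumerprocurement.consents.list",
    "consumerprocurement.entitlements.*",
    "consumerprocurement.entitlements.get", "consumerprocurement.entitlements.list",
    "consumerprocurement.freeTrials.get", "consumerprocurement.freeTrials.list",
    "orgpolicy.policy.get",
    "resourcemanager.projects.get", "resourcemanager.projects.list",
    "serviceusage.services.get", "serviceusage.services.list",
]

ROLES = {
    "roles/consumerprocurement.entitlementViewer": VIEWER,
    # In the table, entitlementManager is the viewer list plus these entries.
    "roles/consumerprocurement.entitlementManager": VIEWER + [
        "consumerprocurement.consents.grant", "consumerprocurement.consents.revoke",
        "consumerprocurement.freeTrials.*", "consumerprocurement.freeTrials.create",
        "serviceusage.services.disable", "serviceusage.services.enable",
    ],
    "roles/commerceorggovernance.user": [
        "commerceorggovernance.services.*", "commerceorggovernance.services.get",
        "commerceorggovernance.services.list", "commerceorggovernance.services.request",
        "consumerprocurement.entitlements.*",
        "consumerprocurement.entitlements.get", "consumerprocurement.entitlements.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    ],
}


def audit(granted):
    """Compare a role's permissions with SSO_MINIMUM.

    Wildcard entries such as "consumerprocurement.entitlements.*" count
    toward coverage but are not reported as extras.
    """
    missing = [p for p in SSO_MINIMUM
               if not any(fnmatchcase(p, g) for g in granted)]
    extra = sorted({g for g in granted
                    if not g.endswith("*") and g not in SSO_MINIMUM})
    return {"missing": missing, "extra": extra}


def narrowest_sufficient_role(roles):
    """Return the role that covers SSO_MINIMUM with the fewest extras."""
    reports = {name: audit(perms) for name, perms in roles.items()}
    ok = [n for n, r in reports.items() if not r["missing"]]
    return min(ok, key=lambda n: len(reports[n]["extra"])) if ok else None


if __name__ == "__main__":
    for name, perms in ROLES.items():
        print(name, audit(perms))
    print("narrowest:", narrowest_sufficient_role(ROLES))
```

With the table's data, both entitlement roles cover the minimum set, and the difference between them is the write permissions that entitlementManager adds.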