此页面由 Cloud Translation API 翻译。

使用 IAM 进行访问权限控制

本页面介绍您在 Cloud Marketplace 上购买和管理商业产品所需的 Identity and Access Management (IAM) 角色和权限。

借助 IAM，您可以通过定义谁（身份）对哪些资源具有哪种访问权限（角色）来管理访问权限控制。对于 Cloud Marketplace 上的商业应用，您的 Google Cloud 组织中的用户需要 IAM 角色，才能注册 Cloud Marketplace 方案和更改结算方案。

准备工作

如需使用 gcloud 授予 Cloud Marketplace 角色和权限，请安装 gcloud CLI。或者，您也可以使用 Google Cloud 控制台授予角色。

用于购买和管理产品的 IAM 角色

我们建议您为从 Cloud Marketplace 购买服务的用户分配 Billing Administrator (roles/billing.admin) IAM 角色。

用户如需访问这些服务，必须至少具有 Project Viewer (roles/viewer) 角色。

如果您需要更精细地控制用户权限，则可以使用要授予的权限创建自定义角色。

IAM 角色和权限列表

您可以为用户授予以下一个或多个 IAM 角色。根据您向用户授予的角色，您还必须将角色分配给 Google Cloud 结算账号、组织或项目。如需了解详情，请参阅向用户授予 IAM 角色部分。

Role Permissions

Role	Permissions
Commerce Business Enablement Configuration Admin ^Beta (`roles/commercebusinessenablement.admin`) Admin of Various Provider Configuration resources	`commercebusinessenablement.leadgenConfig.` `commercebusinessenablement.leadgenConfig.get` `commercebusinessenablement.leadgenConfig.update` `commercebusinessenablement.partnerAccounts.` `commercebusinessenablement.partnerAccounts.get` `commercebusinessenablement.partnerAccounts.list` `commercebusinessenablement.partnerInfo.get` `commercebusinessenablement.resellerConfig.` `commercebusinessenablement.resellerConfig.get` `commercebusinessenablement.resellerConfig.update` `commercebusinessenablement.resellerRestrictions.` `commercebusinessenablement.resellerRestrictions.list` `commercebusinessenablement.resellerRestrictions.update` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Commerce Business Enablement PaymentConfig Admin ^Beta (`roles/commercebusinessenablement.paymentConfigAdmin`) Administration of Payment Configuration resource	`commercebusinessenablement.partnerInfo.get` `commercebusinessenablement.paymentConfig.*` `commercebusinessenablement.paymentConfig.get` `commercebusinessenablement.paymentConfig.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Commerce Business Enablement PaymentConfig Viewer ^Beta (`roles/commercebusinessenablement.paymentConfigViewer`) Viewer of Payment Configuration resource	`commercebusinessenablement.partnerInfo.get` `commercebusinessenablement.paymentConfig.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Commerce Business Enablement Rebates Admin ^Beta (`roles/commercebusinessenablement.rebatesAdmin`) Provides admin access to rebates	`commercebusinessenablement.operations.` `commercebusinessenablement.operations.cancel` `commercebusinessenablement.operations.delete` `commercebusinessenablement.operations.get` `commercebusinessenablement.operations.list` `commercebusinessenablement.partnerInfo.get` `commercebusinessenablement.refunds.` `commercebusinessenablement.refunds.cancel` `commercebusinessenablement.refunds.create` `commercebusinessenablement.refunds.delete` `commercebusinessenablement.refunds.get` `commercebusinessenablement.refunds.list` `commercebusinessenablement.refunds.start` `commercebusinessenablement.refunds.update`
Commerce Business Enablement Rebates Viewer ^Beta (`roles/commercebusinessenablement.rebatesViewer`) Provides read-only access to rebates	`commercebusinessenablement.operations.get` `commercebusinessenablement.operations.list` `commercebusinessenablement.partnerInfo.get` `commercebusinessenablement.refunds.get` `commercebusinessenablement.refunds.list`
Commerce Business Enablement Reseller Discount Admin ^Beta (`roles/commercebusinessenablement.resellerDiscountAdmin`) Provides admin access to reseller discount offers	`commercebusinessenablement.partnerAccounts.` `commercebusinessenablement.partnerAccounts.get` `commercebusinessenablement.partnerAccounts.list` `commercebusinessenablement.partnerInfo.get` `commercebusinessenablement.resellerConfig.get` `commercebusinessenablement.resellerDiscountConfig.get` `commercebusinessenablement.resellerDiscountOffers.` `commercebusinessenablement.resellerDiscountOffers.cancel` `commercebusinessenablement.resellerDiscountOffers.create` `commercebusinessenablement.resellerDiscountOffers.list` `commercebusinessenablement.resellerPrivateOfferPlans.*` `commercebusinessenablement.resellerPrivateOfferPlans.cancel` `commercebusinessenablement.resellerPrivateOfferPlans.create` `commercebusinessenablement.resellerPrivateOfferPlans.delete` `commercebusinessenablement.resellerPrivateOfferPlans.get` `commercebusinessenablement.resellerPrivateOfferPlans.list` `commercebusinessenablement.resellerPrivateOfferPlans.publish` `commercebusinessenablement.resellerPrivateOfferPlans.update` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Commerce Business Enablement Reseller Discount Viewer ^Beta (`roles/commercebusinessenablement.resellerDiscountViewer`) Provides read-only access to reseller discount offers	`commercebusinessenablement.partnerAccounts.*` `commercebusinessenablement.partnerAccounts.get` `commercebusinessenablement.partnerAccounts.list` `commercebusinessenablement.partnerInfo.get` `commercebusinessenablement.resellerConfig.get` `commercebusinessenablement.resellerDiscountConfig.get` `commercebusinessenablement.resellerDiscountOffers.list` `commercebusinessenablement.resellerPrivateOfferPlans.get` `commercebusinessenablement.resellerPrivateOfferPlans.list` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Commerce Business Enablement Configuration Viewer ^Beta (`roles/commercebusinessenablement.viewer`) Viewer of Various Provider Configuration resource	`commercebusinessenablement.leadgenConfig.get` `commercebusinessenablement.partnerAccounts.*` `commercebusinessenablement.partnerAccounts.get` `commercebusinessenablement.partnerAccounts.list` `commercebusinessenablement.partnerInfo.get` `commercebusinessenablement.resellerConfig.get` `commercebusinessenablement.resellerRestrictions.list` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Commerce Offer Catalog Offers Viewer ^Beta (`roles/commerceoffercatalog.offersViewer`) Allows viewing offers	`commerceoffercatalog.*` `commerceoffercatalog.agreements.get` `commerceoffercatalog.agreements.list` `commerceoffercatalog.documents.get` `commerceoffercatalog.documents.list` `commerceoffercatalog.offers.get`
Commerce Organization Governance Admin ^Beta (`roles/commerceorggovernance.admin`) Full access to Organization Governance APIs	`commerceorggovernance.*` `commerceorggovernance.collectionRequestApprovals.list` `commerceorggovernance.collectionRequestApprovals.review` `commerceorggovernance.collections.create` `commerceorggovernance.collections.delete` `commerceorggovernance.collections.get` `commerceorggovernance.collections.list` `commerceorggovernance.collections.update` `commerceorggovernance.consumerSharingPolicies.get` `commerceorggovernance.consumerSharingPolicies.update` `commerceorggovernance.organizationSettings.get` `commerceorggovernance.organizationSettings.update` `commerceorggovernance.populateCollectionJobs.create` `commerceorggovernance.populateCollectionJobs.list` `commerceorggovernance.populateCollectionJobs.run` `commerceorggovernance.populateCollectionJobs.update` `commerceorggovernance.services.get` `commerceorggovernance.services.list` `commerceorggovernance.services.request` `resourcemanager.projects.get` `resourcemanager.projects.list`
Governed Marketplace User ^Beta (`roles/commerceorggovernance.user`) Full access to Governed Marketplace features.	`commerceorggovernance.services.*` `commerceorggovernance.services.get` `commerceorggovernance.services.list` `commerceorggovernance.services.request` `resourcemanager.projects.get` `resourcemanager.projects.list`
Commerce Organization Governance Viewer ^Beta (`roles/commerceorggovernance.viewer`) Full access to Organization Governance read-only APIs.	`commerceorggovernance.collections.get` `commerceorggovernance.collections.list` `commerceorggovernance.consumerSharingPolicies.get` `commerceorggovernance.organizationSettings.get` `commerceorggovernance.populateCollectionJobs.list` `commerceorggovernance.services.get` `commerceorggovernance.services.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Commerce Price Management Events Viewer ^Beta (`roles/commercepricemanagement.eventsViewer`) Allows viewing key events for an offer	`commerceprice.events.*` `commerceprice.events.get` `commerceprice.events.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Commerce Price Management Private Offers Admin ^Beta (`roles/commercepricemanagement.privateOffersAdmin`) Allows managing private offers	`commerceagreementpublishing.` `commerceagreementpublishing.agreements.create` `commerceagreementpublishing.agreements.delete` `commerceagreementpublishing.agreements.get` `commerceagreementpublishing.agreements.list` `commerceagreementpublishing.agreements.update` `commerceagreementpublishing.documents.create` `commerceagreementpublishing.documents.delete` `commerceagreementpublishing.documents.get` `commerceagreementpublishing.documents.list` `commerceagreementpublishing.documents.update` `commerceprice.` `commerceprice.events.get` `commerceprice.events.list` `commerceprice.privateoffers.cancel` `commerceprice.privateoffers.create` `commerceprice.privateoffers.delete` `commerceprice.privateoffers.get` `commerceprice.privateoffers.list` `commerceprice.privateoffers.publish` `commerceprice.privateoffers.sendEmail` `commerceprice.privateoffers.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.get` `serviceusage.services.list`
Commerce Price Management Viewer ^Beta (`roles/commercepricemanagement.viewer`) Allows viewing offers, free trials, skus	`commerceagreementpublishing.agreements.get` `commerceagreementpublishing.agreements.list` `commerceagreementpublishing.documents.get` `commerceagreementpublishing.documents.list` `commerceprice.privateoffers.get` `commerceprice.privateoffers.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.get` `serviceusage.services.list`
Commerce Producer Admin ^Beta (`roles/commerceproducer.admin`) Grants full access to all resources in Cloud Commerce Producer API.	`commercebusinessenablement.partnerInfo.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Commerce Producer Viewer ^Beta (`roles/commerceproducer.viewer`) Grants read access to all resources in Cloud Commerce Producer API.	`commercebusinessenablement.partnerInfo.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Consumer Procurement Entitlement Manager (`roles/consumerprocurement.entitlementManager`) Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.	`commerceoffercatalog.offers.get` `consumerprocurement.consents.check` `consumerprocurement.consents.grant` `consumerprocurement.consents.list` `consumerprocurement.consents.revoke` `consumerprocurement.entitlements.` `consumerprocurement.entitlements.get` `consumerprocurement.entitlements.list` `consumerprocurement.freeTrials.` `consumerprocurement.freeTrials.create` `consumerprocurement.freeTrials.get` `consumerprocurement.freeTrials.list` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.disable` `serviceusage.services.enable` `serviceusage.services.get` `serviceusage.services.list`
Consumer Procurement Entitlement Viewer (`roles/consumerprocurement.entitlementViewer`) Allows inspecting entitlements and service states for a consumer project.	`commerceoffercatalog.offers.get` `consumerprocurement.consents.check` `consumerprocurement.consents.list` `consumerprocurement.entitlements.*` `consumerprocurement.entitlements.get` `consumerprocurement.entitlements.list` `consumerprocurement.freeTrials.get` `consumerprocurement.freeTrials.list` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.get` `serviceusage.services.list`
Consumer Procurement Events Viewer (`roles/consumerprocurement.eventsViewer`) Allows viewing key events for an offer	`consumerprocurement.events.*` `consumerprocurement.events.get` `consumerprocurement.events.list`
Consumer Procurement Order Administrator (`roles/consumerprocurement.orderAdmin`) Allows managing purchases.	`billing.accounts.get` `billing.accounts.getIamPolicy` `billing.accounts.list` `billing.accounts.redeemPromotion` `billing.credits.list` `billing.resourceAssociations.create` `commerceoffercatalog.` `commerceoffercatalog.agreements.get` `commerceoffercatalog.agreements.list` `commerceoffercatalog.documents.get` `commerceoffercatalog.documents.list` `commerceoffercatalog.offers.get` `consumerprocurement.accounts.` `consumerprocurement.accounts.create` `consumerprocurement.accounts.delete` `consumerprocurement.accounts.get` `consumerprocurement.accounts.list` `consumerprocurement.consents.check` `consumerprocurement.consents.grant` `consumerprocurement.consents.list` `consumerprocurement.consents.revoke` `consumerprocurement.events.` `consumerprocurement.events.get` `consumerprocurement.events.list` `consumerprocurement.orderAttributions.` `consumerprocurement.orderAttributions.get` `consumerprocurement.orderAttributions.list` `consumerprocurement.orderAttributions.update` `consumerprocurement.orders.*` `consumerprocurement.orders.cancel` `consumerprocurement.orders.get` `consumerprocurement.orders.list` `consumerprocurement.orders.modify` `consumerprocurement.orders.place`
Consumer Procurement Order Viewer (`roles/consumerprocurement.orderViewer`) Allows inspecting purchases.	`billing.accounts.get` `billing.accounts.getIamPolicy` `billing.accounts.list` `billing.credits.list` `commerceoffercatalog.*` `commerceoffercatalog.agreements.get` `commerceoffercatalog.agreements.list` `commerceoffercatalog.documents.get` `commerceoffercatalog.documents.list` `commerceoffercatalog.offers.get` `consumerprocurement.accounts.get` `consumerprocurement.accounts.list` `consumerprocurement.consents.check` `consumerprocurement.consents.list` `consumerprocurement.orderAttributions.get` `consumerprocurement.orderAttributions.list` `consumerprocurement.orders.get` `consumerprocurement.orders.list`
Consumer Procurement Administrator (`roles/consumerprocurement.procurementAdmin`) Allows managing purchases, consents at both billing account and project level.	`billing.accounts.get` `billing.accounts.getIamPolicy` `billing.accounts.list` `billing.accounts.redeemPromotion` `billing.credits.list` `billing.resourceAssociations.create` `commerceoffercatalog.` `commerceoffercatalog.agreements.get` `commerceoffercatalog.agreements.list` `commerceoffercatalog.documents.get` `commerceoffercatalog.documents.list` `commerceoffercatalog.offers.get` `consumerprocurement.` `consumerprocurement.accounts.create` `consumerprocurement.accounts.delete` `consumerprocurement.accounts.get` `consumerprocurement.accounts.list` `consumerprocurement.consents.allowProjectGrant` `consumerprocurement.consents.check` `consumerprocurement.consents.grant` `consumerprocurement.consents.list` `consumerprocurement.consents.revoke` `consumerprocurement.entitlements.get` `consumerprocurement.entitlements.list` `consumerprocurement.events.get` `consumerprocurement.events.list` `consumerprocurement.freeTrials.create` `consumerprocurement.freeTrials.get` `consumerprocurement.freeTrials.list` `consumerprocurement.orderAttributions.get` `consumerprocurement.orderAttributions.list` `consumerprocurement.orderAttributions.update` `consumerprocurement.orders.cancel` `consumerprocurement.orders.get` `consumerprocurement.orders.list` `consumerprocurement.orders.modify` `consumerprocurement.orders.place` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.disable` `serviceusage.services.enable` `serviceusage.services.get` `serviceusage.services.list`
Consumer Procurement Viewer (`roles/consumerprocurement.procurementViewer`) Allows inspecting purchases, consents and entitlements and service states for a consumer project.	`billing.accounts.get` `billing.accounts.getIamPolicy` `billing.accounts.list` `billing.credits.list` `commerceoffercatalog.` `commerceoffercatalog.agreements.get` `commerceoffercatalog.agreements.list` `commerceoffercatalog.documents.get` `commerceoffercatalog.documents.list` `commerceoffercatalog.offers.get` `consumerprocurement.accounts.get` `consumerprocurement.accounts.list` `consumerprocurement.consents.check` `consumerprocurement.consents.list` `consumerprocurement.entitlements.` `consumerprocurement.entitlements.get` `consumerprocurement.entitlements.list` `consumerprocurement.freeTrials.get` `consumerprocurement.freeTrials.list` `consumerprocurement.orderAttributions.get` `consumerprocurement.orderAttributions.list` `consumerprocurement.orders.get` `consumerprocurement.orders.list` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.get` `serviceusage.services.list`

Commerce Business Enablement Configuration Admin ^Beta

(roles/commercebusinessenablement.admin)

Admin of Various Provider Configuration resources

commercebusinessenablement.leadgenConfig.*

commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.leadgenConfig.update

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.*

commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerConfig.update

commercebusinessenablement.resellerRestrictions.*

commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Business Enablement PaymentConfig Admin ^Beta

(roles/commercebusinessenablement.paymentConfigAdmin)

Administration of Payment Configuration resource

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.paymentConfig.*

commercebusinessenablement.paymentConfig.get
commercebusinessenablement.paymentConfig.update

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Business Enablement PaymentConfig Viewer ^Beta

(roles/commercebusinessenablement.paymentConfigViewer)

Viewer of Payment Configuration resource

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.paymentConfig.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Business Enablement Rebates Admin ^Beta

(roles/commercebusinessenablement.rebatesAdmin)

Provides admin access to rebates

commercebusinessenablement.operations.*

commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.refunds.*

commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update

Commerce Business Enablement Rebates Viewer ^Beta

(roles/commercebusinessenablement.rebatesViewer)

Provides read-only access to rebates

commercebusinessenablement.operations.get

commercebusinessenablement.operations.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.refunds.get

commercebusinessenablement.refunds.list

Commerce Business Enablement Reseller Discount Admin ^Beta

(roles/commercebusinessenablement.resellerDiscountAdmin)

Provides admin access to reseller discount offers

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerDiscountConfig.get

commercebusinessenablement.resellerDiscountOffers.*

commercebusinessenablement.resellerDiscountOffers.cancel
commercebusinessenablement.resellerDiscountOffers.create
commercebusinessenablement.resellerDiscountOffers.list

commercebusinessenablement.resellerPrivateOfferPlans.*

commercebusinessenablement.resellerPrivateOfferPlans.cancel
commercebusinessenablement.resellerPrivateOfferPlans.create
commercebusinessenablement.resellerPrivateOfferPlans.delete
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerPrivateOfferPlans.publish
commercebusinessenablement.resellerPrivateOfferPlans.update

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Business Enablement Reseller Discount Viewer ^Beta

(roles/commercebusinessenablement.resellerDiscountViewer)

Provides read-only access to reseller discount offers

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerDiscountConfig.get

commercebusinessenablement.resellerDiscountOffers.list

commercebusinessenablement.resellerPrivateOfferPlans.get

commercebusinessenablement.resellerPrivateOfferPlans.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Business Enablement Configuration Viewer ^Beta

(roles/commercebusinessenablement.viewer)

Viewer of Various Provider Configuration resource

commercebusinessenablement.leadgenConfig.get

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerRestrictions.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Offer Catalog Offers Viewer ^Beta

(roles/commerceoffercatalog.offersViewer)

Allows viewing offers

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

Commerce Organization Governance Admin ^Beta

(roles/commerceorggovernance.admin)

Full access to Organization Governance APIs

commerceorggovernance.*

commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collectionRequestApprovals.review
commerceorggovernance.collections.create
commerceorggovernance.collections.delete
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.collections.update
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.consumerSharingPolicies.update
commerceorggovernance.organizationSettings.get
commerceorggovernance.organizationSettings.update
commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request

resourcemanager.projects.get

resourcemanager.projects.list

Governed Marketplace User ^Beta

(roles/commerceorggovernance.user)

Full access to Governed Marketplace features.

commerceorggovernance.services.*

commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Organization Governance Viewer ^Beta

(roles/commerceorggovernance.viewer)

Full access to Organization Governance read-only APIs.

commerceorggovernance.collections.get

commerceorggovernance.collections.list

commerceorggovernance.consumerSharingPolicies.get

commerceorggovernance.organizationSettings.get

commerceorggovernance.populateCollectionJobs.list

commerceorggovernance.services.get

commerceorggovernance.services.list

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Price Management Events Viewer ^Beta

(roles/commercepricemanagement.eventsViewer)

Allows viewing key events for an offer

commerceprice.events.*

commerceprice.events.get
commerceprice.events.list

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Price Management Private Offers Admin ^Beta

(roles/commercepricemanagement.privateOffersAdmin)

Allows managing private offers

commerceagreementpublishing.*

commerceagreementpublishing.agreements.create
commerceagreementpublishing.agreements.delete
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.agreements.update
commerceagreementpublishing.documents.create
commerceagreementpublishing.documents.delete
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceagreementpublishing.documents.update

commerceprice.*

commerceprice.events.get
commerceprice.events.list
commerceprice.privateoffers.cancel
commerceprice.privateoffers.create
commerceprice.privateoffers.delete
commerceprice.privateoffers.get
commerceprice.privateoffers.list
commerceprice.privateoffers.publish
commerceprice.privateoffers.sendEmail
commerceprice.privateoffers.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Commerce Price Management Viewer ^Beta

(roles/commercepricemanagement.viewer)

Allows viewing offers, free trials, skus

commerceagreementpublishing.agreements.get

commerceagreementpublishing.agreements.list

commerceagreementpublishing.documents.get

commerceagreementpublishing.documents.list

commerceprice.privateoffers.get

commerceprice.privateoffers.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Commerce Producer Admin ^Beta

(roles/commerceproducer.admin)

Grants full access to all resources in Cloud Commerce Producer API.

commercebusinessenablement.partnerInfo.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Producer Viewer ^Beta

(roles/commerceproducer.viewer)

Grants read access to all resources in Cloud Commerce Producer API.

commercebusinessenablement.partnerInfo.get

resourcemanager.projects.get

resourcemanager.projects.list

Consumer Procurement Entitlement Manager

(roles/consumerprocurement.entitlementManager)

Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.

commerceoffercatalog.offers.get

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.entitlements.*

consumerprocurement.entitlements.get
consumerprocurement.entitlements.list

consumerprocurement.freeTrials.*

consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

Consumer Procurement Entitlement Viewer

(roles/consumerprocurement.entitlementViewer)

Allows inspecting entitlements and service states for a consumer project.

commerceoffercatalog.offers.get

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.entitlements.*

consumerprocurement.entitlements.get
consumerprocurement.entitlements.list

consumerprocurement.freeTrials.get

consumerprocurement.freeTrials.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Consumer Procurement Events Viewer

(roles/consumerprocurement.eventsViewer)

Allows viewing key events for an offer

consumerprocurement.events.*

consumerprocurement.events.get
consumerprocurement.events.list

Consumer Procurement Order Administrator

(roles/consumerprocurement.orderAdmin)

Allows managing purchases.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

consumerprocurement.accounts.*

consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

consumerprocurement.events.get
consumerprocurement.events.list

consumerprocurement.orderAttributions.*

consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update

consumerprocurement.orders.*

consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place

Consumer Procurement Order Viewer

(roles/consumerprocurement.orderViewer)

Allows inspecting purchases.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.credits.list

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

Consumer Procurement Administrator

(roles/consumerprocurement.procurementAdmin)

Allows managing purchases, consents at both billing account and project level.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

consumerprocurement.*

consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.allowProjectGrant
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

Consumer Procurement Viewer

(roles/consumerprocurement.procurementViewer)

Allows inspecting purchases, consents and entitlements and service states for a consumer project.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.credits.list

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.entitlements.*

consumerprocurement.entitlements.get
consumerprocurement.entitlements.list

consumerprocurement.freeTrials.get

consumerprocurement.freeTrials.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

向用户授予 IAM 角色

对于上表中的角色，您必须在结算账号或组织级层分配 consumerprocurement.orderAdmin 和 consumerprocurement.orderViewer 角色，必须在项目或组织级层分配 consumerprocurement.entitlementManager 和 consumerprocurement.entitlementViewer 角色。

如需使用 gcloud 为用户授予角色，请运行以下命令之一：

组织

您必须具有 resourcemanager.organizationAdmin 角色才能在组织级层分配角色。

gcloud organizations add-iam-policy-binding organization-id \
--member=member --role=role-id

占位值如下：

organization-id：您要向其授予角色的组织的数字 ID。
member：要向其授予访问权限的用户。
role-id：上表中的角色 ID。

结算账号

您必须具有 billing.admin 角色才能在结算账号级层分配角色。

gcloud beta billing accounts set-iam-policy account-id \
policy-file

占位值如下：

account-id：您的结算账号 ID，您可以从“管理结算账号”页面获得。
policy-file：IAM 政策文件，采用 JSON 或 YAML 格式。政策文件必须包含上表中的角色 ID，以及要为其分配这些角色的用户。

项目

您必须具有 resourcemanager.folderAdmin 角色才能在项目级层分配角色。

gcloud projects add-iam-policy-binding project-id \
--member=member --role=role-id

占位值如下：

project-id：要为其授予角色的项目。
member：要向其授予访问权限的用户。
role-id：上表中的角色 ID。

如需使用 Google Cloud 控制台为用户授予角色，请参阅 IAM 有关授予、更改和撤消用户访问权限的文档。

将自定义角色与 Cloud Marketplace 搭配使用

如果您想精细控制您授予用户的权限，您可以使用授予的权限创建自定义角色。

如果您要为通过以下服务购买服务的用户创建自定义角色该角色必须包含以下结算账号：

billing.accounts.get，通常使用 roles/consumerprocurement.orderAdmin 角色授予。
consumerprocurement.orders.get，通常使用 roles/consumerprocurement.orderAdmin 角色授予。
consumerprocurement.orders.list，通常使用 roles/consumerprocurement.orderAdmin 角色授予。
consumerprocurement.orders.place，通常使用 roles/consumerprocurement.orderAdmin 角色授予。
consumerprocurement.accounts.get，通常使用 roles/consumerprocurement.orderAdmin 角色授予。
consumerprocurement.accounts.list，通常使用 roles/consumerprocurement.orderAdmin 角色授予。
consumerprocurement.accounts.create，通常使用 roles/consumerprocurement.orderAdmin 角色授予。

通过单点登录 (SSO) 访问合作伙伴网站

某些 Marketplace 产品支持通过单点登录 (SSO) 访问合作伙伴的外部网站。组织内的授权用户可以使用产品详情页面上的“在提供商网站上管理”按钮。点击此按钮后，系统会将用户转到合作伙伴的网站。在某些情况下，系统会提示用户“使用 Google 账号登录”。在其他情况下，用户会通过共享账号上下文登录。

如需使用 SSO 功能，用户需要导航到产品详情页面，然后选择适当的项目。该项目必须与购买该方案的结算账号关联。如需详细了解 Marketplace 方案管理，请参阅管理结算方案。

此外，用户必须在所选项目中拥有足够的 IAM 权限。对于大多数商品，roles/consumerprocurement.entitlementManager（或 roles/editor 基本角色）。

特定产品的最小权限

以下产品可按不同的权限集访问 SSO 功能：

Confluent Cloud 上的 Apache Kafka
适用于 Apache Cassandra 的 DataStax Astra
Elastic Cloud
Neo4j Aura 专业版
Redis Enterprise Cloud

对于这些产品，您可以使用以下最小权限：

consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
serviceusage.services.get
serviceusage.services.list
resourcemanager.projects.get

这些权限通常通过 roles/consumerprocurement.entitlementManager 或 roles/consumerprocurement.entitlementViewer 角色。

使用 IAM 进行访问权限控制

准备工作

用于购买和管理产品的 IAM 角色

IAM 角色和权限列表

Commerce Business Enablement Configuration Admin Beta

Commerce Business Enablement PaymentConfig Admin Beta

Commerce Business Enablement PaymentConfig Viewer Beta

Commerce Business Enablement Rebates Admin Beta

Commerce Business Enablement Rebates Viewer Beta

Commerce Business Enablement Reseller Discount Admin Beta

Commerce Business Enablement Reseller Discount Viewer Beta

Commerce Business Enablement Configuration Viewer Beta

Commerce Offer Catalog Offers Viewer Beta

Commerce Organization Governance Admin Beta

Governed Marketplace User Beta

Commerce Organization Governance Viewer Beta

Commerce Price Management Events Viewer Beta

Commerce Price Management Private Offers Admin Beta

Commerce Price Management Viewer Beta

Commerce Producer Admin Beta

Commerce Producer Viewer Beta

Consumer Procurement Entitlement Manager

Consumer Procurement Entitlement Viewer

Consumer Procurement Events Viewer

Consumer Procurement Order Administrator

Consumer Procurement Order Viewer

Consumer Procurement Administrator

Consumer Procurement Viewer

向用户授予 IAM 角色

组织

结算账号

项目

将自定义角色与 Cloud Marketplace 搭配使用

通过单点登录 (SSO) 访问合作伙伴网站

特定产品的最小权限

Commerce Business Enablement Configuration Admin ^Beta

Commerce Business Enablement PaymentConfig Admin ^Beta

Commerce Business Enablement PaymentConfig Viewer ^Beta

Commerce Business Enablement Rebates Admin ^Beta

Commerce Business Enablement Rebates Viewer ^Beta

Commerce Business Enablement Reseller Discount Admin ^Beta

Commerce Business Enablement Reseller Discount Viewer ^Beta

Commerce Business Enablement Configuration Viewer ^Beta

Commerce Offer Catalog Offers Viewer ^Beta

Commerce Organization Governance Admin ^Beta

Governed Marketplace User ^Beta

Commerce Organization Governance Viewer ^Beta

Commerce Price Management Events Viewer ^Beta

Commerce Price Management Private Offers Admin ^Beta

Commerce Price Management Viewer ^Beta

Commerce Producer Admin ^Beta

Commerce Producer Viewer ^Beta