Halaman ini menjelaskan peran dan izin Identity and Access Management (IAM) yang Anda perlukan untuk membeli dan mengelola produk komersial di Cloud Marketplace.
Dengan IAM, Anda dapat mengelola kontrol akses dengan menentukan siapa (identitas) yang memiliki akses (peran) untuk resource mana. Untuk aplikasi komersial di Cloud Marketplace, pengguna di organisasi Google Cloud Anda memerlukan peran IAM untuk mendaftar ke paket Cloud Marketplace, dan untuk membuat perubahan pada paket penagihan.
Sebelum memulai
- Untuk memberikan peran dan izin Cloud Marketplace menggunakan
gcloud, instal gcloud CLI. Jika tidak, Anda dapat memberikan peran menggunakan Konsol Google Cloud.
Peran IAM untuk membeli dan mengelola produk
Sebaiknya tetapkan peran IAM Administrator Penagihan (roles/billing.admin) kepada pengguna yang membeli layanan dari Cloud Marketplace.
Pengguna yang ingin mengakses layanan setidaknya harus memiliki peran Project Viewer (roles/viewer).
Jika memerlukan kontrol yang lebih terperinci atas izin pengguna, Anda dapat membuat peran khusus dengan izin yang ingin diberikan.
Daftar peran dan izin IAM
Anda dapat memberikan satu atau beberapa peran IAM berikut kepada pengguna.
Bergantung pada peran yang diberikan kepada pengguna, Anda juga harus menetapkan peran tersebut ke akun, organisasi, atau project penagihan Google Cloud. Untuk mengetahui detailnya,
lihat bagian Memberikan peran IAM kepada pengguna.
| Role |
Permissions |
Commerce Business Enablement Configuration Admin
Beta
(roles/commercebusinessenablement.admin)
Admin of Various Provider Configuration resources
|
commercebusinessenablement.leadgenConfig.*
commercebusinessenablement.leadgenConfig.getcommercebusinessenablement.leadgenConfig.update
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.getcommercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.*
commercebusinessenablement.resellerConfig.getcommercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.*
commercebusinessenablement.resellerRestrictions.listcommercebusinessenablement.resellerRestrictions.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Admin
Beta
(roles/commercebusinessenablement.paymentConfigAdmin)
Administration of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.*
commercebusinessenablement.paymentConfig.getcommercebusinessenablement.paymentConfig.update
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Viewer
Beta
(roles/commercebusinessenablement.paymentConfigViewer)
Viewer of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Rebates Admin
Beta
(roles/commercebusinessenablement.rebatesAdmin)
Provides admin access to rebates
|
commercebusinessenablement.operations.*
commercebusinessenablement.operations.cancelcommercebusinessenablement.operations.deletecommercebusinessenablement.operations.getcommercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.*
commercebusinessenablement.refunds.cancelcommercebusinessenablement.refunds.createcommercebusinessenablement.refunds.deletecommercebusinessenablement.refunds.getcommercebusinessenablement.refunds.listcommercebusinessenablement.refunds.startcommercebusinessenablement.refunds.update
|
Commerce Business Enablement Rebates Viewer
Beta
(roles/commercebusinessenablement.rebatesViewer)
Provides read-only access to rebates
|
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
|
Commerce Business Enablement Reseller Discount Admin
Beta
(roles/commercebusinessenablement.resellerDiscountAdmin)
Provides admin access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.getcommercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.*
commercebusinessenablement.resellerDiscountOffers.cancelcommercebusinessenablement.resellerDiscountOffers.createcommercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.*
commercebusinessenablement.resellerPrivateOfferPlans.cancelcommercebusinessenablement.resellerPrivateOfferPlans.createcommercebusinessenablement.resellerPrivateOfferPlans.deletecommercebusinessenablement.resellerPrivateOfferPlans.getcommercebusinessenablement.resellerPrivateOfferPlans.listcommercebusinessenablement.resellerPrivateOfferPlans.publishcommercebusinessenablement.resellerPrivateOfferPlans.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Reseller Discount Viewer
Beta
(roles/commercebusinessenablement.resellerDiscountViewer)
Provides read-only access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.getcommercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Configuration Viewer
Beta
(roles/commercebusinessenablement.viewer)
Viewer of Various Provider Configuration resource
|
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.getcommercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerRestrictions.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Offer Catalog Offers Viewer
Beta
(roles/commerceoffercatalog.offersViewer)
Allows viewing offers
|
commerceoffercatalog.*
commerceoffercatalog.agreements.getcommerceoffercatalog.agreements.listcommerceoffercatalog.documents.getcommerceoffercatalog.documents.listcommerceoffercatalog.offers.get
|
Commerce Organization Governance Admin
Beta
(roles/commerceorggovernance.admin)
Full access to Organization Governance APIs
|
commerceorggovernance.*
commerceorggovernance.collectionRequestApprovals.listcommerceorggovernance.collectionRequestApprovals.reviewcommerceorggovernance.collections.createcommerceorggovernance.collections.deletecommerceorggovernance.collections.getcommerceorggovernance.collections.listcommerceorggovernance.collections.updatecommerceorggovernance.consumerSharingPolicies.getcommerceorggovernance.consumerSharingPolicies.updatecommerceorggovernance.organizationSettings.getcommerceorggovernance.organizationSettings.updatecommerceorggovernance.populateCollectionJobs.createcommerceorggovernance.populateCollectionJobs.listcommerceorggovernance.populateCollectionJobs.runcommerceorggovernance.populateCollectionJobs.updatecommerceorggovernance.services.getcommerceorggovernance.services.listcommerceorggovernance.services.request
resourcemanager.projects.get
resourcemanager.projects.list
|
Governed Marketplace User
Beta
(roles/commerceorggovernance.user)
Full access to Governed Marketplace features.
|
commerceorggovernance.services.*
commerceorggovernance.services.getcommerceorggovernance.services.listcommerceorggovernance.services.request
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Organization Governance Viewer
Beta
(roles/commerceorggovernance.viewer)
Full access to Organization Governance read-only APIs.
|
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.organizationSettings.get
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.services.get
commerceorggovernance.services.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Events Viewer
Beta
(roles/commercepricemanagement.eventsViewer)
Allows viewing key events for an offer
|
commerceprice.events.*
commerceprice.events.getcommerceprice.events.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Private Offers Admin
Beta
(roles/commercepricemanagement.privateOffersAdmin)
Allows managing private offers
|
commerceagreementpublishing.*
commerceagreementpublishing.agreements.createcommerceagreementpublishing.agreements.deletecommerceagreementpublishing.agreements.getcommerceagreementpublishing.agreements.listcommerceagreementpublishing.agreements.updatecommerceagreementpublishing.documents.createcommerceagreementpublishing.documents.deletecommerceagreementpublishing.documents.getcommerceagreementpublishing.documents.listcommerceagreementpublishing.documents.update
commerceprice.*
commerceprice.events.getcommerceprice.events.listcommerceprice.privateoffers.cancelcommerceprice.privateoffers.createcommerceprice.privateoffers.deletecommerceprice.privateoffers.getcommerceprice.privateoffers.listcommerceprice.privateoffers.publishcommerceprice.privateoffers.sendEmailcommerceprice.privateoffers.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Price Management Viewer
Beta
(roles/commercepricemanagement.viewer)
Allows viewing offers, free trials, skus
|
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceprice.privateoffers.get
commerceprice.privateoffers.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Producer Admin
Beta
(roles/commerceproducer.admin)
Grants full access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Producer Viewer
Beta
(roles/commerceproducer.viewer)
Grants read access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Consumer Procurement Entitlement Manager
(roles/consumerprocurement.entitlementManager)
Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer
project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.*
consumerprocurement.entitlements.getconsumerprocurement.entitlements.list
consumerprocurement.freeTrials.*
consumerprocurement.freeTrials.createconsumerprocurement.freeTrials.getconsumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Entitlement Viewer
(roles/consumerprocurement.entitlementViewer)
Allows inspecting entitlements and service states for a consumer project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.getconsumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Events Viewer
(roles/consumerprocurement.eventsViewer)
Allows viewing key events for an offer
|
consumerprocurement.events.*
consumerprocurement.events.getconsumerprocurement.events.list
|
Consumer Procurement License Pool Editor
(roles/consumerprocurement.licensePoolEditor)
Allows managing license pools and license assignments.
|
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assignconsumerprocurement.licensePools.enumerateLicensedUsersconsumerprocurement.licensePools.getconsumerprocurement.licensePools.unassignconsumerprocurement.licensePools.update
|
Consumer Procurement License Pool Viewer
(roles/consumerprocurement.licensePoolViewer)
Allows viewing license pools and license assignments.
|
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
|
Consumer Procurement Order Administrator
(roles/consumerprocurement.orderAdmin)
Allows managing purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.getcommerceoffercatalog.agreements.listcommerceoffercatalog.documents.getcommerceoffercatalog.documents.listcommerceoffercatalog.offers.get
consumerprocurement.accounts.*
consumerprocurement.accounts.createconsumerprocurement.accounts.deleteconsumerprocurement.accounts.getconsumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.events.*
consumerprocurement.events.getconsumerprocurement.events.list
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assignconsumerprocurement.licensePools.enumerateLicensedUsersconsumerprocurement.licensePools.getconsumerprocurement.licensePools.unassignconsumerprocurement.licensePools.update
consumerprocurement.orderAttributions.*
consumerprocurement.orderAttributions.getconsumerprocurement.orderAttributions.listconsumerprocurement.orderAttributions.update
consumerprocurement.orders.*
consumerprocurement.orders.cancelconsumerprocurement.orders.getconsumerprocurement.orders.listconsumerprocurement.orders.modifyconsumerprocurement.orders.place
|
Consumer Procurement Order Viewer
(roles/consumerprocurement.orderViewer)
Allows inspecting purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.getcommerceoffercatalog.agreements.listcommerceoffercatalog.documents.getcommerceoffercatalog.documents.listcommerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
|
Consumer Procurement Administrator
(roles/consumerprocurement.procurementAdmin)
Allows managing purchases, consents at both billing account and project level.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.getcommerceoffercatalog.agreements.listcommerceoffercatalog.documents.getcommerceoffercatalog.documents.listcommerceoffercatalog.offers.get
consumerprocurement.*
consumerprocurement.accounts.createconsumerprocurement.accounts.deleteconsumerprocurement.accounts.getconsumerprocurement.accounts.listconsumerprocurement.consents.allowProjectGrantconsumerprocurement.consents.checkconsumerprocurement.consents.grantconsumerprocurement.consents.listconsumerprocurement.consents.revokeconsumerprocurement.entitlements.getconsumerprocurement.entitlements.listconsumerprocurement.events.getconsumerprocurement.events.listconsumerprocurement.freeTrials.createconsumerprocurement.freeTrials.getconsumerprocurement.freeTrials.listconsumerprocurement.licensePools.assignconsumerprocurement.licensePools.enumerateLicensedUsersconsumerprocurement.licensePools.getconsumerprocurement.licensePools.unassignconsumerprocurement.licensePools.updateconsumerprocurement.orderAttributions.getconsumerprocurement.orderAttributions.listconsumerprocurement.orderAttributions.updateconsumerprocurement.orders.cancelconsumerprocurement.orders.getconsumerprocurement.orders.listconsumerprocurement.orders.modifyconsumerprocurement.orders.place
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Viewer
(roles/consumerprocurement.procurementViewer)
Allows inspecting purchases, consents and entitlements and service states for a consumer project.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.getcommerceoffercatalog.agreements.listcommerceoffercatalog.documents.getcommerceoffercatalog.documents.listcommerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.getconsumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Memberikan peran IAM kepada pengguna
Dari peran dalam tabel di atas, peran consumerprocurement.orderAdmin dan consumerprocurement.orderViewer harus ditetapkan di tingkat akun penagihan atau organisasi, dan peran consumerprocurement.entitlementManager serta consumerprocurement.entitlementViewer harus ditetapkan di level project atau organisasi.
Untuk memberikan peran kepada pengguna menggunakan gcloud, jalankan salah satu perintah berikut:
Organisasi
Anda harus memiliki peran resourcemanager.organizationAdmin
untuk menetapkan peran di tingkat organisasi.
gcloud organizations add-iam-policy-binding organization-id \
--member=member --role=role-id
Nilai placeholdernya adalah:
- organization-id: ID numerik organisasi yang Anda beri peran.
- member: Pengguna yang Anda beri akses.
- role-id: ID peran, dari tabel sebelumnya.
Akun penagihan
Anda harus memiliki peran billing.admin
untuk menetapkan peran di tingkat akun penagihan.
gcloud beta billing accounts set-iam-policy account-id \
policy-file
Nilai placeholdernya adalah:
- account-id: ID akun penagihan Anda, yang dapat diperoleh dari halaman Kelola akun penagihan.
- policy-file: File kebijakan IAM, dalam format JSON atau YAML. File kebijakan harus berisi ID peran dari tabel sebelumnya, dan pengguna yang diberi peran.
Project
Anda harus memiliki peran resourcemanager.folderAdmin untuk menetapkan peran di level project.
gcloud projects add-iam-policy-binding project-id \
--member=member --role=role-id
Nilai placeholdernya adalah:
- project-id: Project yang Anda beri peran.
- member: Pengguna yang Anda beri akses.
- role-id: ID peran, dari tabel sebelumnya.
Untuk memberikan peran kepada pengguna yang menggunakan Google Cloud Console, lihat dokumentasi IAM tentang Memberikan, mengubah, dan mencabut akses untuk pengguna.
Menggunakan peran khusus dengan Cloud Marketplace
Jika menginginkan kontrol terperinci atas izin yang diberikan kepada pengguna, Anda dapat membuat peran khusus dengan izin yang ingin diberikan.
Jika Anda membuat peran khusus untuk pengguna yang membeli layanan dari
Cloud Marketplace, peran tersebut harus menyertakan izin berikut untuk
akun penagihan yang mereka gunakan untuk membeli layanan:
Mengakses situs partner dengan Single Sign-on (SSO)
Produk Marketplace tertentu mendukung Single Sign-on (SSO) ke situs eksternal partner. Pengguna yang diotorisasi dalam organisasi memiliki akses ke
tombol "KELOLA DI PENYEDIA" di halaman detail produk. Tombol
ini mengarahkan pengguna ke situs partner. Dalam beberapa kasus, pengguna
akan diminta untuk "Login dengan Google". Dalam kasus lain, pengguna login dalam
konteks akun bersama.
Untuk mengakses kemampuan SSO, pengguna membuka halaman detail produk, lalu memilih project yang sesuai. Project harus ditautkan ke
akun penagihan tempat paket telah dibeli. Untuk mengetahui detail tentang pengelolaan paket Marketplace, lihat Mengelola paket penagihan.
Selain itu, pengguna harus memiliki izin IAM yang memadai dalam project yang dipilih. Untuk sebagian besar produk, roles/consumerprocurement.entitlementManager (atau
peran dasar
roles/editor) saat ini diperlukan.
Izin minimal untuk produk tertentu
Produk berikut dapat beroperasi pada kumpulan izin yang berbeda untuk mengakses kemampuan SSO:
- Apache Kafka di Confluent Cloud
- DataStax Astra untuk Apache Cassandra
- Elastic Cloud
- Neo4j Aura Professional
- Cloud Redis Enterprise
Untuk produk tersebut, Anda dapat menggunakan izin minimal berikut:
consumerprocurement.entitlements.getconsumerprocurement.entitlements.listserviceusage.services.getserviceusage.services.listresourcemanager.projects.get
Izin ini biasanya diberikan dengan peran
roles/consumerprocurement.entitlementManager atau
roles/consumerprocurement.entitlementViewer.
