Controle de acesso com o IAM

Nesta página, descrevemos os papéis e permissões de gerenciamento de identidade e acesso (IAM) necessários para comprar e gerenciar produtos comerciais no Cloud Marketplace.

O IAM permite gerenciar o controle de acesso ao definir quem (identidade) tem qual acesso (papel) a que recurso. Para apps comerciais no Cloud Marketplace, os usuários na sua Google Cloud organização precisam de papéis do IAM para se inscrever em planos do Cloud Marketplace e fazer alterações nos planos de faturamento.

Antes de começar

  • Para conceder papéis e permissões do Cloud Marketplace usando gcloud, instale a CLI gcloud. Caso contrário, conceda papéis usando o console do Google Cloud.

Papéis do IAM para compra e gerenciamento de produtos

Recomendamos que você atribua o papel do IAM de administrador da conta de faturamento aos usuários que estão comprando serviços do Cloud Marketplace.

Os usuários que querem acessar os serviços precisam ter, no mínimo, o papel de Leitor.

Para ter um controle mais granular sobre as permissões dos usuários, crie papéis personalizados com as permissões que você quer conceder.

Requisitos específicos do produto

Para usar os serviços a seguir em um projeto Google Cloud , é necessário ter a função Editor do projeto:

  • Google Cloud Dataprep by Trifacta
  • Neo4j Aura Professional

Lista de papéis e permissões do IAM

É possível conceder aos usuários um ou mais dos papéis do IAM a seguir. Dependendo do papel que você está concedendo aos usuários, é necessário atribuir o papel a uma Google Cloud conta de faturamento, organização ou projeto. Para detalhes, consulte a seção Como conceder papéis do IAM aos usuários.

Role Permissions

(roles/commercebusinessenablement.admin)

Admin of Various Provider Configuration resources

commercebusinessenablement.leadgenConfig.*

  • commercebusinessenablement.leadgenConfig.get
  • commercebusinessenablement.leadgenConfig.update

commercebusinessenablement.partnerAccounts.*

  • commercebusinessenablement.partnerAccounts.get
  • commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.*

  • commercebusinessenablement.resellerConfig.get
  • commercebusinessenablement.resellerConfig.update

commercebusinessenablement.resellerRestrictions.*

  • commercebusinessenablement.resellerRestrictions.list
  • commercebusinessenablement.resellerRestrictions.update

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.paymentConfigAdmin)

Administration of Payment Configuration resource

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.paymentConfig.*

  • commercebusinessenablement.paymentConfig.get
  • commercebusinessenablement.paymentConfig.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.paymentConfigViewer)

Viewer of Payment Configuration resource

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.paymentConfig.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.rebatesAdmin)

Provides admin access to rebates

commercebusinessenablement.operations.*

  • commercebusinessenablement.operations.cancel
  • commercebusinessenablement.operations.delete
  • commercebusinessenablement.operations.get
  • commercebusinessenablement.operations.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.refunds.*

  • commercebusinessenablement.refunds.cancel
  • commercebusinessenablement.refunds.create
  • commercebusinessenablement.refunds.delete
  • commercebusinessenablement.refunds.get
  • commercebusinessenablement.refunds.list
  • commercebusinessenablement.refunds.start
  • commercebusinessenablement.refunds.update

(roles/commercebusinessenablement.rebatesViewer)

Provides read-only access to rebates

commercebusinessenablement.operations.get

commercebusinessenablement.operations.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.refunds.get

commercebusinessenablement.refunds.list

(roles/commercebusinessenablement.resellerDiscountAdmin)

Provides admin access to reseller discount offers

commercebusinessenablement.partnerAccounts.*

  • commercebusinessenablement.partnerAccounts.get
  • commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerDiscountConfig.get

commercebusinessenablement.resellerDiscountOffers.*

  • commercebusinessenablement.resellerDiscountOffers.cancel
  • commercebusinessenablement.resellerDiscountOffers.create
  • commercebusinessenablement.resellerDiscountOffers.list

commercebusinessenablement.resellerPrivateOfferPlans.*

  • commercebusinessenablement.resellerPrivateOfferPlans.cancel
  • commercebusinessenablement.resellerPrivateOfferPlans.create
  • commercebusinessenablement.resellerPrivateOfferPlans.delete
  • commercebusinessenablement.resellerPrivateOfferPlans.get
  • commercebusinessenablement.resellerPrivateOfferPlans.list
  • commercebusinessenablement.resellerPrivateOfferPlans.publish
  • commercebusinessenablement.resellerPrivateOfferPlans.update

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.resellerDiscountViewer)

Provides read-only access to reseller discount offers

commercebusinessenablement.partnerAccounts.*

  • commercebusinessenablement.partnerAccounts.get
  • commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerDiscountConfig.get

commercebusinessenablement.resellerDiscountOffers.list

commercebusinessenablement.resellerPrivateOfferPlans.get

commercebusinessenablement.resellerPrivateOfferPlans.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.viewer)

Viewer of Various Provider Configuration resource

commercebusinessenablement.leadgenConfig.get

commercebusinessenablement.partnerAccounts.*

  • commercebusinessenablement.partnerAccounts.get
  • commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerRestrictions.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceoffercatalog.offersViewer)

Allows viewing offers

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

(roles/commerceorggovernance.admin)

Full access to Organization Governance APIs

commerceorggovernance.*

  • commerceorggovernance.collectionRequestApprovals.list
  • commerceorggovernance.collectionRequestApprovals.review
  • commerceorggovernance.collections.create
  • commerceorggovernance.collections.delete
  • commerceorggovernance.collections.get
  • commerceorggovernance.collections.list
  • commerceorggovernance.collections.update
  • commerceorggovernance.consumerSharingPolicies.get
  • commerceorggovernance.consumerSharingPolicies.update
  • commerceorggovernance.organizationSettings.get
  • commerceorggovernance.organizationSettings.update
  • commerceorggovernance.populateCollectionJobs.create
  • commerceorggovernance.populateCollectionJobs.list
  • commerceorggovernance.populateCollectionJobs.run
  • commerceorggovernance.populateCollectionJobs.update
  • commerceorggovernance.services.get
  • commerceorggovernance.services.list
  • commerceorggovernance.services.request

consumerprocurement.entitlements.*

  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceorggovernance.user)

Full access to Governed Marketplace features.

commerceorggovernance.services.*

  • commerceorggovernance.services.get
  • commerceorggovernance.services.list
  • commerceorggovernance.services.request

consumerprocurement.entitlements.*

  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceorggovernance.viewer)

Full access to Organization Governance read-only APIs.

commerceorggovernance.collections.get

commerceorggovernance.collections.list

commerceorggovernance.consumerSharingPolicies.get

commerceorggovernance.organizationSettings.get

commerceorggovernance.populateCollectionJobs.list

commerceorggovernance.services.get

commerceorggovernance.services.list

consumerprocurement.entitlements.*

  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercepricemanagement.eventsViewer)

Allows viewing key events for an offer

commerceprice.events.*

  • commerceprice.events.get
  • commerceprice.events.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercepricemanagement.privateOffersAdmin)

Allows managing private offers

commerceagreementpublishing.*

  • commerceagreementpublishing.agreements.create
  • commerceagreementpublishing.agreements.delete
  • commerceagreementpublishing.agreements.get
  • commerceagreementpublishing.agreements.list
  • commerceagreementpublishing.agreements.update
  • commerceagreementpublishing.documents.create
  • commerceagreementpublishing.documents.delete
  • commerceagreementpublishing.documents.get
  • commerceagreementpublishing.documents.list
  • commerceagreementpublishing.documents.update

commerceprice.*

  • commerceprice.events.get
  • commerceprice.events.list
  • commerceprice.privateoffers.cancel
  • commerceprice.privateoffers.create
  • commerceprice.privateoffers.delete
  • commerceprice.privateoffers.get
  • commerceprice.privateoffers.list
  • commerceprice.privateoffers.publish
  • commerceprice.privateoffers.sendEmail
  • commerceprice.privateoffers.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/commercepricemanagement.viewer)

Allows viewing offers, free trials, skus

commerceagreementpublishing.agreements.get

commerceagreementpublishing.agreements.list

commerceagreementpublishing.documents.get

commerceagreementpublishing.documents.list

commerceprice.privateoffers.get

commerceprice.privateoffers.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/commerceproducer.admin)

Grants full access to all resources in Cloud Commerce Producer API.

commercebusinessenablement.partnerInfo.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceproducer.viewer)

Grants read access to all resources in Cloud Commerce Producer API.

commercebusinessenablement.partnerInfo.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/consumerprocurement.entitlementManager)

Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.

commerceoffercatalog.offers.get

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.entitlements.*

  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list

consumerprocurement.freeTrials.*

  • consumerprocurement.freeTrials.create
  • consumerprocurement.freeTrials.get
  • consumerprocurement.freeTrials.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/consumerprocurement.entitlementViewer)

Allows inspecting entitlements and service states for a consumer project.

commerceoffercatalog.offers.get

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.entitlements.*

  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list

consumerprocurement.freeTrials.get

consumerprocurement.freeTrials.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/consumerprocurement.eventsViewer)

Allows viewing key events for an offer

consumerprocurement.events.*

  • consumerprocurement.events.get
  • consumerprocurement.events.list

(roles/consumerprocurement.licensePoolEditor)

Allows managing license pools and license assignments.

consumerprocurement.licensePools.*

  • consumerprocurement.licensePools.assign
  • consumerprocurement.licensePools.enumerateLicensedUsers
  • consumerprocurement.licensePools.get
  • consumerprocurement.licensePools.unassign
  • consumerprocurement.licensePools.update

(roles/consumerprocurement.licensePoolViewer)

Allows viewing license pools and license assignments.

consumerprocurement.licensePools.enumerateLicensedUsers

consumerprocurement.licensePools.get

(roles/consumerprocurement.orderAdmin)

Allows managing purchases.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

consumerprocurement.accounts.*

  • consumerprocurement.accounts.create
  • consumerprocurement.accounts.delete
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

  • consumerprocurement.events.get
  • consumerprocurement.events.list

consumerprocurement.licensePools.*

  • consumerprocurement.licensePools.assign
  • consumerprocurement.licensePools.enumerateLicensedUsers
  • consumerprocurement.licensePools.get
  • consumerprocurement.licensePools.unassign
  • consumerprocurement.licensePools.update

consumerprocurement.orderAttributions.*

  • consumerprocurement.orderAttributions.get
  • consumerprocurement.orderAttributions.list
  • consumerprocurement.orderAttributions.update

consumerprocurement.orders.*

  • consumerprocurement.orders.cancel
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • consumerprocurement.orders.modify
  • consumerprocurement.orders.place

(roles/consumerprocurement.orderViewer)

Allows inspecting purchases.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.credits.list

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.licensePools.enumerateLicensedUsers

consumerprocurement.licensePools.get

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

(roles/consumerprocurement.procurementAdmin)

Allows managing purchases, consents at both billing account and project level.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

consumerprocurement.*

  • consumerprocurement.accounts.create
  • consumerprocurement.accounts.delete
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.consents.allowProjectGrant
  • consumerprocurement.consents.check
  • consumerprocurement.consents.grant
  • consumerprocurement.consents.list
  • consumerprocurement.consents.revoke
  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list
  • consumerprocurement.events.get
  • consumerprocurement.events.list
  • consumerprocurement.freeTrials.create
  • consumerprocurement.freeTrials.get
  • consumerprocurement.freeTrials.list
  • consumerprocurement.licensePools.assign
  • consumerprocurement.licensePools.enumerateLicensedUsers
  • consumerprocurement.licensePools.get
  • consumerprocurement.licensePools.unassign
  • consumerprocurement.licensePools.update
  • consumerprocurement.orderAttributions.get
  • consumerprocurement.orderAttributions.list
  • consumerprocurement.orderAttributions.update
  • consumerprocurement.orders.cancel
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • consumerprocurement.orders.modify
  • consumerprocurement.orders.place

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/consumerprocurement.procurementViewer)

Allows inspecting purchases, consents and entitlements and service states for a consumer project.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.credits.list

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.entitlements.*

  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list

consumerprocurement.freeTrials.get

consumerprocurement.freeTrials.list

consumerprocurement.licensePools.enumerateLicensedUsers

consumerprocurement.licensePools.get

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Como conceder papéis do IAM aos usuários

Com base nas funções na tabela acima, os papéis consumerprocurement.orderAdmin e consumerprocurement.orderViewer precisam ser atribuídos no nível da conta de faturamento ou da organização, e os papéis consumerprocurement.entitlementManager e consumerprocurement.entitlementViewer precisam ser atribuídos no nível do projeto ou da organização.

Para conceder papéis a usuários usando gcloud, execute um dos seguintes comandos:

Organização

Você precisa ter o papel resourcemanager.organizationAdmin para atribuir papéis no nível da organização.

gcloud organizations add-iam-policy-binding organization-id \
--member=member --role=role-id

Os valores do marcador são:

  • organization-id: o ID numérico da organização para a qual você está concedendo o papel.
  • member: o usuário a que você está concedendo acesso.
  • role-id: o ID do papel da tabela anterior.

Conta de faturamento

Você precisa ter o papel billing.admin para atribuir papéis no nível da conta de faturamento.

gcloud beta billing accounts set-iam-policy account-id \
policy-file

Os valores do marcador são:

Projeto

Você precisa ter o papel resourcemanager.folderAdmin para atribuir papéis no nível do projeto.

gcloud projects add-iam-policy-binding project-id \
--member=member --role=role-id

Os valores do marcador são:

  • project-id: o projeto que você está concedendo ao papel.
  • member: o usuário a que você está concedendo acesso.
  • role-id: o ID do papel da tabela anterior.

Para conceder papéis a usuários usando o console do Google Cloud, consulte a documentação do IAM sobre Como conceder, alterar e revogar acesso a usuários.

Como usar papéis personalizados com o Cloud Marketplace

Para ter um controle granular sobre as permissões que você concede aos usuários, crie papéis personalizados com as permissões que você quer conceder.

Se você estiver criando um papel personalizado para usuários que compram serviços do Cloud Marketplace, o papel precisará incluir estas permissões para a conta de faturamento usada para comprar serviços:

Como acessar sites de parceiros com Logon único (SSO)

Alguns produtos do Marketplace são compatíveis com o SSO para o site externo de um parceiro. Os usuários autorizados da organização têm acesso a um botão "GERENCIAR NO PROVEDOR" na página de detalhes do produto. Esse botão direciona os usuários ao site do parceiro. Em alguns casos, os usuários são solicitados a "Fazer login com o Google". Em outros casos, os usuários acessam um contexto de conta compartilhada.

Para acessar o recurso de SSO, os usuários acessam a página de detalhes do produto e selecionam um projeto apropriado. O projeto precisa estar vinculado a uma conta de faturamento em que o plano foi comprado. Para detalhes sobre o gerenciamento de planos do Marketplace, consulte Como gerenciar planos de faturamento.

Além disso, o usuário precisa ter permissões de IAM suficientes no projeto selecionado. Para a maioria dos produtos, o roles/consumerprocurement.entitlementManager (ou roles/editor papel básico) é obrigatório no momento.

Permissões mínimas para produtos específicos

Os seguintes produtos podem operar em um conjunto diferente de permissões para acessar os recursos do SSO:

  • Apache Kafka no Confluent Cloud
  • DataStax Astra para Apache Cassandra
  • Elastic Cloud
  • Neo4j Aura Professional
  • Redis Enterprise Cloud

Para esses produtos, use as seguintes permissões mínimas:

  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list
  • serviceusage.services.get
  • serviceusage.services.list
  • resourcemanager.projects.get

Essas permissões geralmente são concedidas com os papéis roles/consumerprocurement.entitlementManager ou roles/consumerprocurement.entitlementViewer.