Nesta página, descrevemos os papéis e permissões de gerenciamento de identidade e acesso (IAM)
necessários para comprar e gerenciar produtos comerciais no Cloud Marketplace.
O IAM permite gerenciar o controle de acesso ao definir quem (identidade)
tem qual acesso (papel) a que recurso. Para apps comerciais no
Cloud Marketplace, os usuários na sua Google Cloud organização precisam
de papéis do IAM para se inscrever em planos do Cloud Marketplace e
fazer alterações nos planos de faturamento.
Antes de começar
- Para conceder papéis e permissões do Cloud Marketplace usando
gcloud
, instale
a CLI gcloud. Caso contrário, conceda
papéis usando o console do Google Cloud.
Papéis do IAM para compra e gerenciamento de produtos
Recomendamos que você atribua o papel do IAM de
administrador da conta de faturamento
aos usuários que estão comprando serviços do
Cloud Marketplace.
Os usuários que querem acessar os serviços precisam ter, no mínimo, o papel de
Leitor.
Para ter um controle mais granular sobre as permissões dos usuários, crie papéis personalizados com as permissões que você quer
conceder.
Requisitos específicos do produto
Para usar os serviços a seguir em um projeto Google Cloud , é necessário ter a função Editor do projeto:
- Google Cloud Dataprep by Trifacta
- Neo4j Aura Professional
Lista de papéis e permissões do IAM
É possível conceder aos usuários um ou mais dos papéis do IAM a seguir.
Dependendo do papel que você está concedendo aos usuários, é necessário atribuir o papel
a uma Google Cloud conta de faturamento, organização ou projeto. Para detalhes,
consulte a seção Como conceder papéis do IAM aos usuários.
Role |
Permissions |
Commerce Business Enablement Configuration Admin
Beta
(roles/commercebusinessenablement.admin )
Admin of Various Provider Configuration resources
|
commercebusinessenablement.leadgenConfig.*
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.leadgenConfig.update
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.*
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.*
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Admin
Beta
(roles/commercebusinessenablement.paymentConfigAdmin )
Administration of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.*
commercebusinessenablement.paymentConfig.get
commercebusinessenablement.paymentConfig.update
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Viewer
Beta
(roles/commercebusinessenablement.paymentConfigViewer )
Viewer of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Rebates Admin
Beta
(roles/commercebusinessenablement.rebatesAdmin )
Provides admin access to rebates
|
commercebusinessenablement.operations.*
commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.*
commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update
|
Commerce Business Enablement Rebates Viewer
Beta
(roles/commercebusinessenablement.rebatesViewer )
Provides read-only access to rebates
|
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
|
Commerce Business Enablement Reseller Discount Admin
Beta
(roles/commercebusinessenablement.resellerDiscountAdmin )
Provides admin access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.*
commercebusinessenablement.resellerDiscountOffers.cancel
commercebusinessenablement.resellerDiscountOffers.create
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.*
commercebusinessenablement.resellerPrivateOfferPlans.cancel
commercebusinessenablement.resellerPrivateOfferPlans.create
commercebusinessenablement.resellerPrivateOfferPlans.delete
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerPrivateOfferPlans.publish
commercebusinessenablement.resellerPrivateOfferPlans.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Reseller Discount Viewer
Beta
(roles/commercebusinessenablement.resellerDiscountViewer )
Provides read-only access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Configuration Viewer
Beta
(roles/commercebusinessenablement.viewer )
Viewer of Various Provider Configuration resource
|
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerRestrictions.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Offer Catalog Offers Viewer
Beta
(roles/commerceoffercatalog.offersViewer )
Allows viewing offers
|
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
|
Commerce Organization Governance Admin
Beta
(roles/commerceorggovernance.admin )
Full access to Organization Governance APIs
|
commerceorggovernance.*
commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collectionRequestApprovals.review
commerceorggovernance.collections.create
commerceorggovernance.collections.delete
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.collections.update
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.consumerSharingPolicies.update
commerceorggovernance.organizationSettings.get
commerceorggovernance.organizationSettings.update
commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Governed Marketplace User
Beta
(roles/commerceorggovernance.user )
Full access to Governed Marketplace features.
|
commerceorggovernance.services.*
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Organization Governance Viewer
Beta
(roles/commerceorggovernance.viewer )
Full access to Organization Governance read-only APIs.
|
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.organizationSettings.get
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.services.get
commerceorggovernance.services.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Events Viewer
Beta
(roles/commercepricemanagement.eventsViewer )
Allows viewing key events for an offer
|
commerceprice.events.*
commerceprice.events.get
commerceprice.events.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Private Offers Admin
Beta
(roles/commercepricemanagement.privateOffersAdmin )
Allows managing private offers
|
commerceagreementpublishing.*
commerceagreementpublishing.agreements.create
commerceagreementpublishing.agreements.delete
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.agreements.update
commerceagreementpublishing.documents.create
commerceagreementpublishing.documents.delete
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceagreementpublishing.documents.update
commerceprice.*
commerceprice.events.get
commerceprice.events.list
commerceprice.privateoffers.cancel
commerceprice.privateoffers.create
commerceprice.privateoffers.delete
commerceprice.privateoffers.get
commerceprice.privateoffers.list
commerceprice.privateoffers.publish
commerceprice.privateoffers.sendEmail
commerceprice.privateoffers.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Price Management Viewer
Beta
(roles/commercepricemanagement.viewer )
Allows viewing offers, free trials, skus
|
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceprice.privateoffers.get
commerceprice.privateoffers.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Producer Admin
Beta
(roles/commerceproducer.admin )
Grants full access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Producer Viewer
Beta
(roles/commerceproducer.viewer )
Grants read access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Consumer Procurement Entitlement Manager
(roles/consumerprocurement.entitlementManager )
Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer
project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.*
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Entitlement Viewer
(roles/consumerprocurement.entitlementViewer )
Allows inspecting entitlements and service states for a consumer project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Events Viewer
(roles/consumerprocurement.eventsViewer )
Allows viewing key events for an offer
|
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
|
Consumer Procurement License Pool Editor
(roles/consumerprocurement.licensePoolEditor )
Allows managing license pools and license assignments.
|
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
|
Consumer Procurement License Pool Viewer
(roles/consumerprocurement.licensePoolViewer )
Allows viewing license pools and license assignments.
|
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
|
Consumer Procurement Order Administrator
(roles/consumerprocurement.orderAdmin )
Allows managing purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
consumerprocurement.orderAttributions.*
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.*
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
|
Consumer Procurement Order Viewer
(roles/consumerprocurement.orderViewer )
Allows inspecting purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
|
Consumer Procurement Administrator
(roles/consumerprocurement.procurementAdmin )
Allows managing purchases, consents at both billing account and project level.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.allowProjectGrant
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Viewer
(roles/consumerprocurement.procurementViewer )
Allows inspecting purchases, consents and entitlements and service states for a consumer project.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Como conceder papéis do IAM aos usuários
Com base nas funções na tabela acima, os papéis
consumerprocurement.orderAdmin
e consumerprocurement.orderViewer
precisam ser atribuídos no nível da conta de faturamento ou da organização, e os
papéis consumerprocurement.entitlementManager
e consumerprocurement.entitlementViewer
precisam ser atribuídos no nível do projeto ou da organização.
Para conceder papéis a usuários usando gcloud
, execute um dos seguintes comandos:
Organização
Você precisa ter o papel resourcemanager.organizationAdmin
para atribuir papéis no nível da organização.
gcloud organizations add-iam-policy-binding organization-id \
--member=member --role=role-id
Os valores do marcador são:
- organization-id: o ID numérico da organização para a qual você está concedendo
o papel.
- member: o usuário a que você está concedendo acesso.
- role-id: o ID do papel da tabela anterior.
Conta de faturamento
Você precisa ter o papel billing.admin
para atribuir papéis no nível da conta de faturamento.
gcloud beta billing accounts set-iam-policy account-id \
policy-file
Os valores do marcador são:
Projeto
Você precisa ter o papel resourcemanager.folderAdmin
para atribuir papéis no nível do projeto.
gcloud projects add-iam-policy-binding project-id \
--member=member --role=role-id
Os valores do marcador são:
- project-id: o projeto que você está concedendo ao
papel.
- member: o usuário a que você está concedendo acesso.
- role-id: o ID do papel da tabela anterior.
Para conceder papéis a usuários usando o console do Google Cloud, consulte a documentação
do IAM sobre Como conceder, alterar e revogar acesso a usuários.
Como usar papéis personalizados com o Cloud Marketplace
Para ter um controle granular sobre as permissões que você concede aos usuários,
crie papéis personalizados com as permissões
que você quer conceder.
Se você estiver criando um papel personalizado para usuários que compram serviços do
Cloud Marketplace, o papel precisará incluir estas permissões para a
conta de faturamento usada para comprar serviços:
Como acessar sites de parceiros com Logon único (SSO)
Alguns produtos do Marketplace são compatíveis com o SSO para o site externo
de um parceiro. Os usuários autorizados da organização têm acesso a um botão
"GERENCIAR NO PROVEDOR" na página de detalhes do produto. Esse
botão direciona os usuários ao site do parceiro. Em alguns casos, os usuários são
solicitados a "Fazer login com o Google". Em outros casos, os usuários acessam um
contexto de conta compartilhada.
Para acessar o recurso de SSO, os usuários acessam a página
de detalhes do produto e selecionam um projeto apropriado. O projeto precisa estar vinculado a
uma conta de faturamento em que o plano foi comprado. Para detalhes sobre o gerenciamento de planos
do Marketplace, consulte
Como gerenciar planos de faturamento.
Além disso, o usuário precisa ter permissões de IAM suficientes no projeto
selecionado. Para a maioria dos produtos, o roles/consumerprocurement.entitlementManager
(ou
roles/editor
papel básico) é obrigatório no momento.
Permissões mínimas para produtos específicos
Os seguintes produtos podem operar em um conjunto diferente de permissões para acessar
os recursos do SSO:
- Apache Kafka no Confluent Cloud
- DataStax Astra para Apache Cassandra
- Elastic Cloud
- Neo4j Aura Professional
- Redis Enterprise Cloud
Para esses produtos, use as seguintes permissões mínimas:
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
serviceusage.services.get
serviceusage.services.list
resourcemanager.projects.get
Essas permissões geralmente são concedidas com os
papéis roles/consumerprocurement.entitlementManager
ou
roles/consumerprocurement.entitlementViewer
.