This page describes the Identity and Access Management (IAM) roles and permissions that you need to purchase and manage commercial products on Cloud Marketplace.
With IAM, you manage access control by defining who (identity) has what access (role) for which resource. For commercial apps on Cloud Marketplace, users in your Google Cloud organization require IAM roles to sign up for Cloud Marketplace plans and to make changes to billing plans.
Before you begin
- To grant Cloud Marketplace roles and permissions using gcloud, install the gcloud CLI. Otherwise, you can grant roles using the Google Cloud console.
IAM roles for purchasing and managing products
We recommend that you assign the Billing Account Administrator IAM role (roles/billing.admin) to users who purchase services from Cloud Marketplace.
Users who want to access the services must have at least the Project Viewer role (roles/viewer).
If you need more granular control over users' permissions, you can create custom roles with the permissions that you want to grant.
List of IAM roles and permissions
You can grant users one or more of the following IAM roles.
Depending on the role that you grant to users, you must also assign it to a Google Cloud billing account, organization, or project. For more details, see the Granting IAM roles to users section.
Role | Permissions |
Commerce Business Enablement Configuration Admin (Beta)
(roles/commercebusinessenablement.admin)
Admin of Various Provider Configuration resources
|
commercebusinessenablement.leadgenConfig.*
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.leadgenConfig.update
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.*
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.*
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Admin (Beta)
(roles/commercebusinessenablement.paymentConfigAdmin)
Administration of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.*
commercebusinessenablement.paymentConfig.get
commercebusinessenablement.paymentConfig.update
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Viewer (Beta)
(roles/commercebusinessenablement.paymentConfigViewer)
Viewer of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Rebates Admin (Beta)
(roles/commercebusinessenablement.rebatesAdmin)
Provides admin access to rebates
|
commercebusinessenablement.operations.*
commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.*
commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update
|
Commerce Business Enablement Rebates Viewer (Beta)
(roles/commercebusinessenablement.rebatesViewer)
Provides read-only access to rebates
|
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
|
Commerce Business Enablement Reseller Discount Admin (Beta)
(roles/commercebusinessenablement.resellerDiscountAdmin)
Provides admin access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.*
commercebusinessenablement.resellerDiscountOffers.cancel
commercebusinessenablement.resellerDiscountOffers.create
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.*
commercebusinessenablement.resellerPrivateOfferPlans.cancel
commercebusinessenablement.resellerPrivateOfferPlans.create
commercebusinessenablement.resellerPrivateOfferPlans.delete
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerPrivateOfferPlans.publish
commercebusinessenablement.resellerPrivateOfferPlans.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Reseller Discount Viewer (Beta)
(roles/commercebusinessenablement.resellerDiscountViewer)
Provides read-only access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Configuration Viewer (Beta)
(roles/commercebusinessenablement.viewer)
Viewer of Various Provider Configuration resource
|
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerRestrictions.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Offer Catalog Offers Viewer (Beta)
(roles/commerceoffercatalog.offersViewer)
Allows viewing offers
|
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
|
Commerce Organization Governance Admin (Beta)
(roles/commerceorggovernance.admin)
Full access to Organization Governance APIs
|
commerceorggovernance.*
commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collectionRequestApprovals.review
commerceorggovernance.collections.create
commerceorggovernance.collections.delete
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.collections.update
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.consumerSharingPolicies.update
commerceorggovernance.organizationSettings.get
commerceorggovernance.organizationSettings.update
commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
resourcemanager.projects.get
resourcemanager.projects.list
|
Governed Marketplace User (Beta)
(roles/commerceorggovernance.user)
Full access to Governed Marketplace features.
|
commerceorggovernance.services.*
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Organization Governance Viewer (Beta)
(roles/commerceorggovernance.viewer)
Full access to Organization Governance read-only APIs.
|
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.organizationSettings.get
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.services.get
commerceorggovernance.services.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Events Viewer (Beta)
(roles/commercepricemanagement.eventsViewer)
Allows viewing key events for an offer
|
commerceprice.events.*
commerceprice.events.get
commerceprice.events.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Private Offers Admin (Beta)
(roles/commercepricemanagement.privateOffersAdmin)
Allows managing private offers
|
commerceagreementpublishing.*
commerceagreementpublishing.agreements.create
commerceagreementpublishing.agreements.delete
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.agreements.update
commerceagreementpublishing.documents.create
commerceagreementpublishing.documents.delete
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceagreementpublishing.documents.update
commerceprice.*
commerceprice.events.get
commerceprice.events.list
commerceprice.privateoffers.cancel
commerceprice.privateoffers.create
commerceprice.privateoffers.delete
commerceprice.privateoffers.get
commerceprice.privateoffers.list
commerceprice.privateoffers.publish
commerceprice.privateoffers.sendEmail
commerceprice.privateoffers.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Price Management Viewer (Beta)
(roles/commercepricemanagement.viewer)
Allows viewing offers, free trials, skus
|
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceprice.privateoffers.get
commerceprice.privateoffers.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Producer Admin (Beta)
(roles/commerceproducer.admin)
Grants full access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Producer Viewer (Beta)
(roles/commerceproducer.viewer)
Grants read access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Consumer Procurement Entitlement Manager
(roles/consumerprocurement.entitlementManager)
Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.
|
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.*
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Entitlement Viewer
(roles/consumerprocurement.entitlementViewer)
Allows inspecting entitlements and service states for a consumer project.
|
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Events Viewer
(roles/consumerprocurement.eventsViewer)
Allows viewing key events for an offer
|
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
|
Consumer Procurement Order Administrator
(roles/consumerprocurement.orderAdmin)
Allows managing purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.orderAttributions.*
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.*
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
|
Consumer Procurement Order Viewer
(roles/consumerprocurement.orderViewer)
Allows inspecting purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
|
Consumer Procurement Administrator
(roles/consumerprocurement.procurementAdmin)
Allows managing purchases, consents at both billing account and project level.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.allowProjectGrant
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Viewer
(roles/consumerprocurement.procurementViewer)
Allows inspecting purchases, consents and entitlements and service states for a consumer project.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Granting IAM roles to users
Of the roles in the preceding table, the roles consumerprocurement.orderAdmin and consumerprocurement.orderViewer must be assigned at the organization or billing account level, while the roles consumerprocurement.entitlementManager and consumerprocurement.entitlementViewer must be assigned at the project or organization level.
To grant roles to users using gcloud, run one of the following commands:
Organization
You must have the resourcemanager.organizationAdmin role to assign roles at the organization level.
gcloud organizations add-iam-policy-binding organization-id \
--member=member --role=role-id
The placeholder values are:
- organization-id: the numeric ID of the organization for which you are granting the role.
- member: the user to whom you are granting access.
- role-id: the role ID from the preceding table.
Billing account
You must have the billing.admin role to assign roles at the billing account level.
gcloud beta billing accounts set-iam-policy account-id \
policy-file
The placeholder values are:
Project
You must have the resourcemanager.folderAdmin role to assign roles at the project level.
gcloud projects add-iam-policy-binding project-id \
--member=member --role=role-id
The placeholder values are:
- project-id: the project for which you are granting the role.
- member: the user to whom you are granting access.
- role-id: the role ID from the preceding table.
To grant roles to users using the Google Cloud console, see the IAM documentation on granting, changing, and revoking access for users.
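The billing account command above uses set-iam-policy, which replaces the account's whole IAM policy with the contents of policy-file, so the file should be built from the current policy rather than written from scratch. The following added example (not part of the original page) merges one binding into a policy exported with get-iam-policy while keeping the existing bindings and the etag, and enforces the grant levels stated at the start of this section; the sample policy, the member names and the function name are constructed for illustration.

```python
import copy
import json

# Levels at which this page says each Marketplace role must be granted.
ALLOWED_LEVELS = {
    "roles/consumerprocurement.orderAdmin": {"organization", "billing_account"},
    "roles/consumerprocurement.orderViewer": {"organization", "billing_account"},
    "roles/consumerprocurement.entitlementManager": {"project", "organization"},
    "roles/consumerprocurement.entitlementViewer": {"project", "organization"},
}


def add_binding(policy, role, member, level):
    """Return a copy of `policy` with `member` added to `role`.

    Existing bindings and the etag are kept, so passing the result to
    set-iam-policy neither drops other principals' access nor silently
    overwrites a concurrent change.
    """
    allowed = ALLOWED_LEVELS.get(role)
    if allowed is not None and level not in allowed:
        raise ValueError(f"{role} cannot be granted at {level} level")
    if ":" not in member:
        raise ValueError("member needs a type prefix such as user: or group:")

    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Merge only into an unconditional binding for the same role.
        if binding.get("role") == role and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


# Constructed sample, shaped like get-iam-policy --format=json output.
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/billing.admin", "members": ["user:owner@example.com"]},
        {"role": "roles/consumerprocurement.orderViewer",
         "members": ["group:finance@example.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}

if __name__ == "__main__":
    new_policy = add_binding(
        CURRENT_POLICY,
        "roles/consumerprocurement.orderAdmin",
        "user:buyer@example.com",
        "billing_account",
    )
    # Save this output as policy-file and pass it to set-iam-policy.
    print(json.dumps(new_policy, indent=2))
```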
Using custom roles with Cloud Marketplace
If you want granular control over the permissions that you grant to users, you can create custom roles with the permissions that you want to grant.
If you are creating a custom role for users who purchase services from Cloud Marketplace, the role must include these permissions for the billing account that they use to purchase services:
Accessing partner websites with single sign-on (SSO)
Some Marketplace products support single sign-on (SSO) to a partner's external website. Authorized users within the organization have access to a "MANAGE ON PROVIDER" button on the product details page. This button takes users to the partner's website. In some cases, users are prompted to sign in with Google. In other cases, users are signed in to a shared account context.
To access the SSO feature, users go to the product details page and select an appropriate project. The project must be linked to a billing account where the plan was purchased. For more details about managing Marketplace plans, see Managing billing plans.
In addition, the user must have sufficient IAM permissions in the selected project. For most products, roles/consumerprocurement.entitlementManager (or the basic role roles/editor) is currently required.
Minimum permissions for specific products
The following products can operate with a different set of permissions to access the SSO features:
- Apache Kafka on Confluent Cloud
- DataStax Astra for Apache Cassandra
- Elastic Cloud
- Neo4j Aura Professional
- Redis Enterprise Cloud
For these products, you can use the following minimum permissions:
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
serviceusage.services.get
serviceusage.services.list
resourcemanager.projects.get
These permissions are typically granted with the roles/consumerprocurement.entitlementManager or roles/consumerprocurement.entitlementViewer roles.
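To see how far each way of granting SSO access goes beyond the minimum listed above, the following added example (not part of the original page) audits a project IAM policy and reports, for every binding whose role satisfies the SSO minimum, the write permissions it carries beyond that minimum. The two role permission sets are copied from the table on this page; the sample policy, the member names and the function name are constructed for illustration.

```python
# Minimum permissions this page lists for SSO on the named products.
SSO_MINIMUM = frozenset({
    "consumerprocurement.entitlements.get",
    "consumerprocurement.entitlements.list",
    "serviceusage.services.get",
    "serviceusage.services.list",
    "resourcemanager.projects.get",
})

# Permissions of the two predefined roles, copied from the role table above
# (wildcard rows left out, they only group the entries listed under them).
VIEWER = SSO_MINIMUM | {
    "consumerprocurement.consents.check",
    "consumerprocurement.consents.list",
    "consumerprocurement.freeTrials.get",
    "consumerprocurement.freeTrials.list",
    "orgpolicy.policy.get",
    "resourcemanager.projects.list",
}
MANAGER = VIEWER | {
    "consumerprocurement.consents.grant",
    "consumerprocurement.consents.revoke",
    "consumerprocurement.freeTrials.create",
    "serviceusage.operations.get",
    "serviceusage.services.disable",
    "serviceusage.services.enable",
}
ROLE_PERMISSIONS = {
    "roles/consumerprocurement.entitlementViewer": VIEWER,
    "roles/consumerprocurement.entitlementManager": MANAGER,
}
READ_VERBS = {"get", "list", "check"}


def audit_sso_grants(policy):
    """Return one finding per binding whose role satisfies the SSO minimum."""
    findings = []
    for binding in policy.get("bindings", []):
        role, members = binding["role"], sorted(binding.get("members", []))
        if role == "roles/editor":
            # Basic role named on this page; its permissions are not listed
            # here, so the excess is reported as unknown (None).
            findings.append({"role": role, "members": members, "writes": None})
            continue
        perms = ROLE_PERMISSIONS.get(role)
        if perms is None or not SSO_MINIMUM <= perms:
            continue
        extra = perms - SSO_MINIMUM
        writes = sorted(p for p in extra if p.rsplit(".", 1)[1] not in READ_VERBS)
        findings.append({"role": role, "members": members, "writes": writes})
    return findings


# Constructed project policy, shaped like get-iam-policy --format=json output.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:dev@example.com"]},
    {"role": "roles/consumerprocurement.entitlementManager",
     "members": ["group:platform@example.com"]},
    {"role": "roles/consumerprocurement.entitlementViewer",
     "members": ["group:analysts@example.com"]},
    {"role": "roles/logging.viewer", "members": ["user:ops@example.com"]},
]}

if __name__ == "__main__":
    for f in audit_sso_grants(SAMPLE_POLICY):
        print(f["role"], f["members"], "writes beyond minimum:", f["writes"])
```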