This page describes the Identity and Access Management (IAM) roles and permissions
required to purchase and manage commercial products on Cloud Marketplace.
IAM lets you manage access control by defining who (identity)
has what access (role) to which resource. For commercial apps on
Cloud Marketplace, users in your Google Cloud organization need
IAM roles to subscribe to Cloud Marketplace plans and to
make changes to billing plans.
Before you begin
To grant Cloud Marketplace roles and permissions using gcloud, install
the gcloud CLI. Otherwise, grant
roles using the Google Cloud console.
IAM roles for purchasing and managing products
We recommend that you assign the Billing Account Administrator IAM role
to users who are purchasing services from
Cloud Marketplace.
Users who want to access the services need, at a minimum, the
Viewer role.
For more granular control over users' permissions, create custom roles with the permissions that you want to
grant.
Product-specific requirements
To use the following services in a Google Cloud project, you must have the Project Editor role:
Google Cloud Dataprep by Trifacta
Neo4j Aura Professional
List of IAM roles and permissions
You can grant users one or more of the following IAM roles.
Depending on the role that you are granting, you need to assign the role
on a Google Cloud billing account, organization, or project. For details,
see the section Granting IAM roles to users.
Role
Permissions
Commerce Business Enablement Configuration Admin (Beta) (roles/commercebusinessenablement.admin)
Admin of Various Provider Configuration resources
commercebusinessenablement.leadgenConfig.*
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.leadgenConfig.update
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.*
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.*
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement PaymentConfig Admin (Beta) (roles/commercebusinessenablement.paymentConfigAdmin)
Administration of Payment Configuration resource
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.*
commercebusinessenablement.paymentConfig.get
commercebusinessenablement.paymentConfig.update
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement PaymentConfig Viewer (Beta) (roles/commercebusinessenablement.paymentConfigViewer)
Viewer of Payment Configuration resource
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Rebates Admin (Beta) (roles/commercebusinessenablement.rebatesAdmin)
Provides admin access to rebates
commercebusinessenablement.operations.*
commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.*
commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update
Commerce Business Enablement Rebates Viewer (Beta) (roles/commercebusinessenablement.rebatesViewer)
Provides read-only access to rebates
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
Commerce Business Enablement Reseller Discount Admin (Beta) (roles/commercebusinessenablement.resellerDiscountAdmin)
Provides admin access to reseller discount offers
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.*
commercebusinessenablement.resellerDiscountOffers.cancel
commercebusinessenablement.resellerDiscountOffers.create
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.*
commercebusinessenablement.resellerPrivateOfferPlans.cancel
commercebusinessenablement.resellerPrivateOfferPlans.create
commercebusinessenablement.resellerPrivateOfferPlans.delete
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerPrivateOfferPlans.publish
commercebusinessenablement.resellerPrivateOfferPlans.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Reseller Discount Viewer (Beta) (roles/commercebusinessenablement.resellerDiscountViewer)
Provides read-only access to reseller discount offers
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Configuration Viewer (Beta) (roles/commercebusinessenablement.viewer)
Viewer of Various Provider Configuration resource
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerRestrictions.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Offer Catalog Offers Viewer (Beta) (roles/commerceoffercatalog.offersViewer)
Allows viewing offers
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
Commerce Organization Governance Admin (Beta) (roles/commerceorggovernance.admin)
Full access to Organization Governance APIs
commerceorggovernance.*
commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collectionRequestApprovals.review
commerceorggovernance.collections.create
commerceorggovernance.collections.delete
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.collections.update
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.consumerSharingPolicies.update
commerceorggovernance.organizationSettings.get
commerceorggovernance.organizationSettings.update
commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
Governed Marketplace User (Beta) (roles/commerceorggovernance.user)
Full access to Governed Marketplace features.
commerceorggovernance.services.*
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Organization Governance Viewer (Beta) (roles/commerceorggovernance.viewer)
Full access to Organization Governance read-only APIs.
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.organizationSettings.get
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.services.get
commerceorggovernance.services.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Price Management Events Viewer (Beta) (roles/commercepricemanagement.eventsViewer)
Allows viewing key events for an offer
commerceprice.events.*
commerceprice.events.get
commerceprice.events.list
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Price Management Private Offers Admin (Beta) (roles/commercepricemanagement.privateOffersAdmin)
Allows managing private offers
commerceagreementpublishing.*
commerceagreementpublishing.agreements.create
commerceagreementpublishing.agreements.delete
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.agreements.update
commerceagreementpublishing.documents.create
commerceagreementpublishing.documents.delete
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceagreementpublishing.documents.update
commerceprice.*
commerceprice.events.get
commerceprice.events.list
commerceprice.privateoffers.cancel
commerceprice.privateoffers.create
commerceprice.privateoffers.delete
commerceprice.privateoffers.get
commerceprice.privateoffers.list
commerceprice.privateoffers.publish
commerceprice.privateoffers.sendEmail
commerceprice.privateoffers.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Commerce Price Management Viewer (Beta) (roles/commercepricemanagement.viewer)
Allows viewing offers, free trials, skus
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceprice.privateoffers.get
commerceprice.privateoffers.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Commerce Producer Admin (Beta) (roles/commerceproducer.admin)
Grants full access to all resources in Cloud Commerce Producer API.
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Producer Viewer (Beta) (roles/commerceproducer.viewer)
Grants read access to all resources in Cloud Commerce Producer API.
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
Consumer Procurement Entitlement Manager (roles/consumerprocurement.entitlementManager)
Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.*
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Entitlement Viewer (roles/consumerprocurement.entitlementViewer)
Allows inspecting entitlements and service states for a consumer project.
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Events Viewer (roles/consumerprocurement.eventsViewer)
Allows viewing key events for an offer
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
Consumer Procurement License Pool Editor (roles/consumerprocurement.licensePoolEditor)
Allows managing license pools and license assignments.
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
Consumer Procurement License Pool Viewer (roles/consumerprocurement.licensePoolViewer)
Allows viewing license pools and license assignments.
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
Consumer Procurement Order Administrator (roles/consumerprocurement.orderAdmin)
Allows managing purchases.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
consumerprocurement.orderAttributions.*
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.*
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
Consumer Procurement Order Viewer (roles/consumerprocurement.orderViewer)
Allows inspecting purchases.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
Consumer Procurement Administrator (roles/consumerprocurement.procurementAdmin)
Allows managing purchases, consents at both billing account and project level.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.allowProjectGrant
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Viewer (roles/consumerprocurement.procurementViewer)
Allows inspecting purchases, consents and entitlements and service states for a consumer project.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Granting IAM roles to users
Based on the roles in the table above, the
consumerprocurement.orderAdmin and consumerprocurement.orderViewer roles
must be assigned at the billing account or organization level, and the
consumerprocurement.entitlementManager and consumerprocurement.entitlementViewer roles
must be assigned at the project or organization level.
To grant roles to users using gcloud, run one of the following commands:
You must have the resourcemanager.organizationAdmin role
to assign roles at the organization level.
gcloud organizations add-iam-policy-binding organization-id \
  --member=member --role=role-id
The placeholder values are:
organization-id: the numeric ID of the organization for which you are granting
the role.
member: the user to whom you are granting access.
role-id: the ID of the role from the preceding table.
You must have the billing.admin role
to assign roles at the billing account level.
gcloud beta billing accounts set-iam-policy account-id \
  policy-file
The placeholder values are:
You must have the resourcemanager.folderAdmin role
to assign roles at the project level.
gcloud projects add-iam-policy-binding project-id \
  --member=member --role=role-id
The placeholder values are:
project-id: the project for which you are granting the
role.
member: the user to whom you are granting access.
role-id: the ID of the role from the preceding table.
To grant roles to users using the Google Cloud console, see the IAM
documentation on Granting, changing, and revoking access to users.
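The billing-account command above takes a policy-file and replaces the whole policy, so the file should start from the current policy and keep its etag. The following is an added example, not part of the original page: it merges one binding into a fetched policy and rejects role and level pairings that contradict this section. The sample policy, member addresses and etag are constructed, and the level labels are names chosen for this example.

```python
import copy
import json

# Grant levels as stated in this section for the four consumerprocurement roles.
# The level labels ("billing-account", ...) are names chosen for this example.
GRANT_LEVELS = {
    "roles/consumerprocurement.orderAdmin": {"billing-account", "organization"},
    "roles/consumerprocurement.orderViewer": {"billing-account", "organization"},
    "roles/consumerprocurement.entitlementManager": {"project", "organization"},
    "roles/consumerprocurement.entitlementViewer": {"project", "organization"},
}


def check_level(role, level):
    """Raise ValueError if the page says `role` belongs at a different level."""
    allowed = GRANT_LEVELS.get(role)
    if allowed is not None and level not in allowed:
        raise ValueError(f"{role} must be granted at one of: {sorted(allowed)}")


def add_binding(policy, role, member, level="billing-account"):
    """Return a copy of `policy` with `member` bound to `role`.

    The etag of the fetched policy is kept, so the write is rejected if the
    policy was changed by someone else after it was read.
    """
    check_level(role, level)
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Reuse only an unconditional binding; a conditional binding has
        # different semantics and must not silently gain members.
        if binding.get("role") == role and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


# Constructed sample of what
#   gcloud beta billing accounts get-iam-policy account-id --format=json
# could return. Members and etag are made up.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/billing.admin", "members": ["user:owner@example.com"]},
        {"role": "roles/consumerprocurement.orderViewer",
         "members": ["user:auditor@example.com"]},
    ],
    "etag": "BwXconstructed=",
}

if __name__ == "__main__":
    new_policy = add_binding(
        SAMPLE_POLICY,
        "roles/consumerprocurement.orderAdmin",
        "user:buyer@example.com",
    )
    # Save this output as policy-file for the set-iam-policy command.
    print(json.dumps(new_policy, indent=2))
```
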
Using custom roles with Cloud Marketplace
For granular control over the permissions that you grant to users,
create custom roles with the permissions
that you want to grant.
If you are creating a custom role for users who purchase services from
Cloud Marketplace, the role must include these permissions for the
billing account used to purchase services:
Accessing partner websites with single sign-on (SSO)
Some Marketplace products support SSO to a partner's external
website. Authorized users in the organization have access to a
"MANAGE ON PROVIDER" button on the product details page. This
button takes users to the partner's website. In some cases, users are
prompted to "Sign in with Google". In other cases, users access a
shared account context.
To access the SSO feature, users go to the product details
page and select an appropriate project. The project must be linked to
a billing account where the plan was purchased. For details about managing
Marketplace plans, see
Managing billing plans.
In addition, the user must have sufficient IAM permissions in the selected
project. For most products, the roles/consumerprocurement.entitlementManager
role (or the roles/editor basic role) is currently required.
Minimum permissions for specific products
The following products can operate with a different set of permissions to access
SSO features:
Apache Kafka on Confluent Cloud
DataStax Astra for Apache Cassandra
Elastic Cloud
Neo4j Aura Professional
Redis Enterprise Cloud
For these products, use the following minimum permissions:
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
serviceusage.services.get
serviceusage.services.list
resourcemanager.projects.get
These permissions are usually granted with the
roles/consumerprocurement.entitlementManager or
roles/consumerprocurement.entitlementViewer roles.
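To see how far each of those two roles goes beyond the SSO minimum, the following added example (not part of the original page) compares the permission lists from this page's role table against the five minimum permissions. Treating get, list and check as read-only verbs is an assumption made for this example, not a Google Cloud classification.

```python
# Minimum permissions this page lists for partner SSO on the named products.
SSO_MINIMUM = frozenset("""
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
serviceusage.services.get
serviceusage.services.list
resourcemanager.projects.get
""".split())

# Permission list of roles/consumerprocurement.entitlementViewer, as on this page.
ENTITLEMENT_VIEWER = """
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
""".split()

# On this page, roles/consumerprocurement.entitlementManager lists the viewer's
# permissions plus the entries below.
ENTITLEMENT_MANAGER = ENTITLEMENT_VIEWER + """
consumerprocurement.consents.grant
consumerprocurement.consents.revoke
consumerprocurement.freeTrials.*
consumerprocurement.freeTrials.create
serviceusage.services.disable
serviceusage.services.enable
""".split()

# Assumption for this example: these verbs do not change state.
READ_VERBS = {"get", "list", "check"}


def least_privilege_gap(role_permissions, required=SSO_MINIMUM):
    """Compare a role's permissions with the required set.

    Entries ending in ".*" are group headings in the page's table (their
    members are listed individually below them), so they are skipped.
    """
    granted = {p for p in role_permissions if not p.endswith(".*")}
    extra = granted - required
    mutating = sorted(p for p in extra if p.rsplit(".", 1)[1] not in READ_VERBS)
    return {
        "missing": sorted(required - granted),
        "extra_read_only": sorted(extra - set(mutating)),
        "extra_mutating": mutating,
    }


if __name__ == "__main__":
    for name, perms in (("entitlementViewer", ENTITLEMENT_VIEWER),
                        ("entitlementManager", ENTITLEMENT_MANAGER)):
        gap = least_privilege_gap(perms)
        print(name, "missing:", gap["missing"])
        print(name, "extra mutating:", gap["extra_mutating"])
```
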