Manage user access with Marketplace User Access Restrictions

By default, any user with the Identity and Access Management (IAM) permission resourcemanager.projects.get for a Google Cloud project can access Google Cloud Marketplace to discover new products. If you want to enforce stricter governance and procurement policies in your Google Cloud organization, you can use Marketplace User Access Restrictions to require that users have additional IAM permissions to accomplish some tasks.

Required IAM permissions

After you turn on Marketplace User Access Restrictions, your organization's users must have the following IAM permissions to complete the following tasks:

Action IAM Roles Level at which role is assigned
Enable Marketplace User Access Restrictions Organization Administrator (roles/resourcemanager.organizationAdmin) AND Commerce Organization Governance Admin (roles/commerceorggovernance.admin) roles Organization level
Interacting with products listed on the Google Cloud Marketplace Governed Marketplace User (roles/commerceorggovernance.user) role Organization, Folder, or Project level

The Governed Marketplace User IAM role contains the following IAM permissions:

  • commerceorggovernance.services.get
  • commerceorggovernance.services.list
  • commerceorggovernance.services.request
  • resourcemanager.projects.get
  • consumerprocurement.entitlements.list

When Cloud Marketplace User Access Restrictions is turned on for your organization, you must have these IAM permissions to do the following:

  • commerceorggovernance.services.list lets you view and interact with the Google Private Marketplace homepage.
  • commerceorggovernance.services.get lets you interact with product listing pages.
  • If Request Product is turned on, commerceorggovernance.services.request and consumerprocurement.entitlements.list let you request unapproved products or products that haven't been procured.

Before you begin

  1. Ensure you have sufficient roles to enable Marketplace User Access Restrictions. You can find the required details listed above.

  2. Ensure users and administrators in your organization that require access to the Marketplace are given sufficient roles. You can find the required roles listed above.

  3. Verify that Google Private Marketplace supports the products that you plan to use. For a list of supported products, see Supported products.

Turn on Marketplace User Access Restrictions

By default, Marketplace User Access Restrictions is turned off for your organization.

After you've assigned the above IAM roles to relevant users and administrators in your organization, to turn this feature on, complete the following steps:

  1. In Cloud Marketplace, click Marketplace Governance.

    Go to Marketplace

  2. In Governance settings, click the toggle to enable Marketplace User Access Restrictions.

  3. Click Confirm in the dialog.