Access control

With Private Catalog, cloud admins can make their products discoverable to their internal enterprise users. Cloud admins can manage their products and ensure their users are always launching the latest versions.


  • You must have a Google Cloud organization and access to the organization.
  • You must have the administrator role for your Google Cloud organization.

What is IAM?

Google Cloud offers Identity and Access Management, which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (identity) has what (roles) permission to which resources by setting IAM policies. IAM policies grant specific role(s) to a project member, giving the identity certain permissions. For example, for a given resource, such as a project, you can assign the roles/compute.networkAdmin role to a Google account and that account can control network-related resources in the project, but cannot manage other resources, like instances and disks.

Private Catalog IAM roles

With IAM, every API method in both the Private Catalog API and Private Catalog Producer API require that the identity making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account as a member of your project. In addition to the legacy roles, owner, editor, and viewer, you can assign the Private Catalog and Private Catalog Producer roles described in this page to the members of your project.

The following tables list the IAM roles available to Private Catalog users. The tables are organized into different roles.

Catalog Admin

Role name Description Includes permissions

Permissions to control over Private Catalog Producer resources and read permissions over association and target resources.

  • cloudprivatecatalogproducer.catalogs.create
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprivatecatalogproducer.catalogs.get
  • cloudprivatecatalogproducer.catalogs.update
  • cloudprivatecatalogproducer.catalogs.delete
  • cloudprivatecatalogproducer.catalogs.undelete
  • cloudprivatecatalogproducer.catalogs.getIamPolicy
  • cloudprivatecatalogproducer.catalogs.setIamPolicy
  • cloudprivatecatalogproducer.associations.create
  • cloudprivatecatalogproducer.associations.list
  • cloudprivatecatalogproducer.associations.get
  • cloudprivatecatalogproducer.associations.delete

Catalog Manager

Role name Description Includes permissions

Permissions to manage associations with Private Catalog Producer and target resources.

  • cloudprivatecatalog.targets.get
  • cloudprivatecatalogproducer.catalogs.get
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprivatecatalogproducer.targets.associate
  • cloudprivatecatalogproducer.targets.unassociate
  • cloudprivatecatalogproducer.associations.get
  • cloudprivatecatalogproducer.associations.list
  • cloudprivatecatalogproducer.associations.create
  • cloudprivatecatalogproducer.associations.delete

Catalog Consumer

Role name Description Includes permissions
roles/cloudprivatecatalog.consumer Permissions to browse catalogs under a target resource context.
  • cloudprivatecatalog.targets.get

Adding users to Private Catalog IAM roles

Users, Google Groups, or domains must have the resourcemanager.organizations.setIamPolicy permission on the organization to add users to the Private Catalog IAM roles. You can give a user or group that permission by granting them the Organization Administrator role (roles/resourcemanager.organizationAdmin).

For example, if your organization would like users granted the Catalog Admin role to also be able to add and remove users and groups from the other Private Catalog IAM roles, then an Organization Administrator can do the following:

  • Create a Google Group for the users (MyCompanyCatalogAdmins).
  • Assign the Google Group (MyCompanyCatalogAdmins) the Organization Administrator role.
  • Assign the Google Group (MyCompanyCatalogAdmins) the Catalog Admin role.

In the example, members of the Google Group (MyCompanyCatalogAdmins) can assign users and groups to IAM roles in the organization because the group has been granted the setIamPolicy permission when granted the Organization Administrator role. As new Catalog Administrators join the organization, add them to the Google Group (MyCompanyCatalogAdmins) to grant them the desired roles.

To add a user, group, or domain to a Private Catalog IAM role, follow these steps.

  1. Sign in to the Google Cloud Console IAM & admin page as an Organization Administrator.
    Go to the Cloud Console IAM & admin page
  2. Select Cloud Private Catalog from the side menu.
  3. Select the role to assign:
    • Catalog Admin
    • Catalog Manager
    • Catalog Consumer
  4. Specify the users, groups, or domains to add.

What's next