Google Cloud offers Cloud Identity and Access Management (Cloud IAM), which lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud IAM roles for reCAPTCHA Enterprise.
To learn how to assign Cloud IAM roles to a user or service account, read Managing policies in the Cloud IAM documentation.
Permissions and roles
This section summarizes the permissions and roles reCAPTCHA Enterprise supports.
API permissions
The following table lists the permissions that the caller must have to call each
method in the reCAPTCHA Enterprise API, recaptchaenterprise.googleapis.com/v1:
| Method (REST/RPC) | Required Permission(s) | For resource type |
|---|---|---|
recaptchaenterprise.assessments.annotate / AnnotateAssessmentRequest |
recaptchaenterprise.assessments.annotate |
project |
recaptchaenterprise.assessments.create / CreateAssessmentRequest |
recaptchaenterprise.assessments.create |
project |
recaptchaenterprise.keys.create / CreateKeyRequest |
recaptchaenterprise.keys.create |
project |
recaptchaenterprise.keys.delete / DeleteKeyRequest |
recaptchaenterprise.keys.delete |
project |
recaptchaenterprise.keys.get / GetKeyRequest |
recaptchaenterprise.keys.get |
project |
recaptchaenterprise.keys.list / ListKeysRequest |
recaptchaenterprise.keys.list |
project |
recaptchaenterprise.keys.update / UpdateKeyRequest |
recaptchaenterprise.keys.update |
project |
Roles
Cloud IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for reCAPTCHA Enterprise:
| Role name | reCAPTCHA Enterprise permissions | Description |
|---|---|---|
roles/recaptchaenterprise.agentCloud reCAPTCHA Enterprise Agent |
recaptchaenterprise.assessments.createrecaptchaenterprise.assessments.annotate |
Access to create and annotate reCAPTCHA Enterprise assessments. |
roles/recaptchaenterprise.viewerCloud reCAPTCHA Enterprise Viewer |
recaptchaenterprise.keys.getrecaptchaenterprise.keys.list |
Access to view reCAPTCHA Enterprise keys. |
roles/recaptchaenterprise.adminCloud reCAPTCHA Enterprise Admin |
Permissions in recaptchaenterprise.viewer, plus:recaptchaenterprise.keys.createrecaptchaenterprise.keys.deleterecaptchaenterprise.keys.update |
Access to view and modify reCAPTCHA Enterprise keys. |
Custom roles
To create a custom role that includes reCAPTCHA Enterprise permissions, do the following:
- For a role granting permissions only for the reCAPTCHA Enterprise API, choose from the permissions in the preceding section, API permissions.
- For a role granting permissions for the reCAPTCHA Enterprise API and console, choose permission groups in the preceding section, Console permissions.
- To grant the ability to create and annotate assessments, include the
permission(s) in the role
roles/recaptchaenterprise.agentin the section Roles.
For more information on custom roles, go to Creating and managing custom roles.