Access control (IAM)

Role-based access control (RBAC) is a key differentiator between reCAPTCHA Enterprise and all prior versions of reCAPTCHA. Google Cloud offers Identity and Access Management (IAM), which enables you to give granular access to specific Google Cloud resources and prevents unwanted access to other resources, such as logs and analytics. This page describes the IAM roles for reCAPTCHA Enterprise.

To learn how to assign IAM roles to a user or service account, read Managing policies in the IAM documentation.

Roles and permissions

The following table lists the necessary IAM roles and their permissions for reCAPTCHA Enterprise:

| Role name | Role description | Role object | Role permissions |
| --- | --- | --- | --- |
| reCAPTCHA Enterprise Agent | Access to create and annotate reCAPTCHA Enterprise assessments. | `roles/recaptchaenterprise.agent` | `recaptchaenterprise.assessments.create`, `recaptchaenterprise.assessments.annotate` |
| reCAPTCHA Enterprise Admin | Access to view, modify, and delete reCAPTCHA Enterprise keys. | `roles/recaptchaenterprise.admin` | `recaptchaenterprise.viewer`, `recaptchaenterprise.keys.create`, `recaptchaenterprise.keys.delete`, `recaptchaenterprise.keys.update` |
| reCAPTCHA Enterprise Viewer | Access to view reCAPTCHA Enterprise keys. | `roles/recaptchaenterprise.viewer` | `recaptchaenterprise.keys.get`, `recaptchaenterprise.keys.list` |

Custom roles

You might require custom roles for use cases such as regulatory requirements. To create a custom role that includes reCAPTCHA Enterprise permissions, perform the appropriate action as shown in the following table:

| Role description | Action |
| --- | --- |
| Role that only grants permissions for the reCAPTCHA Enterprise API | Choose from the permissions in the API permissions section. |
| Role that grants permissions for the reCAPTCHA Enterprise API and console | Choose permission groups in the Roles and permissions section. |
| Role that grants the ability to create and annotate assessments | Include the permissions in the role `roles/recaptchaenterprise.agent` in the Roles and permissions section. |

For more information on custom roles, go to Creating and managing custom roles.

API permissions

The following table lists the permissions that the caller must have to call each method in the reCAPTCHA Enterprise API:

| Method (REST/RPC) | Required permission(s) | For resource type |
| --- | --- | --- |
| `recaptchaenterprise.assessments.annotate` / `AnnotateAssessmentRequest` | `recaptchaenterprise.assessments.annotate` | project |
| `recaptchaenterprise.assessments.create` / `CreateAssessmentRequest` | `recaptchaenterprise.assessments.create` | project |
| `recaptchaenterprise.keys.create` / `CreateKeyRequest` | `recaptchaenterprise.keys.create` | project |
| `recaptchaenterprise.keys.delete` / `DeleteKeyRequest` | `recaptchaenterprise.keys.delete` | project |
| `recaptchaenterprise.keys.get` / `GetKeyRequest` | `recaptchaenterprise.keys.get` | project |
| `recaptchaenterprise.keys.list` / `ListKeysRequest` | `recaptchaenterprise.keys.list` | project |
| `recaptchaenterprise.keys.update` / `UpdateKeyRequest` | `recaptchaenterprise.keys.update` | project |
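
An added example (not part of the original page and not Google's code) that applies the role and permission tables above to an IAM policy: for each member it reports permissions granted beyond a declared need and permissions the member lacks. The member names, project, and declared needs are constructed, and treating the Admin role's `recaptchaenterprise.viewer` entry as the Viewer permissions is an assumption.

```python
import json

P = "recaptchaenterprise."
# Permissions per predefined role, copied from the roles table on this page.
VIEWER = {P + "keys.get", P + "keys.list"}
ROLE_PERMS = {
    "roles/recaptchaenterprise.agent": {P + "assessments.create", P + "assessments.annotate"},
    # The page lists "recaptchaenterprise.viewer" under Admin; modelling that as
    # the Viewer permissions is an assumption of this example.
    "roles/recaptchaenterprise.admin": VIEWER | {P + "keys.create", P + "keys.delete", P + "keys.update"},
    "roles/recaptchaenterprise.viewer": VIEWER,
}

def granted(policy):
    """Map each member to the union of permissions from its reCAPTCHA Enterprise roles."""
    out = {}
    for binding in policy.get("bindings", []):
        perms = ROLE_PERMS.get(binding.get("role"))
        if perms is None:
            continue  # not one of the three predefined roles; out of scope here
        for member in binding.get("members", []):
            out.setdefault(member, set()).update(perms)
    return out

def audit(policy, needs):
    """Return {member: {"excess": [...], "missing": [...]}} for every member seen."""
    have = granted(policy)
    report = {}
    for member in sorted(set(have) | set(needs)):
        h, n = have.get(member, set()), set(needs.get(member, ()))
        report[member] = {"excess": sorted(h - n), "missing": sorted(n - h)}
    return report

# Constructed sample policy in the shape of an IAM policy's "bindings" list.
SA = "serviceAccount:web-backend@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/recaptchaenterprise.admin", "members": [SA]},
    {"role": "roles/recaptchaenterprise.viewer", "members": ["user:auditor@example.com"]},
    {"role": "roles/logging.viewer", "members": ["user:auditor@example.com"]},
]}
# Hypothetical declared needs: the backend only creates assessments.
SAMPLE_NEEDS = {SA: [P + "assessments.create"], "user:auditor@example.com": [P + "keys.list"]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, SAMPLE_NEEDS), indent=2))
```

In the sample, the backend bound to the Admin role holds all five key permissions it does not need and still lacks `recaptchaenterprise.assessments.create`, which only the Agent role carries in the table above.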