Important: Recommendations AI has migrated to the Retail API, which is now generally available.

The Recommendations AI API (service endpoint and this documentation set remain available, but they will no longer be updated. We recommend migrating your recommendations to the Retail API (service endpoint See the new documentation:

Identity and Access Management (IAM)

This page describes how you can control Recommendations AI access and permissions using Identity and Access Management (IAM).


Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Recommendations AI IAM roles and permissions. For a detailed description of Google Cloud IAM, see the IAM documentation.

Recommendations AI provides a set of predefined roles designed to help you easily control access to your Recommendations AI resources. You can also create your own custom roles, if the predefined roles do not provide the sets of permissions you need. In addition, the older basic roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the Recommendations AI roles. In particular, the basic roles provide access to resources across Google Cloud rather than just for Recommendations AI. See the basic roles documentation for more information.

Predefined roles

Recommendations AI provides some predefined roles you can use to provide finer-grained permissions to project members. The role you grant to a project member controls what actions the member can take. Project members can be individuals, groups, or service accounts.

You can grant multiple roles to the same project member, and you can change the roles granted to a project member at any time, provided you have the permissions to do so.

The broader roles include the more narrowly defined roles. For example, the Recommendations AI Editor role includes all of the permissions of the Recommendations AI Viewer role, along with the addition permissions of the Recommendations AI Editor role. Likewise, the Recommendations AI Admin role includes all of the permissions of the Recommendations AI Editor role, along with its additional permissions.

The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Recommendations AI provide only Recommendations AI permissions, except for the following Google Cloud (Google Cloud) permissions, which are needed for general Google Cloud usage:

  • resourcemanager.projects.get
  • resourcemanager.projects.list

The following table lists the predefined roles available for Recommendations AI, along with their Recommendations AI permissions:

Name Recommendations AI permissions
Project > Owner All automlrecommendations permissions Full access and control for all Google Cloud resources; manage user access and set up billing for a project
Project > Editor All automlrecommendations permissions except:
Read-write access to all Google Cloud and Recommendations AI resources (except events.purge, events.rejoin and the ability to modify permissions and billing)
Project > Viewer *.get
Read-only access to all Google Cloud resources, including Recommendations AI resources
Recommendations AI Admin All automlrecommendations permissions Full control for all Cloud Recommendations AI.
Recommendations AI Editor catalogItems.create
Can read all Recommendations AI resources and write catalogItems, events, recommendations, apiKeys, placements except:
Recommendations AI Admin Viewer *.get
Read-only access to all Recommendations AI resources. Provides all permissions of the Recommendations AI Viewer role, plus the ability to list apiKeys.
Recommendations AI Viewer *.get
Read-only access to all Recommendations AI resources, except for listing apiKeys.

Managing Recommendations AI IAM

You can get and set IAM policies and roles using the Google Cloud Console, the IAM methods of the API, or the Recommendations AI. For more information, see Granting, Changing, and Revoking Access to Project Members.

What's next