This page describes how you can control Recommendations AI access and permissions using Identity and Access Management (IAM).
Overview
Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Recommendations AI IAM roles and permissions. For a detailed description of Google Cloud IAM, see the IAM documentation.
Recommendations AI provides a set of predefined roles designed to help you easily control access to your Recommendations AI resources. You can also create your own custom roles, if the predefined roles do not provide the sets of permissions you need. In addition, the older basic roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the Recommendations AI roles. In particular, the basic roles provide access to resources across Google Cloud rather than just for Recommendations AI. See the basic roles documentation for more information.
Predefined roles
Recommendations AI provides some predefined roles you can use to provide finer-grained permissions to principals. The role you grant to a principal controls what actions the principal can take. Principals can be individuals, groups, or service accounts.
You can grant multiple roles to the same principal, and you can change the roles granted to a principal at any time, provided you have the permissions to do so.
The broader roles include the more narrowly defined roles. For example, the Recommendations AI Editor role includes all of the permissions of the Recommendations AI Viewer role, along with the additional permissions of the Recommendations AI Editor role. Likewise, the Recommendations AI Admin role includes all of the permissions of the Recommendations AI Editor role, along with its additional permissions.
The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Recommendations AI provide only Recommendations AI permissions, except for the following Google Cloud permissions, which are needed for general Google Cloud usage:
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.list
- serviceusage.services.get
The following table lists the predefined roles available for Recommendations AI, along with their Recommendations AI permissions:
Name | Recommendations AI permissions (automlrecommendations.) | Description |
---|---|---|
Project > Owner | All | Full access and control for all Google Cloud resources; manage user access and set up billing for a project |
Project > Editor | All automlrecommendations permissions except: apiKeys.list | Read-write access to all Google Cloud and Recommendations AI resources (except events.purge, events.rejoin and the ability to modify permissions and billing) |
Project > Viewer | *.get, *.list. Except: apiKeys.list | Read-only access to all Google Cloud resources, including Recommendations AI resources |
Recommendations AI Admin | All automlrecommendations permissions | Full control for all Cloud Recommendations AI. |
Recommendations AI Editor | catalogItems.create, catalogItems.delete, catalogItems.get, catalogItems.list, catalogItems.update, events.create, events.list, apiKeys.create, recommendations.create, recommendations.list, recommendations.pause, recommendations.resume, recommendations.update, placements.create, placements.list | Can read all Recommendations AI resources and write catalogItems, events, recommendations, apiKeys, placements except: apiKeys.delete, events.purge, events.rejoin, placements.delete, recommendations.delete, catalog.update |
Recommendations AI Admin Viewer | *.get, *.list, *.getStats | Read-only access to all Recommendations AI resources. Provides all permissions of the Recommendations AI Viewer role, plus the ability to list apiKeys. |
Recommendations AI Viewer | *.get, *.list, *.getStats. Except: apiKeys.list | Read-only access to all Recommendations AI resources, except for listing apiKeys. |
Managing Recommendations AI IAM
You can get and set IAM policies and roles using the Google Cloud Console, the IAM methods of the API, or the Recommendations AI. For more information, see Granting, Changing, and Revoking Access.
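The following audit sketch is an added example, not part of the Recommendations AI documentation. It applies the role table and the "broader roles include narrower roles" rule to an exported IAM policy in the standard `bindings` shape (the JSON form of a project IAM policy). The role IDs under `roles/automlrecommendations.` are assumed from the permission prefix on this page, and the sample policy and principals are constructed.

```python
# Role IDs below are ASSUMED from the automlrecommendations permission prefix;
# confirm them against the role list in your own project before relying on them.
P = "roles/automlrecommendations."
BASIC = {"roles/owner", "roles/editor", "roles/viewer"}  # apply across Google Cloud
# Roles the table credits with apiKeys.list (Owner = All, Admin = all, Admin Viewer).
CAN_LIST_KEYS = {"roles/owner", P + "admin", P + "adminViewer"}
# Broader role -> narrower roles whose permissions it already includes.
INCLUDES = {
    P + "admin": {P + "editor", P + "adminViewer", P + "viewer"},
    P + "editor": {P + "viewer"},
    P + "adminViewer": {P + "viewer"},
}

# Constructed sample policy; principals and project are placeholders.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:dev@example.com"]},
    {"role": P + "editor", "members": [
        "user:dev@example.com",
        "serviceAccount:ingest@example-project.iam.gserviceaccount.com"]},
    {"role": P + "viewer", "members": [
        "serviceAccount:ingest@example-project.iam.gserviceaccount.com",
        "group:analysts@example.com"]},
    {"role": P + "adminViewer", "members": ["group:analysts@example.com"]},
]}

def audit(policy):
    """Return (member, finding, detail) tuples for grants worth reviewing."""
    roles_by_member = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(binding["role"])
    findings = []
    for member, roles in sorted(roles_by_member.items()):
        for role in sorted(roles & BASIC):
            findings.append((member, "basic-role", role))
        for role in sorted(roles & CAN_LIST_KEYS):
            findings.append((member, "can-list-api-keys", role))
        for broad in sorted(roles & set(INCLUDES)):
            for narrow in sorted(roles & INCLUDES[broad]):
                findings.append((member, "redundant-grant",
                                 f"{narrow} (covered by {broad})"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(*finding, sep="  ")
```

A basic-role finding is the case to act on first: the principal can usually be moved to the matching Recommendations AI role so its access stops at Recommendations AI resources.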
What's next
- Learn how to grant and revoke access.
- Learn more about IAM.
- Learn more about basic roles.
- Learn more about custom roles.