Grant discovery access to a service agent

This page describes how to grant the required role to a service agent so that it can be used to profile data at the organization or folder level.

Perform these tasks if both of the following conditions apply:

  • You created a scan configuration at the organization or folder level.
  • Sensitive Data Protection isn't generating any data profiles for the scan configuration. When you view the configuration details, you see the following error message:

    None of the driver projects (PROJECT_ID) have MISSING_PERMISSION
    permission for organizations/ORGANIZATION_ID.

Get the ID of the service agent

Get the service agent ID that is associated with your scan configuration:

  1. Go to the discovery scan configurations list.
  2. Select your scan configuration.
  3. On the details page that opens, copy the service agent ID. This ID is in the format of an email address.

Give your service agent ID to a Google Cloud administrator, who must then grant data profiling access to the service agent.

Grant data profiling access

This section describes how to grant access to a service agent so that it can be used to profile data at the organization or folder level.

Only someone who has the permissions to grant IAM roles to a service agent, such as a Google Cloud administrator, can perform these steps.

To complete these steps, you need the ID of the service agent that you want to grant data profiling access to.

To grant data profiling access at the organization or folder level, follow these steps:

  1. In the Google Cloud console, go to the IAM page.

  2. If you're in the project view, switch to the organization view. On the toolbar, click the project selector, and select your organization.

  3. Click Grant access.

  4. In the New principals field, enter the service agent ID.

  5. Grant the DLP Organization Data Profiles Driver role.

  6. Click Save.
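After the administrator saves the binding, it is worth confirming that the grant is in place before re-checking the scan configuration. The following script is an added example, not part of the Google Cloud documentation or tooling: it reads an organization or folder IAM policy exported with `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` (or the folder equivalent) and reports whether the service agent holds the DLP Organization Data Profiles Driver role. The role ID `roles/dlp.orgdriver` is assumed, and the embedded sample policy and service agent email are constructed placeholders.

```python
"""Check whether a Sensitive Data Protection service agent holds the
DLP Organization Data Profiles Driver role in an exported IAM policy."""
import json
import sys

# Assumed role ID for "DLP Organization Data Profiles Driver".
ORG_DRIVER_ROLE = "roles/dlp.orgdriver"


def find_driver_bindings(policy: dict, service_agent: str) -> dict:
    """Summarise how the service agent appears in the policy.

    policy: the JSON object from `gcloud organizations get-iam-policy`.
    Service agents are listed as 'serviceAccount:<email>' members.
    Returns has_role (binding found), conditional (binding carries a
    condition that may restrict it) and other_roles (any other roles
    the agent holds at this level).
    """
    member = f"serviceAccount:{service_agent}"
    result = {"has_role": False, "conditional": False, "other_roles": []}
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        if binding.get("role") == ORG_DRIVER_ROLE:
            result["has_role"] = True
            # A conditional grant may not apply to profiling; flag it
            # so the administrator can review the condition.
            result["conditional"] = "condition" in binding
        else:
            result["other_roles"].append(binding["role"])
    return result


# Constructed sample policy: the agent only has Viewer, and the driver
# role is bound to a different principal, so the check should fail.
SAMPLE_AGENT = "service-agent@example.iam.gserviceaccount.com"  # placeholder
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": [f"serviceAccount:{SAMPLE_AGENT}"]},
        {"role": ORG_DRIVER_ROLE, "members": ["user:admin@example.com"]},
    ]
}

if __name__ == "__main__":
    # Usage: python check_driver_role.py policy.json SERVICE_AGENT_ID
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 2 else SAMPLE_POLICY
    agent = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_AGENT
    print(json.dumps(find_driver_bindings(policy, agent), indent=2))
```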