Storage Transfer Service provides permissions and roles to enable granular control of your data transfers. You can use these permissions and roles to restrict access to the particular individuals or business units that perform data transfers. You can also create custom IAM roles so that you can grant permissions that fit your project's requirements.
Before you begin
Read the IAM Overview of basic IAM concepts.
Read about the available IAM predefined roles.
Understand the IAM best practices for least privilege.
Enabling transfers and report creation for a business unit
In this scenario, a business unit needs to use Storage Transfer Service to transfer data. The business unit's IT department wants to configure Storage Transfer Service to allow:
- The IT department to start, monitor, and delete transfers.
- Employees in the business unit to start and monitor their transfers.
- Executives to see the business unit's Storage Transfer Service usage.
To accomplish these objectives, you grant the following roles:
| Role | Members | Description |
|---|---|---|
| roles/storagetransfer.admin | Business unit IT department employees | Granting IT staff the roles/storagetransfer.admin role allows them to perform common management tasks, such as monitoring and deleting transfers. |
| roles/storagetransfer.user | Employees of the business unit | Granting employees the roles/storagetransfer.user role allows them to submit transfers and to view the progress of transfers. They can also view the progress of transfers submitted by coworkers to the same project. However, they cannot delete transfer jobs. |
| roles/storagetransfer.viewer | Executives for the business unit, or auditors and security personnel | Granting executives the roles/storagetransfer.viewer role allows them to view all transfers, but not start or delete transfer jobs. |
Implementing this scenario
Your actions
Assign employees to the relevant roles:
- IT staff: roles/storagetransfer.admin
- Non-IT staff employees: roles/storagetransfer.user
- Executives: roles/storagetransfer.viewer
For step-by-step instructions, see the Grant access section of Granting, Changing, and Revoking Access to Resources.
Enabling transfers for a separate team that performs data retention
In this scenario, a business unit needs to use Storage Transfer Service to transfer data, but a separate team performs the data retention. The business unit's IT department wants to configure Storage Transfer Service to allow:
- A data retention team to view and delete jobs.
- The IT department to view transfers.
- Employees in the business unit to start and monitor their transfers.
- Executives to see the business unit's Storage Transfer Service usage.
To accomplish these objectives, you grant the following roles:
| Role | Members | Description |
|---|---|---|
| A custom role that grants the storagetransfer.jobs.delete and storagetransfer.jobs.list permissions | Members of the data retention team | Granting data retention staff a role with the storagetransfer.jobs.delete and storagetransfer.jobs.list permissions allows them to perform data retention tasks. |
| roles/storagetransfer.admin | Business unit IT department employees | Granting IT staff the roles/storagetransfer.admin role allows them to perform common management tasks, such as monitoring and deleting transfers. It also allows members to change the IAM policies for transfers. |
| roles/storagetransfer.user | Employees of the business unit | Granting employees the roles/storagetransfer.user role allows them to submit transfers and to view the progress of transfers. They can also view the progress of transfers submitted by coworkers to the same project. However, they cannot delete transfer jobs. |
| roles/storagetransfer.viewer | Executives for the business unit | Granting executives the roles/storagetransfer.viewer role allows them to view all transfers, but not start or delete transfer jobs. |
Implementing this scenario
Your actions
Do the following to implement the scenario:
Create a custom role for the data retention team that augments the roles/storagetransfer.viewer role by also granting the storagetransfer.jobs.delete permission.
For step-by-step instructions, see the Creating a custom role section of Creating and Managing Custom Roles.
Assign employees to the relevant roles:
- Data Retention staff: The custom role you created
- IT staff: roles/storagetransfer.admin
- Non-IT staff employees: roles/storagetransfer.user
- Executives: roles/storagetransfer.viewer
For step-by-step instructions, see the Grant access section of Granting, Changing, and Revoking Access to Resources.
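The following Terraform configuration is an added example, not code from the Google Cloud documentation; it implements both scenarios on this page (the predefined-role grants from the first scenario and the custom data retention role from the second) as reviewable infrastructure-as-code rather than console clicks. The project ID and the Google Group addresses are placeholders, and the role ID `stsDataRetention` is an assumed name. The custom role carries only the two permissions the page names (storagetransfer.jobs.list and storagetransfer.jobs.delete); if you want it to mirror roles/storagetransfer.viewer exactly, copy that role's permission list from `gcloud iam roles describe roles/storagetransfer.viewer` rather than guessing it.

```hcl
# Added example: Storage Transfer Service IAM for a business unit.
# Not from the Google Cloud docs; project ID, groups and role ID are placeholders.

variable "project_id" {
  type    = string
  default = "example-project-id" # placeholder, replace with your project
}

locals {
  # Assumed Google Groups. Bind groups, not individual users, so that staff
  # changes are handled by group membership instead of IAM policy edits.
  it_staff       = "group:sts-it@example.com"
  bu_employees   = "group:sts-users@example.com"
  executives     = "group:sts-viewers@example.com"
  retention_team = "group:sts-retention@example.com"
}

# Scenario 2 only: custom role for the data retention team.
# Deliberately excludes create/run permissions, so holders can list and
# delete transfer jobs but cannot start transfers.
resource "google_project_iam_custom_role" "sts_retention" {
  project     = var.project_id
  role_id     = "stsDataRetention" # assumed role ID
  title       = "Storage Transfer data retention"
  description = "List and delete transfer jobs; cannot create or run transfers"
  stage       = "GA"
  permissions = [
    "storagetransfer.jobs.list",
    "storagetransfer.jobs.delete",
  ]
}

# Predefined roles, common to both scenarios.
# Note that roles/storagetransfer.admin also lets members change the IAM
# policies for transfers, so keep this group small.
resource "google_project_iam_member" "it_admin" {
  project = var.project_id
  role    = "roles/storagetransfer.admin"
  member  = local.it_staff
}

resource "google_project_iam_member" "bu_user" {
  project = var.project_id
  role    = "roles/storagetransfer.user"
  member  = local.bu_employees
}

resource "google_project_iam_member" "exec_viewer" {
  project = var.project_id
  role    = "roles/storagetransfer.viewer"
  member  = local.executives
}

# Scenario 2 only: bind the custom role to the data retention team.
resource "google_project_iam_member" "retention" {
  project = var.project_id
  role    = google_project_iam_custom_role.sts_retention.name
  member  = local.retention_team
}
```

After `terraform apply`, confirm that the bindings match the tables above with `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --format="table(bindings.role,bindings.members)"`; any principal holding roles/storagetransfer.admin that is not in the IT group should be treated as a finding, since that role can also modify transfer IAM policies.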