Examples of IAM permissions and roles

Storage Transfer Service provides permissions and roles to enable granular control of your data transfers. You can use these permissions and roles to isolate access to particular individual or business units performing data transfer. You can also create custom IAM roles so that you can grant permissions that fit your project's requirements.

Before you begin

Enabling transfers and report creation for a business unit

In this scenario, a business unit needs to use Storage Transfer Service to transfer data. The business unit's IT department wants to configure Storage Transfer Service to allow:

  • The IT department to start, monitor, and delete transfers.
  • Employees in the business unit to start and monitor their transfers.
  • Executives to see the business unit's Storage Transfer Service usage.

To accomplish these objectives, you grant the following roles:

| Role | Members | Description |
| --- | --- | --- |
| roles/storagetransfer.admin | Business unit IT department employees | Granting IT staff the roles/storagetransfer.admin role allows them to perform common management tasks, such as monitoring and deleting transfers. |
| roles/storagetransfer.user | Employees of the business unit | Granting employees the roles/storagetransfer.user role allows them to submit transfers and to view the progress of transfers. They can also view the progress of transfers submitted by coworkers to the same project. However, they cannot delete transfer jobs. |
| roles/storagetransfer.viewer | Executives for the business unit, or auditors and security personnel | Granting executives the roles/storagetransfer.viewer role allows them to view all transfers, but not to start or delete transfer jobs. |

Implementing this scenario

Your actions

Assign employees to the relevant roles:

  • IT staff: roles/storagetransfer.admin
  • Non-IT staff employees: roles/storagetransfer.user
  • Executives: roles/storagetransfer.viewer

For step-by-step instructions, see the Grant access section of Granting, Changing, and Revoking Access to Resources.

Enabling transfers for a separate team that performs data retention

In this scenario, a business unit needs to use Storage Transfer Service to transfer data, but a separate team performs the data retention. The business unit's IT department wants to configure Storage Transfer Service to allow:

  • A data retention team to view and delete jobs.
  • The IT department to view transfers.
  • Employees in the business unit to start and monitor their transfers.
  • Executives to see the business unit's Storage Transfer Service usage.

To accomplish these objectives, you grant the following roles:

| Role | Members | Description |
| --- | --- | --- |
| A custom role that grants the storagetransfer.jobs.delete and storagetransfer.jobs.list permissions | Members of the data retention team | Granting data retention staff a role with the storagetransfer.jobs.delete and storagetransfer.jobs.list permissions allows them to perform data retention tasks. |
| roles/storagetransfer.admin | Business unit IT department employees | Granting IT staff the roles/storagetransfer.admin role allows them to perform common management tasks, such as monitoring and deleting transfers. It also allows members to change the IAM policies for transfers. |
| roles/storagetransfer.user | Employees of the business unit | Granting employees the roles/storagetransfer.user role allows them to submit transfers and to view the progress of transfers. They can also view the progress of transfers submitted by coworkers to the same project. However, they cannot delete transfer jobs. |
| roles/storagetransfer.viewer | Executives for the business unit | Granting executives the roles/storagetransfer.viewer role allows them to view all transfers, but not to start or delete transfer jobs. |

Implementing this scenario

Your actions

Do the following to implement the scenario:

  1. Create a custom role for the data retention team that augments the roles/storagetransfer.viewer role by also granting the storagetransfer.jobs.delete permission.

    For step-by-step instructions, see the Creating a custom role section of Creating and Managing Custom Roles.

  2. Assign employees to the relevant roles:

    • Data Retention staff: The custom role you created
    • IT staff: roles/storagetransfer.admin
    • Non-IT staff employees: roles/storagetransfer.user
    • Executives: roles/storagetransfer.viewer

    For step-by-step instructions, see the Grant access section of Granting, Changing, and Revoking Access to Resources.
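The two steps above carried out with the gcloud CLI, as an added example that is not part of the Storage Transfer Service documentation. The project ID, the group addresses and the custom role ID are placeholders; the permission set for the custom role is the one the scenario names.

```shell
#!/bin/sh
# Added example (not from the Storage Transfer Service docs): implements the
# "separate data retention team" scenario with gcloud.
# Assumptions/placeholders: PROJECT_ID, the group addresses, and the custom role ID.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder project
GCLOUD="${GCLOUD:-gcloud}"                  # GCLOUD=echo prints the commands instead of running them

# Custom role for the data retention team: only the two permissions the scenario
# calls for, so the team can list and delete jobs but not create or edit them.
RETENTION_ROLE_ID="dataRetentionOperator"   # assumed role ID
RETENTION_PERMISSIONS="storagetransfer.jobs.list,storagetransfer.jobs.delete"

create_retention_role() {
  "$GCLOUD" iam roles create "$RETENTION_ROLE_ID" --project="$PROJECT_ID" \
    --title="Data Retention Operator" \
    --description="List and delete Storage Transfer Service jobs" \
    --permissions="$RETENTION_PERMISSIONS" --stage=GA
}

# Bind one member (user:, group: or serviceAccount:) to one role at project level.
# --condition=None skips the interactive condition prompt so the script stays non-interactive.
bind_role() {
  member="$1"; role="$2"
  "$GCLOUD" projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$member" --role="$role" --condition=None
}

# Grant groups rather than individuals: staff changes then need no IAM policy edits.
apply_scenario() {
  bind_role "group:data-retention@example.com" "projects/$PROJECT_ID/roles/$RETENTION_ROLE_ID"
  bind_role "group:bu-it@example.com"          "roles/storagetransfer.admin"
  bind_role "group:bu-staff@example.com"       "roles/storagetransfer.user"
  bind_role "group:bu-execs@example.com"       "roles/storagetransfer.viewer"
}

# Review step: list who holds transfer-related roles, to confirm nothing unexpected was granted.
show_transfer_bindings() {
  "$GCLOUD" projects get-iam-policy "$PROJECT_ID" --flatten="bindings[].members" \
    --filter="bindings.role ~ storagetransfer OR bindings.role ~ $RETENTION_ROLE_ID" \
    --format="table(bindings.role,bindings.members)"
}

# Only acts when invoked as: sh grant_sts_roles.sh apply
if [ "${1:-}" = "apply" ]; then
  create_retention_role
  apply_scenario
  show_transfer_bindings
fi
```

Run it once with `GCLOUD=echo sh grant_sts_roles.sh apply` to review the exact commands before granting anything.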
