Identity and access management (IAM)

This page describes how you can control CTS access and permissions using Identity and Access Management (IAM).

Overview

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Cloud Talent Solution IAM roles and permissions. For a detailed description of Google Cloud Platform IAM, see the IAM documentation.

CTS provides a set of predefined roles designed to help you easily control access to your CTS resources. You can also create your own custom roles, if the predefined roles do not provide the sets of permissions you need. In addition, the legacy primitive roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the CTS roles. In particular, the primitive roles provide access to resources across Google Cloud Platform rather than just for CTS. See the primitive roles documentation for more information.

The table below outlines the predefined roles available for Job Search and Profile Search (Beta) in addition to the primitive roles. Contact us if you're interested in participating in Profile Search.

| Role | Description |
|---|---|
| Admin | Allows users to access the Google Cloud Platform Management tools only. |
| jobsEditor | Allows Job Search users to create, modify or delete job or company content. |
| jobsViewer | Allows read-only access to job or company content in Job Search. |
| profilesEditor | Allows Profile Search users to create, modify or delete profile or tenant content. |
| profilesViewer | Allows read-only access to profile or tenant content in Profile Search. |

Predefined roles

CTS provides predefined roles you can use to provide finer-grained permissions to project members. The role you grant to a project member controls what actions the member can take. Project members can be individuals, groups, or service accounts.

You can grant multiple roles to the same project member, and you can change the roles granted to a project member at any time, provided you have the permissions to do so.

The broader roles include the more narrowly defined roles. For example, the jobsEditor role includes all of the permissions of the jobsViewer role, along with the additional permissions of the jobsEditor role.

The primitive roles (Owner, Editor, Viewer) provide permissions across Google Cloud Platform. The roles specific to CTS provide only CTS permissions, except for the following GCP permissions, which are needed for general GCP usage:

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
  • serviceusage.services.get

The following table lists the predefined roles available for CTS, along with their permissions:

| Role | Name | CTS permissions | Description |
|---|---|---|---|
| roles/owner | Owner | cloudjobdiscovery.* | Full access and control for all Google Cloud Platform resources; manage user access and set up billing for a project. |
| roles/editor | Editor | All cloudjobdiscovery permissions except: cloudjobdiscovery.tools.*, iam.serviceAccounts.list | Read-write access to all GCP and CTS resources except the ability to modify permissions and billing. |
| roles/viewer | Viewer | cloudjobdiscovery.*.get, cloudjobdiscovery.*.list, cloudjobdiscovery.*.search, resourcemanager.projects.get, resourcemanager.projects.list | Read-only access to all GCP resources, including Cloud Talent Solution resources. |
| roles/cloudjobdiscovery.admin | Cloud Talent Solution Admin | cloudjobdiscovery.tools.*, iam.serviceAccounts.list, resourcemanager.projects.get, resourcemanager.projects.list | Access to Cloud Talent Solution self-service tools. |
| roles/cloudjobdiscovery.jobsEditor | Job Search Editor | cloudjobdiscovery.companies.*, cloudjobdiscovery.events.*, cloudjobdiscovery.jobs.*, resourcemanager.projects.list, resourcemanager.projects.get | Write access to all Job Search data. |
| roles/cloudjobdiscovery.jobsViewer | Job Search Viewer | cloudjobdiscovery.companies.get, cloudjobdiscovery.companies.list, cloudjobdiscovery.jobs.get, cloudjobdiscovery.jobs.search, resourcemanager.projects.get, resourcemanager.projects.list | Read-only access to all Job Search resources. |
| roles/cloudjobdiscovery.profilesEditor | Profile Search Editor | cloudjobdiscovery.profiles.*, cloudjobdiscovery.events.*, cloudjobdiscovery.tenants.*, resourcemanager.projects.list, resourcemanager.projects.get | Write access to all Profile Search data. |
| roles/cloudjobdiscovery.profilesViewer | Profile Search Viewer | cloudjobdiscovery.profiles.get, cloudjobdiscovery.profiles.search, cloudjobdiscovery.tenants.get, resourcemanager.projects.get, resourcemanager.projects.list | Read-only access to all Profile Search resources. |

Managing CTS IAM

You can get and set IAM policies and roles using the Google Cloud Platform Console, IAM API methods, or the Cloud Talent Solution APIs themselves. For more information, see Granting, Changing, and Revoking Access to Project Members.
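As an added example (not part of the original documentation), the following Python sketch audits a project IAM policy against the role table above: it flags primitive-role grants and viewer grants already covered by an editor grant, and picks the narrowest predefined CTS role for a set of required permissions. The member names, the sample policy and the `cloudjobdiscovery.jobs.create` permission used in the demo are constructed or assumed for illustration.

```python
from fnmatch import fnmatchcase

# CTS permission patterns per predefined role, copied from the table on this page
# (shared resourcemanager.* entries omitted), ordered narrowest to broadest.
P, R = "cloudjobdiscovery.", "roles/cloudjobdiscovery."
CTS_ROLES = {
    R + "jobsViewer": [P + "companies.get", P + "companies.list", P + "jobs.get", P + "jobs.search"],
    R + "profilesViewer": [P + "profiles.get", P + "profiles.search", P + "tenants.get"],
    R + "jobsEditor": [P + "companies.*", P + "events.*", P + "jobs.*"],
    R + "profilesEditor": [P + "profiles.*", P + "events.*", P + "tenants.*"],
    R + "admin": [P + "tools.*", "iam.serviceAccounts.list"],
}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Each editor role includes everything its viewer counterpart grants.
INCLUDES = {R + "jobsEditor": R + "jobsViewer", R + "profilesEditor": R + "profilesViewer"}

def narrowest_role(needed):
    """Return the first (narrowest) CTS role covering every needed permission, or None."""
    for role, patterns in CTS_ROLES.items():
        if all(any(fnmatchcase(perm, pat) for pat in patterns) for perm in needed):
            return role
    return None

def audit(policy):
    """Flag primitive-role grants and viewer grants made redundant by an editor grant."""
    held = {}
    for binding in policy.get("bindings", []):
        for member in binding["members"]:
            held.setdefault(member, set()).add(binding["role"])
    findings = []
    for member, roles in sorted(held.items()):
        for role in sorted(roles & PRIMITIVE_ROLES):
            findings.append((member, role, "primitive role: grants access beyond CTS"))
        for editor, viewer in INCLUDES.items():
            if {editor, viewer} <= roles:
                findings.append((member, viewer, "redundant: included in " + editor))
    return findings

# Constructed sample in the bindings shape of a project IAM policy (JSON).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:indexer@example-project.iam.gserviceaccount.com"]},
    {"role": R + "jobsEditor", "members": ["user:recruiter@example.com"]},
    {"role": R + "jobsViewer",
     "members": ["user:recruiter@example.com", "group:careers-site@example.com"]},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(finding)
    print(narrowest_role([P + "jobs.create"]))  # assumed permission name under jobs.*
```

When `narrowest_role` returns `None`, no single predefined CTS role covers the request, which is the case for multiple narrow roles or a custom role rather than a primitive one.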
