Access control with IAM

App Optimize API uses Identity and Access Management (IAM) to control access to its resources, such as reports and operations. IAM lets you grant granular access to specific App Optimize API resources and helps prevent unwanted access to other resources.

This document describes the IAM permissions and roles that apply to App Optimize API.

Permissions overview

Permissions allow users to perform specific actions on App Optimize API resources. The following table lists the permissions for App Optimize API:

  • appoptimize.operations.cancel: Cancel a long-running operation.
  • appoptimize.operations.delete: Delete a long-running operation.
  • appoptimize.operations.get: Get the status of a long-running operation.
  • appoptimize.operations.list: List long-running operations.
  • appoptimize.reports.create: Create an App Optimize API report resource.
  • appoptimize.reports.delete: Delete an App Optimize API report resource.
  • appoptimize.reports.get: Read an App Optimize API report resource's configuration metadata. This does not grant access to report data.
  • appoptimize.reports.getData: Read the data contained within an App Optimize API report.
  • appoptimize.reports.list: List App Optimize API report resources in a project.

Predefined roles

IAM provides predefined roles that grant a set of related permissions. The following roles are available for App Optimize API and are described in the following subsections:

  • roles/appoptimize.admin (App Optimize Admin): Full control over App Optimize API reports and operations.
  • roles/appoptimize.viewer (App Optimize Viewer): Read access to App Optimize API report metadata, report data, and operations.

Because App Optimize API is in Preview, these roles might not be visible in the Google Cloud console. To grant these roles, use the Google Cloud CLI. If you haven't already done so, install and initialize the Google Cloud CLI.

To grant the App Optimize Admin role (roles/appoptimize.admin) to a user, run the following command:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:USER_EMAIL" \
    --role="roles/appoptimize.admin"

To grant the App Optimize Viewer role (roles/appoptimize.viewer) to a user, run the following command:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:USER_EMAIL" \
    --role="roles/appoptimize.viewer"

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project that will own the report resource.
  • USER_EMAIL: the email address of the user you want to grant the role to.

For more information on granting roles, see Manage access to projects, folders, and organizations.

App Optimize Admin

Grants full control over App Optimize API resources, and includes permissions granted to App Optimize Viewer.

  • Role name: roles/appoptimize.admin
  • Permissions included:
    • appoptimize.operations.*
    • appoptimize.reports.*

App Optimize Viewer

Grants permissions to read App Optimize API reports, their metadata, and operations.

  • Role name: roles/appoptimize.viewer
  • Permissions included:
    • appoptimize.operations.get
    • appoptimize.operations.list
    • appoptimize.reports.get
    • appoptimize.reports.getData
    • appoptimize.reports.list

Permissions to create reports

To create a report, a user, service account, or other principal must have:

  • The appoptimize.reports.create permission, typically granted by the App Optimize Admin (roles/appoptimize.admin) role, on the project where the report resource will be created.

  • The billing.resourceCosts.get permission on all the projects scoped in the report. This permission is provided by roles such as Billing Account Viewer (roles/billing.viewer) or the basic Viewer (roles/viewer).

  • The permissions to access the data sources encompassed by the report's scope, dimensions, and metrics. App Optimize API checks these permissions when the report is created. The roles that grant this data source access include:

    • For CPU and memory utilization metrics, the Monitoring Viewer (roles/monitoring.viewer) role on the scoped resources.

    • For App Hub application scopes and dimensions, the App Management Viewer (roles/apphub.appManagementViewer) role on the applications' App Hub host project.

    If you are generating a report on an App Hub application, which can be made up of multiple projects, you must have the required monitoring and billing permissions on all of the application's associated projects to create the report.

Permissions to read report data

Once a report has been successfully created, a principal needs only the following permission to read the generated data:

  • appoptimize.reports.getData on the project where the report was created, or on the report itself. This permission is included in the roles/appoptimize.viewer role.
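As an added example (not Google's code or part of the App Optimize API), the following Python models the create and read requirements from the two sections above so that a principal's grants can be checked for least privilege before the API call is made. The role-to-permission data covers only what this page states, and the project IDs and grants are constructed sample values.

```python
"""Least-privilege check for App Optimize API report creation and reads.

Added example, not Google's code. Role data is limited to what this page
lists; the real roles/viewer and roles/billing.viewer grant far more.
"""
from fnmatch import fnmatchcase

ROLE_PERMISSIONS = {
    "roles/appoptimize.admin": {"appoptimize.operations.*", "appoptimize.reports.*"},
    "roles/appoptimize.viewer": {
        "appoptimize.operations.get", "appoptimize.operations.list",
        "appoptimize.reports.get", "appoptimize.reports.getData",
        "appoptimize.reports.list",
    },
    # Only the single permission this page names for these two roles.
    "roles/billing.viewer": {"billing.resourceCosts.get"},
    "roles/viewer": {"billing.resourceCosts.get"},
}

def has_permission(roles, permission):
    """True if any held role covers the permission (wildcards such as appoptimize.reports.* included)."""
    return any(fnmatchcase(permission, p)
               for role in roles for p in ROLE_PERMISSIONS.get(role, ()))

def missing_for_create(grants, report_project, scoped_projects, utilization_metrics, apphub_host_project=""):
    """Return the gaps that would block a report create call; an empty list means the call is authorized.

    grants maps a project ID to the set of roles the principal holds on that project."""
    gaps = []
    if not has_permission(grants.get(report_project, set()), "appoptimize.reports.create"):
        gaps.append(f"{report_project}: appoptimize.reports.create")
    for project in scoped_projects:
        roles = grants.get(project, set())
        if not has_permission(roles, "billing.resourceCosts.get"):
            gaps.append(f"{project}: billing.resourceCosts.get")
        # The page states data-source access as a role, so it is checked at role level.
        if utilization_metrics and "roles/monitoring.viewer" not in roles:
            gaps.append(f"{project}: roles/monitoring.viewer")
    if apphub_host_project and "roles/apphub.appManagementViewer" not in grants.get(apphub_host_project, set()):
        gaps.append(f"{apphub_host_project}: roles/apphub.appManagementViewer")
    return gaps

def can_read_data(grants, report_project):
    """Reading an existing report's data needs only appoptimize.reports.getData."""
    return has_permission(grants.get(report_project, set()), "appoptimize.reports.getData")

# Constructed sample: admin on the report project, but only one of the two
# scoped projects carries the billing and monitoring roles.
SAMPLE_GRANTS = {
    "report-proj": {"roles/appoptimize.admin", "roles/viewer", "roles/monitoring.viewer"},
    "workload-a": {"roles/billing.viewer", "roles/monitoring.viewer"},
    "workload-b": {"roles/appoptimize.viewer"},
}
```

Running `missing_for_create(SAMPLE_GRANTS, "report-proj", ["workload-a", "workload-b"], True)` reports the two gaps on workload-b, which is exactly the case the create call would reject.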

What's next