Access control with IAM

It is common for multiple team members to collaborate on building an agent, and for other services to call the agent. IAM roles let you control which permissions each of these principals (users and service accounts) receives.

You configure access with Identity and Access Management (IAM) in the Google Cloud console, where you grant IAM roles to principals. See the IAM quickstart for detailed instructions on adding, editing, and removing permissions.

To access the settings, open the IAM page in the Google Cloud console.

Add a user or service account to the project

You grant permissions to users or service accounts by granting them roles on your Google Cloud project. Both kinds of principal are identified by their email address. Because roles are granted per project, you need to add a service account to each project explicitly when you want to use one service account across multiple projects. To find the email address associated with your service account, see the IAM Service Accounts page in the Google Cloud console.

Add a principal

To add a principal, do the following:

  1. Click at the top of the page.
  2. Enter the principal's email address.
  3. Select a role.
  4. Click Save.

Change permissions

To change permissions, do the following:

  1. Click for the principal.
  2. Select a different role.
  3. Click Save.

Remove a principal

To remove a principal, click for the principal.

IAM roles

The following predefined roles are available for access to CX Agent Studio. Each role is listed with its base roles, whose permissions it inherits, and the additional permissions it grants on top of them.

Gemini Enterprise for Customer Experience Admin (ces.googleapis.com/admin)

This provides full access to resources.

Base roles:

  • ces.googleapis.com/viewer
  • ces.googleapis.com/client
  • contactcenterinsights.googleapis.com/admin

Additional permissions:

  • ces.googleapis.com/operations.delete
  • ces.googleapis.com/operations.cancel
  • ces.googleapis.com/apps.create
  • ces.googleapis.com/apps.update
  • ces.googleapis.com/apps.delete
  • ces.googleapis.com/apps.import
  • ces.googleapis.com/apps.export
  • ces.googleapis.com/apps.runEvaluation
  • ces.googleapis.com/agents.create
  • ces.googleapis.com/agents.update
  • ces.googleapis.com/agents.updateCallbacks
  • ces.googleapis.com/agents.updateInstructions
  • ces.googleapis.com/agents.updateTools
  • ces.googleapis.com/agents.updateGeneral
  • ces.googleapis.com/agents.delete
  • ces.googleapis.com/examples.create
  • ces.googleapis.com/examples.update
  • ces.googleapis.com/examples.delete
  • ces.googleapis.com/tools.create
  • ces.googleapis.com/tools.update
  • ces.googleapis.com/tools.delete
  • ces.googleapis.com/guardrails.create
  • ces.googleapis.com/guardrails.update
  • ces.googleapis.com/guardrails.delete
  • ces.googleapis.com/toolsets.create
  • ces.googleapis.com/toolsets.update
  • ces.googleapis.com/toolsets.delete
  • ces.googleapis.com/deployments.create
  • ces.googleapis.com/deployments.update
  • ces.googleapis.com/deployments.delete
  • ces.googleapis.com/conversations.delete
  • ces.googleapis.com/evaluations.create
  • ces.googleapis.com/evaluations.update
  • ces.googleapis.com/evaluations.delete
  • ces.googleapis.com/evaluationResults.delete
  • ces.googleapis.com/evaluationDatasets.create
  • ces.googleapis.com/evaluationDatasets.update
  • ces.googleapis.com/evaluationDatasets.delete
  • ces.googleapis.com/evaluationRuns.delete
  • ces.googleapis.com/scheduledEvaluationRuns.create
  • ces.googleapis.com/scheduledEvaluationRuns.update
  • ces.googleapis.com/scheduledEvaluationRuns.delete
  • ces.googleapis.com/appVersions.create
  • ces.googleapis.com/appVersions.delete
  • ces.googleapis.com/appVersions.restore
  • ces.googleapis.com/omnichannels.create
  • ces.googleapis.com/omnichannels.update
  • ces.googleapis.com/omnichannels.delete
  • ces.googleapis.com/apps.createTagBinding
  • ces.googleapis.com/apps.deleteTagBinding
  • ces.googleapis.com/apps.listTagBindings
  • ces.googleapis.com/apps.listEffectiveTags
  • ces.googleapis.com/assistantSessions.create
  • ces.googleapis.com/routes.create
  • ces.googleapis.com/routes.update
  • ces.googleapis.com/routes.delete
  • ces.googleapis.com/endpointConfigs.create
  • ces.googleapis.com/endpointConfigs.update
  • ces.googleapis.com/endpointConfigs.delete
  • ces.googleapis.com/sipDomains.create
  • ces.googleapis.com/sipDomains.update
  • ces.googleapis.com/sipDomains.delete
  • ces.googleapis.com/securitySettings.update

Gemini Enterprise for Customer Experience Viewer (ces.googleapis.com/viewer)

This provides read-only access to resources.

Base roles:

  • contactcenterinsights.googleapis.com/viewer

Additional permissions:

  • cloudresourcemanager.googleapis.com/projects.get
  • cloudresourcemanager.googleapis.com/projects.list
  • ces.googleapis.com/operations.list
  • ces.googleapis.com/operations.get
  • ces.googleapis.com/locations.list
  • ces.googleapis.com/locations.get
  • ces.googleapis.com/apps.list
  • ces.googleapis.com/apps.get
  • ces.googleapis.com/agents.list
  • ces.googleapis.com/agents.get
  • ces.googleapis.com/examples.list
  • ces.googleapis.com/examples.get
  • ces.googleapis.com/tools.list
  • ces.googleapis.com/tools.get
  • ces.googleapis.com/guardrails.list
  • ces.googleapis.com/guardrails.get
  • ces.googleapis.com/toolsets.list
  • ces.googleapis.com/toolsets.get
  • ces.googleapis.com/deployments.list
  • ces.googleapis.com/deployments.get
  • ces.googleapis.com/conversations.list
  • ces.googleapis.com/conversations.get
  • ces.googleapis.com/appVersions.list
  • ces.googleapis.com/appVersions.get
  • ces.googleapis.com/evaluations.list
  • ces.googleapis.com/evaluations.get
  • ces.googleapis.com/evaluationResults.list
  • ces.googleapis.com/evaluationResults.get
  • ces.googleapis.com/evaluationDatasets.list
  • ces.googleapis.com/evaluationDatasets.get
  • ces.googleapis.com/evaluationRuns.list
  • ces.googleapis.com/evaluationRuns.get
  • ces.googleapis.com/scheduledEvaluationRuns.list
  • ces.googleapis.com/scheduledEvaluationRuns.get
  • ces.googleapis.com/changelogs.list
  • ces.googleapis.com/changelogs.get
  • ces.googleapis.com/omnichannels.get
  • ces.googleapis.com/omnichannels.list
  • ces.googleapis.com/apps.listTagBindings
  • ces.googleapis.com/apps.listEffectiveTags
  • ces.googleapis.com/assistantSessions.list
  • ces.googleapis.com/assistantSessions.get
  • ces.googleapis.com/routes.list
  • ces.googleapis.com/routes.get
  • ces.googleapis.com/endpointConfigs.list
  • ces.googleapis.com/endpointConfigs.get
  • ces.googleapis.com/sipDomains.list
  • ces.googleapis.com/sipDomains.get
  • ces.googleapis.com/securitySettings.get

Gemini Enterprise for Customer Experience Client (ces.googleapis.com/client)

This provides query access to agents (running sessions and executing tools). It has no base roles and does not include read access to the agent configuration.

Permissions:

  • ces.googleapis.com/sessions.runSession
  • ces.googleapis.com/sessions.bidiRunSession
  • ces.googleapis.com/tools.execute

Gemini Enterprise for Customer Experience App Editor (ces.googleapis.com/appEditor)

Full control over app-level settings. Manages global logging, audio/voice configurations, storage buckets, and app versions.

Base roles:

  • ces.googleapis.com/viewer

Additional permissions:

  • ces.googleapis.com/apps.create
  • ces.googleapis.com/apps.update
  • ces.googleapis.com/apps.delete
  • ces.googleapis.com/apps.import
  • ces.googleapis.com/apps.export
  • ces.googleapis.com/apps.runEvaluation
  • ces.googleapis.com/apps.createTagBinding
  • ces.googleapis.com/apps.deleteTagBinding
  • ces.googleapis.com/appVersions.create
  • ces.googleapis.com/appVersions.delete
  • ces.googleapis.com/appVersions.restore

Gemini Enterprise for Customer Experience Agent Editor (ces.googleapis.com/agentEditor)

Full control over Agent node structures, flows, instructions, and callbacks. Can add/remove tools from agents (but not create new tools).

Base roles:

  • ces.googleapis.com/viewer
  • ces.googleapis.com/client

Additional permissions:

  • ces.googleapis.com/agents.create
  • ces.googleapis.com/agents.update
  • ces.googleapis.com/agents.updateCallbacks
  • ces.googleapis.com/agents.updateInstructions
  • ces.googleapis.com/agents.updateTools
  • ces.googleapis.com/agents.updateGeneral
  • ces.googleapis.com/agents.delete
  • ces.googleapis.com/examples.create
  • ces.googleapis.com/examples.update
  • ces.googleapis.com/examples.delete

Gemini Enterprise for Customer Experience Tools Editor (ces.googleapis.com/toolsEditor)

Full control over Tools, Toolsets, and Integrations.

Base roles:

  • ces.googleapis.com/viewer
  • ces.googleapis.com/client

Additional permissions:

  • ces.googleapis.com/tools.create
  • ces.googleapis.com/tools.update
  • ces.googleapis.com/tools.delete
  • ces.googleapis.com/toolsets.create
  • ces.googleapis.com/toolsets.update
  • ces.googleapis.com/toolsets.delete

Gemini Enterprise for Customer Experience Guardrails Editor (ces.googleapis.com/guardrailsEditor)

Full control over safety settings and guardrails.

Base roles:

  • ces.googleapis.com/viewer
  • ces.googleapis.com/client

Additional permissions:

  • ces.googleapis.com/guardrails.create
  • ces.googleapis.com/guardrails.update
  • ces.googleapis.com/guardrails.delete

Gemini Enterprise for Customer Experience Evals Editor (ces.googleapis.com/evalsEditor)

Full control over Evaluation datasets, runs, and results.

Base roles:

  • ces.googleapis.com/viewer
  • ces.googleapis.com/client

Additional permissions:

  • ces.googleapis.com/evaluations.create
  • ces.googleapis.com/evaluations.update
  • ces.googleapis.com/evaluations.delete
  • ces.googleapis.com/evaluationResults.delete
  • ces.googleapis.com/evaluationDatasets.create
  • ces.googleapis.com/evaluationDatasets.update
  • ces.googleapis.com/evaluationDatasets.delete
  • ces.googleapis.com/evaluationRuns.delete
  • ces.googleapis.com/scheduledEvaluationRuns.create
  • ces.googleapis.com/scheduledEvaluationRuns.update
  • ces.googleapis.com/scheduledEvaluationRuns.delete

Gemini Enterprise for Customer Experience Security Settings Editor (ces.googleapis.com/securitySettingsEditor)

Full control over project-wide Security Settings.

Base roles:

  • ces.googleapis.com/viewer

Additional permissions:

  • ces.googleapis.com/securitySettings.update

Gemini Enterprise for Customer Experience Deployment Editor (ces.googleapis.com/deploymentEditor)

Ability to manage environments and deploy specific App Versions to them.

Base roles:

  • ces.googleapis.com/viewer

Additional permissions:

  • ces.googleapis.com/deployments.create
  • ces.googleapis.com/deployments.update
  • ces.googleapis.com/deployments.delete

Customer Experience Insights

CX Agent Studio integrates with CX Insights, and you must provide the following CX Insights permissions to principals that access CX Agent Studio:

  • contactcenterinsights.googleapis.com/conversations.get
  • contactcenterinsights.googleapis.com/conversations.list

These permissions are included automatically through the base roles of ces.googleapis.com/admin (contactcenterinsights.googleapis.com/admin) and ces.googleapis.com/viewer (contactcenterinsights.googleapis.com/viewer), and therefore by every role that builds on ces.googleapis.com/viewer. However, if you define custom roles, be sure to include these permissions in the custom role definitions.

Alternatively, you can grant one of the following CX Insights roles to relevant principals:

  • contactcenterinsights.googleapis.com/viewer: Provides read-only access to conversations
  • contactcenterinsights.googleapis.com/admin: Grants full access to conversations
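The roles above are built by composition: an editor role inherits everything in its base roles, so a grant of ces.googleapis.com/deploymentEditor also carries the Customer Experience Insights conversation permissions through ces.googleapis.com/viewer, and ces.googleapis.com/admin carries far more than most workloads need. The following Python script is an added example, not part of this documentation or the product. It flattens the role definitions transitively and picks the role combination that covers a workload's permissions while granting the fewest permissions overall. The ROLES table is transcribed from this page but abbreviated to a subset of each role's permissions, and the two contactcenterinsights roles are modelled only with the conversation permissions this page names for them; the two workloads are constructed for illustration. Extend ROLES with the full lists before relying on the result.

```python
"""Resolve the effective permissions of the CX Agent Studio roles and pick the
narrowest role set for a workload.

Added example, not part of this documentation or the product. ROLES is
transcribed from the lists on this page but abbreviated; the
contactcenterinsights roles carry only the two conversation permissions
this page names for them.
"""
from itertools import combinations

CCI = "contactcenterinsights.googleapis.com/"
CES = "ces.googleapis.com/"

# role -> (base roles whose permissions it inherits, permissions it adds)
ROLES = {
    CCI + "viewer": ((), {CCI + "conversations.get", CCI + "conversations.list"}),
    CCI + "admin": ((), {CCI + "conversations.get", CCI + "conversations.list"}),
    CES + "viewer": ((CCI + "viewer",), {CES + p for p in (
        "apps.get", "apps.list", "agents.get", "agents.list",
        "appVersions.get", "appVersions.list", "deployments.get",
        "deployments.list", "conversations.get", "conversations.list",
        "securitySettings.get")}),
    CES + "client": ((), {CES + p for p in (
        "sessions.runSession", "sessions.bidiRunSession", "tools.execute")}),
    CES + "appEditor": ((CES + "viewer",), {CES + p for p in (
        "apps.create", "apps.update", "apps.delete", "apps.import", "apps.export",
        "appVersions.create", "appVersions.delete", "appVersions.restore")}),
    CES + "deploymentEditor": ((CES + "viewer",), {CES + p for p in (
        "deployments.create", "deployments.update", "deployments.delete")}),
    CES + "agentEditor": ((CES + "viewer", CES + "client"), {CES + p for p in (
        "agents.create", "agents.update", "agents.updateTools", "agents.delete")}),
    CES + "admin": ((CES + "viewer", CES + "client", CCI + "admin"), {CES + p for p in (
        "apps.create", "apps.update", "apps.delete", "appVersions.create",
        "appVersions.delete", "appVersions.restore", "agents.create",
        "agents.update", "agents.delete", "deployments.create",
        "deployments.update", "deployments.delete", "conversations.delete",
        "securitySettings.update")}),
}


def effective_permissions(role, _seen=None):
    """Flatten a role into the full permission set a grant of it confers,
    following base roles transitively (admin -> viewer -> CCI viewer)."""
    seen = set() if _seen is None else _seen
    if role in seen:                 # tolerate a cyclic definition
        return frozenset()
    seen.add(role)
    bases, perms = ROLES[role]
    granted = set(perms)
    for base in bases:
        granted |= effective_permissions(base, seen)
    return frozenset(granted)


def excess_permissions(roles, needed):
    """Permissions a set of roles grants beyond what the workload needs."""
    granted = frozenset().union(*(effective_permissions(r) for r in roles))
    return granted - frozenset(needed)


def least_privilege_roles(needed, candidates=None):
    """Return the role combination that covers every needed permission while
    granting the fewest total permissions (ties: fewer roles, then name order).
    Returns None when no combination of candidate roles covers the request."""
    needed = frozenset(needed)
    candidates = sorted(candidates or ROLES)
    perms = {r: effective_permissions(r) for r in candidates}
    best = None
    for k in range(1, len(candidates) + 1):
        for combo in combinations(candidates, k):
            granted = frozenset().union(*(perms[r] for r in combo))
            if not needed <= granted:
                continue
            key = (len(granted), len(combo), combo)
            if best is None or key < best:
                best = key
    return None if best is None else best[2]


# Constructed workloads: what a CI release job and a chat front end actually call.
RELEASE_PIPELINE_NEEDS = {CES + "appVersions.create", CES + "deployments.update",
                          CES + "deployments.get"}
CHAT_FRONTEND_NEEDS = {CES + "sessions.runSession"}

if __name__ == "__main__":
    for name, needs in (("release pipeline", RELEASE_PIPELINE_NEEDS),
                        ("chat front end", CHAT_FRONTEND_NEEDS)):
        roles = least_privilege_roles(needs)
        print(f"{name}: grant {roles}; admin would over-grant "
              f"{len(excess_permissions([CES + 'admin'], needs))} permissions "
              f"vs {len(excess_permissions(roles, needs))}")
```

With the abbreviated table, the release pipeline ends up with ces.googleapis.com/appEditor plus ces.googleapis.com/deploymentEditor rather than admin, and the chat front end with ces.googleapis.com/client alone. The search minimises the number of permissions granted, not the number of roles; minimising roles would always choose admin, which is the opposite of least privilege.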

In addition to granting roles, you may need to complete the Discovery Engine setup steps.

Requests that involve Cloud Storage access

Some CX Agent Studio requests read or write objects in Cloud Storage. When you call one of these requests, CX Agent Studio accesses the Cloud Storage data on the caller's behalf, so the credentials that authenticate your request must carry permissions for both CX Agent Studio and the Cloud Storage objects involved.

When using a Google client library and IAM roles, see the Cloud Storage access control guide for information on Cloud Storage roles.

When implementing your own client and using OAuth, you must use the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform (access to all project resources)

Add a condition to restrict access to one agent application

When adding or editing a principal, you can create conditional role bindings that restrict access to one agent application.

The following condition grants access to a specific agent application, together with the top-level resources within the project that the agent application needs. Note that startsWith is a plain prefix match, so the apps clause also matches any other application in the same location whose ID begins with APP_ID.

resource.name == "projects/PROJECT_ID" ||
resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION_ID/apps/APP_ID") ||
resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION_ID/operations") ||
resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION_ID/sipDomains") ||
resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION_ID/omnichannels") ||
resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION_ID/dataStores") ||
resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION_ID/routes") ||
resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION_ID/endpointConfigs")

A conditional binding scoped to these resource names does not give the principal access to Customer Experience Insights, so grant the Customer Experience Insights roles described above separately, without this condition.
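Before attaching a condition like the one above, it is worth checking exactly which resource names it admits. The following Python script is an added example, not part of this documentation; it re-implements the condition's string logic (only the ||, == and startsWith() forms the page uses) so a binding's scope can be checked offline, and it calls no Google API. The concrete ID values and the sample resource names are constructed, and the strict variant, which splits the app clause into an exact match plus a prefix ending in "/", is an addition introduced here to close the prefix-collision gap, not a form taken from the page.

```python
"""Evaluate which resource names the conditional role binding above matches.

Added example, not part of this documentation. Only the '||', '==' and
startsWith() forms used on the page are supported. IDs, sample names and the
'strict' variant are assumptions introduced here.
"""
import re

PROJECT_ID = "my-project"
LOCATION_ID = "us-central1"
APP_ID = "support-bot"

TOP_LEVEL = ("operations", "sipDomains", "omnichannels", "dataStores",
             "routes", "endpointConfigs")


def build_condition(project_id, location_id, app_id, strict=False):
    """Return the CEL expression from the page for concrete IDs.

    With strict=True (added variant) the app clause becomes an exact match
    plus a prefix match ending in '/', so that apps whose ID merely begins
    with app_id are excluded."""
    loc = f"projects/{project_id}/locations/{location_id}"
    app = f"{loc}/apps/{app_id}"
    clauses = [f'resource.name == "projects/{project_id}"']
    if strict:
        clauses += [f'resource.name == "{app}"',
                    f'resource.name.startsWith("{app}/")']
    else:
        clauses.append(f'resource.name.startsWith("{app}")')
    clauses += [f'resource.name.startsWith("{loc}/{t}")' for t in TOP_LEVEL]
    return " ||\n".join(clauses)


_EQ = re.compile(r'resource\.name == "([^"]*)"')
_PREFIX = re.compile(r'resource\.name\.startsWith\("([^"]*)"\)')


def evaluate(condition, resource_name):
    """True if any '||'-separated clause accepts the resource name.
    Raises ValueError on a clause outside the supported subset so that an
    unrecognised expression is never silently treated as a deny."""
    for clause in condition.split("||"):
        clause = clause.strip()
        if m := _EQ.fullmatch(clause):
            if resource_name == m.group(1):
                return True
        elif m := _PREFIX.fullmatch(clause):
            if resource_name.startswith(m.group(1)):
                return True
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return False


def in_scope(condition, resource_names):
    """Map each resource name to whether the binding applies to it."""
    return {n: evaluate(condition, n) for n in resource_names}


# Constructed resource names; the shapes follow the condition on this page.
LOC = f"projects/{PROJECT_ID}/locations/{LOCATION_ID}"
SAMPLE_NAMES = [
    f"projects/{PROJECT_ID}",
    f"{LOC}/apps/{APP_ID}",
    f"{LOC}/apps/{APP_ID}/agents/sales",
    f"{LOC}/apps/{APP_ID}-staging/agents/sales",   # prefix collision
    f"{LOC}/apps/other-app",
    f"{LOC}/operations/op-123",
    "projects/other-project",
]

if __name__ == "__main__":
    page_form = build_condition(PROJECT_ID, LOCATION_ID, APP_ID)
    strict_form = build_condition(PROJECT_ID, LOCATION_ID, APP_ID, strict=True)
    for name, hit in in_scope(page_form, SAMPLE_NAMES).items():
        print(f"{name:62} page:{hit!s:5} strict:{evaluate(strict_form, name)}")
```

Running it shows that the page's form admits the constructed support-bot-staging application alongside support-bot, while the strict variant admits only support-bot and its child resources. The top-level clauses (operations, sipDomains, and so on) are location-wide in both forms, which is what the page intends; only the application clause changes.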