This document describes how to use Google Cloud Identity and Access Management (IAM) for access control in Dataplex Universal Catalog.
IAM controls access to your Dataplex Universal Catalog resources at the Google Cloud resource level. It determines who can manage Dataplex Universal Catalog resources, for example, entry groups and entries. You can manage these resources using Google Cloud APIs and tools such as the Google Cloud console, Google Cloud CLI, or client libraries.
For more information about IAM, see the IAM documentation.
IAM overview
By default, when you create a new Google Cloud project, the original project creator is granted the Owner role. Other Google-managed service accounts might exist by default or be created when you enable an API to perform specific tasks. However, no other individual users have access to the project and its resources, including Dataplex Universal Catalog resources. This access is granted only when you explicitly add users as project members or grant them roles on specific resources.
IAM lets you grant granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege by granting only the necessary access to your resources.
IAM lets you control who (principals) has what access (roles) to which resources.
Principal
A principal can be a Google Account (for end users), a service account (for apps and virtual machines), a Google group, or a Google Workspace or Cloud Identity domain. These principals can access a resource. When granting roles, you identify the principal using an identifier, as described in Policy binding reference.
For more information, see IAM overview: Principals.
The Dataplex Universal Catalog Service Agent
Dataplex Universal Catalog uses a Google Cloud managed service account known as a service agent to access your resources. The service agent is created when you enable the Dataplex API. The service agent is identifiable by its email:
service-CUSTOMER_PROJECT_NUMBER@gcp-sa-dataplex.iam.gserviceaccount.com
Here, CUSTOMER_PROJECT_NUMBER is the project number of the project where you enabled the Dataplex API.
The Dataplex Universal Catalog service agent requires the Dataplex Service Agent (roles/dataplex.serviceAgent) role on the project to manage Dataplex Universal Catalog resources. This role is automatically granted when you enable the API. If you revoke this role, Dataplex Universal Catalog might not function correctly.
Resource
Resources you can grant access to in Dataplex Universal Catalog include projects, entry groups, entries, aspect types, and entry types.
Some API methods require permissions for multiple resources. For example, attaching an aspect to an entry requires permissions on both the entry and the aspect type.
Role
A role is a collection of permissions. Permissions determine what operations are allowed on a resource. When you grant a role to a principal, you grant all the permissions that the role contains.
You can grant one or more roles to a principal.
Similar to other Google Cloud products, Dataplex Universal Catalog supports three types of roles:
Basic roles: highly permissive roles (Owner, Editor, Viewer) that existed before IAM was introduced. For more information about basic roles, see Basic roles.
Predefined roles: provide granular access to specific Google Cloud resources. For more information about predefined roles, see Predefined roles. The Dataplex Universal Catalog IAM roles documentation details the Dataplex Universal Catalog predefined roles.
Custom roles: help you enforce the principle of least privilege by granting only the specific permissions needed. For more information about custom roles, see Custom roles.
As an example, the Dataplex Viewer (roles/dataplex.viewer) predefined role provides read-only access to Dataplex Universal Catalog resources. A principal with this role can view entry groups, entries, aspect types, and entry types, but cannot create, update, or delete them. Conversely, the Dataplex Universal Catalog Administrator (roles/dataplex.admin) role grants broad access to manage Dataplex Universal Catalog resources.
For more information about assigning roles, see Granting, changing, and revoking access.
To determine which permissions you need for a specific task, see the reference pages for Dataplex Universal Catalog roles and Dataplex Universal Catalog permissions.
For example, for a project resource, you can assign the roles/dataplex.admin role to a Google Account. That account can then manage Dataplex Universal Catalog resources in the project, but cannot manage other resources. You can also use IAM to manage the basic roles granted to project team members.
IAM policies for resources
An IAM policy lets you manage IAM roles on resources instead of, or in addition to, managing roles at the project level. This provides flexibility to apply the principle of least privilege by granting access only to the specific resources collaborators need for their work.
Resources inherit the policies of their parent resources. If you set a policy at the project level, it's inherited by all its child resources. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from higher in the hierarchy. For more information, see the IAM policy hierarchy.
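The inheritance rule above, worked through in code. This is an added example, not Google's code: it models policies in the IAM policy JSON shape (a list of bindings, each with a role and members), assumes the Dataplex resource hierarchy project -> entry group -> entry with names of the form projects/P/locations/L/entryGroups/G/entries/E, and uses constructed sample policies. It computes the effective policy for a resource as the union of its own policy and every inherited one, and also flags grants of the basic roles the page describes as highly permissive.

```python
from collections import defaultdict

# Basic roles (Owner, Editor, Viewer) are highly permissive; flag them.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policies, one per resource in the hierarchy.
# Resource name format is an assumption made for this example.
POLICIES = {
    "projects/my-proj": {"bindings": [
        {"role": "roles/dataplex.admin", "members": ["user:admin@example.com"]},
        {"role": "roles/viewer", "members": ["group:analysts@example.com"]},
    ]},
    "projects/my-proj/locations/us-central1/entryGroups/sales": {"bindings": [
        {"role": "roles/dataplex.viewer", "members": ["user:analyst@example.com"]},
    ]},
}


def ancestors(resource):
    """Yield the resource itself and each parent, nearest first.

    Each step strips a trailing '<collection>/<id>' pair. The 'locations/<id>'
    level is not a policy-bearing IAM resource, so it is skipped."""
    parts = resource.split("/")
    while len(parts) >= 2:
        if parts[-2] != "locations":
            yield "/".join(parts)
        parts = parts[:-2]


def effective_policy(resource, policies=POLICIES):
    """Union of the policy set on the resource and all inherited policies,
    returned as {role: set_of_members}."""
    effective = defaultdict(set)
    for name in ancestors(resource):
        for binding in policies.get(name, {}).get("bindings", []):
            effective[binding["role"]].update(binding["members"])
    return dict(effective)


def roles_for(member, resource, policies=POLICIES):
    """Roles a principal effectively holds on a resource, sorted."""
    return sorted(role for role, members in effective_policy(resource, policies).items()
                  if member in members)


def basic_role_grants(policies=POLICIES):
    """Least-privilege check: every (resource, role, member) granting a basic role."""
    return sorted((res, b["role"], m) for res, pol in policies.items()
                  for b in pol["bindings"] if b["role"] in BASIC_ROLES
                  for m in b["members"])
```

Replace the constructed POLICIES with the output of the corresponding get-iam-policy calls for each resource to run the same union and check against real bindings.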
You can get and set IAM policies using the Google Cloud console, the Identity and Access Management API, or the gcloud CLI.
- For the Google Cloud console, see Access control using the Google Cloud console.
- For the API, see Access control using the API.
- For the gcloud CLI, see Access control using the gcloud CLI.
What's next?
- Learn more about IAM roles.
- Learn more about IAM permissions.
- Learn more about Dataplex Universal Catalog security.