Papéis do IAM do catálogo universal do Dataplex

Com o gerenciamento de identidade e acesso (IAM), você controla quem pode fazer o quê no Dataplex Universal Catalog. Você pode adotar o princípio de segurança do menor privilégio para proteger dados particulares, evitar acesso não autorizado, reduzir a superfície de ataque ou atender à conformidade regulatória.

O Dataplex Universal Catalog oferece vários papéis predefinidos do IAM, cada um com um conjunto específico de permissões que permitem aos usuários realizar ações. É possível conceder esses papéis usando uma política do IAM.

Para um controle mais granular, crie um papel personalizado do IAM escolhendo permissões específicas e atribuindo esse novo papel aos usuários. Com os papéis personalizados, você cria um modelo de acesso que atende às necessidades da sua organização.

Este documento descreve os papéis predefinidos e personalizados do IAM relevantes para o Dataplex Universal Catalog.

Para uma descrição detalhada do IAM e dos recursos dele, consulte a documentação do IAM.

Se você estiver usando o Data Catalog, as concessões de acesso às entradas do Data Catalog não serão transferidas automaticamente para as entradas do Dataplex Universal Catalog. É necessário conceder acesso explicitamente às entradas do Dataplex Universal Catalog antes de usá-las.

Sobre as funções do Dataplex Universal Catalog

Os papéis do IAM do Dataplex Universal Catalog são um pacote de uma ou mais permissões. Você concede papéis aos principais para permitir que eles executem ações nos recursos do Dataplex Universal Catalog no seu projeto. Por exemplo, o papel Leitor do Dataplex contém as permissões dataplex.*.get e dataplex.*.list, que permitem aos usuários acessar e listar recursos do Dataplex Universal Catalog em um projeto. Para mais informações, consulte Permissões do Dataplex Universal Catalog.

É possível aplicar papéis do Dataplex Universal Catalog a qualquer recurso na hierarquia de serviços, incluindo:

  • Projetos
  • Lakes, zonas de dados e recursos
  • Verificações, tarefas e ambientes de dados
  • Grupos de entradas, tipos de entradas, tipos de aspectos e glossários
  • Taxonomias, atributos e vinculações de atributos de dados

Funções predefinidas para o Dataplex Universal Catalog

Os papéis predefinidos contêm as permissões necessárias para executar uma tarefa ou um grupo de tarefas relacionadas.

Os seguintes papéis oferecem acesso amplo aos recursos do Dataplex Universal Catalog:

Papel Descrição
Administrador do Dataplex
(roles/dataplex.admin)		 Acesso total aos recursos do Dataplex Universal Catalog.
Editor do Dataplex
(roles/dataplex.editor)		 Edite o acesso aos recursos do Dataplex Universal Catalog.
Leitor do Dataplex
(roles/dataplex.viewer)		 Acesso somente leitura aos recursos do Dataplex Universal Catalog.
Desenvolvedor do Dataplex
(roles/dataplex.developer)		 Permite executar cargas de trabalho de análise de dados.

Os papéis Administrador do Dataplex (roles/dataplex.admin), Editor do Dataplex (roles/dataplex.editor) e Leitor do Dataplex (roles/dataplex.viewer) não dão acesso a recursos de metadados, como grupos de entradas, tipos de entradas, tipos de aspectos e entradas.

A tabela a seguir lista os papéis predefinidos do catálogo universal do Dataplex e as permissões associadas a cada um:

Role Permissions

(roles/dataplex.admin)

Full access to Dataplex Universal Catalog resources, except for catalog resources like entries and entry groups.

cloudasset.assets.analyzeIamPolicy

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

dataplex.assetActions.list

dataplex.assets.create

dataplex.assets.delete

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.assets.setIamPolicy

dataplex.assets.update

dataplex.content.*

  • dataplex.content.create
  • dataplex.content.delete
  • dataplex.content.get
  • dataplex.content.getIamPolicy
  • dataplex.content.list
  • dataplex.content.setIamPolicy
  • dataplex.content.update

dataplex.dataAssets.*

  • dataplex.dataAssets.create
  • dataplex.dataAssets.delete
  • dataplex.dataAssets.get
  • dataplex.dataAssets.list
  • dataplex.dataAssets.update

dataplex.dataAttributeBindings.*

  • dataplex.dataAttributeBindings.create
  • dataplex.dataAttributeBindings.delete
  • dataplex.dataAttributeBindings.get
  • dataplex.dataAttributeBindings.getIamPolicy
  • dataplex.dataAttributeBindings.list
  • dataplex.dataAttributeBindings.setIamPolicy
  • dataplex.dataAttributeBindings.update

dataplex.dataAttributes.*

  • dataplex.dataAttributes.bind
  • dataplex.dataAttributes.create
  • dataplex.dataAttributes.delete
  • dataplex.dataAttributes.get
  • dataplex.dataAttributes.getIamPolicy
  • dataplex.dataAttributes.list
  • dataplex.dataAttributes.setIamPolicy
  • dataplex.dataAttributes.update

dataplex.dataProducts.*

  • dataplex.dataProducts.create
  • dataplex.dataProducts.delete
  • dataplex.dataProducts.get
  • dataplex.dataProducts.getIamPolicy
  • dataplex.dataProducts.list
  • dataplex.dataProducts.setIamPolicy
  • dataplex.dataProducts.update

dataplex.dataTaxonomies.*

  • dataplex.dataTaxonomies.configureDataAccess
  • dataplex.dataTaxonomies.configureResourceAccess
  • dataplex.dataTaxonomies.create
  • dataplex.dataTaxonomies.delete
  • dataplex.dataTaxonomies.get
  • dataplex.dataTaxonomies.getIamPolicy
  • dataplex.dataTaxonomies.list
  • dataplex.dataTaxonomies.setIamPolicy
  • dataplex.dataTaxonomies.update

dataplex.datascans.*

  • dataplex.datascans.create
  • dataplex.datascans.delete
  • dataplex.datascans.get
  • dataplex.datascans.getData
  • dataplex.datascans.getIamPolicy
  • dataplex.datascans.list
  • dataplex.datascans.run
  • dataplex.datascans.setIamPolicy
  • dataplex.datascans.update

dataplex.entities.*

  • dataplex.entities.create
  • dataplex.entities.delete
  • dataplex.entities.get
  • dataplex.entities.list
  • dataplex.entities.update

dataplex.entries.link

dataplex.entryGroups.export

dataplex.entryGroups.import

dataplex.entryGroups.useDefinitionEntryLink

dataplex.entryGroups.useRelatedEntryLink

dataplex.entryGroups.useSynonymEntryLink

dataplex.entryLinks.*

  • dataplex.entryLinks.create
  • dataplex.entryLinks.delete
  • dataplex.entryLinks.get
  • dataplex.entryLinks.reference

dataplex.environments.*

  • dataplex.environments.create
  • dataplex.environments.delete
  • dataplex.environments.execute
  • dataplex.environments.get
  • dataplex.environments.getIamPolicy
  • dataplex.environments.list
  • dataplex.environments.setIamPolicy
  • dataplex.environments.update

dataplex.glossaries.*

  • dataplex.glossaries.create
  • dataplex.glossaries.delete
  • dataplex.glossaries.get
  • dataplex.glossaries.getIamPolicy
  • dataplex.glossaries.import
  • dataplex.glossaries.list
  • dataplex.glossaries.setIamPolicy
  • dataplex.glossaries.update

dataplex.glossaryCategories.*

  • dataplex.glossaryCategories.create
  • dataplex.glossaryCategories.delete
  • dataplex.glossaryCategories.get
  • dataplex.glossaryCategories.list
  • dataplex.glossaryCategories.update

dataplex.glossaryTerms.*

  • dataplex.glossaryTerms.create
  • dataplex.glossaryTerms.delete
  • dataplex.glossaryTerms.get
  • dataplex.glossaryTerms.list
  • dataplex.glossaryTerms.update
  • dataplex.glossaryTerms.use

dataplex.lakeActions.list

dataplex.lakes.*

  • dataplex.lakes.create
  • dataplex.lakes.delete
  • dataplex.lakes.get
  • dataplex.lakes.getIamPolicy
  • dataplex.lakes.list
  • dataplex.lakes.setIamPolicy
  • dataplex.lakes.update

dataplex.locations.*

  • dataplex.locations.get
  • dataplex.locations.list

dataplex.metadataFeeds.*

  • dataplex.metadataFeeds.create
  • dataplex.metadataFeeds.delete
  • dataplex.metadataFeeds.get
  • dataplex.metadataFeeds.list
  • dataplex.metadataFeeds.update

dataplex.metadataJobs.*

  • dataplex.metadataJobs.cancel
  • dataplex.metadataJobs.create
  • dataplex.metadataJobs.get
  • dataplex.metadataJobs.list

dataplex.operations.*

  • dataplex.operations.cancel
  • dataplex.operations.delete
  • dataplex.operations.get
  • dataplex.operations.list

dataplex.partitions.*

  • dataplex.partitions.create
  • dataplex.partitions.delete
  • dataplex.partitions.get
  • dataplex.partitions.list
  • dataplex.partitions.update

dataplex.tasks.*

  • dataplex.tasks.cancel
  • dataplex.tasks.create
  • dataplex.tasks.delete
  • dataplex.tasks.get
  • dataplex.tasks.getIamPolicy
  • dataplex.tasks.list
  • dataplex.tasks.run
  • dataplex.tasks.setIamPolicy
  • dataplex.tasks.update

dataplex.zoneActions.list

dataplex.zones.*

  • dataplex.zones.create
  • dataplex.zones.delete
  • dataplex.zones.get
  • dataplex.zones.getIamPolicy
  • dataplex.zones.list
  • dataplex.zones.setIamPolicy
  • dataplex.zones.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.aspectTypeOwner)

Grants access to creating and managing Aspect Types. Does not give the right to create/modify Entries.

datacatalog.migrationConfig.get

dataplex.aspectTypes.*

  • dataplex.aspectTypes.create
  • dataplex.aspectTypes.delete
  • dataplex.aspectTypes.get
  • dataplex.aspectTypes.getIamPolicy
  • dataplex.aspectTypes.list
  • dataplex.aspectTypes.setIamPolicy
  • dataplex.aspectTypes.update
  • dataplex.aspectTypes.use

dataplex.operations.get

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.aspectTypeUser)

Grants access to use Aspect Types to create/modify Entries with the corresponding aspects.

datacatalog.migrationConfig.get

dataplex.aspectTypes.get

dataplex.aspectTypes.list

dataplex.aspectTypes.use

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.bindingAdmin)

Full access on DataAttribute Binding resources.

dataplex.dataAttributeBindings.*

  • dataplex.dataAttributeBindings.create
  • dataplex.dataAttributeBindings.delete
  • dataplex.dataAttributeBindings.get
  • dataplex.dataAttributeBindings.getIamPolicy
  • dataplex.dataAttributeBindings.list
  • dataplex.dataAttributeBindings.setIamPolicy
  • dataplex.dataAttributeBindings.update

(roles/dataplex.catalogAdmin)

Full access to catalog resources, including entries, entry groups, and glossaries.

datacatalog.migrationConfig.get

dataplex.aspectTypes.*

  • dataplex.aspectTypes.create
  • dataplex.aspectTypes.delete
  • dataplex.aspectTypes.get
  • dataplex.aspectTypes.getIamPolicy
  • dataplex.aspectTypes.list
  • dataplex.aspectTypes.setIamPolicy
  • dataplex.aspectTypes.update
  • dataplex.aspectTypes.use

dataplex.entries.*

  • dataplex.entries.create
  • dataplex.entries.delete
  • dataplex.entries.get
  • dataplex.entries.getData
  • dataplex.entries.link
  • dataplex.entries.list
  • dataplex.entries.update

dataplex.entryGroups.*

  • dataplex.entryGroups.create
  • dataplex.entryGroups.delete
  • dataplex.entryGroups.export
  • dataplex.entryGroups.get
  • dataplex.entryGroups.getIamPolicy
  • dataplex.entryGroups.import
  • dataplex.entryGroups.list
  • dataplex.entryGroups.setIamPolicy
  • dataplex.entryGroups.update
  • dataplex.entryGroups.useContactsAspect
  • dataplex.entryGroups.useDataProfileAspect
  • dataplex.entryGroups.useDataQualityScorecardAspect
  • dataplex.entryGroups.useDefinitionEntryLink
  • dataplex.entryGroups.useDescriptionsAspect
  • dataplex.entryGroups.useGenericAspect
  • dataplex.entryGroups.useGenericEntry
  • dataplex.entryGroups.useOverviewAspect
  • dataplex.entryGroups.useQueriesAspect
  • dataplex.entryGroups.useRefreshCadenceAspect
  • dataplex.entryGroups.useRelatedEntryLink
  • dataplex.entryGroups.useSchemaAspect
  • dataplex.entryGroups.useStorageAspect
  • dataplex.entryGroups.useSynonymEntryLink

dataplex.entryLinks.*

  • dataplex.entryLinks.create
  • dataplex.entryLinks.delete
  • dataplex.entryLinks.get
  • dataplex.entryLinks.reference

dataplex.entryTypes.*

  • dataplex.entryTypes.create
  • dataplex.entryTypes.delete
  • dataplex.entryTypes.get
  • dataplex.entryTypes.getIamPolicy
  • dataplex.entryTypes.list
  • dataplex.entryTypes.setIamPolicy
  • dataplex.entryTypes.update
  • dataplex.entryTypes.use

dataplex.glossaries.*

  • dataplex.glossaries.create
  • dataplex.glossaries.delete
  • dataplex.glossaries.get
  • dataplex.glossaries.getIamPolicy
  • dataplex.glossaries.import
  • dataplex.glossaries.list
  • dataplex.glossaries.setIamPolicy
  • dataplex.glossaries.update

dataplex.glossaryCategories.*

  • dataplex.glossaryCategories.create
  • dataplex.glossaryCategories.delete
  • dataplex.glossaryCategories.get
  • dataplex.glossaryCategories.list
  • dataplex.glossaryCategories.update

dataplex.glossaryTerms.*

  • dataplex.glossaryTerms.create
  • dataplex.glossaryTerms.delete
  • dataplex.glossaryTerms.get
  • dataplex.glossaryTerms.list
  • dataplex.glossaryTerms.update
  • dataplex.glossaryTerms.use

dataplex.operations.get

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.catalogEditor)

Write access to catalog resources, including entries, entry groups, and glossaries. Cannot set IAM policies on resources.

datacatalog.migrationConfig.get

dataplex.aspectTypes.create

dataplex.aspectTypes.delete

dataplex.aspectTypes.get

dataplex.aspectTypes.getIamPolicy

dataplex.aspectTypes.list

dataplex.aspectTypes.update

dataplex.aspectTypes.use

dataplex.entries.*

  • dataplex.entries.create
  • dataplex.entries.delete
  • dataplex.entries.get
  • dataplex.entries.getData
  • dataplex.entries.link
  • dataplex.entries.list
  • dataplex.entries.update

dataplex.entryGroups.create

dataplex.entryGroups.delete

dataplex.entryGroups.get

dataplex.entryGroups.getIamPolicy

dataplex.entryGroups.list

dataplex.entryGroups.update

dataplex.entryGroups.useContactsAspect

dataplex.entryGroups.useDataProfileAspect

dataplex.entryGroups.useDataQualityScorecardAspect

dataplex.entryGroups.useDefinitionEntryLink

dataplex.entryGroups.useDescriptionsAspect

dataplex.entryGroups.useGenericAspect

dataplex.entryGroups.useGenericEntry

dataplex.entryGroups.useOverviewAspect

dataplex.entryGroups.useQueriesAspect

dataplex.entryGroups.useRefreshCadenceAspect

dataplex.entryGroups.useRelatedEntryLink

dataplex.entryGroups.useSchemaAspect

dataplex.entryGroups.useStorageAspect

dataplex.entryGroups.useSynonymEntryLink

dataplex.entryLinks.create

dataplex.entryLinks.delete

dataplex.entryLinks.get

dataplex.entryTypes.create

dataplex.entryTypes.delete

dataplex.entryTypes.get

dataplex.entryTypes.getIamPolicy

dataplex.entryTypes.list

dataplex.entryTypes.update

dataplex.entryTypes.use

dataplex.glossaries.create

dataplex.glossaries.delete

dataplex.glossaries.get

dataplex.glossaries.getIamPolicy

dataplex.glossaries.list

dataplex.glossaries.update

dataplex.glossaryCategories.*

  • dataplex.glossaryCategories.create
  • dataplex.glossaryCategories.delete
  • dataplex.glossaryCategories.get
  • dataplex.glossaryCategories.list
  • dataplex.glossaryCategories.update

dataplex.glossaryTerms.*

  • dataplex.glossaryTerms.create
  • dataplex.glossaryTerms.delete
  • dataplex.glossaryTerms.get
  • dataplex.glossaryTerms.list
  • dataplex.glossaryTerms.update
  • dataplex.glossaryTerms.use

dataplex.operations.get

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.catalogViewer)

Read access to catalog resources, including entries, entry groups, and glossaries. Can view IAM policies on catalog resources.

datacatalog.migrationConfig.get

dataplex.aspectTypes.get

dataplex.aspectTypes.getIamPolicy

dataplex.aspectTypes.list

dataplex.entries.get

dataplex.entries.list

dataplex.entryGroups.get

dataplex.entryGroups.getIamPolicy

dataplex.entryGroups.list

dataplex.entryLinks.get

dataplex.entryTypes.get

dataplex.entryTypes.getIamPolicy

dataplex.entryTypes.list

dataplex.glossaries.get

dataplex.glossaries.getIamPolicy

dataplex.glossaries.list

dataplex.glossaryCategories.get

dataplex.glossaryCategories.list

dataplex.glossaryTerms.get

dataplex.glossaryTerms.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.dataOwner)

Owner access to data. To be granted to Dataplex Universal Catalog resources Lake, Zone or Asset only.

dataplex.assets.ownData

dataplex.assets.readData

dataplex.assets.writeData

(roles/dataplex.dataProductsAdmin)

Full access to Data Products.

dataplex.dataAssets.*

  • dataplex.dataAssets.create
  • dataplex.dataAssets.delete
  • dataplex.dataAssets.get
  • dataplex.dataAssets.list
  • dataplex.dataAssets.update

dataplex.dataProducts.*

  • dataplex.dataProducts.create
  • dataplex.dataProducts.delete
  • dataplex.dataProducts.get
  • dataplex.dataProducts.getIamPolicy
  • dataplex.dataProducts.list
  • dataplex.dataProducts.setIamPolicy
  • dataplex.dataProducts.update

dataplex.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.dataProductsConsumer)

Restricted read access, intended for consumers of Data Products.

dataplex.dataAssets.get

dataplex.dataAssets.list

dataplex.dataProducts.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.dataProductsEditor)

Write access to Data Products.

dataplex.dataAssets.*

  • dataplex.dataAssets.create
  • dataplex.dataAssets.delete
  • dataplex.dataAssets.get
  • dataplex.dataAssets.list
  • dataplex.dataAssets.update

dataplex.dataProducts.create

dataplex.dataProducts.delete

dataplex.dataProducts.get

dataplex.dataProducts.getIamPolicy

dataplex.dataProducts.list

dataplex.dataProducts.update

dataplex.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.dataProductsViewer)

Read access to Data Products.

dataplex.dataAssets.get

dataplex.dataAssets.list

dataplex.dataProducts.get

dataplex.dataProducts.getIamPolicy

dataplex.dataProducts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.dataReader)

Read only access to data. To be granted to Dataplex Universal Catalog resources Lake, Zone or Asset only.

dataplex.assets.readData

(roles/dataplex.dataScanAdmin)

Full access to DataScan resources.

dataplex.datascans.*

  • dataplex.datascans.create
  • dataplex.datascans.delete
  • dataplex.datascans.get
  • dataplex.datascans.getData
  • dataplex.datascans.getIamPolicy
  • dataplex.datascans.list
  • dataplex.datascans.run
  • dataplex.datascans.setIamPolicy
  • dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

(roles/dataplex.dataScanCreator)

Access to create new DataScan resources.

dataplex.datascans.create

dataplex.datascans.get

dataplex.datascans.list

dataplex.operations.get

(roles/dataplex.dataScanDataViewer)

Read access to DataScan resources, including the results.

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

(roles/dataplex.dataScanEditor)

Write access to DataScan resources.

dataplex.datascans.create

dataplex.datascans.delete

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.run

dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

(roles/dataplex.dataScanViewer)

Read access to DataScan resources, excluding the results.

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

(roles/dataplex.dataWriter)

Write access to data. To be granted to Dataplex Universal Catalog resources Lake, Zone or Asset only.

dataplex.assets.writeData

(roles/dataplex.developer)

Allows running data analytics workloads in a lake.

dataplex.content.*

  • dataplex.content.create
  • dataplex.content.delete
  • dataplex.content.get
  • dataplex.content.getIamPolicy
  • dataplex.content.list
  • dataplex.content.setIamPolicy
  • dataplex.content.update

dataplex.environments.execute

dataplex.environments.get

dataplex.environments.list

dataplex.tasks.cancel

dataplex.tasks.create

dataplex.tasks.delete

dataplex.tasks.get

dataplex.tasks.list

dataplex.tasks.run

dataplex.tasks.update

(roles/dataplex.discoveryBigLakePublishingServiceAgent)

Gives the Dataplex Discovery Service Agent permissions to use bigquery connection.

bigquery.connections.delegate

bigquery.connections.use

(roles/dataplex.discoveryPublishingServiceAgent)

Gives the Dataplex Discovery Service Agent dataset create and get permissions.

bigquery.datasets.create

bigquery.datasets.get

(roles/dataplex.discoveryServiceAgent)

Gives the Dataplex Discovery Service Agent bucket read permissions.

storage.buckets.get

storage.objects.get

storage.objects.list

(roles/dataplex.editor)

Write access to Dataplex Universal Catalog resources, except for catalog resources like entries, entry groups, and glossaries.

cloudasset.assets.analyzeIamPolicy

dataplex.assetActions.list

dataplex.assets.create

dataplex.assets.delete

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.assets.update

dataplex.content.delete

dataplex.content.get

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.dataAssets.*

  • dataplex.dataAssets.create
  • dataplex.dataAssets.delete
  • dataplex.dataAssets.get
  • dataplex.dataAssets.list
  • dataplex.dataAssets.update

dataplex.dataAttributeBindings.create

dataplex.dataAttributeBindings.delete

dataplex.dataAttributeBindings.get

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributeBindings.update

dataplex.dataAttributes.bind

dataplex.dataAttributes.create

dataplex.dataAttributes.delete

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataAttributes.update

dataplex.dataProducts.create

dataplex.dataProducts.delete

dataplex.dataProducts.get

dataplex.dataProducts.getIamPolicy

dataplex.dataProducts.list

dataplex.dataProducts.update

dataplex.dataTaxonomies.configureDataAccess

dataplex.dataTaxonomies.configureResourceAccess

dataplex.dataTaxonomies.create

dataplex.dataTaxonomies.delete

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.dataTaxonomies.update

dataplex.datascans.create

dataplex.datascans.delete

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.run

dataplex.datascans.update

dataplex.environments.create

dataplex.environments.delete

dataplex.environments.get

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.environments.update

dataplex.lakeActions.list

dataplex.lakes.create

dataplex.lakes.delete

dataplex.lakes.get

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.lakes.update

dataplex.operations.*

  • dataplex.operations.cancel
  • dataplex.operations.delete
  • dataplex.operations.get
  • dataplex.operations.list

dataplex.tasks.cancel

dataplex.tasks.create

dataplex.tasks.delete

dataplex.tasks.get

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.tasks.run

dataplex.tasks.update

dataplex.zoneActions.list

dataplex.zones.create

dataplex.zones.delete

dataplex.zones.get

dataplex.zones.getIamPolicy

dataplex.zones.list

dataplex.zones.update

(roles/dataplex.encryptionAdmin)

Gives user permissions to manage encryption configurations.

dataplex.encryptionConfig.*

  • dataplex.encryptionConfig.create
  • dataplex.encryptionConfig.delete
  • dataplex.encryptionConfig.get
  • dataplex.encryptionConfig.list
  • dataplex.encryptionConfig.update

dataplex.operations.get

dataplex.operations.list

(roles/dataplex.entryGroupExporter)

Grants access to export this entry group for Metadata Job processing.

dataplex.entryGroups.export

dataplex.entryGroups.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.entryGroupImporter)

Grants access to import this entry group for Metadata Job processing.

dataplex.entryGroups.get

dataplex.entryGroups.import

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.entryGroupOwner)

Owns Entry Groups and Entries inside of them.

datacatalog.migrationConfig.get

dataplex.aspectTypes.get

dataplex.aspectTypes.list

dataplex.aspectTypes.use

dataplex.entries.*

  • dataplex.entries.create
  • dataplex.entries.delete
  • dataplex.entries.get
  • dataplex.entries.getData
  • dataplex.entries.link
  • dataplex.entries.list
  • dataplex.entries.update

dataplex.entryGroups.*

  • dataplex.entryGroups.create
  • dataplex.entryGroups.delete
  • dataplex.entryGroups.export
  • dataplex.entryGroups.get
  • dataplex.entryGroups.getIamPolicy
  • dataplex.entryGroups.import
  • dataplex.entryGroups.list
  • dataplex.entryGroups.setIamPolicy
  • dataplex.entryGroups.update
  • dataplex.entryGroups.useContactsAspect
  • dataplex.entryGroups.useDataProfileAspect
  • dataplex.entryGroups.useDataQualityScorecardAspect
  • dataplex.entryGroups.useDefinitionEntryLink
  • dataplex.entryGroups.useDescriptionsAspect
  • dataplex.entryGroups.useGenericAspect
  • dataplex.entryGroups.useGenericEntry
  • dataplex.entryGroups.useOverviewAspect
  • dataplex.entryGroups.useQueriesAspect
  • dataplex.entryGroups.useRefreshCadenceAspect
  • dataplex.entryGroups.useRelatedEntryLink
  • dataplex.entryGroups.useSchemaAspect
  • dataplex.entryGroups.useStorageAspect
  • dataplex.entryGroups.useSynonymEntryLink

dataplex.entryLinks.*

  • dataplex.entryLinks.create
  • dataplex.entryLinks.delete
  • dataplex.entryLinks.get
  • dataplex.entryLinks.reference

dataplex.entryTypes.get

dataplex.entryTypes.list

dataplex.entryTypes.use

dataplex.operations.get

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.entryOwner)

Owns Metadata Entries and EntryLinks.

datacatalog.migrationConfig.get

dataplex.aspectTypes.get

dataplex.aspectTypes.list

dataplex.aspectTypes.use

dataplex.entries.*

  • dataplex.entries.create
  • dataplex.entries.delete
  • dataplex.entries.get
  • dataplex.entries.getData
  • dataplex.entries.link
  • dataplex.entries.list
  • dataplex.entries.update

dataplex.entryGroups.get

dataplex.entryGroups.useContactsAspect

dataplex.entryGroups.useDataProfileAspect

dataplex.entryGroups.useDataQualityScorecardAspect

dataplex.entryGroups.useDefinitionEntryLink

dataplex.entryGroups.useDescriptionsAspect

dataplex.entryGroups.useGenericAspect

dataplex.entryGroups.useGenericEntry

dataplex.entryGroups.useOverviewAspect

dataplex.entryGroups.useQueriesAspect

dataplex.entryGroups.useRefreshCadenceAspect

dataplex.entryGroups.useRelatedEntryLink

dataplex.entryGroups.useSchemaAspect

dataplex.entryGroups.useStorageAspect

dataplex.entryGroups.useSynonymEntryLink

dataplex.entryLinks.*

  • dataplex.entryLinks.create
  • dataplex.entryLinks.delete
  • dataplex.entryLinks.get
  • dataplex.entryLinks.reference

dataplex.entryTypes.get

dataplex.entryTypes.list

dataplex.entryTypes.use

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.entryTypeOwner)

Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries.

datacatalog.migrationConfig.get

dataplex.entryTypes.*

  • dataplex.entryTypes.create
  • dataplex.entryTypes.delete
  • dataplex.entryTypes.get
  • dataplex.entryTypes.getIamPolicy
  • dataplex.entryTypes.list
  • dataplex.entryTypes.setIamPolicy
  • dataplex.entryTypes.update
  • dataplex.entryTypes.use

dataplex.operations.get

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.entryTypeUser)

Grants access to use Entry Types to create/modify Entries of those types.

datacatalog.migrationConfig.get

dataplex.entryTypes.get

dataplex.entryTypes.list

dataplex.entryTypes.use

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.metadataFeedOwner)

Grants access to creating and managing Metadata Feeds. Does not give the right to create/modify Entry Groups.

dataplex.metadataFeeds.*

  • dataplex.metadataFeeds.create
  • dataplex.metadataFeeds.delete
  • dataplex.metadataFeeds.get
  • dataplex.metadataFeeds.list
  • dataplex.metadataFeeds.update

dataplex.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.metadataFeedViewer)

Read access to Metadata Feed resources.

dataplex.metadataFeeds.get

dataplex.metadataFeeds.list

dataplex.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.metadataJobOwner)

Grants access to creating and managing Metadata Jobs. Does not give the right to create/modify Entry Groups.

dataplex.metadataJobs.*

  • dataplex.metadataJobs.cancel
  • dataplex.metadataJobs.create
  • dataplex.metadataJobs.get
  • dataplex.metadataJobs.list

dataplex.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.metadataJobViewer)

Read access to Metadata Job resources.

dataplex.metadataJobs.get

dataplex.metadataJobs.list

dataplex.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.metadataReader)

Read only access to metadata within table and fileset entities and partitions.

dataplex.assets.get

dataplex.assets.list

dataplex.entities.get

dataplex.entities.list

dataplex.partitions.get

dataplex.partitions.list

dataplex.zones.get

dataplex.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.metadataWriter)

Write and read access to metadata within table and fileset entities and partitions.

dataplex.assets.get

dataplex.assets.list

dataplex.entities.*

  • dataplex.entities.create
  • dataplex.entities.delete
  • dataplex.entities.get
  • dataplex.entities.list
  • dataplex.entities.update

dataplex.partitions.*

  • dataplex.partitions.create
  • dataplex.partitions.delete
  • dataplex.partitions.get
  • dataplex.partitions.list
  • dataplex.partitions.update

dataplex.zones.get

dataplex.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.securityAdmin)

Permissions configure ResourceAccess and DataAccess Specs on Data Attributes.

dataplex.dataTaxonomies.configureDataAccess

dataplex.dataTaxonomies.configureResourceAccess

(roles/dataplex.serviceAgent)

Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management.

bigquery.bireservations.*

  • bigquery.bireservations.get
  • bigquery.bireservations.update

bigquery.capacityCommitments.*

  • bigquery.capacityCommitments.create
  • bigquery.capacityCommitments.delete
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.capacityCommitments.update

bigquery.config.*

  • bigquery.config.get
  • bigquery.config.update

bigquery.connections.*

  • bigquery.connections.create
  • bigquery.connections.delegate
  • bigquery.connections.delete
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.setIamPolicy
  • bigquery.connections.update
  • bigquery.connections.updateTag
  • bigquery.connections.use

bigquery.dataPolicies.attach

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

  • bigquery.datasets.create
  • bigquery.datasets.createTagBinding
  • bigquery.datasets.delete
  • bigquery.datasets.deleteTagBinding
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.link
  • bigquery.datasets.listEffectiveTags
  • bigquery.datasets.listSharedDatasetUsage
  • bigquery.datasets.listTagBindings
  • bigquery.datasets.setIamPolicy
  • bigquery.datasets.update
  • bigquery.datasets.updateTag

bigquery.jobs.*

  • bigquery.jobs.create
  • bigquery.jobs.createGlobalQuery
  • bigquery.jobs.delete
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.jobs.update

bigquery.models.*

  • bigquery.models.create
  • bigquery.models.delete
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.models.updateData
  • bigquery.models.updateMetadata
  • bigquery.models.updateTag

bigquery.objectRefs.*

  • bigquery.objectRefs.read
  • bigquery.objectRefs.write

bigquery.readsessions.*

  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.readsessions.update

bigquery.reservationAssignments.*

  • bigquery.reservationAssignments.create
  • bigquery.reservationAssignments.delete
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search

bigquery.reservationGroups.*

  • bigquery.reservationGroups.create
  • bigquery.reservationGroups.delete
  • bigquery.reservationGroups.get
  • bigquery.reservationGroups.list

bigquery.reservations.*

  • bigquery.reservations.create
  • bigquery.reservations.delete
  • bigquery.reservations.get
  • bigquery.reservations.getIamPolicy
  • bigquery.reservations.list
  • bigquery.reservations.listFailoverDatasets
  • bigquery.reservations.setIamPolicy
  • bigquery.reservations.update
  • bigquery.reservations.use

bigquery.routines.*

  • bigquery.routines.create
  • bigquery.routines.delete
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.routines.update
  • bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.get

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

  • bigquery.savedqueries.create
  • bigquery.savedqueries.delete
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.savedqueries.update

bigquery.tables.*

  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.createTagBinding
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.deleteSnapshot
  • bigquery.tables.deleteTagBinding
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.listEffectiveTags
  • bigquery.tables.listTagBindings
  • bigquery.tables.replicateData
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.setCategory
  • bigquery.tables.setColumnDataPolicy
  • bigquery.tables.setIamPolicy
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateIndex
  • bigquery.tables.updateTag

bigquery.transfers.*

  • bigquery.transfers.get
  • bigquery.transfers.update

bigquerymigration.translation.translate

datacatalog.catalogs.searchAll

datacatalog.categories.getIamPolicy

datacatalog.categories.setIamPolicy

datacatalog.entries.get

datacatalog.taxonomies.create

datacatalog.taxonomies.delete

datacatalog.taxonomies.get

datacatalog.taxonomies.list

datacatalog.taxonomies.update

dataform.*

  • dataform.commentThreads.create
  • dataform.commentThreads.delete
  • dataform.commentThreads.get
  • dataform.commentThreads.list
  • dataform.commentThreads.update
  • dataform.comments.create
  • dataform.comments.delete
  • dataform.comments.get
  • dataform.comments.list
  • dataform.comments.update
  • dataform.compilationResults.create
  • dataform.compilationResults.get
  • dataform.compilationResults.list
  • dataform.compilationResults.query
  • dataform.config.get
  • dataform.config.update
  • dataform.folders.addContents
  • dataform.folders.create
  • dataform.folders.delete
  • dataform.folders.get
  • dataform.folders.getIamPolicy
  • dataform.folders.move
  • dataform.folders.queryContents
  • dataform.folders.setIamPolicy
  • dataform.folders.update
  • dataform.locations.get
  • dataform.locations.list
  • dataform.operations.cancel
  • dataform.operations.delete
  • dataform.operations.get
  • dataform.operations.list
  • dataform.releaseConfigs.create
  • dataform.releaseConfigs.delete
  • dataform.releaseConfigs.get
  • dataform.releaseConfigs.list
  • dataform.releaseConfigs.update
  • dataform.repositories.commit
  • dataform.repositories.computeAccessTokenStatus
  • dataform.repositories.create
  • dataform.repositories.delete
  • dataform.repositories.fetchHistory
  • dataform.repositories.fetchRemoteBranches
  • dataform.repositories.get
  • dataform.repositories.getIamPolicy
  • dataform.repositories.list
  • dataform.repositories.move
  • dataform.repositories.queryDirectoryContents
  • dataform.repositories.readFile
  • dataform.repositories.scheduleRelease
  • dataform.repositories.scheduleWorkflow
  • dataform.repositories.setIamPolicy
  • dataform.repositories.update
  • dataform.teamFolders.create
  • dataform.teamFolders.delete
  • dataform.teamFolders.get
  • dataform.teamFolders.getIamPolicy
  • dataform.teamFolders.setIamPolicy
  • dataform.teamFolders.update
  • dataform.workflowConfigs.create
  • dataform.workflowConfigs.delete
  • dataform.workflowConfigs.get
  • dataform.workflowConfigs.list
  • dataform.workflowConfigs.update
  • dataform.workflowInvocations.cancel
  • dataform.workflowInvocations.create
  • dataform.workflowInvocations.delete
  • dataform.workflowInvocations.get
  • dataform.workflowInvocations.list
  • dataform.workflowInvocations.query
  • dataform.workspaces.commit
  • dataform.workspaces.create
  • dataform.workspaces.delete
  • dataform.workspaces.fetchFileDiff
  • dataform.workspaces.fetchFileGitStatuses
  • dataform.workspaces.fetchGitAheadBehind
  • dataform.workspaces.get
  • dataform.workspaces.getIamPolicy
  • dataform.workspaces.installNpmPackages
  • dataform.workspaces.list
  • dataform.workspaces.makeDirectory
  • dataform.workspaces.moveDirectory
  • dataform.workspaces.moveFile
  • dataform.workspaces.pull
  • dataform.workspaces.push
  • dataform.workspaces.queryDirectoryContents
  • dataform.workspaces.readFile
  • dataform.workspaces.removeDirectory
  • dataform.workspaces.removeFile
  • dataform.workspaces.reset
  • dataform.workspaces.searchFiles
  • dataform.workspaces.setIamPolicy
  • dataform.workspaces.writeFile

dataplex.assets.getIamPolicy

dataplex.datascans.*

  • dataplex.datascans.create
  • dataplex.datascans.delete
  • dataplex.datascans.get
  • dataplex.datascans.getData
  • dataplex.datascans.getIamPolicy
  • dataplex.datascans.list
  • dataplex.datascans.run
  • dataplex.datascans.setIamPolicy
  • dataplex.datascans.update

dataplex.environments.execute

dataplex.environments.get

dataplex.environments.list

dataplex.lakes.get

dataplex.lakes.getIamPolicy

dataplex.operations.get

dataplex.operations.list

dataplex.projects.search

dataplex.zones.getIamPolicy

dataproc.batches.cancel

dataproc.batches.create

dataproc.batches.get

dataproc.operations.cancel

dataproc.operations.get

dataproc.operations.list

firebase.projects.get

iam.serviceAccounts.actAs

logging.logEntries.create

logging.logEntries.route

metastore.services.get

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

orgpolicy.policy.get

recommender.iamPolicyInsights.*

  • recommender.iamPolicyInsights.get
  • recommender.iamPolicyInsights.list
  • recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

  • recommender.iamPolicyRecommendations.get
  • recommender.iamPolicyRecommendations.list
  • recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

  • recommender.storageBucketSoftDeleteInsights.get
  • recommender.storageBucketSoftDeleteInsights.list
  • recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

  • recommender.storageBucketSoftDeleteRecommendations.get
  • recommender.storageBucketSoftDeleteRecommendations.list
  • recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.report

serviceusage.services.use

storage.anywhereCaches.*

  • storage.anywhereCaches.create
  • storage.anywhereCaches.disable
  • storage.anywhereCaches.get
  • storage.anywhereCaches.list
  • storage.anywhereCaches.pause
  • storage.anywhereCaches.resume
  • storage.anywhereCaches.update

storage.bucketOperations.*

  • storage.bucketOperations.cancel
  • storage.bucketOperations.get
  • storage.bucketOperations.list

storage.buckets.*

  • storage.buckets.create
  • storage.buckets.createTagBinding
  • storage.buckets.delete
  • storage.buckets.deleteTagBinding
  • storage.buckets.enableObjectRetention
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.getIpFilter
  • storage.buckets.getObjectInsights
  • storage.buckets.list
  • storage.buckets.listEffectiveTags
  • storage.buckets.listTagBindings
  • storage.buckets.relocate
  • storage.buckets.restore
  • storage.buckets.setIamPolicy
  • storage.buckets.setIpFilter
  • storage.buckets.update
  • storage.buckets.viewIntelligenceDetails

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.intelligenceConfigs.*

  • storage.intelligenceConfigs.get
  • storage.intelligenceConfigs.update

storage.managedFolders.*

  • storage.managedFolders.create
  • storage.managedFolders.delete
  • storage.managedFolders.get
  • storage.managedFolders.getIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.setIamPolicy

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.createContext
  • storage.objects.delete
  • storage.objects.deleteContext
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.overrideUnlockedRetention
  • storage.objects.restore
  • storage.objects.setIamPolicy
  • storage.objects.setRetention
  • storage.objects.update
  • storage.objects.updateContext

storagebatchoperations.*

  • storagebatchoperations.bucketOperations.get
  • storagebatchoperations.bucketOperations.list
  • storagebatchoperations.jobs.cancel
  • storagebatchoperations.jobs.create
  • storagebatchoperations.jobs.delete
  • storagebatchoperations.jobs.get
  • storagebatchoperations.jobs.list
  • storagebatchoperations.locations.get
  • storagebatchoperations.locations.list
  • storagebatchoperations.operations.cancel
  • storagebatchoperations.operations.delete
  • storagebatchoperations.operations.get
  • storagebatchoperations.operations.list

telemetry.metrics.write

(roles/dataplex.storageDataOwner)

Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.datasets.get

bigquery.models.create

bigquery.models.delete

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.models.updateData

bigquery.models.updateMetadata

bigquery.routines.create

bigquery.routines.delete

bigquery.routines.get

bigquery.routines.list

bigquery.routines.update

bigquery.tables.create

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/dataplex.storageDataReader)

Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.datasets.get

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

storage.buckets.get

storage.objects.get

storage.objects.list

(roles/dataplex.storageDataWriter)

Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.tables.updateData

storage.objects.create

storage.objects.delete

storage.objects.update

(roles/dataplex.taxonomyAdmin)

Full access to DataTaxonomy, DataAttribute resources.

dataplex.dataAttributes.*

  • dataplex.dataAttributes.bind
  • dataplex.dataAttributes.create
  • dataplex.dataAttributes.delete
  • dataplex.dataAttributes.get
  • dataplex.dataAttributes.getIamPolicy
  • dataplex.dataAttributes.list
  • dataplex.dataAttributes.setIamPolicy
  • dataplex.dataAttributes.update

dataplex.dataTaxonomies.create

dataplex.dataTaxonomies.delete

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.dataTaxonomies.setIamPolicy

dataplex.dataTaxonomies.update

(roles/dataplex.taxonomyViewer)

Read access on DataTaxonomy, DataAttribute resources.

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

(roles/dataplex.viewer)

Read access to Dataplex Universal Catalog resources, except for catalog resources like entries, entry groups, and glossaries.

cloudasset.assets.analyzeIamPolicy

dataplex.assetActions.list

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.content.get

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.dataAssets.get

dataplex.dataAssets.list

dataplex.dataAttributeBindings.get

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataProducts.get

dataplex.dataProducts.getIamPolicy

dataplex.dataProducts.list

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.environments.get

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.lakeActions.list

dataplex.lakes.get

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.operations.get

dataplex.operations.list

dataplex.tasks.get

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.zoneActions.list

dataplex.zones.get

dataplex.zones.getIamPolicy

dataplex.zones.list

Função de proprietário de entradas e links de entradas do Dataplex

O papel Proprietário de entradas e links de entradas do Dataplex (roles/dataplex.entryOwner) inclui os seguintes recursos:

  • Concede acesso total a operações relacionadas a entradas.
  • Concede permissões para adicionar aspectos de alguns dos tipos de aspectos do sistema, como Schema, Generic, Overview e Contacts.
  • Concede permissões para criar entradas do tipo GenericEntry.
  • Com essa função, é possível criar uma entrada com um tipo de entrada e um tipo de aspecto, em que o tipo de entrada e o tipo de aspecto são definidos no mesmo projeto da entrada. Caso contrário, também é necessário conceder os papéis Usuário de tipos de entradas do Dataplex (roles/dataplex.entryTypeUser) e Usuário de tipos de aspectos do Dataplex (roles/dataplex.aspectTypeUser) nos projetos em que os tipos de entradas e aspectos estão definidos.
  • Essa função não concede permissões para ler entradas criadas de recursos Google Cloud fora do Universal Catalog do Dataplex, como entradas do BigQuery, ao usar os métodos LookupEntry ou SearchEntries. Para ler essas entradas, você precisa ter permissões nos recursos do sistema de origem. Como alternativa, é possível ler as entradas apenas com a função Proprietário de entradas e links de entradas do Dataplex (roles/dataplex.entryOwner) usando o método GetEntry.

Considerações sobre papéis

  • Nenhuma função concede permissões para adicionar ou excluir entradas do Dataplex Universal Catalog de grupos de entradas definidos pelo sistema, como @bigquery e @dataplex.

  • Para ver os aspectos de dados anexados a uma entrada, você precisa de permissões para ler dados do recurso de origem que a entrada representa, além de permissões para ver a entrada. Se você tiver permissão para ver uma entrada, mas não tiver permissões de leitura de dados para o recurso de origem, ainda poderá ver todos os outros metadados na entrada. No entanto, o Dataplex Universal Catalog oculta o conteúdo de todos os aspectos de dados anexados.

  • Os papéis Administrador de catálogo do Dataplex (roles/dataplex.catalogAdmin) e Editor de catálogo do Dataplex (roles/dataplex.catalogEditor) concedem permissões para visualizar entradas personalizadas.

  • Para pesquisar entradas usando o método SearchEntries, você precisa ter pelo menos um dos seguintes papéis do IAM no projeto usado na solicitação da API: Administrador do catálogo do Dataplex (roles/dataplex.catalogAdmin), Editor do catálogo do Dataplex (roles/dataplex.catalogEditor) ou Leitor do catálogo do Dataplex (roles/dataplex.catalogViewer). As permissões nos resultados da pesquisa são verificadas independentemente do projeto selecionado.

Papéis predefinidos para linhagem de dados

Para acessar a linhagem de qualquer entrada do Dataplex Universal Catalog, você precisa de uma função de leitor no recurso do sistema correspondente ou a função de leitor do catálogo do Dataplex (roles/dataplex.catalogViewer) no projeto que armazena a entrada do Dataplex Universal Catalog. Esta seção descreve os papéis necessários para trabalhar com linhagem.

Role Permissions

(roles/datalineage.admin)

Grants full access to all resources in Data Lineage API

datalineage.*

  • datalineage.configs.get
  • datalineage.configs.update
  • datalineage.events.create
  • datalineage.events.delete
  • datalineage.events.get
  • datalineage.events.getFields
  • datalineage.events.list
  • datalineage.locations.processOpenLineageMessage
  • datalineage.locations.searchLinks
  • datalineage.operations.get
  • datalineage.processes.create
  • datalineage.processes.delete
  • datalineage.processes.get
  • datalineage.processes.list
  • datalineage.processes.update
  • datalineage.runs.create
  • datalineage.runs.delete
  • datalineage.runs.get
  • datalineage.runs.list
  • datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.editor)

Grants edit access to all resources in Data Lineage API

datalineage.events.*

  • datalineage.events.create
  • datalineage.events.delete
  • datalineage.events.get
  • datalineage.events.getFields
  • datalineage.events.list

datalineage.locations.*

  • datalineage.locations.processOpenLineageMessage
  • datalineage.locations.searchLinks

datalineage.operations.get

datalineage.processes.create

datalineage.processes.get

datalineage.processes.list

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.list

datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.producer)

Grants access to creating all resources in Data Lineage API

datalineage.events.create

datalineage.locations.processOpenLineageMessage

datalineage.processes.create

datalineage.processes.get

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.viewer)

Grants read access to all resources in Data Lineage API

datalineage.events.get

datalineage.events.getFields

datalineage.events.list

datalineage.locations.searchLinks

datalineage.processes.get

datalineage.processes.list

datalineage.runs.get

datalineage.runs.list

resourcemanager.projects.get

resourcemanager.projects.list

Função de leitor de linhagem

Com a função de leitor da linhagem de dados (roles/datalineage.viewer), é possível ver a linhagem do catálogo universal do Dataplex no console Google Cloud e ler informações de linhagem usando a API Data Lineage. As execuções e os eventos de um determinado processo são armazenados no mesmo projeto que o processo. No caso da linhagem automatizada, o processo, as execuções e os eventos são armazenados no projeto em que o job que gerou a linhagem estava sendo executado. Por exemplo, pode ser o projeto em que um job do BigQuery estava sendo executado.

Para conferir a linhagem entre recursos, você precisa da função de leitor da linhagem de dados (roles/datalineage.viewer) no projeto em que você está visualizando a linhagem e nos projetos em que ela é registrada. Especificamente, você precisa da função nos seguintes projetos:

  • O projeto em que você está visualizando a linhagem (conhecido como projeto ativo), ou seja, o projeto no menu suspenso na parte de cima do console do Google Cloud ou o projeto de onde as chamadas de API são feitas. Normalmente, é o projeto que contém os recursos criados no Dataplex Universal Catalog ou acessados em outros sistemas do Google Cloud com a API.
  • Os projetos em que a linhagem é registrada (conhecidos como projeto de computação). A linhagem é armazenada no projeto em que o processo correspondente foi executado, conforme descrito anteriormente. Esse projeto pode ser diferente daquele que armazena o recurso para o qual você está visualizando a linhagem.

Para acessar os metadados de recursos, você precisa das mesmas funções usadas para acessar entradas de metadados no Dataplex Universal Catalog.

Dependendo do caso de uso, conceda a função de visualizador da linhagem de dados (roles/datalineage.viewer) no nível da pasta ou da organização para garantir o acesso à linhagem. Consulte Conceder ou revogar uma única função.

Funções para visualizar metadados de recursos ao consultar a linhagem

Para ver os metadados de um recurso armazenado no Dataplex Universal Catalog, você precisa ter uma função de leitor no recurso do sistema correspondente ou a função de leitor do Dataplex Catalog (roles/dataplex.catalogViewer) no projeto que armazena a entrada do Dataplex Universal Catalog. Você pode ter acesso a recursos no gráfico ou na lista de linhagem usando as funções de visualizador adequadas, mas não à linhagem entre eles. Isso acontece se você não tiver o papel de leitor da linhagem de dados (roles/datalineage.viewer) no projeto em que a linhagem foi registrada. Nesse caso, a API Data Lineage e o console Google Cloud não mostram a linhagem nem retornam um erro. Isso evita o vazamento de informações sobre a existência da linhagem. Portanto, a ausência de linhagem para um recurso não significa que ela não existe, mas sim que você não tem permissão para acessá-la.

Papéis de metadados

As funções de metadados concedem permissões para visualizar e atualizar metadados, como esquemas de tabela.

Papel Descrição
Gravador de metadados do Dataplex
(roles/dataplex.metadataWriter)		 Permite atualizar os metadados de um recurso.
Leitor de metadados do Dataplex
(roles/dataplex.metadataReader)		 Permite ler metadados, por exemplo, para consultar uma tabela.

Funções de dados

O Dataplex Universal Catalog define as seguintes funções do IAM que se aplicam a qualquer recurso gerenciado por ele. Para mais informações sobre as permissões associadas a cada papel, consulte a seção Papéis predefinidos deste documento.

Papel Descrição
Proprietário de dados do Dataplex
(roles/dataplex.dataOwner)		 Acesso total ao recurso gerenciado e aos filhos dele. As permissões incluem atualizar metadados, criar recursos filhos e conceder permissões granulares.
Leitor de dados do Dataplex
(roles/dataplex.dataReader)		 Acesso de leitura a dados e metadados no recurso gerenciado e nos filhos dele.
Gravador de dados do Dataplex
(roles/dataplex.dataWriter)		 Acesso de gravação aos dados no recurso gerenciado. Isso inclui criar, atualizar e excluir dados, mas não metadados.

A seguir