Permisos y funciones de IAM

En esta página, se describe cómo puedes controlar el acceso a la API y los permisos de los recursos de Gemini Enterprise con Identity and Access Management (IAM).

Descripción general

Google Cloud ofrece IAM, que te permite otorgar acceso más detallado a recursos específicos de Google Cloud y evita el acceso no deseado a otros recursos. En esta página, se describen los roles y permisos de IAM de Gemini Enterprise. Para ver una descripción detallada deGoogle Cloud IAM, consulta la documentación de IAM.

Gemini Enterprise proporciona un conjunto de roles predefinidos diseñados para ayudarte a controlar el acceso a tus recursos de Gemini Enterprise. También puedes crear tus funciones personalizadas, si las funciones predefinidas no proporcionan los conjuntos de permisos que necesitas. Además, las funciones básicas anteriores (Editor, Visualizador y Propietario) también están disponibles, aunque no proporcionan el mismo control detallado que las funciones de Gemini Enterprise. En particular, las funciones básicas brindan acceso a los recursos en Google Cloud en lugar de solo para Gemini Enterprise. Consulta la documentación sobre las funciones básicas para obtener más información.

Funciones predefinidas

Gemini Enterprise proporciona algunos roles predefinidos que puedes usar para proporcionar permisos más detallados a las principales. La función que otorgas a un principal controla las acciones que puede realizar. Los principales pueden ser personas, grupos o cuentas de servicios.

Puedes otorgar varias funciones al mismo principal y cambiarlas en cualquier momento, siempre que tengas los permisos para hacerlo.

Las funciones más amplias incluyen las más específicas. Por ejemplo, el rol de editor de Discovery Engine incluye todos los permisos del rol de visualizador de Discovery Engine, junto con los permisos adicionales del rol de editor de Discovery Engine. Del mismo modo, el rol de administrador de Discovery Engine incluye todos los permisos del rol de editor de Discovery Engine, junto con sus permisos adicionales.

Las funciones básicas (Propietario, Editor y Visualizador) proporcionan permisos en Google Cloud. Los roles específicos de Gemini Enterprise solo proporcionan permisos de Gemini Enterprise, excepto los siguientes Google Cloudpermisos, que son necesarios para el uso general de Google Cloud :

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
  • serviceusage.services.get

En la siguiente tabla, se enumeran los roles de IAM de Gemini Enterprise con una lista correspondiente de todos los permisos para cada rol.

Rol Permisos

(roles/discoveryengine.admin)

Otorga acceso completo a todos los recursos de Discovery Engine.

discoveryengine.aclConfigs.*

  • discoveryengine.aclConfigs.get
  • discoveryengine.aclConfigs.update

discoveryengine.agents.*

  • discoveryengine.agents.create
  • discoveryengine.agents.delete
  • discoveryengine.agents.get
  • discoveryengine.agents.list
  • discoveryengine.agents.update

discoveryengine.alertPolicies.*

  • discoveryengine.alertPolicies.create
  • discoveryengine.alertPolicies.get
  • discoveryengine.alertPolicies.update

discoveryengine.analytics.*

  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens

discoveryengine.answers.get

discoveryengine.assistAnswers.get

discoveryengine.assistants.*

  • discoveryengine.assistants.assist
  • discoveryengine.assistants.create
  • discoveryengine.assistants.delete
  • discoveryengine.assistants.get
  • discoveryengine.assistants.list
  • discoveryengine.assistants.update

discoveryengine.branches.*

  • discoveryengine.branches.get
  • discoveryengine.branches.list

discoveryengine.cmekConfigs.*

  • discoveryengine.cmekConfigs.get
  • discoveryengine.cmekConfigs.list
  • discoveryengine.cmekConfigs.update

discoveryengine.collections.*

  • discoveryengine.collections.delete
  • discoveryengine.collections.get
  • discoveryengine.collections.list

discoveryengine.completionConfigs.*

  • discoveryengine.completionConfigs.completeQuery
  • discoveryengine.completionConfigs.get
  • discoveryengine.completionConfigs.update

discoveryengine.connectorRuns.*

  • discoveryengine.connectorRuns.cancel
  • discoveryengine.connectorRuns.list

discoveryengine.controls.*

  • discoveryengine.controls.create
  • discoveryengine.controls.delete
  • discoveryengine.controls.get
  • discoveryengine.controls.list
  • discoveryengine.controls.update

discoveryengine.conversations.*

  • discoveryengine.conversations.converse
  • discoveryengine.conversations.create
  • discoveryengine.conversations.delete
  • discoveryengine.conversations.get
  • discoveryengine.conversations.list
  • discoveryengine.conversations.update

discoveryengine.dataConnectors.*

  • discoveryengine.dataConnectors.acquireAccessToken
  • discoveryengine.dataConnectors.acquireAndStoreRefreshToken
  • discoveryengine.dataConnectors.buildActionInvocation
  • discoveryengine.dataConnectors.checkRefreshToken
  • discoveryengine.dataConnectors.executeAction
  • discoveryengine.dataConnectors.get
  • discoveryengine.dataConnectors.queryAvailableActions
  • discoveryengine.dataConnectors.startConnectorRun
  • discoveryengine.dataConnectors.update

discoveryengine.dataStores.*

  • discoveryengine.dataStores.completeQuery
  • discoveryengine.dataStores.create
  • discoveryengine.dataStores.delete
  • discoveryengine.dataStores.enrollSolutions
  • discoveryengine.dataStores.get
  • discoveryengine.dataStores.list
  • discoveryengine.dataStores.listCustomModels
  • discoveryengine.dataStores.trainCustomModel
  • discoveryengine.dataStores.update

discoveryengine.documentProcessingConfigs.*

  • discoveryengine.documentProcessingConfigs.get
  • discoveryengine.documentProcessingConfigs.update

discoveryengine.documents.*

  • discoveryengine.documents.batchGetDocumentsMetadata
  • discoveryengine.documents.create
  • discoveryengine.documents.delete
  • discoveryengine.documents.get
  • discoveryengine.documents.import
  • discoveryengine.documents.list
  • discoveryengine.documents.purge
  • discoveryengine.documents.update

discoveryengine.engines.*

  • discoveryengine.engines.create
  • discoveryengine.engines.createEngineUserData
  • discoveryengine.engines.delete
  • discoveryengine.engines.get
  • discoveryengine.engines.list
  • discoveryengine.engines.pause
  • discoveryengine.engines.resume
  • discoveryengine.engines.tune
  • discoveryengine.engines.update

discoveryengine.evaluations.*

  • discoveryengine.evaluations.create
  • discoveryengine.evaluations.get
  • discoveryengine.evaluations.list

discoveryengine.groundingConfigs.check

discoveryengine.identityMappingStores.*

  • discoveryengine.identityMappingStores.create
  • discoveryengine.identityMappingStores.delete
  • discoveryengine.identityMappingStores.get
  • discoveryengine.identityMappingStores.importIdentityMappings
  • discoveryengine.identityMappingStores.list
  • discoveryengine.identityMappingStores.listIdentityMappings
  • discoveryengine.identityMappingStores.purgeIdentityMappings

discoveryengine.licenseConfigs.*

  • discoveryengine.licenseConfigs.create
  • discoveryengine.licenseConfigs.get
  • discoveryengine.licenseConfigs.list
  • discoveryengine.licenseConfigs.update

discoveryengine.locations.*

  • discoveryengine.locations.estimateDataSize
  • discoveryengine.locations.exchangeAuthCredentials
  • discoveryengine.locations.getConnectorSource
  • discoveryengine.locations.listConnectorSources
  • discoveryengine.locations.setUpDataConnector

discoveryengine.models.*

  • discoveryengine.models.create
  • discoveryengine.models.delete
  • discoveryengine.models.get
  • discoveryengine.models.list
  • discoveryengine.models.pause
  • discoveryengine.models.resume
  • discoveryengine.models.tune
  • discoveryengine.models.update

discoveryengine.operations.*

  • discoveryengine.operations.get
  • discoveryengine.operations.list

discoveryengine.projects.*

  • discoveryengine.projects.get
  • discoveryengine.projects.provision
  • discoveryengine.projects.reportConsentChange

discoveryengine.rankingConfigs.rank

discoveryengine.sampleQueries.*

  • discoveryengine.sampleQueries.create
  • discoveryengine.sampleQueries.delete
  • discoveryengine.sampleQueries.get
  • discoveryengine.sampleQueries.import
  • discoveryengine.sampleQueries.list
  • discoveryengine.sampleQueries.update

discoveryengine.sampleQuerySets.*

  • discoveryengine.sampleQuerySets.create
  • discoveryengine.sampleQuerySets.delete
  • discoveryengine.sampleQuerySets.get
  • discoveryengine.sampleQuerySets.list
  • discoveryengine.sampleQuerySets.update

discoveryengine.schemas.*

  • discoveryengine.schemas.create
  • discoveryengine.schemas.delete
  • discoveryengine.schemas.get
  • discoveryengine.schemas.list
  • discoveryengine.schemas.preview
  • discoveryengine.schemas.update
  • discoveryengine.schemas.validate

discoveryengine.servingConfigs.*

  • discoveryengine.servingConfigs.answer
  • discoveryengine.servingConfigs.create
  • discoveryengine.servingConfigs.delete
  • discoveryengine.servingConfigs.get
  • discoveryengine.servingConfigs.list
  • discoveryengine.servingConfigs.recommend
  • discoveryengine.servingConfigs.search
  • discoveryengine.servingConfigs.update

discoveryengine.sessions.*

  • discoveryengine.sessions.addContextFile
  • discoveryengine.sessions.create
  • discoveryengine.sessions.delete
  • discoveryengine.sessions.downloadFile
  • discoveryengine.sessions.get
  • discoveryengine.sessions.list
  • discoveryengine.sessions.listSessionFileMetadata
  • discoveryengine.sessions.recommendQuestions
  • discoveryengine.sessions.removeContextFile
  • discoveryengine.sessions.search
  • discoveryengine.sessions.selectContextFiles
  • discoveryengine.sessions.update
  • discoveryengine.sessions.uploadFile

discoveryengine.siteSearchEngines.*

  • discoveryengine.siteSearchEngines.batchVerifyTargetSites
  • discoveryengine.siteSearchEngines.disableAdvancedSiteSearch
  • discoveryengine.siteSearchEngines.enableAdvancedSiteSearch
  • discoveryengine.siteSearchEngines.fetchDomainVerificationStatus
  • discoveryengine.siteSearchEngines.get
  • discoveryengine.siteSearchEngines.recrawlUris

discoveryengine.sitemaps.*

  • discoveryengine.sitemaps.create
  • discoveryengine.sitemaps.delete
  • discoveryengine.sitemaps.fetch

discoveryengine.suggestionDenyListEntries.*

  • discoveryengine.suggestionDenyListEntries.import
  • discoveryengine.suggestionDenyListEntries.purge

discoveryengine.targetSites.*

  • discoveryengine.targetSites.batchCreate
  • discoveryengine.targetSites.create
  • discoveryengine.targetSites.delete
  • discoveryengine.targetSites.get
  • discoveryengine.targetSites.list
  • discoveryengine.targetSites.update

discoveryengine.userEvents.*

  • discoveryengine.userEvents.create
  • discoveryengine.userEvents.fetchStats
  • discoveryengine.userEvents.import
  • discoveryengine.userEvents.purge

discoveryengine.userStores.*

  • discoveryengine.userStores.batchUpdateUserLicenses
  • discoveryengine.userStores.get
  • discoveryengine.userStores.listUserLicenses
  • discoveryengine.userStores.update

discoveryengine.users.*

  • discoveryengine.users.get
  • discoveryengine.users.update

discoveryengine.widgetConfigs.*

  • discoveryengine.widgetConfigs.get
  • discoveryengine.widgetConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/discoveryengine.editor)

Otorga acceso de lectura y escritura a todos los recursos de Discovery Engine.

discoveryengine.aclConfigs.get

discoveryengine.agents.*

  • discoveryengine.agents.create
  • discoveryengine.agents.delete
  • discoveryengine.agents.get
  • discoveryengine.agents.list
  • discoveryengine.agents.update

discoveryengine.alertPolicies.get

discoveryengine.analytics.*

  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens

discoveryengine.answers.get

discoveryengine.assistAnswers.get

discoveryengine.assistants.assist

discoveryengine.assistants.get

discoveryengine.assistants.list

discoveryengine.branches.*

  • discoveryengine.branches.get
  • discoveryengine.branches.list

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.completeQuery

discoveryengine.completionConfigs.get

discoveryengine.connectorRuns.list

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.*

  • discoveryengine.conversations.converse
  • discoveryengine.conversations.create
  • discoveryengine.conversations.delete
  • discoveryengine.conversations.get
  • discoveryengine.conversations.list
  • discoveryengine.conversations.update

discoveryengine.dataConnectors.acquireAccessToken

discoveryengine.dataConnectors.acquireAndStoreRefreshToken

discoveryengine.dataConnectors.buildActionInvocation

discoveryengine.dataConnectors.checkRefreshToken

discoveryengine.dataConnectors.executeAction

discoveryengine.dataConnectors.get

discoveryengine.dataConnectors.queryAvailableActions

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.dataStores.listCustomModels

discoveryengine.dataStores.trainCustomModel

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.batchGetDocumentsMetadata

discoveryengine.documents.create

discoveryengine.documents.delete

discoveryengine.documents.get

discoveryengine.documents.import

discoveryengine.documents.list

discoveryengine.documents.update

discoveryengine.engines.createEngineUserData

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.engines.pause

discoveryengine.engines.resume

discoveryengine.engines.tune

discoveryengine.evaluations.get

discoveryengine.evaluations.list

discoveryengine.groundingConfigs.check

discoveryengine.identityMappingStores.*

  • discoveryengine.identityMappingStores.create
  • discoveryengine.identityMappingStores.delete
  • discoveryengine.identityMappingStores.get
  • discoveryengine.identityMappingStores.importIdentityMappings
  • discoveryengine.identityMappingStores.list
  • discoveryengine.identityMappingStores.listIdentityMappings
  • discoveryengine.identityMappingStores.purgeIdentityMappings

discoveryengine.licenseConfigs.get

discoveryengine.licenseConfigs.list

discoveryengine.models.*

  • discoveryengine.models.create
  • discoveryengine.models.delete
  • discoveryengine.models.get
  • discoveryengine.models.list
  • discoveryengine.models.pause
  • discoveryengine.models.resume
  • discoveryengine.models.tune
  • discoveryengine.models.update

discoveryengine.operations.*

  • discoveryengine.operations.get
  • discoveryengine.operations.list

discoveryengine.projects.get

discoveryengine.rankingConfigs.rank

discoveryengine.sampleQueries.*

  • discoveryengine.sampleQueries.create
  • discoveryengine.sampleQueries.delete
  • discoveryengine.sampleQueries.get
  • discoveryengine.sampleQueries.import
  • discoveryengine.sampleQueries.list
  • discoveryengine.sampleQueries.update

discoveryengine.sampleQuerySets.*

  • discoveryengine.sampleQuerySets.create
  • discoveryengine.sampleQuerySets.delete
  • discoveryengine.sampleQuerySets.get
  • discoveryengine.sampleQuerySets.list
  • discoveryengine.sampleQuerySets.update

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.schemas.preview

discoveryengine.schemas.validate

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.sessions.*

  • discoveryengine.sessions.addContextFile
  • discoveryengine.sessions.create
  • discoveryengine.sessions.delete
  • discoveryengine.sessions.downloadFile
  • discoveryengine.sessions.get
  • discoveryengine.sessions.list
  • discoveryengine.sessions.listSessionFileMetadata
  • discoveryengine.sessions.recommendQuestions
  • discoveryengine.sessions.removeContextFile
  • discoveryengine.sessions.search
  • discoveryengine.sessions.selectContextFiles
  • discoveryengine.sessions.update
  • discoveryengine.sessions.uploadFile

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.create

discoveryengine.userEvents.fetchStats

discoveryengine.userEvents.import

discoveryengine.userStores.get

discoveryengine.widgetConfigs.*

  • discoveryengine.widgetConfigs.get
  • discoveryengine.widgetConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/discoveryengine.user)

Otorga acceso a nivel de usuario a los recursos de Discovery Engine.

discoveryengine.accounts.create

discoveryengine.agents.*

  • discoveryengine.agents.create
  • discoveryengine.agents.delete
  • discoveryengine.agents.get
  • discoveryengine.agents.list
  • discoveryengine.agents.update

discoveryengine.answers.get

discoveryengine.assistAnswers.get

discoveryengine.assistants.assist

discoveryengine.completionConfigs.completeQuery

discoveryengine.dataConnectors.acquireAccessToken

discoveryengine.dataConnectors.acquireAndStoreRefreshToken

discoveryengine.dataConnectors.buildActionInvocation

discoveryengine.dataConnectors.checkRefreshToken

discoveryengine.dataConnectors.executeAction

discoveryengine.dataConnectors.queryAvailableActions

discoveryengine.engines.createEngineUserData

discoveryengine.engines.get

discoveryengine.notebooks.create

discoveryengine.notebooks.list

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.sessions.*

  • discoveryengine.sessions.addContextFile
  • discoveryengine.sessions.create
  • discoveryengine.sessions.delete
  • discoveryengine.sessions.downloadFile
  • discoveryengine.sessions.get
  • discoveryengine.sessions.list
  • discoveryengine.sessions.listSessionFileMetadata
  • discoveryengine.sessions.recommendQuestions
  • discoveryengine.sessions.removeContextFile
  • discoveryengine.sessions.search
  • discoveryengine.sessions.selectContextFiles
  • discoveryengine.sessions.update
  • discoveryengine.sessions.uploadFile

discoveryengine.userEvents.create

discoveryengine.widgetConfigs.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/discoveryengine.viewer)

Otorga acceso de lectura a todos los recursos de Discovery Engine.

discoveryengine.aclConfigs.get

discoveryengine.agents.get

discoveryengine.agents.list

discoveryengine.alertPolicies.get

discoveryengine.analytics.*

  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens

discoveryengine.answers.get

discoveryengine.assistAnswers.get

discoveryengine.assistants.get

discoveryengine.assistants.list

discoveryengine.branches.*

  • discoveryengine.branches.get
  • discoveryengine.branches.list

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.completeQuery

discoveryengine.completionConfigs.get

discoveryengine.connectorRuns.list

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.converse

discoveryengine.conversations.get

discoveryengine.conversations.list

discoveryengine.dataConnectors.buildActionInvocation

discoveryengine.dataConnectors.checkRefreshToken

discoveryengine.dataConnectors.get

discoveryengine.dataConnectors.queryAvailableActions

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.dataStores.listCustomModels

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.batchGetDocumentsMetadata

discoveryengine.documents.get

discoveryengine.documents.list

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.evaluations.get

discoveryengine.evaluations.list

discoveryengine.groundingConfigs.check

discoveryengine.identityMappingStores.get

discoveryengine.identityMappingStores.list

discoveryengine.identityMappingStores.listIdentityMappings

discoveryengine.models.get

discoveryengine.models.list

discoveryengine.operations.*

  • discoveryengine.operations.get
  • discoveryengine.operations.list

discoveryengine.projects.get

discoveryengine.rankingConfigs.rank

discoveryengine.sampleQueries.get

discoveryengine.sampleQueries.list

discoveryengine.sampleQuerySets.get

discoveryengine.sampleQuerySets.list

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.schemas.preview

discoveryengine.schemas.validate

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.sessions.downloadFile

discoveryengine.sessions.get

discoveryengine.sessions.list

discoveryengine.sessions.listSessionFileMetadata

discoveryengine.sessions.recommendQuestions

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.fetchStats

discoveryengine.userStores.get

discoveryengine.widgetConfigs.get

resourcemanager.projects.get

resourcemanager.projects.list

Administra IAM de Gemini Enterprise

Puedes obtener y establecer políticas de permisos de IAM y roles de IAM con la consola de Google Cloud . Para obtener más información, consulta Administra el acceso a proyectos, carpetas y organizaciones.

Otorga permisos a los administradores

Como propietario del proyecto, puedes otorgar los roles de Discovery Engine Admin, Service Usage Consumer y Logs Viewer a los usuarios que deseen ser administradores.

Sigue estos pasos para agregar los roles:

  1. En la consola de Google Cloud , ve a la página IAM.

    Ir a IAM
  2. Selecciona el proyecto.
  3. Haz clic en Grant access.

  4. En el campo Principales nuevas, ingresa el identificador del usuario. Por lo general, esta es la dirección de correo electrónico de una Cuenta de Google o de un grupo de usuarios.

  5. Agrega los roles:
    1. Haz clic en Agregar otro rol.
    2. En la lista Seleccionar un rol, selecciona Administrador de Discovery Engine.
    3. Repite los pasos a y b para agregar los roles Consumidor de Service Usage y Visualizador de registros.
  6. Haz clic en Guardar.

Otorga permisos a tus usuarios

En esta sección, se describe cómo otorgar a los usuarios el rol de Discovery Engine user que necesitan para acceder a las apps.

  1. En la consola de Google Cloud , ve a la página IAM.

    Ir a IAM
  2. Selecciona el proyecto.
  3. Haz clic en Grant access.

  4. En el campo Principales nuevas, ingresa el identificador del usuario. Por lo general, es la dirección de correo electrónico de una Cuenta de Google, un grupo de usuarios o el identificador de un usuario en un grupo de identidades del personal. Para obtener más información, consulta Identificadores principales para las políticas de permisos.

  5. Agrega el rol:
    1. Haz clic en Agregar otro rol.
    2. En la lista Seleccionar un rol, selecciona Usuario de Discovery Engine.
  6. Haz clic en Guardar.

Para permitir que los usuarios administren y compartan apps, otórgales el rol de Discovery Engine viewer.

¿Qué sigue?