Configure access controls for apps

This page explains how a Gemini Enterprise admin can use the API to manage fine-grained access control for individual Gemini Enterprise apps.

By default, IAM permissions are often managed at the project level. App-level IAM allows for more granular control, enabling admins to:

  • Restrict user access to specific apps within the same Google Cloud project.
  • Align permissions with organizational needs and data silos for your Gemini Enterprise deployments.

For example, consider an organization with an HR app and a company-wide app. An HR team member with project-level permissions can access both apps. By contrast, using an app-level IAM policy, you can grant a sales team member access to only the company-wide app, thereby preventing them from accessing the HR app.

Diagram of app-level IAM policy examples.

Before you begin

Manage IAM policies for apps

To manage access to your Gemini Enterprise app, you can use the getIamPolicy and setIamPolicy API methods.

The following steps show you how to retrieve the current policy and then update it to grant or revoke user access.

Get the app IAM policy

Get the current IAM policy of your app using the getIamPolicy method. Fetch the existing policy first: setIamPolicy replaces the whole policy, so writing one without the current bindings and etag would overwrite permissions that are already granted.

REST

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
"https://ENDPOINT_LOCATION-discoveryengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/collections/default_collection/engines/APP_ID:getIamPolicy"

Replace the following:

  • PROJECT_ID: the ID of your project.
  • ENDPOINT_LOCATION: the multi-region for your API request. Specify one of the following values:
    • us for the US multi-region
    • eu for the EU multi-region
    • global for the Global location
    For more information, see Specify a multi-region for your data store.
  • LOCATION: the multi-region of your data store: global, us, or eu.
  • APP_ID: the ID of the app that you want to configure.

Update the app IAM policy

To grant or revoke user access to the app, update the app's IAM policy using the setIamPolicy method.

The IAM policy uses the Gemini Enterprise User (roles/discoveryengine.agentspaceUser) role to grant users direct access to the app.

REST

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
  "policy": {
    "etag": "ETAG",
    "bindings": [
      {
        "role": "roles/discoveryengine.agentspaceUser",
        "members": [
          "user:USER_EMAIL_1",
          "user:USER_EMAIL_2"
        ]
      }
    ]
  }
}' \
"https://ENDPOINT_LOCATION-discoveryengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/collections/default_collection/engines/APP_ID:setIamPolicy"

Replace the following:

  • ETAG: the etag value returned in the response when you called the getIamPolicy method. The etag lets the API detect that the policy changed between your read and your write.

  • USER_EMAIL_1, USER_EMAIL_2: one or more user email addresses.

    • To grant access, add the user email addresses to the members array, each with the user: prefix.

    • To revoke access, remove the user email addresses from the members array. Keep every other binding from the fetched policy in the request, because the bindings array you send replaces the existing one.

  • PROJECT_ID: the ID of your project.

  • ENDPOINT_LOCATION: the multi-region for your API request. Specify one of the following values:

    • us for the US multi-region
    • eu for the EU multi-region
    • global for the Global location
    For more information, see Specify a multi-region for your data store.

  • LOCATION: the multi-region of your data store: global, us, or eu.

  • APP_ID: the ID of the app that you want to configure.
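The read-modify-write cycle described above (get the policy, edit the members of the Gemini Enterprise User binding, write it back with the same etag) as an added Python example; it is not Google's code and not from this page. It assumes the placeholder values the page uses and that an access token is obtained separately, for instance from gcloud auth print-access-token. update_app_policy preserves all other bindings and rejects members that are not in the user: form the page shows.

```python
import json
import urllib.request

APP_USER_ROLE = "roles/discoveryengine.agentspaceUser"   # role used on this page
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}  # never write these by accident


def app_policy_url(endpoint_location, project_id, location, app_id, method):
    """Build the :getIamPolicy / :setIamPolicy URL from the page's placeholders."""
    return (f"https://{endpoint_location}-discoveryengine.googleapis.com/v1"
            f"/projects/{project_id}/locations/{location}"
            f"/collections/default_collection/engines/{app_id}:{method}")


def update_app_policy(policy, grant=(), revoke=()):
    """Return a copy of the fetched policy with members granted/revoked on APP_USER_ROLE."""
    # setIamPolicy replaces the whole policy: other bindings and the etag are
    # carried over unchanged, since anything omitted here would be revoked.
    if not policy.get("etag"):
        raise ValueError("policy has no etag; fetch it with getIamPolicy first")
    for member in list(grant) + list(revoke):
        # Assumption: only user: members are written (the form this page shows);
        # bare emails and public principals are rejected rather than silently sent.
        if member in PUBLIC_PRINCIPALS or not member.startswith("user:"):
            raise ValueError(f"unexpected member: {member!r}")
    bindings = [dict(b, members=list(b.get("members", [])))
                for b in policy.get("bindings", [])]
    target = next((b for b in bindings if b["role"] == APP_USER_ROLE), None)
    if target is None:
        target = {"role": APP_USER_ROLE, "members": []}
        bindings.append(target)
    target["members"] = sorted(set(target["members"]) - set(revoke) | set(grant))
    new_policy = dict(policy)
    # Drop a binding left with no members instead of writing an empty one.
    new_policy["bindings"] = [b for b in bindings if b["members"]]
    return new_policy


def get_iam_policy(url, token):
    """GET the current policy; token is the output of gcloud auth print-access-token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def set_iam_policy(url, token, policy):
    """POST the updated policy in the {"policy": ...} envelope the page shows."""
    req = urllib.request.Request(url, data=json.dumps({"policy": policy}).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

To apply a change, call get_iam_policy with the :getIamPolicy URL, pass the result through update_app_policy, and send the returned policy to set_iam_policy with the :setIamPolicy URL.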

What's next?

If you want to delete an app with an IAM policy, you can remove the users from the policy before deleting the app. For more information, see Best practices for deleting an app with an IAM policy.