This page explains how to share agents with users in your organization. As an administrator, you can share the available agents (Google-made, employee-made, and custom-made) with individual users, groups, Workforce Identity Pool groups, or all users in your organization. For more information about the different types of agents available in Gemini Enterprise, see Agents overview.
Before you begin
Before you can share an agent, you must meet the following requirements:
You must have an existing Gemini Enterprise web app. To create a new app, see Create an app.
To share custom agents, you must have registered or added the custom agents to Gemini Enterprise using any of the following options:
Share an agent
To share an agent, follow these steps:
Console
- In the Google Cloud console, go to the Gemini Enterprise page.
- Select your project.
- Click your app in the Name column. The navigation menu updates.
- Click Agents in the navigation menu.
- Click the Display name of the agent that you want to share.
- Click the User permissions tab. The Permissioned users page displays.
- Click Add user. The Add user permissions roles to agent dialog displays.
- Configure the permission details. In the Member type section, select one of the following options:
  - User: An individual end user. For this member type to function, you must assign the correct IAM role. For more information, see IAM roles and permissions.
  - Group: A collection of end users. For this member type to function, you must assign the correct IAM role. For more information, see IAM roles and permissions.
  - Principal: A single identity in a Workforce Identity Pool, which can include external identities that aren't managed by Google.
  - Workforce identity pool: All identities in a Workforce Identity Pool, or a subset of them selected by group or attribute (see Principal sets).
  - All users: All users in the organization.
- Enter the unique member identifier and select a role:

| Member type | Description |
|---|---|
| User | Enter email addresses in the Member field. Select a role in the Assign role field. |
| Group | Enter email addresses in the Member field. Select a role in the Assign role field. |
| Principal | A single identity within a WIF. |
| Workforce identity pool | Enter the principal identifier in the Member field. Select a role in the Assign role field. For examples of principal sets, see Principal sets. |
| All users | Select a role in the Assign role field. |

- Click Save.
Principal sets
The following are examples of principal sets that you can specify for the Workforce identity pool member type:
| Principal set | Description |
|---|---|
| //iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ID | A single identity in a workforce identity pool. |
| //iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID | All workforce identities in a group. |
| //iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE | All workforce identities with a specific attribute value. |
| //iam.googleapis.com/locations/global/workforcePools/POOL_ID/* | All identities in a workforce identity pool. |

The last form grants the agent to every identity the pool can assert, including any user your external IdP adds to it later. Prefer the group or attribute forms so that the grant stays bounded to the population that actually needs the agent.

Replace the following placeholders with your own values:

- PROJECT_NUMBER: the number used in the resource path to identify a specific Google Cloud project.
- POOL_ID: the unique ID of the workforce identity pool that you create in Google Cloud.
- SUBJECT_ID: the identifier of a single workforce identity in the pool.
- GROUP_ID: a specific group identifier from an external Identity Provider (IdP), letting you grant access to all members of that group.
- ATTRIBUTE_NAME: the user-defined name of a custom attribute that you have mapped from an external Identity Provider (IdP).
- ATTRIBUTE_VALUE: the specific value of the ATTRIBUTE_NAME used to restrict access.
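The four principal set forms above are easy to mistype in the Member field, and a malformed identifier either grants nothing or, with a stray wildcard, grants the whole pool. The following Python is an added example, not code from this documentation or from the Gemini Enterprise product: it parses a proposed identifier into its form, pool and ID, rejects anything that is not one of the documented shapes, and flags whole-pool grants for review before you paste them into the dialog. The POOL_ID character rules in the regex, the acceptance of an optional principal:// or principalSet:// scheme (the prefix IAM policy bindings use for the same path), and the sample identifiers are all assumptions or constructed inputs for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed POOL_ID rules (not stated on this page): 4-63 characters, lowercase
# letters, digits and hyphens, starting with a letter, not starting with "gcp-".
_POOL_ID = r"(?P<pool>(?!gcp-)[a-z][a-z0-9-]{3,62})"

# The page writes principal sets as //iam.googleapis.com/...; IAM policy bindings
# carry the same path behind a principal:// or principalSet:// scheme, accepted
# here as an optional prefix (assumption for this example).
_PREFIX = (r"^(?:principal(?:Set)?:)?//iam\.googleapis\.com/locations/global/workforcePools/"
           + _POOL_ID + "/")

# One pattern per form in the Principal sets table. Anchoring with $ and
# forbidding "/" inside an ID rejects trailing segments and nested paths.
_PATTERNS = {
    "subject":   re.compile(_PREFIX + r"subject/(?P<detail>[^/]+)$"),
    "group":     re.compile(_PREFIX + r"group/(?P<detail>[^/]+)$"),
    "attribute": re.compile(_PREFIX + r"attribute\.(?P<name>[A-Za-z_][A-Za-z0-9_]*)/(?P<detail>[^/]+)$"),
    "pool":      re.compile(_PREFIX + r"\*$"),
}


@dataclass(frozen=True)
class PrincipalSet:
    kind: str                        # "subject", "group", "attribute" or "pool"
    pool_id: str
    detail: Optional[str]            # subject ID, group ID or attribute value; None for whole pool
    attribute: Optional[str] = None  # attribute name, only for kind == "attribute"

    @property
    def is_whole_pool(self) -> bool:
        return self.kind == "pool"


def parse_principal_set(value: str) -> PrincipalSet:
    """Parse one of the four documented workforce-pool principal set forms.

    Raises ValueError for anything else (wrong host, non-global location,
    reserved pool prefix, empty or nested IDs) so a bad identifier is caught
    before it becomes a binding.
    """
    for kind, pattern in _PATTERNS.items():
        m = pattern.match(value.strip())
        if m:
            gd = m.groupdict()
            return PrincipalSet(kind=kind, pool_id=gd["pool"],
                                detail=gd.get("detail"), attribute=gd.get("name"))
    raise ValueError(f"not a recognised workforce-pool principal set: {value!r}")


def review_grants(values: List[str]) -> Dict[str, List[str]]:
    """Sort proposed member identifiers into narrow grants, whole-pool grants
    (which deserve a second look) and malformed strings."""
    report: Dict[str, List[str]] = {"narrow": [], "whole_pool": [], "invalid": []}
    for v in values:
        try:
            ps = parse_principal_set(v)
        except ValueError:
            report["invalid"].append(v)
            continue
        (report["whole_pool"] if ps.is_whole_pool else report["narrow"]).append(v)
    return report


# Constructed sample input for the example; "corp-pool" is a made-up pool ID.
SAMPLE_MEMBERS = [
    "//iam.googleapis.com/locations/global/workforcePools/corp-pool/subject/alice@example.com",
    "//iam.googleapis.com/locations/global/workforcePools/corp-pool/group/sec-eng",
    "//iam.googleapis.com/locations/global/workforcePools/corp-pool/attribute.department/security",
    "//iam.googleapis.com/locations/global/workforcePools/corp-pool/*",
    "//iam.googleapis.com/locations/us/workforcePools/corp-pool/subject/bob",   # non-global location
    "//iam.googleapis.com/locations/global/workforcePools/gcp-pool/group/x",    # reserved pool prefix
]

if __name__ == "__main__":
    for bucket, members in review_grants(SAMPLE_MEMBERS).items():
        print(bucket, members)
```

Run this over the list of identifiers you intend to add and treat anything in the whole_pool bucket as a grant that needs a justification, and anything in invalid as a typo to fix before it reaches the console.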