Manage access with IAM
This document explains how to use Identity and Access Management (IAM) to manage access control for Dataplex Universal Catalog resources. IAM controls access to your Dataplex Universal Catalog resources at the Google Cloud resource level. It lets you control which principals can manage specific resources, such as entry groups and entries, using the Google Cloud console, Google Cloud CLI, client libraries, or APIs.
For more information about IAM, see the IAM documentation.
IAM overview
When you create a new Google Cloud project, the original project creator is granted the Owner role. Other Google-managed service accounts might exist or be created when you enable an API to perform specific tasks. However, no other individual users have access to the project and its resources, including Dataplex Universal Catalog resources. You grant this access only when you explicitly add users as project members or grant them roles on specific resources.
IAM lets you grant granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege by granting only the necessary access to your resources.
IAM lets you control who (principals) has what access (roles) to which resources.
Principal
A principal can be a Google Account (for end users), a service account (for apps and virtual machines), a Google group, or a Google Workspace or Cloud Identity domain. Any of these can be granted access to a resource. When you grant roles, you identify the principal using an identifier, as described in Policy binding reference.
For more information, see IAM overview: Principals.
The Dataplex Universal Catalog Service Agent
Dataplex Universal Catalog uses a Google Cloud managed service account, a service agent, to access your resources. Service agents are service accounts managed by Google that allow Google Cloud services to access resources in your project. This is different from user-managed service accounts, which you create and use to represent your applications or workloads.
The Dataplex Universal Catalog service agent is created when you enable the Dataplex API. You can identify the service agent by its email:
service-CUSTOMER_PROJECT_NUMBER@gcp-sa-dataplex.iam.gserviceaccount.com
Here, CUSTOMER_PROJECT_NUMBER is the project number of the project where you enabled the Dataplex API.
The Dataplex Universal Catalog service agent requires the Dataplex Service Agent (roles/dataplex.serviceAgent) role on the project to manage Dataplex Universal Catalog resources. When you enable the API, the system automatically grants this role. If you revoke this role, Dataplex Universal Catalog might not function correctly.
If Dataplex Universal Catalog needs to access resources in other projects (for example, Cloud Storage buckets or BigQuery datasets that you want to attach as assets or scan for data profiles), you must grant this service agent the required permissions in the projects containing those resources. Because the agent acts on behalf of the service, grant it only the roles those pages call for in each project, not a basic role such as Editor.
For more information about granting permissions to the service agent for attaching assets, see Manage data assets.
For more information about granting permissions to the service agent for data profiling, see Create and use data profile scans.
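The following script is an added example, not code from the Dataplex documentation. It builds the service agent's IAM member string from a project number and checks, against IAM policies in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints, whether the agent holds the roles it needs in the home project and in a second project that holds data to attach. The two policies are constructed samples, and roles/storage.objectViewer is an assumed illustrative role for the data project; use the role named in the asset or data-profile-scan documentation for your case.

```python
"""Audit the IAM grants held by the Dataplex Universal Catalog service agent.

Added example (not code from the Dataplex documentation). The policy dicts have
the JSON shape printed by `gcloud projects get-iam-policy PROJECT --format=json`;
the two policies below are constructed samples, not real projects.
"""
from typing import Dict, List

SERVICE_AGENT_ROLE = "roles/dataplex.serviceAgent"

# Assumed for illustration only: the role the agent needs on a bucket-holding
# project. Use the role named in the asset or data-profile-scan documentation.
ASSUMED_BUCKET_ROLE = "roles/storage.objectViewer"


def service_agent_member(project_number: int) -> str:
    """IAM member string for the service agent of the project with this number."""
    return (
        f"serviceAccount:service-{project_number}"
        "@gcp-sa-dataplex.iam.gserviceaccount.com"
    )


def unconditional_roles(policy: Dict, member: str) -> List[str]:
    """Roles granted to `member` by bindings that carry no IAM condition.

    A conditional binding only applies when its expression is true at request
    time, so it is not counted as a standing grant here.
    """
    return sorted(
        b["role"]
        for b in policy.get("bindings", [])
        if "condition" not in b and member in b.get("members", [])
    )


def missing_roles(policy: Dict, member: str, required: List[str]) -> List[str]:
    """Subset of `required` that `member` does not hold unconditionally."""
    held = set(unconditional_roles(policy, member))
    return [r for r in required if r not in held]


# Constructed sample: the project (number 123456789012) where the Dataplex API
# was enabled. Enabling the API grants the agent roles/dataplex.serviceAgent.
HOME_PROJECT_POLICY = {
    "version": 1,
    "etag": "BwYsampleEtag0=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": SERVICE_AGENT_ROLE, "members": [service_agent_member(123456789012)]},
    ],
}

# Constructed sample: a second project holding a Cloud Storage bucket that is
# to be attached as an asset. The only grant to the agent here is time-boxed.
DATA_PROJECT_POLICY = {
    "version": 3,
    "etag": "BwYsampleEtag1=",
    "bindings": [
        {"role": "roles/editor", "members": ["group:data-eng@example.com"]},
        {
            # Expired, conditional grant: not a standing grant for the agent.
            "role": ASSUMED_BUCKET_ROLE,
            "members": [service_agent_member(123456789012)],
            "condition": {
                "title": "expires",
                "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
            },
        },
    ],
}


def audit(project_number: int) -> Dict[str, List[str]]:
    """Roles the agent still needs in each project; empty lists mean nothing to fix."""
    agent = service_agent_member(project_number)
    return {
        "home_project": missing_roles(HOME_PROJECT_POLICY, agent, [SERVICE_AGENT_ROLE]),
        "data_project": missing_roles(DATA_PROJECT_POLICY, agent, [ASSUMED_BUCKET_ROLE]),
    }


if __name__ == "__main__":
    for project, missing in audit(123456789012).items():
        print(project, "OK" if not missing else f"missing {missing}")
```

To run this against real projects, replace the two dicts with the parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json`, and fix a reported gap with `gcloud projects add-iam-policy-binding PROJECT_ID --member=MEMBER --role=ROLE`. Conditional bindings are deliberately not counted as standing grants, which is why the expired grant in the data project is reported as missing.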
Resource
Resources you can grant access to in Dataplex Universal Catalog include projects, entry groups, entries, aspect types, and entry types.
Some API methods require permissions for multiple resources. For example, attaching an aspect to an entry requires permissions on both the entry and the aspect type.
Role
A role is a collection of permissions that determine which operations a principal can perform on a resource. When you grant a role to a principal, you grant all the permissions that the role contains.
You can grant one or more roles to a principal.
Similar to other Google Cloud products, Dataplex Universal Catalog supports three types of roles:
- Basic roles: highly permissive roles (Owner, Editor, Viewer) that existed before IAM was introduced. For more information about basic roles, see Basic roles.
- Predefined roles: provide granular access to specific Google Cloud resources. For more information about predefined roles, see Predefined roles. The Dataplex Universal Catalog IAM roles documentation details the Dataplex Universal Catalog predefined roles.
- Custom roles: help you enforce the principle of least privilege by granting only the specific permissions needed. For more information about custom roles, see Custom roles.
For example, the Dataplex Viewer (roles/dataplex.viewer) predefined role provides read-only access to Dataplex Universal Catalog resources. A principal with this role can view entry groups, entries, aspect types, and entry types, but can't create, update, or delete them. Conversely, the Dataplex Universal Catalog Administrator (roles/dataplex.admin) role grants broad access to manage Dataplex Universal Catalog resources.
For more information about assigning roles, see Granting, changing, and revoking access.
To determine which permissions you need for a specific task, see the reference pages for Dataplex Universal Catalog roles and Dataplex Universal Catalog permissions.
For example, for a project resource, you can assign the roles/dataplex.admin role to a Google Account. That account can then manage Dataplex Universal Catalog resources in the project, but can't manage other resources in it, because the role contains only Dataplex permissions. You can also use IAM to manage the basic roles granted to project team members.
IAM policies for resources
An IAM policy lets you manage IAM roles on resources instead of, or in addition to, managing roles at the project level. This provides flexibility to apply the principle of least privilege by granting access only to the specific resources collaborators need for their work.
Resources inherit the policies of their parent resources. If you set a policy at the project level, all its child resources inherit it. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from higher in the hierarchy. Inheritance only adds access: a resource-level policy can't remove a role that a principal already holds through the project, so a role you want limited to a few entry groups must be granted on those entry groups rather than on the project. For more information, see the IAM policy hierarchy.
You can get and set IAM policies using the Google Cloud console, the Identity and Access Management API, or the gcloud CLI.
- For the Google Cloud console, see Access control using the Google Cloud console.
- For the API, see Access control using the API.
- For the gcloud CLI, see Access control using the gcloud CLI.
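The following script is an added example, not code from the Dataplex documentation. It models the policy inheritance described above: the effective policy of an entry group is the union of the entry group's own policy and the project policy it inherits, and a resource-level policy can only add access. It also applies the kind of idempotent binding edits that `add-iam-policy-binding` and `remove-iam-policy-binding` make, keeping the policy etag. All policies and the two entry group resource names (assumed to follow the projects/PROJECT/locations/LOCATION/entryGroups/ID pattern) are constructed samples.

```python
"""Effective IAM policy for a Dataplex Universal Catalog resource.

Added example (not code from the Dataplex documentation). It models what IAM
does when a resource such as an entry group sits under a project: the
effective policy is the union of the resource's own policy and the policies
inherited from its ancestors. The policies below are constructed samples, and
the entry group names are assumed to follow the
projects/PROJECT/locations/LOCATION/entryGroups/ID pattern.
"""
import copy
from typing import Dict, Set

VIEWER = "roles/dataplex.viewer"
ADMIN = "roles/dataplex.admin"


def effective_bindings(*policies: Dict) -> Dict[str, Set[str]]:
    """Role -> members, unioned over every policy in the hierarchy.

    Allow policies only add permissions: a child resource cannot take away a
    role an ancestor policy grants, so a plain union is the correct model.
    Conditional bindings are left out because they depend on the request.
    """
    result: Dict[str, Set[str]] = {}
    for policy in policies:
        for binding in policy.get("bindings", []):
            if "condition" in binding:
                continue
            result.setdefault(binding["role"], set()).update(binding.get("members", []))
    return result


def has_role(effective: Dict[str, Set[str]], member: str, role: str) -> bool:
    return member in effective.get(role, set())


def add_binding(policy: Dict, role: str, member: str) -> Dict:
    """Copy of `policy` with `member` added to `role`, like add-iam-policy-binding.

    Idempotent, and the etag is preserved so that writing the result back with
    set-iam-policy is rejected if someone else changed the policy in between.
    """
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy: Dict, role: str, member: str) -> Dict:
    """Copy of `policy` with `member` removed from `role`; empty bindings are dropped."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding.get("members"):
            kept.append(binding)
    new["bindings"] = kept
    return new


# Constructed project-level policy: Alice administers all Dataplex resources.
PROJECT_POLICY = {
    "version": 1,
    "etag": "BwYprojectEtag=",
    "bindings": [{"role": ADMIN, "members": ["user:alice@example.com"]}],
}

# Constructed resource-level policies for two entry groups, initially empty.
FINANCE_EG = "projects/my-project/locations/us-central1/entryGroups/finance"
HR_EG = "projects/my-project/locations/us-central1/entryGroups/hr"
RESOURCE_POLICIES = {
    FINANCE_EG: {"version": 1, "etag": "BwYfinanceEtag=", "bindings": []},
    HR_EG: {"version": 1, "etag": "BwYhrEtag=", "bindings": []},
}


def least_privilege_demo() -> Dict[str, bool]:
    """Grant Bob viewer on one entry group only, then check what each principal can do."""
    bob, alice = "user:bob@example.com", "user:alice@example.com"
    policies = dict(RESOURCE_POLICIES)
    policies[FINANCE_EG] = add_binding(policies[FINANCE_EG], VIEWER, bob)
    # Trying to "revoke" Alice's project-level admin on the HR entry group is a
    # no-op: she has no binding there, and the inherited project grant still applies.
    policies[HR_EG] = remove_binding(policies[HR_EG], ADMIN, alice)

    finance = effective_bindings(PROJECT_POLICY, policies[FINANCE_EG])
    hr = effective_bindings(PROJECT_POLICY, policies[HR_EG])
    return {
        "bob_views_finance": has_role(finance, bob, VIEWER),
        "bob_views_hr": has_role(hr, bob, VIEWER),
        "bob_admin_anywhere": has_role(finance, bob, ADMIN) or has_role(hr, bob, ADMIN),
        "alice_admin_hr": has_role(hr, alice, ADMIN),
        "etag_preserved": policies[FINANCE_EG]["etag"] == RESOURCE_POLICIES[FINANCE_EG]["etag"],
    }


if __name__ == "__main__":
    for check, value in least_privilege_demo().items():
        print(f"{check}: {value}")
```

The result shows the two sides of inheritance: Bob can view only the entry group he was granted on, while Alice's project-level role reaches every entry group no matter what the entry group policy says. The Access control using the gcloud CLI page linked above lists the matching get-iam-policy and add-iam-policy-binding commands for each resource type; when you script set-iam-policy yourself, send back the etag you read so a concurrent change is rejected instead of silently overwritten.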
What's next
- Learn more about IAM roles.
- Learn more about IAM permissions.
- Learn more about Dataplex Universal Catalog security.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.