Dataplex IAM roles

Dataplex defines several Identity and access management (IAM) roles. Each predefined role contains a set of IAM permissions that allow principals to perform certain actions. You can use an IAM policy to give a principal one or more IAM roles.

IAM also offers the ability to create customized roles. You can create custom IAM roles and assign the role one or more permissions. Then, you can grant the new role to your principals. Use custom roles to create an access control model that maps directly to your needs, alongside the available predefined roles.

This document describes the IAM roles relevant to Dataplex.

For a detailed description of IAM and its features, see the IAM documentation.

About Dataplex roles

Dataplex IAM roles are a bundle of one or more permissions. You grant roles to principals to allow them to perform actions on the Dataplex resources in your project. For example, the Dataplex Viewer role contains the dataplex.*.get and dataplex.*.list permissions, which allow users to get and list Dataplex resources in a project. For more information, see Dataplex permissions.

You can apply Dataplex roles to any resources in the service hierarchy, including projects, lakes, and data zones.

Basic roles

You can assign basic roles at the project level by using the IAM Project roles. The following is the list of permissions associated with IAM Project roles:

Project Role	Permissions
Project Owner	All Project Editor permissions plus permissions to manage access control for the project (get/set IamPolicy) and to set up project billing
Project Editor	All Project Viewer permissions plus all project permissions for actions that modify state (create, delete, update, use)
Project Viewer	All project permissions for read-only actions that preserve state (get, list)

Predefined roles for Dataplex

Predefined roles contain the permissions that are needed to perform a task or a group of related tasks.

Note the following:

The Dataplex Administrator, Dataplex Editor, and Dataplex Viewer roles don't provide access to Dataplex Catalog resources.
No role grants permissions to add or delete Dataplex Catalog entries from system-defined entry groups, such as @bigquery and @dataplex.
The Dataplex Entry Owner role includes the following:
- Grants full access to entry-related operations.
- Grants permissions to add aspects of some of the system aspect types, such as Schema, Generic, Overview, and Contacts.
- Grants permissions to create entries of the GenericEntry type.
- This role lets you create an entry with an entry type and aspect type, where the entry type and aspect type are defined in the same project as the entry. Otherwise, additional Dataplex Entry Type User and Dataplex Aspect Type User roles must be granted on the projects where the entry type and aspect type are defined.
- When using the LookupEntry method or the SearchEntries method, this role doesn't grant permissions to read entries that are created from Google Cloud resources outside of Dataplex, such as BigQuery entries. To read these entries, you must be granted permissions on the source system resources. Alternatively, you can read the entries with only the Dataplex Entry Owner role by using the GetEntry method.
To search for entries using the SearchEntries method, you must be granted at least one of the Dataplex Catalog IAM roles on the project that is used in the API request. Permissions on search results are checked independently of the selected project.

The following table lists the Dataplex predefined roles and the permissions associated with each role:

Role Permissions

Role	Permissions
Dataplex Administrator (`roles/dataplex.admin`) Full access to Dataplex resources, except Dataplex Catalog.	`cloudasset.assets.analyzeIamPolicy` `cloudasset.assets.searchAllIamPolicies` `cloudasset.assets.searchAllResources` `dataplex.assetActions.list` `dataplex.assets.create` `dataplex.assets.delete` `dataplex.assets.get` `dataplex.assets.getIamPolicy` `dataplex.assets.list` `dataplex.assets.setIamPolicy` `dataplex.assets.update` `dataplex.content.` `dataplex.content.create` `dataplex.content.delete` `dataplex.content.get` `dataplex.content.getIamPolicy` `dataplex.content.list` `dataplex.content.setIamPolicy` `dataplex.content.update` `dataplex.dataAttributeBindings.` `dataplex.dataAttributeBindings.create` `dataplex.dataAttributeBindings.delete` `dataplex.dataAttributeBindings.get` `dataplex.dataAttributeBindings.getIamPolicy` `dataplex.dataAttributeBindings.list` `dataplex.dataAttributeBindings.setIamPolicy` `dataplex.dataAttributeBindings.update` `dataplex.dataAttributes.` `dataplex.dataAttributes.bind` `dataplex.dataAttributes.create` `dataplex.dataAttributes.delete` `dataplex.dataAttributes.get` `dataplex.dataAttributes.getIamPolicy` `dataplex.dataAttributes.list` `dataplex.dataAttributes.setIamPolicy` `dataplex.dataAttributes.update` `dataplex.dataTaxonomies.` `dataplex.dataTaxonomies.configureDataAccess` `dataplex.dataTaxonomies.configureResourceAccess` `dataplex.dataTaxonomies.create` `dataplex.dataTaxonomies.delete` `dataplex.dataTaxonomies.get` `dataplex.dataTaxonomies.getIamPolicy` `dataplex.dataTaxonomies.list` `dataplex.dataTaxonomies.setIamPolicy` `dataplex.dataTaxonomies.update` `dataplex.datascans.` `dataplex.datascans.create` `dataplex.datascans.delete` `dataplex.datascans.get` `dataplex.datascans.getData` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list` `dataplex.datascans.run` `dataplex.datascans.setIamPolicy` `dataplex.datascans.update` `dataplex.encryptionConfig.` `dataplex.encryptionConfig.create` `dataplex.encryptionConfig.delete` `dataplex.encryptionConfig.get` `dataplex.encryptionConfig.list` `dataplex.encryptionConfig.update` `dataplex.entities.` `dataplex.entities.create` `dataplex.entities.delete` `dataplex.entities.get` `dataplex.entities.list` `dataplex.entities.update` `dataplex.entryGroups.export` `dataplex.entryGroups.import` `dataplex.environments.` `dataplex.environments.create` `dataplex.environments.delete` `dataplex.environments.execute` `dataplex.environments.get` `dataplex.environments.getIamPolicy` `dataplex.environments.list` `dataplex.environments.setIamPolicy` `dataplex.environments.update` `dataplex.lakeActions.list` `dataplex.lakes.` `dataplex.lakes.create` `dataplex.lakes.delete` `dataplex.lakes.get` `dataplex.lakes.getIamPolicy` `dataplex.lakes.list` `dataplex.lakes.setIamPolicy` `dataplex.lakes.update` `dataplex.locations.` `dataplex.locations.get` `dataplex.locations.list` `dataplex.metadataJobs.` `dataplex.metadataJobs.cancel` `dataplex.metadataJobs.create` `dataplex.metadataJobs.get` `dataplex.metadataJobs.list` `dataplex.operations.` `dataplex.operations.cancel` `dataplex.operations.delete` `dataplex.operations.get` `dataplex.operations.list` `dataplex.partitions.` `dataplex.partitions.create` `dataplex.partitions.delete` `dataplex.partitions.get` `dataplex.partitions.list` `dataplex.partitions.update` `dataplex.tasks.` `dataplex.tasks.cancel` `dataplex.tasks.create` `dataplex.tasks.delete` `dataplex.tasks.get` `dataplex.tasks.getIamPolicy` `dataplex.tasks.list` `dataplex.tasks.run` `dataplex.tasks.setIamPolicy` `dataplex.tasks.update` `dataplex.zoneActions.list` `dataplex.zones.*` `dataplex.zones.create` `dataplex.zones.delete` `dataplex.zones.get` `dataplex.zones.getIamPolicy` `dataplex.zones.list` `dataplex.zones.setIamPolicy` `dataplex.zones.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Aspect Type Owner (`roles/dataplex.aspectTypeOwner`) Grants access to creating and managing Aspect Types. Does not give the right to create/modify Entries.	`datacatalog.migrationConfig.get` `dataplex.aspectTypes.*` `dataplex.aspectTypes.create` `dataplex.aspectTypes.delete` `dataplex.aspectTypes.get` `dataplex.aspectTypes.getIamPolicy` `dataplex.aspectTypes.list` `dataplex.aspectTypes.setIamPolicy` `dataplex.aspectTypes.update` `dataplex.aspectTypes.use` `dataplex.operations.get` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Aspect Type User (`roles/dataplex.aspectTypeUser`) Grants access to use Aspect Types to create/modify Entries with the corresponding aspects.	`datacatalog.migrationConfig.get` `dataplex.aspectTypes.get` `dataplex.aspectTypes.list` `dataplex.aspectTypes.use` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Binding Administrator (`roles/dataplex.bindingAdmin`) Full access on DataAttribute Bindig resources.	`dataplex.dataAttributeBindings.*` `dataplex.dataAttributeBindings.create` `dataplex.dataAttributeBindings.delete` `dataplex.dataAttributeBindings.get` `dataplex.dataAttributeBindings.getIamPolicy` `dataplex.dataAttributeBindings.list` `dataplex.dataAttributeBindings.setIamPolicy` `dataplex.dataAttributeBindings.update`
Dataplex Catalog Admin (`roles/dataplex.catalogAdmin`) Has full access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries.	`datacatalog.migrationConfig.get` `dataplex.aspectTypes.` `dataplex.aspectTypes.create` `dataplex.aspectTypes.delete` `dataplex.aspectTypes.get` `dataplex.aspectTypes.getIamPolicy` `dataplex.aspectTypes.list` `dataplex.aspectTypes.setIamPolicy` `dataplex.aspectTypes.update` `dataplex.aspectTypes.use` `dataplex.entries.` `dataplex.entries.create` `dataplex.entries.delete` `dataplex.entries.get` `dataplex.entries.list` `dataplex.entries.update` `dataplex.entryGroups.` `dataplex.entryGroups.create` `dataplex.entryGroups.delete` `dataplex.entryGroups.export` `dataplex.entryGroups.get` `dataplex.entryGroups.getIamPolicy` `dataplex.entryGroups.import` `dataplex.entryGroups.list` `dataplex.entryGroups.setIamPolicy` `dataplex.entryGroups.update` `dataplex.entryGroups.useContactsAspect` `dataplex.entryGroups.useGenericAspect` `dataplex.entryGroups.useGenericEntry` `dataplex.entryGroups.useOverviewAspect` `dataplex.entryGroups.useSchemaAspect` `dataplex.entryTypes.` `dataplex.entryTypes.create` `dataplex.entryTypes.delete` `dataplex.entryTypes.get` `dataplex.entryTypes.getIamPolicy` `dataplex.entryTypes.list` `dataplex.entryTypes.setIamPolicy` `dataplex.entryTypes.update` `dataplex.entryTypes.use` `dataplex.operations.get` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Catalog Editor (`roles/dataplex.catalogEditor`) Has write access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Cannot set IAM policies on resources	`datacatalog.migrationConfig.get` `dataplex.aspectTypes.create` `dataplex.aspectTypes.delete` `dataplex.aspectTypes.get` `dataplex.aspectTypes.getIamPolicy` `dataplex.aspectTypes.list` `dataplex.aspectTypes.update` `dataplex.aspectTypes.use` `dataplex.entries.*` `dataplex.entries.create` `dataplex.entries.delete` `dataplex.entries.get` `dataplex.entries.list` `dataplex.entries.update` `dataplex.entryGroups.create` `dataplex.entryGroups.delete` `dataplex.entryGroups.get` `dataplex.entryGroups.getIamPolicy` `dataplex.entryGroups.list` `dataplex.entryGroups.update` `dataplex.entryGroups.useContactsAspect` `dataplex.entryGroups.useGenericAspect` `dataplex.entryGroups.useGenericEntry` `dataplex.entryGroups.useOverviewAspect` `dataplex.entryGroups.useSchemaAspect` `dataplex.entryTypes.create` `dataplex.entryTypes.delete` `dataplex.entryTypes.get` `dataplex.entryTypes.getIamPolicy` `dataplex.entryTypes.list` `dataplex.entryTypes.update` `dataplex.entryTypes.use` `dataplex.operations.get` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Catalog Viewer (`roles/dataplex.catalogViewer`) Has read access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Can view IAM policies on Catalog resources.	`datacatalog.migrationConfig.get` `dataplex.aspectTypes.get` `dataplex.aspectTypes.getIamPolicy` `dataplex.aspectTypes.list` `dataplex.entries.get` `dataplex.entries.list` `dataplex.entryGroups.get` `dataplex.entryGroups.getIamPolicy` `dataplex.entryGroups.list` `dataplex.entryTypes.get` `dataplex.entryTypes.getIamPolicy` `dataplex.entryTypes.list` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Data Owner (`roles/dataplex.dataOwner`) Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	`dataplex.assets.ownData` `dataplex.assets.readData` `dataplex.assets.writeData`
Dataplex Data Reader (`roles/dataplex.dataReader`) Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	`dataplex.assets.readData`
Dataplex DataScan Administrator (`roles/dataplex.dataScanAdmin`) Full access to DataScan resources.	`dataplex.datascans.*` `dataplex.datascans.create` `dataplex.datascans.delete` `dataplex.datascans.get` `dataplex.datascans.getData` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list` `dataplex.datascans.run` `dataplex.datascans.setIamPolicy` `dataplex.datascans.update` `dataplex.operations.get` `dataplex.operations.list`
Dataplex DataScan Creator (`roles/dataplex.dataScanCreator`) Access to create new DataScan resources.	`dataplex.datascans.create` `dataplex.datascans.get` `dataplex.datascans.list` `dataplex.operations.get`
Dataplex DataScan DataViewer (`roles/dataplex.dataScanDataViewer`) Read access to DataScan resources and additional contents.	`dataplex.datascans.get` `dataplex.datascans.getData` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list`
Dataplex DataScan Editor (`roles/dataplex.dataScanEditor`) Write access to DataScan resources.	`dataplex.datascans.create` `dataplex.datascans.delete` `dataplex.datascans.get` `dataplex.datascans.getData` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list` `dataplex.datascans.run` `dataplex.datascans.update` `dataplex.operations.get` `dataplex.operations.list`
Dataplex DataScan Viewer (`roles/dataplex.dataScanViewer`) Read access to DataScan resources.	`dataplex.datascans.get` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list`
Dataplex Data Writer (`roles/dataplex.dataWriter`) Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	`dataplex.assets.writeData`
Dataplex Developer (`roles/dataplex.developer`) Allows running data analytics workloads in a lake.	`dataplex.content.*` `dataplex.content.create` `dataplex.content.delete` `dataplex.content.get` `dataplex.content.getIamPolicy` `dataplex.content.list` `dataplex.content.setIamPolicy` `dataplex.content.update` `dataplex.environments.execute` `dataplex.environments.get` `dataplex.environments.list` `dataplex.tasks.cancel` `dataplex.tasks.create` `dataplex.tasks.delete` `dataplex.tasks.get` `dataplex.tasks.list` `dataplex.tasks.run` `dataplex.tasks.update`
Dataplex Editor (`roles/dataplex.editor`) Write access to Dataplex resources.	`cloudasset.assets.analyzeIamPolicy` `dataplex.assetActions.list` `dataplex.assets.create` `dataplex.assets.delete` `dataplex.assets.get` `dataplex.assets.getIamPolicy` `dataplex.assets.list` `dataplex.assets.update` `dataplex.content.delete` `dataplex.content.get` `dataplex.content.getIamPolicy` `dataplex.content.list` `dataplex.dataAttributeBindings.create` `dataplex.dataAttributeBindings.delete` `dataplex.dataAttributeBindings.get` `dataplex.dataAttributeBindings.getIamPolicy` `dataplex.dataAttributeBindings.list` `dataplex.dataAttributeBindings.update` `dataplex.dataAttributes.bind` `dataplex.dataAttributes.create` `dataplex.dataAttributes.delete` `dataplex.dataAttributes.get` `dataplex.dataAttributes.getIamPolicy` `dataplex.dataAttributes.list` `dataplex.dataAttributes.update` `dataplex.dataTaxonomies.configureDataAccess` `dataplex.dataTaxonomies.configureResourceAccess` `dataplex.dataTaxonomies.create` `dataplex.dataTaxonomies.delete` `dataplex.dataTaxonomies.get` `dataplex.dataTaxonomies.getIamPolicy` `dataplex.dataTaxonomies.list` `dataplex.dataTaxonomies.update` `dataplex.datascans.create` `dataplex.datascans.delete` `dataplex.datascans.get` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list` `dataplex.datascans.run` `dataplex.datascans.update` `dataplex.environments.create` `dataplex.environments.delete` `dataplex.environments.get` `dataplex.environments.getIamPolicy` `dataplex.environments.list` `dataplex.environments.update` `dataplex.lakeActions.list` `dataplex.lakes.create` `dataplex.lakes.delete` `dataplex.lakes.get` `dataplex.lakes.getIamPolicy` `dataplex.lakes.list` `dataplex.lakes.update` `dataplex.operations.*` `dataplex.operations.cancel` `dataplex.operations.delete` `dataplex.operations.get` `dataplex.operations.list` `dataplex.tasks.cancel` `dataplex.tasks.create` `dataplex.tasks.delete` `dataplex.tasks.get` `dataplex.tasks.getIamPolicy` `dataplex.tasks.list` `dataplex.tasks.run` `dataplex.tasks.update` `dataplex.zoneActions.list` `dataplex.zones.create` `dataplex.zones.delete` `dataplex.zones.get` `dataplex.zones.getIamPolicy` `dataplex.zones.list` `dataplex.zones.update`
Dataplex Encryption Admin (`roles/dataplex.encryptionAdmin`) Gives user permissions to manage encryption config.	`dataplex.encryptionConfig.*` `dataplex.encryptionConfig.create` `dataplex.encryptionConfig.delete` `dataplex.encryptionConfig.get` `dataplex.encryptionConfig.list` `dataplex.encryptionConfig.update` `dataplex.operations.get` `dataplex.operations.list`
Dataplex Entry Group Exporter ^Beta (`roles/dataplex.entryGroupExporter`) Grants access to export this entry group for Metadata Job processing.	`dataplex.entryGroups.export` `dataplex.entryGroups.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Entry Group Importer (`roles/dataplex.entryGroupImporter`) Grants access to import this entry group for Metadata Job processing.	`dataplex.entryGroups.get` `dataplex.entryGroups.import` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Entry Group Owner (`roles/dataplex.entryGroupOwner`) Owns Entry Groups and Entries inside of them.	`datacatalog.migrationConfig.get` `dataplex.aspectTypes.get` `dataplex.aspectTypes.list` `dataplex.aspectTypes.use` `dataplex.entries.` `dataplex.entries.create` `dataplex.entries.delete` `dataplex.entries.get` `dataplex.entries.list` `dataplex.entries.update` `dataplex.entryGroups.` `dataplex.entryGroups.create` `dataplex.entryGroups.delete` `dataplex.entryGroups.export` `dataplex.entryGroups.get` `dataplex.entryGroups.getIamPolicy` `dataplex.entryGroups.import` `dataplex.entryGroups.list` `dataplex.entryGroups.setIamPolicy` `dataplex.entryGroups.update` `dataplex.entryGroups.useContactsAspect` `dataplex.entryGroups.useGenericAspect` `dataplex.entryGroups.useGenericEntry` `dataplex.entryGroups.useOverviewAspect` `dataplex.entryGroups.useSchemaAspect` `dataplex.entryTypes.get` `dataplex.entryTypes.list` `dataplex.entryTypes.use` `dataplex.operations.get` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Entry Owner (`roles/dataplex.entryOwner`) Owns Metadata Entries.	`datacatalog.migrationConfig.get` `dataplex.aspectTypes.get` `dataplex.aspectTypes.list` `dataplex.aspectTypes.use` `dataplex.entries.*` `dataplex.entries.create` `dataplex.entries.delete` `dataplex.entries.get` `dataplex.entries.list` `dataplex.entries.update` `dataplex.entryGroups.get` `dataplex.entryGroups.useContactsAspect` `dataplex.entryGroups.useGenericAspect` `dataplex.entryGroups.useGenericEntry` `dataplex.entryGroups.useOverviewAspect` `dataplex.entryGroups.useSchemaAspect` `dataplex.entryTypes.get` `dataplex.entryTypes.list` `dataplex.entryTypes.use` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Entry Type Owner (`roles/dataplex.entryTypeOwner`) Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries.	`datacatalog.migrationConfig.get` `dataplex.entryTypes.*` `dataplex.entryTypes.create` `dataplex.entryTypes.delete` `dataplex.entryTypes.get` `dataplex.entryTypes.getIamPolicy` `dataplex.entryTypes.list` `dataplex.entryTypes.setIamPolicy` `dataplex.entryTypes.update` `dataplex.entryTypes.use` `dataplex.operations.get` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Entry Type User (`roles/dataplex.entryTypeUser`) Grants access to use Entry Types to create/modify Entries of those types.	`datacatalog.migrationConfig.get` `dataplex.entryTypes.get` `dataplex.entryTypes.list` `dataplex.entryTypes.use` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Metadata Job Owner (`roles/dataplex.metadataJobOwner`) Grants access to creating and managing Metadata Jobs. Does not give the right to create/modify Entry Groups.	`dataplex.metadataJobs.*` `dataplex.metadataJobs.cancel` `dataplex.metadataJobs.create` `dataplex.metadataJobs.get` `dataplex.metadataJobs.list` `dataplex.operations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Metadata Job Viewer (`roles/dataplex.metadataJobViewer`) Read access to Metadata Job resources.	`dataplex.metadataJobs.get` `dataplex.metadataJobs.list` `dataplex.operations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Metadata Reader (`roles/dataplex.metadataReader`) Read only access to metadata.	`dataplex.assets.get` `dataplex.assets.list` `dataplex.entities.get` `dataplex.entities.list` `dataplex.partitions.get` `dataplex.partitions.list` `dataplex.zones.get` `dataplex.zones.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Metadata Writer (`roles/dataplex.metadataWriter`) Write and Read access to metadata.	`dataplex.assets.get` `dataplex.assets.list` `dataplex.entities.` `dataplex.entities.create` `dataplex.entities.delete` `dataplex.entities.get` `dataplex.entities.list` `dataplex.entities.update` `dataplex.partitions.` `dataplex.partitions.create` `dataplex.partitions.delete` `dataplex.partitions.get` `dataplex.partitions.list` `dataplex.partitions.update` `dataplex.zones.get` `dataplex.zones.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataplex Security Administrator (`roles/dataplex.securityAdmin`) Permissions configure ResourceAccess and DataAccess Specs on Data Attributes.	`dataplex.dataTaxonomies.configureDataAccess` `dataplex.dataTaxonomies.configureResourceAccess`
Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	`bigquery.datasets.get` `bigquery.models.create` `bigquery.models.delete` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.models.updateData` `bigquery.models.updateMetadata` `bigquery.routines.create` `bigquery.routines.delete` `bigquery.routines.get` `bigquery.routines.list` `bigquery.routines.update` `bigquery.tables.create` `bigquery.tables.createSnapshot` `bigquery.tables.delete` `bigquery.tables.deleteSnapshot` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.list` `bigquery.tables.restoreSnapshot` `bigquery.tables.update` `bigquery.tables.updateData` `storage.buckets.get` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list` `storage.objects.update`
Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	`bigquery.datasets.get` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.routines.get` `bigquery.routines.list` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.list` `storage.buckets.get` `storage.objects.get` `storage.objects.list`
Dataplex Storage Data Writer (`roles/dataplex.storageDataWriter`) Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	`bigquery.tables.updateData` `storage.objects.create` `storage.objects.delete` `storage.objects.update`
Dataplex Taxonomy Administrator (`roles/dataplex.taxonomyAdmin`) Full access to DataTaxonomy, DataAttribute resources.	`dataplex.dataAttributes.*` `dataplex.dataAttributes.bind` `dataplex.dataAttributes.create` `dataplex.dataAttributes.delete` `dataplex.dataAttributes.get` `dataplex.dataAttributes.getIamPolicy` `dataplex.dataAttributes.list` `dataplex.dataAttributes.setIamPolicy` `dataplex.dataAttributes.update` `dataplex.dataTaxonomies.create` `dataplex.dataTaxonomies.delete` `dataplex.dataTaxonomies.get` `dataplex.dataTaxonomies.getIamPolicy` `dataplex.dataTaxonomies.list` `dataplex.dataTaxonomies.setIamPolicy` `dataplex.dataTaxonomies.update`
Dataplex Taxonomy Viewer (`roles/dataplex.taxonomyViewer`) Read access on DataTaxonomy, DataAttribute resources.	`dataplex.dataAttributes.get` `dataplex.dataAttributes.getIamPolicy` `dataplex.dataAttributes.list` `dataplex.dataTaxonomies.get` `dataplex.dataTaxonomies.getIamPolicy` `dataplex.dataTaxonomies.list`
Dataplex Viewer (`roles/dataplex.viewer`) Read access to Dataplex resources.	`cloudasset.assets.analyzeIamPolicy` `dataplex.assetActions.list` `dataplex.assets.get` `dataplex.assets.getIamPolicy` `dataplex.assets.list` `dataplex.content.get` `dataplex.content.getIamPolicy` `dataplex.content.list` `dataplex.dataAttributeBindings.get` `dataplex.dataAttributeBindings.getIamPolicy` `dataplex.dataAttributeBindings.list` `dataplex.dataAttributes.get` `dataplex.dataAttributes.getIamPolicy` `dataplex.dataAttributes.list` `dataplex.dataTaxonomies.get` `dataplex.dataTaxonomies.getIamPolicy` `dataplex.dataTaxonomies.list` `dataplex.datascans.get` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list` `dataplex.environments.get` `dataplex.environments.getIamPolicy` `dataplex.environments.list` `dataplex.lakeActions.list` `dataplex.lakes.get` `dataplex.lakes.getIamPolicy` `dataplex.lakes.list` `dataplex.operations.get` `dataplex.operations.list` `dataplex.tasks.get` `dataplex.tasks.getIamPolicy` `dataplex.tasks.list` `dataplex.zoneActions.list` `dataplex.zones.get` `dataplex.zones.getIamPolicy` `dataplex.zones.list`

Dataplex Administrator

(roles/dataplex.admin)

Full access to Dataplex resources, except Dataplex Catalog.

cloudasset.assets.analyzeIamPolicy

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

dataplex.assetActions.list

dataplex.assets.create

dataplex.assets.delete

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.assets.setIamPolicy

dataplex.assets.update

dataplex.content.*

dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update

dataplex.dataAttributeBindings.*

dataplex.dataAttributeBindings.create
dataplex.dataAttributeBindings.delete
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.setIamPolicy
dataplex.dataAttributeBindings.update

dataplex.dataAttributes.*

dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.setIamPolicy
dataplex.dataAttributes.update

dataplex.dataTaxonomies.*

dataplex.dataTaxonomies.configureDataAccess
dataplex.dataTaxonomies.configureResourceAccess
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.setIamPolicy
dataplex.dataTaxonomies.update

dataplex.datascans.*

dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.setIamPolicy
dataplex.datascans.update

dataplex.encryptionConfig.*

dataplex.encryptionConfig.create
dataplex.encryptionConfig.delete
dataplex.encryptionConfig.get
dataplex.encryptionConfig.list
dataplex.encryptionConfig.update

dataplex.entities.*

dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update

dataplex.entryGroups.export

dataplex.entryGroups.import

dataplex.environments.*

dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update

dataplex.lakeActions.list

dataplex.lakes.*

dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update

dataplex.locations.*

dataplex.locations.get
dataplex.locations.list

dataplex.metadataJobs.*

dataplex.metadataJobs.cancel
dataplex.metadataJobs.create
dataplex.metadataJobs.get
dataplex.metadataJobs.list

dataplex.operations.*

dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list

dataplex.partitions.*

dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update

dataplex.tasks.*

dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.setIamPolicy
dataplex.tasks.update

dataplex.zoneActions.list

dataplex.zones.*

dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Aspect Type Owner

(roles/dataplex.aspectTypeOwner)

Grants access to creating and managing Aspect Types. Does not give the right to create/modify Entries.

datacatalog.migrationConfig.get

dataplex.aspectTypes.*

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use

dataplex.operations.get

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Aspect Type User

(roles/dataplex.aspectTypeUser)

Grants access to use Aspect Types to create/modify Entries with the corresponding aspects.

datacatalog.migrationConfig.get

dataplex.aspectTypes.get

dataplex.aspectTypes.list

dataplex.aspectTypes.use

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Binding Administrator

(roles/dataplex.bindingAdmin)

Full access on DataAttribute Bindig resources.

dataplex.dataAttributeBindings.*

dataplex.dataAttributeBindings.create
dataplex.dataAttributeBindings.delete
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.setIamPolicy
dataplex.dataAttributeBindings.update

Dataplex Catalog Admin

(roles/dataplex.catalogAdmin)

Has full access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries.

datacatalog.migrationConfig.get

dataplex.aspectTypes.*

dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.aspectTypes.update
dataplex.aspectTypes.use

dataplex.entries.*

dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update

dataplex.entryGroups.*

dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.export
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.import
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect

dataplex.entryTypes.*

dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

dataplex.operations.get

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Catalog Editor

(roles/dataplex.catalogEditor)

Has write access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Cannot set IAM policies on resources

datacatalog.migrationConfig.get

dataplex.aspectTypes.create

dataplex.aspectTypes.delete

dataplex.aspectTypes.get

dataplex.aspectTypes.getIamPolicy

dataplex.aspectTypes.list

dataplex.aspectTypes.update

dataplex.aspectTypes.use

dataplex.entries.*

dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update

dataplex.entryGroups.create

dataplex.entryGroups.delete

dataplex.entryGroups.get

dataplex.entryGroups.getIamPolicy

dataplex.entryGroups.list

dataplex.entryGroups.update

dataplex.entryGroups.useContactsAspect

dataplex.entryGroups.useGenericAspect

dataplex.entryGroups.useGenericEntry

dataplex.entryGroups.useOverviewAspect

dataplex.entryGroups.useSchemaAspect

dataplex.entryTypes.create

dataplex.entryTypes.delete

dataplex.entryTypes.get

dataplex.entryTypes.getIamPolicy

dataplex.entryTypes.list

dataplex.entryTypes.update

dataplex.entryTypes.use

dataplex.operations.get

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Catalog Viewer

(roles/dataplex.catalogViewer)

Has read access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Can view IAM policies on Catalog resources.

datacatalog.migrationConfig.get

dataplex.aspectTypes.get

dataplex.aspectTypes.getIamPolicy

dataplex.aspectTypes.list

dataplex.entries.get

dataplex.entries.list

dataplex.entryGroups.get

dataplex.entryGroups.getIamPolicy

dataplex.entryGroups.list

dataplex.entryTypes.get

dataplex.entryTypes.getIamPolicy

dataplex.entryTypes.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Data Owner

(roles/dataplex.dataOwner)

Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.ownData

dataplex.assets.readData

dataplex.assets.writeData

Dataplex Data Reader

(roles/dataplex.dataReader)

Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.readData

Dataplex DataScan Administrator

(roles/dataplex.dataScanAdmin)

Full access to DataScan resources.

dataplex.datascans.*

dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.setIamPolicy
dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

Dataplex DataScan Creator

(roles/dataplex.dataScanCreator)

Access to create new DataScan resources.

dataplex.datascans.create

dataplex.datascans.get

dataplex.datascans.list

dataplex.operations.get

Dataplex DataScan DataViewer

(roles/dataplex.dataScanDataViewer)

Read access to DataScan resources and additional contents.

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

Dataplex DataScan Editor

(roles/dataplex.dataScanEditor)

Write access to DataScan resources.

dataplex.datascans.create

dataplex.datascans.delete

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.run

dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

Dataplex DataScan Viewer

(roles/dataplex.dataScanViewer)

Read access to DataScan resources.

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

Dataplex Data Writer

(roles/dataplex.dataWriter)

Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.writeData

Dataplex Developer

(roles/dataplex.developer)

Allows running data analytics workloads in a lake.

dataplex.content.*

dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update

dataplex.environments.execute

dataplex.environments.get

dataplex.environments.list

dataplex.tasks.cancel

dataplex.tasks.create

dataplex.tasks.delete

dataplex.tasks.get

dataplex.tasks.list

dataplex.tasks.run

dataplex.tasks.update

Dataplex Editor

(roles/dataplex.editor)

Write access to Dataplex resources.

cloudasset.assets.analyzeIamPolicy

dataplex.assetActions.list

dataplex.assets.create

dataplex.assets.delete

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.assets.update

dataplex.content.delete

dataplex.content.get

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.dataAttributeBindings.create

dataplex.dataAttributeBindings.delete

dataplex.dataAttributeBindings.get

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributeBindings.update

dataplex.dataAttributes.bind

dataplex.dataAttributes.create

dataplex.dataAttributes.delete

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataAttributes.update

dataplex.dataTaxonomies.configureDataAccess

dataplex.dataTaxonomies.configureResourceAccess

dataplex.dataTaxonomies.create

dataplex.dataTaxonomies.delete

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.dataTaxonomies.update

dataplex.datascans.create

dataplex.datascans.delete

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.run

dataplex.datascans.update

dataplex.environments.create

dataplex.environments.delete

dataplex.environments.get

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.environments.update

dataplex.lakeActions.list

dataplex.lakes.create

dataplex.lakes.delete

dataplex.lakes.get

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.lakes.update

dataplex.operations.*

dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list

dataplex.tasks.cancel

dataplex.tasks.create

dataplex.tasks.delete

dataplex.tasks.get

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.tasks.run

dataplex.tasks.update

dataplex.zoneActions.list

dataplex.zones.create

dataplex.zones.delete

dataplex.zones.get

dataplex.zones.getIamPolicy

dataplex.zones.list

dataplex.zones.update

Dataplex Encryption Admin

(roles/dataplex.encryptionAdmin)

Gives user permissions to manage encryption config.

dataplex.encryptionConfig.*

dataplex.encryptionConfig.create
dataplex.encryptionConfig.delete
dataplex.encryptionConfig.get
dataplex.encryptionConfig.list
dataplex.encryptionConfig.update

dataplex.operations.get

dataplex.operations.list

Dataplex Entry Group Exporter ^Beta

(roles/dataplex.entryGroupExporter)

Grants access to export this entry group for Metadata Job processing.

dataplex.entryGroups.export

dataplex.entryGroups.get

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Entry Group Importer

(roles/dataplex.entryGroupImporter)

Grants access to import this entry group for Metadata Job processing.

dataplex.entryGroups.get

dataplex.entryGroups.import

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Entry Group Owner

(roles/dataplex.entryGroupOwner)

Owns Entry Groups and Entries inside of them.

datacatalog.migrationConfig.get

dataplex.aspectTypes.get

dataplex.aspectTypes.list

dataplex.aspectTypes.use

dataplex.entries.*

dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update

dataplex.entryGroups.*

dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.export
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.import
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect

dataplex.entryTypes.get

dataplex.entryTypes.list

dataplex.entryTypes.use

dataplex.operations.get

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Entry Owner

(roles/dataplex.entryOwner)

Owns Metadata Entries.

datacatalog.migrationConfig.get

dataplex.aspectTypes.get

dataplex.aspectTypes.list

dataplex.aspectTypes.use

dataplex.entries.*

dataplex.entries.create
dataplex.entries.delete
dataplex.entries.get
dataplex.entries.list
dataplex.entries.update

dataplex.entryGroups.get

dataplex.entryGroups.useContactsAspect

dataplex.entryGroups.useGenericAspect

dataplex.entryGroups.useGenericEntry

dataplex.entryGroups.useOverviewAspect

dataplex.entryGroups.useSchemaAspect

dataplex.entryTypes.get

dataplex.entryTypes.list

dataplex.entryTypes.use

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Entry Type Owner

(roles/dataplex.entryTypeOwner)

Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries.

datacatalog.migrationConfig.get

dataplex.entryTypes.*

dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.entryTypes.update
dataplex.entryTypes.use

dataplex.operations.get

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Entry Type User

(roles/dataplex.entryTypeUser)

Grants access to use Entry Types to create/modify Entries of those types.

datacatalog.migrationConfig.get

dataplex.entryTypes.get

dataplex.entryTypes.list

dataplex.entryTypes.use

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Metadata Job Owner

(roles/dataplex.metadataJobOwner)

Grants access to creating and managing Metadata Jobs. Does not give the right to create/modify Entry Groups.

dataplex.metadataJobs.*

dataplex.metadataJobs.cancel
dataplex.metadataJobs.create
dataplex.metadataJobs.get
dataplex.metadataJobs.list

dataplex.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Metadata Job Viewer

(roles/dataplex.metadataJobViewer)

Read access to Metadata Job resources.

dataplex.metadataJobs.get

dataplex.metadataJobs.list

dataplex.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Metadata Reader

(roles/dataplex.metadataReader)

Read only access to metadata.

dataplex.assets.get

dataplex.assets.list

dataplex.entities.get

dataplex.entities.list

dataplex.partitions.get

dataplex.partitions.list

dataplex.zones.get

dataplex.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Metadata Writer

(roles/dataplex.metadataWriter)

Write and Read access to metadata.

dataplex.assets.get

dataplex.assets.list

dataplex.entities.*

dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update

dataplex.partitions.*

dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update

dataplex.zones.get

dataplex.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Security Administrator

(roles/dataplex.securityAdmin)

Permissions configure ResourceAccess and DataAccess Specs on Data Attributes.

dataplex.dataTaxonomies.configureDataAccess

dataplex.dataTaxonomies.configureResourceAccess

Dataplex Storage Data Owner

(roles/dataplex.storageDataOwner)

Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.datasets.get

bigquery.models.create

bigquery.models.delete

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.models.updateData

bigquery.models.updateMetadata

bigquery.routines.create

bigquery.routines.delete

bigquery.routines.get

bigquery.routines.list

bigquery.routines.update

bigquery.tables.create

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

Dataplex Storage Data Reader

(roles/dataplex.storageDataReader)

Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.datasets.get

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

storage.buckets.get

storage.objects.get

storage.objects.list

Dataplex Storage Data Writer

(roles/dataplex.storageDataWriter)

Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.tables.updateData

storage.objects.create

storage.objects.delete

storage.objects.update

Dataplex Taxonomy Administrator

(roles/dataplex.taxonomyAdmin)

Full access to DataTaxonomy, DataAttribute resources.

dataplex.dataAttributes.*

dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.setIamPolicy
dataplex.dataAttributes.update

dataplex.dataTaxonomies.create

dataplex.dataTaxonomies.delete

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.dataTaxonomies.setIamPolicy

dataplex.dataTaxonomies.update

Dataplex Taxonomy Viewer

(roles/dataplex.taxonomyViewer)

Read access on DataTaxonomy, DataAttribute resources.

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

Dataplex Viewer

(roles/dataplex.viewer)

Read access to Dataplex resources.

cloudasset.assets.analyzeIamPolicy

dataplex.assetActions.list

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.content.get

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.dataAttributeBindings.get

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.environments.get

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.lakeActions.list

dataplex.lakes.get

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.operations.get

dataplex.operations.list

dataplex.tasks.get

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.zoneActions.list

dataplex.zones.get

dataplex.zones.getIamPolicy

dataplex.zones.list

Predefined roles for data lineage

To access the lineage for any Dataplex Catalog entry, you need access to the entry in Dataplex. To access the Dataplex Catalog entry, you need a viewer role on the corresponding system resource or the Dataplex Catalog Viewer role (roles/dataplex.catalogViewer) on the project that stores the Dataplex Catalog entry. This section describes roles that are required to view the lineage.

Lineage viewer role

The Data Lineage Viewer role (roles/datalineage.viewer) lets you view Dataplex lineage in the Google Cloud console and read lineage information using the Data Lineage API. The runs, and events for a given process are all stored in the same project as the process. In the case of automated lineage, the process, runs, and events are stored in the project in which the job that generated the lineage was running. This could be for example the project in which a BigQuery job was running.

You need different roles to view the lineage between assets and to view metadata of the assets. For the former, you need the Data Lineage Viewer role (roles/datalineage.viewer). For the latter, you need the same roles as used for accessing metadata entries in Dataplex.

Roles to view lineage between two assets

To view lineage between assets, you need the Data Lineage Viewer role (roles/datalineage.viewer) on the following projects:

The project in which you're viewing lineage (known as active project), that is the project in the drop-down at the top of the Google Cloud console or the project from which API calls are made. This would normally be the project that contains the resources you will create in Dataplex Catalog or access in other Google Cloud systems with the API.
The projects in which lineage is recorded (known as compute project). Lineage is stored in the project in which the corresponding process was executed, as described earlier. This project can be different from the project that stores the asset that you're viewing lineage for.

For more information about granting roles, see Manage access. You might also be able to get the required permissions through custom roles or other predefined roles.

Depending on the use case, grant the Data Lineage Viewer role (roles/datalineage.viewer) on the folder or organization level to ensure access to the lineage (see Grant or revoke a single role). Roles required for data lineage can be granted only through the Google Cloud CLI.

Roles to view asset metadata when viewing lineage

When metadata about an asset is stored in Dataplex Catalog, you only get to view that metadata if you have a viewer role on the corresponding system resource or the Dataplex Catalog Viewer role (roles/dataplex.catalogViewer) on the project in which the Dataplex Catalog entry is stored. You might have access to assets on the lineage graph or list through appropriate viewer roles but no access to the lineage between them. This is the case when you don't have the Data Lineage Viewer role (roles/datalineage.viewer) on the project in which the lineage was recorded. In this case, the Data Lineage API and Google Cloud console doesn't show the lineage and doesn't return an error, to prevent leaking information about the existence of lineage. Therefore, absence of lineage for an asset does not mean that there is no lineage for that asset, but that you might not have access to that lineage.

Data Lineage Events Producer role

The Data Lineage Events Producer role (roles/datalineage.producer) lets users manually record lineage information using the Data Lineage API.

Data Lineage Editor role

The Data Lineage Editor role (roles/datalineage.editor) lets users manually modify lineage information using the Data Lineage API.

Data Lineage Administrator role

The Data Lineage Administrator role (roles/datalineage.admin) lets users perform all lineage operations listed in this section.

Data roles

Dataplex defines the following IAM roles that are intended to be applied to any resource managed by Dataplex. For more information about the permissions that are associated with each role, see the Predefined roles section of this document.

Data role	Capabilities	Justification
Dataplex Data Owner (`roles/dataplex.dataOwner`)	All permissions on the managed resource. And all permissions on all child resources (regardless of the resource type).	Data owners can update resource metadata, grant higher granularity permissions (for example, on child tables of a BigQuery dataset), and create child resources, in addition to various other permissions. They have complete ownership of the resource.
Dataplex Data Reader (`roles/dataplex.dataReader`)	Ability to read data in the managed resource and its children. And ability to read metadata of the managed resource and its children.	Enables ability to read data and metadata.
Dataplex Data Writer (`roles/dataplex.dataWriter`)	Ability to create/update/delete data (not metadata).	Enables core Dataplex user journeys.

What's next

Learn how to create custom IAM roles.
Learn how to grant and manage roles.
See the Dataplex IAM permissions mapping.

Dataplex IAM roles

About Dataplex roles

Basic roles

Predefined roles for Dataplex

Dataplex Administrator

Dataplex Aspect Type Owner

Dataplex Aspect Type User

Dataplex Binding Administrator

Dataplex Catalog Admin

Dataplex Catalog Editor

Dataplex Catalog Viewer

Dataplex Data Owner

Dataplex Data Reader

Dataplex DataScan Administrator

Dataplex DataScan Creator

Dataplex DataScan DataViewer

Dataplex DataScan Editor

Dataplex DataScan Viewer

Dataplex Data Writer

Dataplex Developer

Dataplex Editor

Dataplex Encryption Admin

Dataplex Entry Group Exporter Beta

Dataplex Entry Group Importer

Dataplex Entry Group Owner

Dataplex Entry Owner

Dataplex Entry Type Owner

Dataplex Entry Type User

Dataplex Metadata Job Owner

Dataplex Metadata Job Viewer

Dataplex Metadata Reader

Dataplex Metadata Writer

Dataplex Security Administrator

Dataplex Storage Data Owner

Dataplex Storage Data Reader

Dataplex Storage Data Writer

Dataplex Taxonomy Administrator

Dataplex Taxonomy Viewer

Dataplex Viewer

Predefined roles for data lineage

Lineage viewer role

Roles to view lineage between two assets

Roles to view asset metadata when viewing lineage

Data Lineage Events Producer role

Data Lineage Editor role

Data Lineage Administrator role

Data roles

What's next

Dataplex Entry Group Exporter ^Beta