IAM roles for Document AI

Predefined roles

The following table describes Identity and Access Management (IAM) roles that are associated with Document AI and lists the permissions that are contained in each role. Unless otherwise noted, these roles can be applied either to entire projects or specific processors.

Role	Description	Permissions
Document AI Administrator (`roles/documentai.admin`)	Grants full access to all resources in Document AI.	Role: `roles/documentai.editor`
Document AI Editor (`roles/documentai.editor`)	Grants access to use all resources in Document AI.	Role: `roles/documentai.viewer` `documentai.processors.create` `documentai.processors.update` `documentai.processors.delete`
Document AI Viewer (`roles/documentai.viewer`)	Grants access to view all resources and process documents in Document AI	Role: `roles/documentai.apiUser` Permissions: `resourcemanager.projects.get` `resourcemanager.projects.list` `documentai.locations.get` `documentai.locations.list` `documentai.processorTypes.list` `documentai.processors.get` `documentai.processors.list`
Document AI API User (`roles/documentai.apiUser`)	Grants access to process documents in Document AI	Permissions: `documentai.operations.getLegacy` `documentai.processors.processOnline` `documentai.processors.processBatch`

Caution: The permissions for documentai.processors.create and documentai.datasets.update are highly privileged. A user or service account with these permissions can create new Document AI processors that can interact with any Cloud Storage bucket in your project and grant access to the files within, potentially exposing sensitive data.

Basic roles

Basic roles are roles that existed prior to IAM. These roles have unique characteristics:

Basic roles can only be granted for an entire project, not for individual buckets within the project. Like other roles that you grant for a project, basic roles apply to all buckets and objects in the project.
Basic roles contain additional permissions for other Google Cloud services that are not covered in this section. See basic roles for a general discussion of the permissions that basic roles grant.
In some cases, basic roles can be used as if they were groups, which causes any principal that has the basic role to get additional access for some resources.
- A basic role can be used as if it were a group when granting roles for buckets.
- A basic role can be used as if it were a group when setting ACLs on objects.
For a discussion of additional access that principals with basic roles typically gain due to this behavior, see modifiable behavior.

Custom roles

You may wish to define your own roles which contain bundles of permissions that you specify. To support this, IAM offers custom roles.

What's next

Learn about each IAM permission for Document AI.
For a reference of other Google Cloud roles, see Understanding Roles.