By default, any user with the Identity and Access Management (IAM) permission resourcemanager.projects.get for a Google Cloud project can access Google Cloud Marketplace to discover new products. If you want to enforce stricter governance and procurement policies in your Google Cloud organization, you can use Marketplace User Access Restrictions to require that users have additional IAM permissions to accomplish some tasks.
Required IAM permissions
After you turn on Marketplace User Access Restrictions, your organization's users must have the following IAM permissions to complete the following tasks:
Action | IAM Roles | Level at which role is assigned |
---|---|---|
Enable Marketplace User Access Restrictions | Organization Administrator (roles/resourcemanager.organizationAdmin) AND Commerce Organization Governance Admin (roles/commerceorggovernance.admin) roles | Organization level |
Interacting with products listed on the Google Cloud Marketplace | Governed Marketplace User (roles/commerceorggovernance.user) role | Organization, Folder, or Project level |
The Governed Marketplace User IAM role contains the following IAM permissions: commerceorggovernance.services.get, commerceorggovernance.services.list, commerceorggovernance.services.request, and resourcemanager.projects.get. When Marketplace User Access Restrictions is enabled for your organization, these IAM permissions are required to do the following:
commerceorggovernance.services.list → to view and interact with the Private Marketplace homepage.
commerceorggovernance.services.get → to interact with product listing pages.
commerceorggovernance.services.request → to request unapproved and not procured products for their use-case, when Request Product is enabled.
Before you begin
Ensure you have sufficient roles to enable Marketplace User Access Restrictions. You can find the required details listed above.
Ensure users and administrators in your organization that require access to the Marketplace are given sufficient roles. You can find the required roles listed above.
Verify that Google Private Marketplace supports the products that you plan to use. For a list of supported products, see Supported products.
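A pre-flight check for the first two items above, written as an added example (it is not Google's code): it reads IAM policies in the JSON shape that `gcloud ... get-iam-policy --format=json` prints and reports who can turn the feature on and which principals would lack the Governed Marketplace User role afterwards. The function names and all sample policies are hypothetical; the check matches only the predefined roles named on this page, does not expand group membership, and does not detect custom roles that carry the same permissions.

```python
# Added example: all policies and principals below are constructed sample data.
# Policy shape matches `gcloud ... get-iam-policy --format=json` output.
ORG_ADMIN = "roles/resourcemanager.organizationAdmin"
GOV_ADMIN = "roles/commerceorggovernance.admin"
GOV_USER = "roles/commerceorggovernance.user"

def members_with(policy, role):
    """Members bound to `role` in one policy. Conditional bindings are skipped
    (assumption: a grant that may not apply is treated as no grant)."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            found.update(binding.get("members", []))
    return found

def can_enable(org_policy, principal):
    """Turning the feature on needs BOTH admin roles at the organization level."""
    return all(principal in members_with(org_policy, r) for r in (ORG_ADMIN, GOV_ADMIN))

def missing_access(policy_chain, marketplace_principals):
    """Principals with no Governed Marketplace User grant anywhere on the
    organization -> folder -> project chain (IAM grants inherit downward)."""
    granted = set()
    for policy in policy_chain:
        granted |= members_with(policy, GOV_USER)
    return sorted(set(marketplace_principals) - granted)

SAMPLE_ORG = {"bindings": [
    {"role": ORG_ADMIN, "members": ["user:admin@example.com", "user:ops@example.com"]},
    {"role": GOV_ADMIN, "members": ["user:admin@example.com"]},
    {"role": GOV_USER, "members": ["group:procurement@example.com"]},
]}
SAMPLE_FOLDER = {"bindings": []}
SAMPLE_PROJECT = {"bindings": [
    {"role": GOV_USER, "members": ["user:dev1@example.com"]},
    {"role": "roles/viewer", "members": ["user:dev2@example.com"]},
    {"role": GOV_USER, "members": ["user:dev3@example.com"],
     "condition": {"title": "temporary", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]}
NEEDS_MARKETPLACE = ["user:dev1@example.com", "user:dev2@example.com",
                     "user:dev3@example.com", "group:procurement@example.com"]

if __name__ == "__main__":
    chain = [SAMPLE_ORG, SAMPLE_FOLDER, SAMPLE_PROJECT]
    print("admin can enable:", can_enable(SAMPLE_ORG, "user:admin@example.com"))
    print("ops can enable:", can_enable(SAMPLE_ORG, "user:ops@example.com"))
    print("missing role:", missing_access(chain, NEEDS_MARKETPLACE))
```

Principals reported as missing keep resourcemanager.projects.get but lose Marketplace access once the restriction is on, so grant the role at the organization, folder, or project level before enabling it.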
Turn on Marketplace User Access Restrictions
By default, Marketplace User Access Restrictions is turned off for your organization.
After you've assigned the above IAM roles to relevant users and administrators in your organization, to turn this feature on, complete the following steps:
In Cloud Marketplace, click Marketplace Governance.
In Governance settings, click the toggle to enable Marketplace User Access Restrictions.
Click Confirm in the dialog.