Sensitive Data Protection IAM permissions

Common permissions

Some methods have no Sensitive Data Protection-specific permissions. Instead they require common permissions, because these methods can cause billable events but do not access any protected cloud resources.

All actions that trigger billable events, such as the projects.content methods, require the serviceusage.services.use permission on the project specified in parent. The roles/editor, roles/owner, and roles/dlp.user roles contain this permission; you can also define a custom role that contains it.

This permission ensures you are authorized to bill the project you specify.

Service account

To access Google Cloud resources and execute calls to Sensitive Data Protection on your behalf, Sensitive Data Protection authenticates to other APIs using the credentials of the Cloud Data Loss Prevention Service Agent. A service agent is a special type of service account that runs internal Google processes on your behalf. The service agent is identifiable by the email address:

service-PROJECT_NUMBER@dlp-api.iam.gserviceaccount.com

The Cloud Data Loss Prevention Service Agent is created the first time it is needed. To create it in advance, make a call to InspectContent, for example:

curl --request POST \
  "https://dlp.googleapis.com/v2/projects/PROJECT_ID/locations/us-central1/content:inspect" \
  --header "X-Goog-User-Project: PROJECT_ID" \
  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --data '{"item":{"value":"google@google.com"}}' \
  --compressed

Replace PROJECT_ID with the project ID.

The Cloud Data Loss Prevention Service Agent is automatically granted the common permissions on the project that it needs to inspect resources, and it is listed in the IAM section of the Google Cloud console. The service agent persists for the lifetime of the project and is deleted only when the project is deleted. Sensitive Data Protection relies on this service agent, so do not remove it.

For more information on how service accounts are used in data profiling operations, see Service agent container and service agent.

Job permissions

Permission name Description
dlp.jobs.create Create new jobs.
dlp.jobs.cancel Cancel jobs.
dlp.jobs.delete Delete jobs.
dlp.jobs.get Read job objects.
dlp.jobs.list List jobs.
dlp.jobs.hybridInspect Make a hybrid inspect call on a hybrid job.

Job trigger permissions

Permission name Description
dlp.jobTriggers.create Create new job triggers.
dlp.jobTriggers.delete Delete job triggers.
dlp.jobTriggers.get Read job trigger objects.
dlp.jobTriggers.list List job triggers.
dlp.jobTriggers.update Update job triggers.
dlp.jobTriggers.hybridInspect Make a hybrid inspect call on a hybrid trigger.

Inspection template permissions

Permission name Description
dlp.inspectTemplates.create Create new inspection templates.
dlp.inspectTemplates.delete Delete inspection templates.
dlp.inspectTemplates.get Read inspection template objects.
dlp.inspectTemplates.list List inspection templates.
dlp.inspectTemplates.update Update inspection templates.

De-identification template permissions

Permission name Description
dlp.deidentifyTemplates.create Create new de-identification templates.
dlp.deidentifyTemplates.delete Delete de-identification templates.
dlp.deidentifyTemplates.get Read de-identification template objects.
dlp.deidentifyTemplates.list List de-identification templates.
dlp.deidentifyTemplates.update Update de-identification templates.

Data profile permissions

Permission name Description
dlp.projectDataProfiles.list List project data profiles.
dlp.projectDataProfiles.get Read project data profile objects.
dlp.tableDataProfiles.delete Delete a single table profile and its column profiles.
dlp.tableDataProfiles.list List table data profiles.
dlp.tableDataProfiles.get Read table data profile objects.
dlp.columnDataProfiles.list List column data profiles.
dlp.columnDataProfiles.get Read column data profile objects.
dlp.fileStoreProfiles.delete Delete a single file store profile.
dlp.fileStoreProfiles.list List file store data profiles.
dlp.fileStoreProfiles.get Read file store data profile objects.

Estimate permissions

Permission name Description
dlp.estimates.get Read estimate objects.
dlp.estimates.list List estimate objects.
dlp.estimates.create Create an estimate object.
dlp.estimates.delete Delete an estimate object.
dlp.estimates.cancel Cancel an ongoing estimation.

Stored infoType permissions

Permission name Description
dlp.storedInfoTypes.create Create new stored infotypes.
dlp.storedInfoTypes.delete Delete stored infotypes.
dlp.storedInfoTypes.get Read stored infotypes.
dlp.storedInfoTypes.list List stored infotypes.
dlp.storedInfoTypes.update Update stored infotypes.

Subscription permissions

Permission name Description
dlp.subscriptions.get Read subscription objects.
dlp.subscriptions.list List subscriptions.
dlp.subscriptions.create Create subscriptions.
dlp.subscriptions.cancel Cancel subscriptions.
dlp.subscriptions.update Update subscriptions.

Chart permissions

Permission name Description
dlp.charts.get Get chart data for the data profiles dashboard.

Miscellaneous permissions

Permission name Description
dlp.kms.encrypt De-identify content using encryption tokens persisted in Cloud KMS.
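The following script is an added example, not part of the Sensitive Data Protection documentation or of any Google-provided tooling. It ties together the Common permissions section (serviceusage.services.use is required for billable calls), the Service account section (the service agent's email address is derived from the project number), and the permission tables above: it writes a least-privilege custom role containing only the permissions an operator needs to run inspection jobs and job triggers (no delete permissions), applies it with gcloud, and then confirms that the service agent is bound in the project's IAM policy. The role ID dlpJobRunner, the member, and the temporary file path are choices made here; the project ID and project number come from the caller. The gcloud commands run only when PROJECT_ID and MEMBER are set, so the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Sensitive Data Protection docs): least-privilege
# custom role for running inspection jobs, plus a service-agent binding check.
# Assumptions: role ID "dlpJobRunner" and the member are chosen by the caller;
# gcloud is installed and authenticated when apply_dlp_role is invoked.

# Derive the service agent email documented above from a numeric project number.
dlp_service_agent_email() {
  project_number="$1"
  case "$project_number" in
    ''|*[!0-9]*) echo "project number must be numeric: '$project_number'" >&2; return 1 ;;
  esac
  printf 'service-%s@dlp-api.iam.gserviceaccount.com\n' "$project_number"
}

# Write a custom role definition in the YAML format accepted by
# `gcloud iam roles create --file`. It contains serviceusage.services.use
# (required for billable calls such as the projects.content methods) and the
# job, job trigger and inspection template permissions from the tables above.
# Delete permissions and template-editing permissions are deliberately omitted.
write_dlp_role_yaml() {
  out="$1"
  cat > "$out" <<'EOF'
title: DLP Job Runner
description: Run Sensitive Data Protection inspection jobs with least privilege
stage: GA
includedPermissions:
- serviceusage.services.use
- dlp.jobs.create
- dlp.jobs.get
- dlp.jobs.list
- dlp.jobs.cancel
- dlp.jobTriggers.create
- dlp.jobTriggers.get
- dlp.jobTriggers.list
- dlp.jobTriggers.update
- dlp.inspectTemplates.get
- dlp.inspectTemplates.list
EOF
}

# Number of permissions in a role file; a sanity check before applying it.
count_permissions() {
  grep -c '^- ' "$1"
}

# Create the role in the project, bind it to MEMBER, and list the roles held by
# the Cloud Data Loss Prevention Service Agent. An empty final output means the
# service agent has not been created yet (call InspectContent once to create it).
apply_dlp_role() {
  project_id="$1"; role_file="$2"; member="$3"
  gcloud iam roles create dlpJobRunner --project="$project_id" --file="$role_file"
  gcloud projects add-iam-policy-binding "$project_id" \
    --member="$member" --role="projects/$project_id/roles/dlpJobRunner"
  project_number=$(gcloud projects describe "$project_id" --format='value(projectNumber)')
  agent=$(dlp_service_agent_email "$project_number")
  gcloud projects get-iam-policy "$project_id" \
    --flatten='bindings[].members' --format='value(bindings.role)' \
    --filter="bindings.members:serviceAccount:$agent"
}

# Only touch the project when explicitly asked, e.g.
#   PROJECT_ID=my-project MEMBER=user:alice@example.com sh dlp-role.sh
if [ -n "${PROJECT_ID:-}" ] && [ -n "${MEMBER:-}" ]; then
  write_dlp_role_yaml /tmp/dlp-job-runner.yaml
  apply_dlp_role "$PROJECT_ID" /tmp/dlp-job-runner.yaml "$MEMBER"
fi
```

The custom role is granted on the project because serviceusage.services.use is checked against the project named in parent; granting the role elsewhere would leave the billable content methods failing with a permission error even though the dlp.* permissions are present. If the final gcloud command prints nothing, the service agent does not exist yet; making one InspectContent call as shown earlier on this page creates it, after which the check can be rerun.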