Dataplex Universal Catalog IAM permissions

This document lists the IAM permissions for Dataplex Universal Catalog. Permissions allow users to perform specific actions on Dataplex Universal Catalog resources. For example, the dataplex.datascans.create permission allows a user to create Dataplex Universal Catalog data scans in your project.

Permissions and roles

You don't grant permissions to users directly. Instead, you grant them roles, each of which bundles one or more permissions. This approach follows the principle of least privilege: grant only the access that a user or service account needs to perform its tasks.

IAM offers predefined roles for common use cases. If these predefined roles don't meet your specific needs, you can create your own custom roles containing only the specific permissions required.

For more information about predefined Dataplex Universal Catalog roles and the permissions that they contain, see Dataplex Universal Catalog IAM roles.

For a detailed description of IAM and its features, see the IAM documentation.

IAM policy Set and Get permissions

The following table lists the permissions that are required to get and set IAM permissions:

Resource API method IAM permission
Aspect types GetIamPolicy dataplex.aspectTypes.getIamPolicy
Aspect types SetIamPolicy dataplex.aspectTypes.setIamPolicy
Entry groups GetIamPolicy dataplex.entryGroups.getIamPolicy
Entry groups SetIamPolicy dataplex.entryGroups.setIamPolicy
Entry types GetIamPolicy dataplex.entryTypes.getIamPolicy
Entry types SetIamPolicy dataplex.entryTypes.setIamPolicy
Lakes GetIamPolicy dataplex.lakes.getIamPolicy
Lakes SetIamPolicy dataplex.lakes.setIamPolicy

Metadata management permissions

The set of permissions that is required to perform operations on entry types, aspect types, entry groups, and entries depends on whether the resources are system resources or custom resources. System resources are defined by Dataplex Universal Catalog, and custom resources are defined by you or your organization.

To perform operations that are related to multiple resources (for example, creating an entry of a particular entry type, or adding an aspect of a particular aspect type to an entry), you might need multiple permissions associated with the resources.

Entry types

To create and manage entry types, you must be granted at least the standard create, get, list, update, and delete permissions.

When you create an entry type, you must be granted permissions to use each aspect type that you want to mark as required for that entry type.

To use an entry type (for example, to create entries of an entry type), you must be granted the use permission on the entry type.

The following lists, by operation, the permissions that are required for operating on entry types:

Create entry types
  • dataplex.entryTypes.create
  • dataplex.aspectTypes.use (for every required aspect type in the entry type)
  • dataplex.entryGroups.useASPECT_TYPE (for every required system aspect type in the entry type). See the permissions for system aspect types.

Delete entry types
  • dataplex.entryTypes.delete
  • dataplex.aspectTypes.use (for required aspect types in the entry types)
  • dataplex.entryGroups.useASPECT_TYPE (for every required system aspect type in the entry type). See the permissions for system aspect types.

Get entry types
  • dataplex.entryTypes.get

List entry types
  • dataplex.entryTypes.list

Update entry types
  • dataplex.entryTypes.update
  • dataplex.aspectTypes.use (for every required aspect type in the entry type)
  • dataplex.entryGroups.useASPECT_TYPE (for every required system aspect type in the entry type). See the permissions for system aspect types.

Use entry types (when creating entries, or updating top-level entry fields and required aspect type values)
  • dataplex.entryTypes.use
  • dataplex.entries.create or dataplex.entries.update
  • dataplex.aspectTypes.use (for every aspect created or updated)

Aspect types

To create and manage aspect types, you must be granted the standard create, get, list, update, and delete permissions.

To use an aspect type (for example, to attach it as an optional aspect on an entry), you must be granted the use permission on the aspect type.

Aspect types are categorized into system aspect types and custom aspect types. System aspect types are created by Dataplex Universal Catalog and custom aspect types are created by you or your organization. System aspect types are further categorized into usable and read-only. For more information, see Categories of aspect types.

The following lists, by operation, the permissions that are required for operating on custom aspect types, usable system aspect types, and read-only system aspect types:

Create aspect types
  • Custom aspect types: dataplex.aspectTypes.create
  • Usable system aspect types: not applicable (N/A)
  • Read-only system aspect types: N/A

Delete aspect types
  • Custom aspect types: dataplex.aspectTypes.delete
  • Usable system aspect types: N/A
  • Read-only system aspect types: N/A

Get aspect types
  • Custom aspect types: dataplex.aspectTypes.get
  • Usable system aspect types: granted to allUsers
  • Read-only system aspect types: granted to allUsers

List aspect types
  • Custom aspect types: dataplex.aspectTypes.list
  • Usable system aspect types: N/A
  • Read-only system aspect types: N/A

Set optional aspect type values when creating or updating entries
  • Custom aspect types:
      • dataplex.aspectTypes.use
      • dataplex.entries.create or dataplex.entries.update
  • Usable system aspect types:
      • dataplex.entryGroups.useASPECT_TYPE. See the permissions for system aspect types.
      • dataplex.entries.create or dataplex.entries.update
  • Read-only system aspect types: N/A

Set required aspect type values when creating or updating entries
  • Custom aspect types:
      • dataplex.aspectTypes.use
      • dataplex.entryTypes.use
      • dataplex.entries.create or dataplex.entries.update
  • Usable system aspect types:
      • dataplex.entryGroups.useASPECT_TYPE. See the permissions for system aspect types.
      • dataplex.entryTypes.use
      • dataplex.entries.create or dataplex.entries.update
  • Read-only system aspect types: N/A

Update aspect types
  • Custom aspect types: dataplex.aspectTypes.update
  • Usable system aspect types: N/A
  • Read-only system aspect types: N/A

Entry groups

To create and manage entry groups, you must be granted the standard create, get, list, update, and delete permissions.

Entry groups are categorized into system entry groups, which are created by Dataplex Universal Catalog, and custom entry groups, which are created by you or your organization. For more information, see Categories of entry groups.

The following table lists the permissions that are required for operating on entry groups:

Operation Permissions required for custom entry groups Permissions required for system entry groups (starting with @)
Create entry groups dataplex.entryGroups.create N/A
Delete entry groups dataplex.entryGroups.delete N/A
Get entry groups dataplex.entryGroups.get dataplex.entryGroups.get
List entry groups dataplex.entryGroups.list dataplex.entryGroups.list
Update entry groups dataplex.entryGroups.update N/A

Entries

To create and manage entries, you must be granted the standard create, get, list, update, and delete permissions.

Note the following:

  • For lookup (LookupEntry) and search (SearchEntries) methods, the permission from the original source system is required on the entry. For example, if the source is a BigQuery table, you need bigquery.tables.get permission to view metadata, and bigquery.tables.getData to view data aspects.
  • If the permission to view data aspects is not present, entries are still visible, but the contents of their data aspects are hidden.
  • When you create an entry or update the top-level fields of an entry, you must be granted the use permission on the entry type.
  • When you create, update, or delete a required aspect, you must be granted the use permission on the entry type of an entry, as well as on the underlying aspect type. This is because the required aspects are enforced by the entry type.
  • When you create, update, or delete an optional aspect, you must be granted the use permission on the aspect type of an aspect.
  • When you upsert an entry (UpdateEntry with allow_missing = True), you must be granted the create permission.

For more information about the entry types that entries are based on, see Categories of entry types.

The following lists, by operation, the permissions that are required for operating on entries, depending on whether the entry is based on a custom entry type, a usable system entry type, or a read-only system entry type:

Create entries
  • Entry based on custom entry type:
      • dataplex.entries.create
      • dataplex.entryTypes.use
      • dataplex.aspectTypes.use (for every aspect created)
      • dataplex.entryGroups.useASPECT_TYPE (for every aspect of a usable system aspect type created). See the permissions for system aspect types.
  • Entry based on usable system entry type:
      • dataplex.entries.create
      • dataplex.entryGroups.useENTRY_TYPE. See the permissions for system entry types.
      • dataplex.entryGroups.useASPECT_TYPE (for every system aspect created). See the permissions for system aspect types.
      • dataplex.aspectTypes.use (for every custom aspect created)
  • Entry based on read-only system entry type: N/A

Get entries
  • All three entry type categories: dataplex.entries.get. To view data aspects, dataplex.entries.getData is also required.

List entries
  • All three entry type categories: dataplex.entries.list

Lookup entries
  • All three entry type categories: requires metadata read permission of the source system. Permission to read data from the source system is required to view data aspects. For custom entries, where Dataplex Universal Catalog is treated as the source system, these permissions are dataplex.entries.get and dataplex.entries.getData, respectively.

Search entries
  • All three entry type categories: read permission of the original source system. For custom entries, this is dataplex.entries.get, because Dataplex Universal Catalog is treated as the original source system.

Update entries
  • Entry based on custom entry type:
      • dataplex.entries.update
      • dataplex.entryTypes.use (for updating top-level fields or required aspects)
      • dataplex.aspectTypes.use (for every aspect updated)
      • dataplex.entryGroups.useASPECT_TYPE (for every system aspect updated). See the permissions for system aspect types.
      • dataplex.entries.create (if allow_missing is True)
  • Entry based on usable system entry type:
      • dataplex.entries.update
      • dataplex.entryGroups.useENTRY_TYPE (for updating top-level fields or required aspects). See the permissions for system entry types.
      • dataplex.aspectTypes.use (for every custom aspect updated)
      • dataplex.entryGroups.useASPECT_TYPE (for every aspect that belongs to system aspect types). See the permissions for system aspect types.
      • dataplex.entries.create (if allow_missing is True)
  • Entry based on read-only system entry type (top-level fields and required aspects can't be edited):
      • dataplex.entries.update
      • dataplex.aspectTypes.use (for every custom aspect updated)
      • dataplex.entryGroups.useASPECT_TYPE (for every aspect of a usable system aspect type updated). See the permissions for system aspect types.

Metadata job permissions

The following lists, by operation, the permissions that are required for working with metadata import jobs and metadata export jobs:

Access the exported results from metadata export jobs
  • storage.objects.get

Cancel metadata jobs
  • dataplex.metadataJobs.cancel

Create metadata export jobs
  • dataplex.metadataJobs.create
  • dataplex.entryGroups.export
  • dataplex.entryGroups.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Create metadata import jobs
  • dataplex.metadataJobs.create
  • dataplex.entryTypes.use (for custom entry types in the job's scope)
  • dataplex.entryTypes.useENTRY_TYPE (for every system entry type in the job's scope). See the permissions for system entry types. However, this permission isn't needed to modify optional aspects when running an aspect-only metadata import job.
  • dataplex.aspectTypes.use (for custom aspect types in the job's scope)
  • dataplex.aspectTypes.useASPECT_TYPE (for every system aspect type in the job's scope). See the permissions for system aspect types.
  • dataplex.entryGroups.import (for entry groups in the job's scope)

Get metadata jobs
  • dataplex.metadataJobs.get

List metadata jobs
  • dataplex.metadataJobs.list

System aspect types and entry types

Each system-defined aspect type and system-defined entry type has its own IAM permissions. These permissions use a format like dataplex.entryGroups.useASPECT_TYPE or dataplex.entryGroups.useENTRY_TYPE. For example, the permission for the overview system aspect type is dataplex.entryGroups.useOverviewAspect.

The following table lists the permissions that apply to system-defined aspect types and entry types.

Resource IAM permission
contacts (system aspect type) dataplex.entryGroups.useContactsAspect
data-profile (system aspect type) dataplex.entryGroups.useDataProfileAspect
data-quality-scorecard (system aspect type) dataplex.entryGroups.useDataQualityScorecardAspect
generic (system aspect type) dataplex.entryGroups.useGenericAspect
generic (system entry type) dataplex.entryGroups.useGenericEntry
overview (system aspect type) dataplex.entryGroups.useOverviewAspect
schema (system aspect type) dataplex.entryGroups.useSchemaAspect
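As an added example (not Google's code or API), the following Python applies the Entries and Aspect types rules above, together with the dataplex.entryGroups.useASPECT_TYPE and useENTRY_TYPE naming in this section, to compute the permission set a caller must hold for one CreateEntry or UpdateEntry request, which is the list you would put in a least-privilege custom role or hand to a testIamPermissions check. The derivation of the CamelCase suffix from a kebab-case type name, the request fields, and the sample type names are assumptions.

```python
# Work out the IAM permissions one CreateEntry/UpdateEntry call needs, applying the
# Aspect types and Entries tables. Added example, not Google's code. The CamelCase
# suffix for system types ("data-profile" -> "DataProfileAspect") is inferred here.
from dataclasses import dataclass

@dataclass(frozen=True)
class Aspect:
    type_name: str          # e.g. "schema", or a custom aspect type ID
    kind: str               # "custom", "usable-system" or "read-only-system"
    required: bool = False  # marked required by the entry type?

@dataclass(frozen=True)
class EntryRequest:
    entry_type_name: str
    entry_type_kind: str            # "custom", "usable-system" or "read-only-system"
    aspects: tuple = ()             # Aspect instances set by this call
    update: bool = False            # False = CreateEntry, True = UpdateEntry
    touches_top_level: bool = True  # does the call change top-level entry fields?
    allow_missing: bool = False     # UpdateEntry upsert flag

def system_perm(type_name: str, suffix: str) -> str:
    # "data-quality-scorecard" + "Aspect" -> dataplex.entryGroups.useDataQualityScorecardAspect
    camel = "".join(p.capitalize() for p in type_name.split("-"))
    return f"dataplex.entryGroups.use{camel}{suffix}"

def required_permissions(req: EntryRequest) -> set:
    touches_required = any(a.required for a in req.aspects)
    if req.entry_type_kind == "read-only-system" and (
            not req.update or req.touches_top_level or touches_required):
        raise ValueError("read-only system entry types allow only optional-aspect updates")
    perms = {"dataplex.entries.update" if req.update else "dataplex.entries.create"}
    if req.update and req.allow_missing:  # an upsert also needs the create permission
        perms.add("dataplex.entries.create")
    # Entry type "use": always on create; on update only for top-level or required changes.
    if not req.update or req.touches_top_level or touches_required:
        perms.add("dataplex.entryTypes.use" if req.entry_type_kind == "custom"
                  else system_perm(req.entry_type_name, "Entry"))
    for a in req.aspects:  # one "use" permission per aspect type that is set
        if a.kind == "read-only-system":
            raise ValueError(f"read-only system aspect type {a.type_name!r} can't be set")
        perms.add("dataplex.aspectTypes.use" if a.kind == "custom"
                  else system_perm(a.type_name, "Aspect"))
    return perms

def preflight(req: EntryRequest) -> tuple:
    # (True, sorted permissions to hand to testIamPermissions) or (False, [reason])
    try:
        return True, sorted(required_permissions(req))
    except ValueError as exc:
        return False, [str(exc)]
```

Because every N/A cell in the tables becomes a refusal before any permission is listed, the same function doubles as a check that a planned role does not grant permissions for operations the catalog will reject anyway.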

Lake, zone, and asset permissions

The following table lists the permissions that are required for operating on lakes, zones, and assets:

API method IAM permission
CreateAsset dataplex.assets.create
CreateLake dataplex.lakes.create
CreateZone dataplex.zones.create
DeleteAsset dataplex.assets.delete
DeleteLake dataplex.lakes.delete
DeleteZone dataplex.zones.delete
GetAsset dataplex.assets.get
GetLake dataplex.lakes.get
GetZone dataplex.zones.get
ListAssetActions dataplex.assetActions.list
ListAssets dataplex.assets.list
ListLakeActions dataplex.lakeActions.list
ListLakes dataplex.lakes.list
ListZoneActions dataplex.zoneActions.list
ListZones dataplex.zones.list
UpdateAsset dataplex.assets.update
UpdateLake dataplex.lakes.update
UpdateZone dataplex.zones.update

Task permissions

The following table lists the permissions that are required for operating on tasks:

API method IAM permission
CancelJob dataplex.tasks.cancel
CreateTask dataplex.tasks.create
DeleteTask dataplex.tasks.delete
GetJob dataplex.tasks.get
GetTask dataplex.tasks.get
ListJobs dataplex.tasks.get
ListTasks dataplex.tasks.list
UpdateTask dataplex.tasks.update

Environment permissions

The following table lists the permissions that are required for operating on environments:

API method IAM permission
CreateContent dataplex.content.create
CreateEnvironment dataplex.environments.create
DeleteContent dataplex.content.delete
DeleteEnvironment dataplex.environments.delete
GetContent dataplex.content.get
GetEnvironment dataplex.environments.get
ListContent dataplex.content.list
ListEnvironments dataplex.environments.list
ListSessions dataplex.environments.get
UpdateContent dataplex.content.update
UpdateEnvironment dataplex.environments.update

Metadata permissions

The following table lists the permissions that are required for operating on entities and partitions:

API method IAM permission
CreateEntity dataplex.entities.create
CreatePartition dataplex.partitions.create
DeleteEntity dataplex.entities.delete
DeletePartition dataplex.partitions.delete
GetEntity dataplex.entities.get
GetPartition dataplex.partitions.get
ListEntities dataplex.entities.list
ListPartitions dataplex.partitions.list

Data scan permissions

The following table lists the permissions that are required for operating on data scans:

API method IAM permission
CreateDataScan dataplex.datascans.create
DeleteDataScan dataplex.datascans.delete
GetDataScan (basic view) dataplex.datascans.get
GetDataScan (full view) dataplex.datascans.getData
GetDataScanJob (basic view) dataplex.datascans.get
GetDataScanJob (full view) dataplex.datascans.getData
ListDataScanJobs dataplex.datascans.get
ListDataScans dataplex.datascans.list
RunDataScan dataplex.datascans.run
UpdateDataScan dataplex.datascans.update