Access Control

You can share the assets or compute quota of your Earth Engine enabled project with other Earth Engine users at the project level. An Earth Engine enabled project has the Earth Engine API enabled and an assets folder as described on this page. Earth Engine assets or compute can be shared with another user or group of users. If you want to share with a group of users, Create a new Google Group and note its email (available from the About link on the group page). The steps described below apply to either an individual or group email.

Assets

Asset level permissions

There are several options to update permissions at the asset level.

Project level asset permissions

Sharing at the project level sets permissions on all assets in your Earth Engine enabled Cloud Project at once.

You can share assets at the project level by assigning the appropriate Identity and Access Management (IAM) role on your project's IAM admin page. See Understanding Roles for an overview of IAM roles and/or Predefined Earth Engine IAM Roles for details.

When another user attempts to access one of your assets, permissions are first checked at the asset level. If permissions have not been set at the asset level or the check fails (i.e. no access), permissions will be checked at the project level.

Earth Engine Service Usage

To utilize the Earth Engine service on a project, a user must have at least the Service Usage Consumer role. For example, to connect to a project from the Code Editor, you must have permission to route compute requests through the project and view its assets. So you need to have at least the Service Usage Consumer role and the Earth Engine Resource Viewer role as described in the Predefined Earth Engine IAM Roles section.

Setting project level permissions

To set permissions at the project level, assign a project IAM role to a user or group of users:

  1. Open the IAM page in the GCP Console
    Open the IAM Page
    Or hover over your project name on the Assets tab of the Code Editor and click the icon.
  2. Click select a project and click on your project (you should already be there if you opened the IAM page from the Code Editor.
  3. Click ADD at the top and add the individual or group email as the new member, or click on the icon next to the existing member in the project.
  4. In the Role drop down search for the Earth Engine Resource role you want to grant. See Predefined Earth Engine IAM Roles for details.
  5. Click the SAVE button.

Predefined Earth Engine IAM Roles

Earth Engine provides predefined roles which allow varying degrees of control over Earth Engine resources within a project. These roles are:

Role Title Description
roles/earthengine.viewer Earth Engine Resource Viewer Provides permission to view and list Assets, list tasks, and perform interactive computations.
roles/earthengine.writer Earth Engine Resource Writer Provides permission to read, create, modify and delete assets, import images and tables, read and update tasks, perform interactive computations, and create long running export tasks.
roles/earthengine.admin Earth Engine Admin Provides permission for all Earth Engine resources including changing access controls for Earth Engine assets.
roles/earthengine.appsPublisher Earth Engine Apps Publisher Provides permission to create a service account for use with an Earth Engine app.

Note that you may set a primitive or custom role if the predefined Earth Engine roles do not meet your needs. You can see the bundle of permissions associated with each role from the IAM Roles page by filtering to a specific role and clicking on the role.