Access Control

This document describes the access control options available to you in Payments Reseller Subscription API.

Overview

Payments Reseller Subscription API uses Identity and Access Management (IAM) for access control.

In Payments Reseller Subscription API, access control can be configured at the project level. For example:

  • Grant access with limited capabilities, such as to only list all products that can be resold, but not to provision the subscription.
  • Grant access to all Payments Reseller Subscription API resources within a project to a group of developers.

Please use the GCP project associated with the partner_id to manage IAM roles and permissions.

For a detailed description of IAM and its features, see the IAM documentation. In particular, see Granting, changing, and revoking access to resources.

Every Payments Reseller Subscription API method requires the caller to have the necessary permissions. Granting your service account the project editor role automatically grants all of the permissions needed by Payments Reseller Subscription API.

If you run your server on Compute Engine or App Engine, the respective default service account should already have this role granted.

For a list of the permissions and roles that Payments Reseller Subscription API IAM supports, see the Roles section, below.

Permissions and roles

This section summarizes the permissions and roles that IAM supports for Payments Reseller Subscription API.

Required permissions

The following table lists the permissions that the caller must have to call each method:

Method                              Required permission(s)
partners.subscriptions.get          paymentsresellersubscription.subscriptions.get
partners.subscriptions.provision    paymentsresellersubscription.subscriptions.provision
partners.subscriptions.extend       paymentsresellersubscription.subscriptions.extend
partners.subscriptions.cancel       paymentsresellersubscription.subscriptions.cancel
partners.products.list              paymentsresellersubscription.products.list
partners.promotions.list            paymentsresellersubscription.promotions.list

Roles

The following table lists Payments Reseller Subscription API related IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

Subscription related roles:

Role                                                      Includes permission(s)                                  Resource type

roles/paymentsresellersubscription.subscriptions.viewer   paymentsresellersubscription.subscriptions.get          Subscription
  or roles/paymentsresellersubscription.partners.viewer
  or roles.viewer

roles/paymentsresellersubscription.subscriptions.editor   All of above, as well as:
  or roles/paymentsresellersubscription.partners.editor   paymentsresellersubscription.subscriptions.provision    Subscription
  or roles.editor                                         paymentsresellersubscription.subscriptions.extend       Subscription
                                                          paymentsresellersubscription.subscriptions.cancel       Subscription

Product and Promotion related roles:

Role                                                      Includes permission(s)                                  Resource type

roles/paymentsresellersubscription.products.viewer        paymentsresellersubscription.products.list              Product
  or roles/paymentsresellersubscription.partners.viewer
  or roles.viewer

roles/paymentsresellersubscription.promotions.viewer      paymentsresellersubscription.promotions.list            Promotion
  or roles/paymentsresellersubscription.partners.viewer
  or roles.viewer
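
The tables above can be used to audit a project's IAM policy for least privilege. The following is an added example, not part of the API's documentation or client libraries: it takes a policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports, per member, which API methods are granted beyond what that member needs. The sample policy, account names and the NEEDED mapping are constructed, and IAM conditions on bindings are assumed absent.

```python
import json

P = "paymentsresellersubscription."
SUBS_VIEW = {P + "subscriptions.get"}
SUBS_EDIT = SUBS_VIEW | {P + "subscriptions." + a for a in ("provision", "extend", "cancel")}
CATALOG = {P + "products.list", P + "promotions.list"}

# Role -> permissions, transcribed from the tables on this page. The page writes the
# basic roles as roles.viewer / roles.editor; IAM policies name them roles/viewer and
# roles/editor. The page says project editor grants every permission the API needs.
ROLE_PERMISSIONS = {
    "roles/" + P + "subscriptions.viewer": SUBS_VIEW,
    "roles/" + P + "subscriptions.editor": SUBS_EDIT,
    "roles/" + P + "products.viewer": {P + "products.list"},
    "roles/" + P + "promotions.viewer": {P + "promotions.list"},
    "roles/" + P + "partners.viewer": SUBS_VIEW | CATALOG,
    "roles/" + P + "partners.editor": SUBS_EDIT,
    "roles/viewer": SUBS_VIEW | CATALOG,
    "roles/editor": SUBS_EDIT | CATALOG,
}
BASIC_ROLES = {"roles/viewer", "roles/editor"}  # project-wide, not API-specific

def audit(policy, needed):
    """Compare the API methods each member can call with the methods it needs."""
    granted, basic = {}, {}
    for binding in policy.get("bindings", []):
        perms = ROLE_PERMISSIONS.get(binding["role"], set())
        for member in binding.get("members", []):
            # Per the permissions table, method partners.X requires permission P + X.
            granted.setdefault(member, set()).update(
                p.replace(P, "partners.", 1) for p in perms)
            if binding["role"] in BASIC_ROLES:
                basic.setdefault(member, set()).add(binding["role"])
    return {m: {"excess": sorted(granted[m] - needed.get(m, set())),
                "missing": sorted(needed.get(m, set()) - granted[m]),
                "basic_roles": sorted(basic.get(m, set()))} for m in granted}

# Constructed sample policy and requirements (account names are made up).
SA = "serviceAccount:%s@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/paymentsresellersubscription.products.viewer", "members": ["%s"]},
  {"role": "roles/editor", "members": ["%s"]}]}""" % (SA % "catalog", SA % "backend"))
NEEDED = {SA % "catalog": {"partners.products.list"},
          SA % "backend": {"partners.subscriptions.get", "partners.subscriptions.provision"}}

if __name__ == "__main__":
    for member, result in audit(SAMPLE_POLICY, NEEDED).items():
        print(member, result)
```

A member with a non-empty `excess` list and a basic role is a candidate for replacement with one of the API-specific roles from the tables.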

Partner Id Level Access Control

We currently do not support managing access control at the partner entity level. Service accounts granted the corresponding roles have access to resources under either all or none of the partner entities in the containing Cloud project.

If you have use cases that need partner entity level access control, please discuss them with our team.