Service account roles

Service account roles form a key part of security and identity management for your system. They make it possible to tailor which operations are permitted, and which data is displayed, for drivers, consumers, and fleet operators.

What is a service account?

To manage access to your data in Fleet Engine for client applications, you provide service accounts, which authenticate software activity by a predetermined role rather than authenticating users through a personalized identity mechanism. Users who access data from your system do so through a client that uses this account role, which limits permission to only those parts of your system deemed appropriate for a specific purpose. This kind of scope restriction follows the principle of least privilege.

For a full explanation of service account roles, see Understanding IAM roles in the Google Cloud documentation.

How do service account roles work with Fleet Engine?

  • IAM roles define a set of permissions on resources allowed for a principal. For example, the Admin roles are allowed to do everything with Application Default Credentials, whereas the Untrusted Driver role is only allowed to update vehicle location and is restricted to using JWTs for authentication and authorization.

  • For untrusted environments, such as mobile phones and web browsers, JWT claims provide additional restrictions to only those entities that the caller may operate on. These can be for specific vehicles, trips, or tasks.

  • Your code running in a low-trust environment must first call your code running in a trusted environment, which issues the JWT.

  • Fleet Engine performs the following security checks on API calls for a resource:

    1. The calling principal has the appropriate permissions (through role assignment) for the action on the resource.

    2. For non-Admin roles, the JWT claims passed in the request provide the necessary permission for the resource.

For more information, see JSON Web Tokens.

Fleet Engine service account roles

Based on the Mobility service you choose, your Fleet Engine installation uses the roles and permissions described as follows.

On-demand trips

  • Role: Fleet Engine On-demand Admin (roles/fleetengine.ondemandAdmin)

    Permission: Grants read and write permission for all vehicle and trip resources. Principals with this role don't need to use JWTs and should instead use Application Default Credentials. Custom JWT claims are ignored. This role should be restricted to trusted environments such as your own server.

    Some Fleet Engine users might still see the Fleet Engine Service Super User role, but this is now deprecated.

  • Role: Fleet Engine Driver SDK User (roles/fleetengine.driverSdkUser)

    Permission: Update vehicle locations and routes, and retrieve information about vehicles and trips. Tokens are typically used from ridesharing or delivery driver apps.

  • Role: Fleet Engine Consumer SDK User (roles/fleetengine.consumerSdkUser)

    Permission: Search for vehicles and retrieve information about vehicles and trips. Tokens are typically used from ridesharing or delivery consumer apps.

Scheduled tasks

  • Role: Fleet Engine Delivery Admin (roles/fleetengine.deliveryAdmin)

    Permission: Grants read and write permission for delivery resources. Principals with this role don't need to use JWTs and should instead use Application Default Credentials. Custom JWT claims are ignored. This role should be restricted to trusted environments such as your own servers.

  • Role: Fleet Engine Delivery Fleet Reader (roles/fleetengine.deliveryFleetReader)

    Permission: Grants permission to read delivery vehicles and tasks and to search for tasks using a tracking ID. Tokens issued by a service account with this role are typically used from a delivery fleet operator's web browser.

  • Role: Fleet Engine Delivery Untrusted Driver User (roles/fleetengine.deliveryUntrustedDriver)

    Permission: Grants permission to update delivery vehicle location. Tokens issued by a service account with this role are typically used from your delivery driver's mobile device.

    Note: Untrusted refers to a driver's device that is not managed by corporate IT, but instead provided by the driver and typically without appropriate IT security controls. Organizations with Bring Your Own Device policies should opt for the safety of this role and only rely on the mobile app to send vehicle location updates to Fleet Engine. All other interactions should originate from your backend servers.

  • Role: Fleet Engine Delivery Consumer User (roles/fleetengine.deliveryConsumer)

    Permission: Grants permission to search for tasks using a tracking ID, and to read but not update task information. Tokens issued by a service account with this role are typically used from a delivery consumer's web browser.

  • Role: Fleet Engine Delivery Trusted Driver User (roles/fleetengine.deliveryTrustedDriver)

    Permission: Grants permission to create and update delivery vehicles and tasks, including updating the delivery vehicle location and task status or outcome. Tokens issued by a service account with this role are typically used from your delivery driver's mobile devices or from your backend servers.

    Note: Trusted refers to a driver's device managed by corporate IT that has appropriate security controls. Organizations that furnish these devices can choose to integrate Fleet Engine interactions into the mobile app.
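The following is an added example, not code from the Fleet Engine documentation or SDKs. It models two parts of this page together: the token flow under "How do service account roles work with Fleet Engine?" (a trusted backend mints a JWT whose claims name only the entities the low-trust caller may touch, and the server applies check 1, role permission, then check 2, claim scope, skipping check 2 for Admin roles) and the scheduled-task roles listed above. The role names are the page's; everything else is an assumption made for the demo: the action strings are not Fleet Engine API method names, the claim names (`authorization`, `deliveryvehicleid`, `taskid`, `trackingid`) and audience are modelled on the page's description of per-entity claims, the IAM bindings are constructed, and the HMAC signature stands in for the service account's private-key signature so the code runs offline.

```python
"""Added example (not Fleet Engine code): mint a resource-scoped JWT in the
trusted environment and apply the two checks on the server side."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret; a real token is signed with the service account's key.
SIGNING_KEY = b"constructed-demo-signing-key"
AUDIENCE = "https://fleetengine.googleapis.com/"  # assumed audience value

# Role names from the page. Action strings are constructed for the demo and
# are not Fleet Engine API method names; "*" means every action.
ADMIN_ROLES = {"roles/fleetengine.deliveryAdmin"}
ROLE_ACTIONS = {
    "roles/fleetengine.deliveryAdmin": {"*"},
    "roles/fleetengine.deliveryFleetReader": {"vehicle.get", "task.get", "task.search"},
    "roles/fleetengine.deliveryUntrustedDriver": {"vehicle.updateLocation"},
    "roles/fleetengine.deliveryConsumer": {"task.get", "task.search"},
    "roles/fleetengine.deliveryTrustedDriver": {
        "vehicle.create", "vehicle.update", "vehicle.updateLocation",
        "task.create", "task.update", "task.get",
    },
}
# Constructed IAM bindings: service account email -> role.
IAM_BINDINGS = {
    "backend@example.iam.gserviceaccount.com": "roles/fleetengine.deliveryAdmin",
    "driver-sa@example.iam.gserviceaccount.com": "roles/fleetengine.deliveryUntrustedDriver",
    "consumer-sa@example.iam.gserviceaccount.com": "roles/fleetengine.deliveryConsumer",
}
# Assumed claim names that scope a token to one entity of each type.
CLAIM_FOR_TYPE = {"vehicle": "deliveryvehicleid", "task": "taskid", "tracking": "trackingid"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(service_account: str, authorization: dict,
               ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Trusted environment: issue a short-lived JWT whose 'authorization'
    claim lists exactly the entities the low-trust caller may operate on."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": service_account, "sub": service_account, "aud": AUDIENCE,
               "iat": now, "exp": now + ttl_seconds, "authorization": authorization}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Check signature, audience and expiry; return the payload or raise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("aud") != AUDIENCE:
        raise PermissionError("wrong audience")
    if now >= payload.get("exp", 0):
        raise PermissionError("token expired")
    return payload


def authorize(action: str, resource_type: str, resource_id: str,
              token: Optional[str] = None, adc_principal: Optional[str] = None,
              now: Optional[int] = None) -> bool:
    """Server side: (1) the principal's role must permit the action;
    (2) for non-Admin roles the JWT claim must name this exact resource."""
    if token is not None:
        payload = verify_token(token, now)
        principal = payload["sub"]
    elif adc_principal is not None:          # Application Default Credentials
        payload, principal = None, adc_principal
    else:
        return False
    role = IAM_BINDINGS.get(principal)
    if role is None:
        return False
    allowed = ROLE_ACTIONS[role]
    if "*" not in allowed and action not in allowed:
        return False                          # check 1 failed
    if role in ADMIN_ROLES:
        return True                           # Admin: custom claims ignored
    if payload is None:
        return False                          # non-Admin roles must use a JWT
    claim = CLAIM_FOR_TYPE.get(resource_type)
    return payload.get("authorization", {}).get(claim) == resource_id
```

With this split, a token minted for the untrusted driver of `veh-1` can update the location of `veh-1` only: a request for `veh-2` fails check 2, and a task update fails check 1 regardless of claims, which is the containment the "Untrusted" note above relies on. An Admin principal using Application Default Credentials passes check 1 and skips check 2, so that path belongs only on your own servers.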

What's next