Access Control

This document describes the access control options available to you in Payments Reseller Subscription API.

Overview

Payments Reseller Subscription API uses Identity and Access Management (IAM) for access control.

In Payments Reseller Subscription API, access control can be configured at the project level. For example:

Grant access with limited capabilities, such as to only list all products that can be resold, but not to provision the subscription.
Grant access to all Payments Reseller Subscription API resources within a project to a group of developers.

Please use the GCP project associated with the partner_id to manage IAM roles and permissions.

For a detailed description of IAM and its features, see the IAM documentation. In particular, see Granting, changing, and revoking access to resources.

Every Payments Reseller Subscription API method requires the caller to have the necessary permissions. By granting your service account project editor role would automatically grant all of the following permissions needed by Payments Reseller Subscription API.

If you run your server on Compute Engine, or App Engine, their respective default service account should already have such role granted.

For a list of the permissions and roles that Payments Reseller Subscription API IAM supports, see the Roles section, below.

Permissions and roles

This section summarizes the permissions and roles that IAM supports for Payments Reseller Subscriptions API.

Required permissions

The following table lists the permissions that the caller must have to call each method:

Method	Required Permission(s)
`partners.subscriptions.get`	`paymentsresellersubscription.subscriptions.get`
`partners.subscriptions.provision`	`paymentsresellersubscription.subscriptions.provision`
`partners.subscriptions.extend`	`paymentsresellersubscription.subscriptions.extend`
`partners.subscriptions.cancel`	`paymentsresellersubscription.subscriptions.cancel`
`partners.products.list`	`paymentsresellersubscription.products.list`
`partners.promotions.list`	`paymentsresellersubscription.promotions.list`
`partners.userSessions.generate`	`paymentsresellersubscription.userSessions.generate`

Roles

The following table lists Payments Reseller Subscription API related IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

Subscription related roles:

Role	includes permission(s):	Resource type:
`roles/paymentsresellersubscription.subscriptions.viewer` or `roles/paymentsresellersubscription.partners.viewer` or `roles.viewer`	`paymentsresellersubscription.subscriptions.get`	Subscription
`roles/paymentsresellersubscription.subscriptions.editor` or `roles/paymentsresellersubscription.partners.editor` or `roles.editor`	All of above, as well as:
	`paymentsresellersubscription.subscriptions.provision`	Subscription
	`paymentsresellersubscription.subscriptions.extend`	Subscription
	`paymentsresellersubscription.subscriptions.cancel`	Subscription

Product and Promotion related roles:

Role includes permission(s): Resource type:

Role	includes permission(s):	Resource type:
`roles/paymentsresellersubscription.products.viewer` or `roles/paymentsresellersubscription.partners.viewer` or `roles.viewer`	`paymentsresellersubscription.products.list`	Product
`roles/paymentsresellersubscription.promotions.viewer` or `roles/paymentsresellersubscription.partners.viewer` or `roles.viewer`	`paymentsresellersubscription.promotions.list`	Promotion

roles/paymentsresellersubscription.products.viewer

roles/paymentsresellersubscription.partners.viewer

roles.viewer

paymentsresellersubscription.products.list

Product

roles/paymentsresellersubscription.promotions.viewer

roles/paymentsresellersubscription.partners.viewer

roles.viewer

paymentsresellersubscription.promotions.list

Promotion

UserSession related roles:

Role includes permission(s): Resource type:

Role	includes permission(s):	Resource type:
`roles/paymentsresellersubscription.userSessionEditor` or `roles/paymentsresellersubscription.partnerAdmin` or `roles.editor`	`paymentsresellersubscription.userSessions.generate`	UserSession

roles/paymentsresellersubscription.userSessionEditor

roles/paymentsresellersubscription.partnerAdmin

roles.editor

paymentsresellersubscription.userSessions.generate

UserSession

Partner Id Level Access Control

We currently do not support managing access control on the partner entity level. Your designated service accounts under the corresponding roles either have access to resources under all-or-none partner entities of the containing Cloud project.

If you have such use cases that needs partner entity level access control, please discuss with our team.