Access Control
Stay organized with collections
Save and categorize content based on your preferences.
This document describes the access control options available to you in Payments Reseller Subscription API.
Overview
Payments Reseller Subscription API uses Identity and Access Management (IAM) for access control.
In Payments Reseller Subscription API, access control can be configured at the project level. For example:
- Grant access with limited capabilities, such as to only list all products that can be resold, but not to provision the subscription.
- Grant access to all Payments Reseller Subscription API resources within a project to a group of developers.
Please use the GCP project associated with the partner_id to manage IAM roles and permissions.
For a detailed description of IAM and its features, see the IAM documentation. In particular, see Granting, changing, and revoking access to resources.
Every Payments Reseller Subscription API method requires the caller to have the necessary permissions. By granting your service account project editor role would automatically grant all of the following permissions needed by Payments Reseller Subscription API.
If you run your server on Compute Engine, or App Engine, their respective default service account should already have such role granted.
For a list of the permissions and roles that Payments Reseller Subscription API IAM supports, see the Roles section, below.
Permissions and roles
This section summarizes the permissions and roles that IAM supports for Payments Reseller Subscriptions API.
Required permissions
The following table lists the permissions that the caller must have to call each method:
Roles
The following table lists Payments Reseller Subscription API related IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.
Subscription related roles:
| Role | includes permission(s): | Resource type: |
|
roles/paymentsresellersubscription.subscriptions.viewer
or
roles/paymentsresellersubscription.partners.viewer
or
roles.viewer
|
paymentsresellersubscription.subscriptions.get
| Subscription |
|
roles/paymentsresellersubscription.subscriptions.editor
or
roles/paymentsresellersubscription.partners.editor
or
roles.editor
| All of above, as well as: |
|
paymentsresellersubscription.subscriptions.provision
| Subscription |
|
paymentsresellersubscription.subscriptions.extend
| Subscription |
|
paymentsresellersubscription.subscriptions.cancel
| Subscription |
|
paymentsresellersubscription.subscriptions.suspend
| Subscription |
|
paymentsresellersubscription.subscriptions.resume
| Subscription |
Product and Promotion related roles:
| Role | includes permission(s): | Resource type: |
|
roles/paymentsresellersubscription.products.viewer
or
roles/paymentsresellersubscription.partners.viewer
or
roles.viewer
|
paymentsresellersubscription.products.list
| Product |
|
roles/paymentsresellersubscription.promotions.viewer
or
roles/paymentsresellersubscription.partners.viewer
or
roles.viewer
|
paymentsresellersubscription.promotions.list
| Promotion |
UserSession related roles:
| Role | includes permission(s): | Resource type: |
|
roles/paymentsresellersubscription.userSessionEditor
or
roles/paymentsresellersubscription.partnerAdmin
or
roles.editor
|
paymentsresellersubscription.userSessions.generate
| UserSession |
Partner Id Level Access Control
We currently do not support managing access control on the partner entity level. Your designated service accounts under the corresponding roles either have access to resources under all-or-none partner entities of the containing Cloud project.
If you have such use cases that needs partner entity level access control, please discuss with our team.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-03-27 UTC.
[null,null,["Last updated 2025-03-27 UTC."],[[["\u003cp\u003ePayments Reseller Subscription API utilizes Identity and Access Management (IAM) for access control, enabling you to grant permissions at the project level.\u003c/p\u003e\n"],["\u003cp\u003eYou can grant specific permissions like listing products or provisioning subscriptions, and control access to all API resources within a project.\u003c/p\u003e\n"],["\u003cp\u003eEvery API method requires specific permissions; granting the project editor role to your service account automatically provides all necessary permissions.\u003c/p\u003e\n"],["\u003cp\u003eRoles like \u003ccode\u003eviewer\u003c/code\u003e, \u003ccode\u003eeditor\u003c/code\u003e, and specific resource-type roles determine the level of access granted for various API operations.\u003c/p\u003e\n"],["\u003cp\u003eCurrently, access control is managed at the project level for all partner entities; partner-level access control is not yet supported but can be discussed with the team.\u003c/p\u003e\n"]]],["Payments Reseller Subscription API utilizes Identity and Access Management (IAM) for project-level access control. Access can be tailored, from listing products to managing subscriptions. Each API method requires specific permissions, like `subscriptions.get` or `products.list`. Granting a service account the project editor role provides all necessary permissions. Roles such as viewer or editor grant different permissions sets for subscriptions, products, promotions, or user sessions. Partner-level access control is not supported and further inquiries are recommended.\n"],null,["# Access Control\n\nThis document describes the access control options available to you in Payments Reseller Subscription API.\n\nOverview\n--------\n\nPayments Reseller Subscription API uses [Identity and Access Management (IAM)](https://cloud.google.com/iam/docs/overview) for access control.\n\nIn Payments Reseller Subscription API, access control can be configured at the project level. For example:\n\n- Grant access with limited capabilities, such as to only list all products that can be resold, but not to provision the subscription.\n- Grant access to all Payments Reseller Subscription API resources within a project to a group of developers.\n\nPlease use the GCP project associated with the partner_id to manage IAM roles and permissions.\n\nFor a detailed description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/overview). In particular, see [Granting, changing, and revoking access to resources](https://cloud.google.com/iam/docs/granting-changing-revoking-access).\n\nEvery Payments Reseller Subscription API method requires the caller to have the necessary permissions. By granting your service account project editor role would automatically grant all of the following permissions needed by Payments Reseller Subscription API.\n\nIf you run your server on Compute Engine, or App Engine, their respective [default service account](https://cloud.google.com/iam/docs/service-accounts#default) should already have such role granted.\n\nFor a list of the permissions and roles that Payments Reseller Subscription API IAM supports, see the [Roles](/payments/reseller/subscription/reference/index/Access.Control#roles) section, below.\n\nPermissions and roles\n---------------------\n\nThis section summarizes the permissions and roles that IAM supports for Payments Reseller Subscriptions API.\n\n### Required permissions\n\nThe following table lists the permissions that the caller must have to call each method:\n\n\u003cbr /\u003e\n\n| Method | Required Permission(s) |\n|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|\n| [\u003cbr /\u003e `partners.subscriptions.get`](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/get) [](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/get) | \u003cbr /\u003e `paymentsresellersubscription.subscriptions.get` \u003cbr /\u003e |\n| [\u003cbr /\u003e `partners.subscriptions.provision`](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/provision) [](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/provision) | \u003cbr /\u003e `paymentsresellersubscription.subscriptions.provision` \u003cbr /\u003e |\n| [\u003cbr /\u003e `partners.subscriptions.extend`](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/extend) [](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/extend) | \u003cbr /\u003e `paymentsresellersubscription.subscriptions.extend` \u003cbr /\u003e |\n| [\u003cbr /\u003e `partners.subscriptions.cancel`](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/cancel) [](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/cancel) | \u003cbr /\u003e `paymentsresellersubscription.subscriptions.cancel` \u003cbr /\u003e |\n| [\u003cbr /\u003e `partners.subscriptions.suspend`](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/suspend) [](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/suspend) | \u003cbr /\u003e `paymentsresellersubscription.subscriptions.suspend` \u003cbr /\u003e |\n| [\u003cbr /\u003e `partners.subscriptions.resume`](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/resume) [](/payments/reseller/subscription/reference/rest/v1/partners.subscriptions/resume) | \u003cbr /\u003e `paymentsresellersubscription.subscriptions.resume` \u003cbr /\u003e |\n| [\u003cbr /\u003e `partners.products.list`](/payments/reseller/subscription/reference/rest/v1/partners.products/list) [](/payments/reseller/subscription/reference/rest/v1/partners.products/list) | \u003cbr /\u003e `paymentsresellersubscription.products.list` \u003cbr /\u003e |\n| [\u003cbr /\u003e `partners.promotions.list`](/payments/reseller/subscription/reference/rest/v1/partners.promotions/list) [](/payments/reseller/subscription/reference/rest/v1/partners.promotions/list) | \u003cbr /\u003e `paymentsresellersubscription.promotions.list` \u003cbr /\u003e |\n| [\u003cbr /\u003e `partners.userSessions.generate`](/payments/reseller/subscription/reference/rest/v1/partners.userSessions/generate) [](/payments/reseller/subscription/reference/rest/v1/partners.userSessions/generate) | \u003cbr /\u003e `paymentsresellersubscription.userSessions.generate` \u003cbr /\u003e |\n\n\u003cbr /\u003e\n\n### Roles\n\nThe following table lists Payments Reseller Subscription API related IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.\n\nSubscription related roles:\n\n\u003cbr /\u003e\n\n| Role | includes permission(s): | Resource type: |\n|---------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|----------------|\n| \u003cbr /\u003e `roles/paymentsresellersubscription.subscriptions.viewer` or `roles/paymentsresellersubscription.partners.viewer` or `roles.viewer` \u003cbr /\u003e | \u003cbr /\u003e `paymentsresellersubscription.subscriptions.get` \u003cbr /\u003e | Subscription |\n| \u003cbr /\u003e `roles/paymentsresellersubscription.subscriptions.editor` or `roles/paymentsresellersubscription.partners.editor` or `roles.editor` \u003cbr /\u003e | **All of above, as well as:** ||\n| \u003cbr /\u003e `roles/paymentsresellersubscription.subscriptions.editor` or `roles/paymentsresellersubscription.partners.editor` or `roles.editor` \u003cbr /\u003e | \u003cbr /\u003e `paymentsresellersubscription.subscriptions.provision` \u003cbr /\u003e | Subscription |\n| \u003cbr /\u003e `roles/paymentsresellersubscription.subscriptions.editor` or `roles/paymentsresellersubscription.partners.editor` or `roles.editor` \u003cbr /\u003e | \u003cbr /\u003e `paymentsresellersubscription.subscriptions.extend` \u003cbr /\u003e | Subscription |\n| \u003cbr /\u003e `roles/paymentsresellersubscription.subscriptions.editor` or `roles/paymentsresellersubscription.partners.editor` or `roles.editor` \u003cbr /\u003e | \u003cbr /\u003e `paymentsresellersubscription.subscriptions.cancel` \u003cbr /\u003e | Subscription |\n| \u003cbr /\u003e `paymentsresellersubscription.subscriptions.suspend` \u003cbr /\u003e | Subscription |\n| \u003cbr /\u003e `paymentsresellersubscription.subscriptions.resume` \u003cbr /\u003e | Subscription |\n\n\u003cbr /\u003e\n\nProduct and Promotion related roles:\n\n\u003cbr /\u003e\n\n| Role | includes permission(s): | Resource type: |\n|------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|----------------|\n| \u003cbr /\u003e `roles/paymentsresellersubscription.products.viewer` or `roles/paymentsresellersubscription.partners.viewer` or `roles.viewer` \u003cbr /\u003e | \u003cbr /\u003e `paymentsresellersubscription.products.list` \u003cbr /\u003e | Product |\n| \u003cbr /\u003e `roles/paymentsresellersubscription.promotions.viewer` or `roles/paymentsresellersubscription.partners.viewer` or `roles.viewer` \u003cbr /\u003e | \u003cbr /\u003e `paymentsresellersubscription.promotions.list` \u003cbr /\u003e | Promotion |\n\n\u003cbr /\u003e\n\nUserSession related roles:\n\n\u003cbr /\u003e\n\n| Role | includes permission(s): | Resource type: |\n|---------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------|----------------|\n| \u003cbr /\u003e `roles/paymentsresellersubscription.userSessionEditor` or `roles/paymentsresellersubscription.partnerAdmin` or `roles.editor` \u003cbr /\u003e | \u003cbr /\u003e `paymentsresellersubscription.userSessions.generate` \u003cbr /\u003e | UserSession |\n\n\u003cbr /\u003e\n\nPartner Id Level Access Control\n-------------------------------\n\nWe currently do not support managing access control on the partner entity level. Your designated service accounts under the corresponding roles either have access to resources under **all-or-none** partner entities of the containing Cloud project.\n\nIf you have such use cases that needs partner entity level access control, please discuss with our team."]]