Access Control

    • Payments Reseller Subscription API utilizes Identity and Access Management (IAM) for access control, enabling you to grant permissions at the project level.

    • You can grant specific permissions like listing products or provisioning subscriptions, and control access to all API resources within a project.

    • Every API method requires specific permissions; granting the project editor role to your service account automatically provides all necessary permissions.

    • Roles like viewer , editor , and specific resource-type roles determine the level of access granted for various API operations.

    • Currently, access control is managed at the project level for all partner entities; partner-level access control is not yet supported but can be discussed with the team.

    This document describes the access control options available to you in Payments Reseller Subscription API.

    Overview

    Payments Reseller Subscription API uses Identity and Access Management (IAM) for access control.

    In Payments Reseller Subscription API, access control can be configured at the project level. For example:

    • Grant access with limited capabilities, such as to only list all products that can be resold, but not to provision the subscription.
    • Grant access to all Payments Reseller Subscription API resources within a project to a group of developers.

    Please use the GCP project associated with the partner_id to manage IAM roles and permissions.

    For a detailed description of IAM and its features, see the IAM documentation . In particular, see Granting, changing, and revoking access to resources .

    Every Payments Reseller Subscription API method requires the caller to have the necessary permissions. By granting your service account project editor role would automatically grant all of the following permissions needed by Payments Reseller Subscription API.

    If you run your server on Compute Engine, or App Engine, their respective default service account should already have such role granted.

    For a list of the permissions and roles that Payments Reseller Subscription API IAM supports, see the Roles section, below.

    Permissions and roles

    This section summarizes the permissions and roles that IAM supports for Payments Reseller Subscriptions API.

    Required permissions

    The following table lists the permissions that the caller must have to call each method:

    Method
    Required Permission(s)

    partners.subscriptions.get

    paymentsresellersubscription.subscriptions.get

    partners.subscriptions.provision

    paymentsresellersubscription.subscriptions.provision

    partners.subscriptions.extend

    paymentsresellersubscription.subscriptions.extend

    partners.subscriptions.cancel

    paymentsresellersubscription.subscriptions.cancel

    partners.subscriptions.suspend

    paymentsresellersubscription.subscriptions.suspend

    partners.subscriptions.resume

    paymentsresellersubscription.subscriptions.resume

    partners.subscriptions.lineItems.patch

    paymentsresellersubscription.subscriptionLineItems.update

    partners.products.list

    paymentsresellersubscription.products.list

    partners.promotions.list

    paymentsresellersubscription.promotions.list

    partners.userSessions.generate

    paymentsresellersubscription.userSessions.generate

    Roles

    The following table lists Payments Reseller Subscription API related IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

    Subscription related roles:

    Role
    includes permission(s):
    Resource type:

    roles/paymentsresellersubscription.subscriptions.viewer

    or

    roles/paymentsresellersubscription.partners.viewer

    or

    roles.viewer

    paymentsresellersubscription.subscriptions.get

    Subscription

    roles/paymentsresellersubscription.subscriptions.editor

    or

    roles/paymentsresellersubscription.partners.editor

    or

    roles.editor

    All of above, as well as:

    paymentsresellersubscription.subscriptions.provision

    Subscription

    paymentsresellersubscription.subscriptions.extend

    Subscription

    paymentsresellersubscription.subscriptions.cancel

    Subscription

    paymentsresellersubscription.subscriptions.suspend

    Subscription

    paymentsresellersubscription.subscriptions.resume

    Subscription

    paymentsresellersubscription.subscriptionLineItems.update

    SubscriptionLineItem

    Product and Promotion related roles:

    Role
    includes permission(s):
    Resource type:

    roles/paymentsresellersubscription.products.viewer

    or

    roles/paymentsresellersubscription.partners.viewer

    or

    roles.viewer

    paymentsresellersubscription.products.list

    Product

    roles/paymentsresellersubscription.promotions.viewer

    or

    roles/paymentsresellersubscription.partners.viewer

    or

    roles.viewer

    paymentsresellersubscription.promotions.list

    Promotion

    UserSession related roles:

    Role
    includes permission(s):
    Resource type:

    roles/paymentsresellersubscription.userSessionEditor

    or

    roles/paymentsresellersubscription.partnerAdmin

    or

    roles.editor

    paymentsresellersubscription.userSessions.generate

    UserSession

    Partner Id Level Access Control

    We currently do not support managing access control on the partner entity level. Your designated service accounts under the corresponding roles either have access to resources under all-or-nonepartner entities of the containing Cloud project.

    If you have such use cases that needs partner entity level access control, please discuss with our team.
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: