Stay organized with collectionsSave and categorize content based on your preferences.
Access control for tenants
Identity Platform provides Admin APIs to manage your tenants, users, and
authentication tokens. You can leverageIdentity and Access Managementto prevent unwanted access using these APIs.
Granting, changing, and revoking access
Follow these steps to grant a user a role on a tenant resource:
Open the Identity Platform Tenants page in the Google Cloud console.Go to the tenants page
Select a tenant from the list.
Switch to thePermissionstab in the info panel on the right.
ClickAdd principalto grant a user a new role, or use the list to
modify or revoke access for an existing user.
To learn more about access control using IAM, see theIAM documentation. To set the access control policy
for a resource, use thesetIamPolicymethod.
API permissions
This table lists the role required to call each method in the
Identity Platform API. The role should be assigned on the tenant resource.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eIdentity Platform uses Admin APIs to manage tenants, users, and authentication tokens, with Identity and Access Management (IAM) for access control.\u003c/p\u003e\n"],["\u003cp\u003eYou can grant, modify, or revoke user access to a tenant resource directly within the Google Cloud console's Identity Platform Tenants page under the Permissions tab.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003esetIamPolicy\u003c/code\u003e method can be used to set the access control policy for tenant resources, allowing for direct management of permissions.\u003c/p\u003e\n"],["\u003cp\u003eDifferent Identity Platform API methods require specific roles, such as Editor or Viewer, which need to be assigned to a tenant resource for access.\u003c/p\u003e\n"],["\u003cp\u003eTo control access to various tenant management operations, such as creating or deleting a tenant, users need the Editor or Viewer roles on the corresponding project or tenant.\u003c/p\u003e\n"]]],[],null,["# Access control for tenants\n==========================\n\nIdentity Platform provides Admin APIs to manage your tenants, users, and\nauthentication tokens. You can leverage\n[Identity and Access Management](/iam) to prevent unwanted access using these APIs.\n\nGranting, changing, and revoking access\n---------------------------------------\n\nFollow these steps to grant a user a role on a tenant resource:\n\n1. Open the Identity Platform Tenants page in the Google Cloud console. \n\n [Go to the tenants page](https://console.cloud.google.com/customer-identity/tenants)\n\n2. Select a tenant from the list.\n\n3. Switch to the **Permissions** tab in the info panel on the right.\n\n4. Click **Add principal** to grant a user a new role, or use the list to\n modify or revoke access for an existing user.\n\nTo learn more about access control using IAM, see the\n[IAM documentation](/iam/docs). To set the access control policy\nfor a resource, use the [`setIamPolicy` method](/identity-platform/docs/reference/rest/v2/projects.tenants/setIamPolicy).\n\nAPI permissions\n---------------\n\nThis table lists the role required to call each method in the\nIdentity Platform API. The role should be assigned on the tenant resource."]]
