Grant user access to open models

For you to enable open models and make a prompt request, a Google Cloud administrator must set the required permissions and verify the organization policy allows the use of required APIs .

Set required permissions to use open models

The following roles and permissions are required to use open models:

You must have the Consumer Procurement Entitlement Manager Identity and Access Management (IAM) role. Anyone who's been granted this role can enable open models in Model Garden.
You must have the aiplatform.endpoints.predict permission. This permission is included in the Vertex AI User IAM role. For more information, see Vertex AI User and Access control .

Console

To grant the Consumer Procurement Entitlement Manager IAM roles to a user, go to the IAMpage.

Go to IAM
In the Principalcolumn, find the user principal for which you want to enable access to open models, and then click Edit principalin that row.
In the Edit accesspane, click Add another role.
In Select a role, select Consumer Procurement Entitlement Manager.
In the Edit accesspane, click Add another role.
In Select a role, select Vertex AI User.
Click Save.

gcloud

In the Google Cloud console, activate Cloud Shell.

Activate Cloud Shell

Grant the Consumer Procurement Entitlement Manager role that's required to enable open models in Model Garden

 gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
--member = 
 PRINCIPAL 
  
--role = 
roles/consumerprocurement.entitlementManager

Grant the Vertex AI User role that includes the aiplatform.endpoints.predict permission which is required to make prompt requests:
```
 gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
--member = 
 PRINCIPAL 
  
--role = 
roles/aiplatform.user 
```
Replace PRINCIPAL with the identifier for the principal. The identifier takes the form user|group|serviceAccount:email or domain:domain —for example, user:cloudysanfrancisco@gmail.com , group:admins@example.com , serviceAccount:test123@example.domain.com , or domain:example.domain.com .

The output is a list of policy bindings that includes the following:
```
 -   members:
  -   user: PRINCIPAL 
role: roles/roles/consumerprocurement.entitlementManager 
```
For more information, see Grant a single role and gcloud projects add-iam-policy-binding .

Set the organization policy for open model access

To enable open models, your organization policy must allow the following API: Cloud Commerce Consumer Procurement API - cloudcommerceconsumerprocurement.googleapis.com

If your organization sets an organization policy to restrict service usage , then an organization administrator must verify that cloudcommerceconsumerprocurement.googleapis.com is allowed by setting the organization policy .

Also, if you have an organization policy that restricts model usage in Model Garden, the policy must allow access to open models. For more information, see Control model access .

What's next

Learn how to make a Call MaaS APIs for open models .

Grant user access to open models Stay organized with collections Save and categorize content based on your preferences.