Skip to main content

Assign an access policy



Assign an access policy to a user or a service account. If the email address supplied to the principal request body field is not known to the IAM service, a new user account is created to track that email address within the IAM service. However, a corresponding SSO user account is not created at that time. Use the create SSO user call to create a corresponding SSO user account.

If the principal email address corresponds to a service account, then the specified role is applied to that service account. Service account email addresses conform to the following format:





Specifies the role to be assigned to the principal for the specified resource.

    principal stringrequired

    The email address for the user or service account to which you are assigning this access policy.

    resource stringrequired

    The PAN Resource Name that identifies the TSG for which you are assigning this access policy. It follows this format:


    role stringrequired

    The role that you are using for this access policy. If you are assigning a custom role, then this must be the custom role's ID.


Successful response.

    id string

    Access policy's unique identifier.

    principal string

    Email address of the user or service account which is receiving this role.

    resource string

    Resource to which the principal is gaining access. This is a string in the format:


    role string

    Role to assign to the principal.