
# New in Gemini Enterprise: Granular Access Control for Your Custom Agents (IAM)
**Gone are the days of "everyone sees everything."**
This is an important step forward for the maturity of Gemini Enterprise in large organizations. Until now, an agent deployed from the console had no per-agent access control: anyone with access to the app could see it. Today, Google Cloud introduces (in **Preview**) a feature that administrators and security teams have been waiting for: **granular sharing of custom agents via IAM.**
## Why is this important?
In an enterprise environment, segregation of duties and the principle of least privilege are fundamental. Previously, every agent registered in an app was visible to every user of that app, whatever the agent's purpose or the sensitivity of the data it handles.
With this update, you can now define precisely **who** is allowed to interact with **which** agent. This enables you to:
* 🔒 **Secure sensitive agents:** An HR agent handling confidential data should only be visible to the HR team, not the entire engineering department.
* 🧹 **Clean up the user experience:** End users only see agents relevant to their job role, without being polluted by test agents or agents from other departments.
* 🤝 **Manage complex environments:** Facilitate the coexistence of development agents (ADK), Dialogflow agents, and Marketplace agents within the same organization.
## Which agents are covered?
This sharing feature applies to the entire ecosystem of custom agents registered in Gemini Enterprise:
1. **A2A Agents (Agent2Agent protocol):** Agents exposed through the A2A protocol, typically your orchestration agents.
2. **ADK Agents (Agent Development Kit):** Hosted on Vertex AI Agent Engine.
3. **Dialogflow Agents:** Your classic conversational agents.
4. **Marketplace Agents:** Third-party solutions added from Google Cloud Marketplace.
> **⚠️ Important Note:** This feature is currently in **Preview**. It is available "as is" and is subject to the specific terms of Google Cloud pre-GA offerings.
## How to configure permissions (Quick Tutorial)
Management is done directly from the Google Cloud console, leveraging the robust IAM mechanisms you already know.
### The Procedure
Here are the steps to restrict or open access to an agent:
1. Go to the **Gemini Enterprise** page in the Google Cloud console.
2. Select your app, then click **Agents** in the navigation menu.
3. Click the **Display name** of the target agent.
4. Open the **User permissions** tab.
5. Click **Add user**.
### Supported Member Types
The strength of this update lies in the flexibility of identities supported via the configuration panel:
| Member Type | Description | Ideal Use Case |
| :--- | :--- | :--- |
| **User** | An individual email address. | Targeted testing or VIP access for an executive. |
| **Group** | A Google Group (group email). | Team management (e.g., `marketing@pyl.tech`). |
| **Principal Set** | A set of identities from a Workforce Identity Federation pool, selected by subject, group, IdP attribute, or the whole pool. | External identity federations where membership is driven by IdP attributes. |
| **All users** | All users in the organization. Check that this matches what you intend before granting it to an agent that touches internal data. | General interest agents (e.g., IT Helpdesk). |
## Technical Focus: "Principal Sets"
For enterprises using **Workforce Identity Federation**, *Principal Sets* give you attribute-based granularity without adding users one by one. A principal set is expressed with the standard IAM identifier syntax for workforce pools: `principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID` for a group, `principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE` for every identity whose mapped attribute has that value, and `principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/*` for the whole pool (a single identity is `principal://.../workforcePools/POOL_ID/subject/SUBJECT`).
The attribute values come from the pool's attribute mapping, which derives them from claims in your external Identity Provider (IdP) assertion. This is convenient, but it also means the mapping and the IdP claim behind it become part of the agent's access-control boundary: anyone who can change the IdP attribute (or the mapping expression) can change who reaches the agent, so treat both as privileged configuration and review them with the same care as the IAM binding itself.
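As an added example (not part of the original article and not Google's code), the following Python parses the documented Workforce Identity Federation principal identifier formats and evaluates which federated identities a list of sharing bindings would cover, so you can sanity-check a principal set before granting it to an agent. The pool ID `corp-pool`, the subjects, the `hr-admins` group and the `department` attribute are constructed sample data; which identifier forms the Gemini Enterprise sharing panel accepts for a given agent should be confirmed against the product documentation.

```python
"""Added example, not Google's or the article's code: parse Workforce Identity
Federation principal identifiers (documented formats) and evaluate which
federated identities a set of agent-sharing bindings would cover.
Pool IDs, subjects, groups and attributes below are constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

POOL_PREFIX = "iam.googleapis.com/locations/global/workforcePools/"
_PRINCIPAL_RE = re.compile(
    r"^(?P<scheme>principal|principalSet)://"
    + re.escape(POOL_PREFIX)
    + r"(?P<pool>[^/]+)/(?P<rest>.+)$"
)


@dataclass(frozen=True)
class Principal:
    kind: str  # "subject" | "group" | "attribute" | "all"
    pool: str
    key: str = ""  # attribute name, only for kind == "attribute"
    value: str = ""  # subject, group ID, or attribute value


@dataclass
class FederatedIdentity:
    """What a workforce pool sees after applying its attribute mapping to an IdP assertion."""
    pool: str
    subject: str
    groups: frozenset[str] = frozenset()
    attributes: dict[str, str] = field(default_factory=dict)


def parse_principal(identifier: str) -> Principal:
    """Parse one IAM workforce-pool principal identifier; reject malformed ones."""
    m = _PRINCIPAL_RE.match(identifier)
    if not m:
        raise ValueError(f"not a workforce pool principal: {identifier!r}")
    scheme, pool, rest = m["scheme"], m["pool"], m["rest"]
    if scheme == "principal":
        head, sep, subject = rest.partition("/")
        if head != "subject" or not sep or not subject:
            raise ValueError(f"principal:// must end in /subject/<value>: {identifier!r}")
        return Principal("subject", pool, value=subject)
    if rest == "*":
        return Principal("all", pool)
    if rest.startswith("group/"):
        group = rest[len("group/"):]
        if not group:
            raise ValueError(f"empty group ID: {identifier!r}")
        return Principal("group", pool, value=group)
    if rest.startswith("attribute."):
        name, sep, value = rest[len("attribute."):].partition("/")
        if not name or not sep or not value:
            raise ValueError(f"attribute selector needs attribute.NAME/VALUE: {identifier!r}")
        return Principal("attribute", pool, key=name, value=value)
    raise ValueError(f"unsupported principalSet selector: {identifier!r}")


def is_valid_principal(identifier: str) -> bool:
    try:
        parse_principal(identifier)
        return True
    except ValueError:
        return False


def covers(principal: Principal, identity: FederatedIdentity) -> bool:
    """True if the binding's principal includes this federated identity."""
    if principal.pool != identity.pool:  # a pool never grants across pools
        return False
    if principal.kind == "all":
        return True
    if principal.kind == "subject":
        return identity.subject == principal.value
    if principal.kind == "group":
        return principal.value in identity.groups
    return identity.attributes.get(principal.key) == principal.value


def who_can_use(bindings: list[str], identities: list[FederatedIdentity]) -> dict[str, list[str]]:
    """Map each covered subject to the binding(s) that grant it access."""
    parsed = [(b, parse_principal(b)) for b in bindings]
    result: dict[str, list[str]] = {}
    for ident in identities:
        grants = [b for b, p in parsed if covers(p, ident)]
        if grants:
            result[ident.subject] = grants
    return result


# Constructed sample data (assumed pool ID, subjects, group and attribute).
CORP = "corp-pool"
HR_DEPT = f"principalSet://{POOL_PREFIX}{CORP}/attribute.department/HR"
HR_ADMINS = f"principalSet://{POOL_PREFIX}{CORP}/group/hr-admins"
EVERYONE_IN_POOL = f"principalSet://{POOL_PREFIX}{CORP}/*"
SAMPLE_IDENTITIES = [
    FederatedIdentity(CORP, "alice@example.com", attributes={"department": "HR"}),
    FederatedIdentity(CORP, "bob@example.com", frozenset({"hr-admins"}), {"department": "Engineering"}),
    FederatedIdentity(CORP, "dave@example.com", attributes={"department": "Engineering"}),
    FederatedIdentity("partner-pool", "erin@partner.example", attributes={"department": "HR"}),
]

if __name__ == "__main__":
    for subject, grants in who_can_use([HR_DEPT, HR_ADMINS], SAMPLE_IDENTITIES).items():
        print(subject, "<-", grants)
```

Running it shows that the HR department binding reaches `alice`, the `hr-admins` group binding reaches `bob`, and `erin` is excluded even though her department is HR, because she lives in a different pool. Swapping in the `/*` selector covers every identity in `corp-pool`, which is why that form deserves the same scrutiny as the "All users" option in the table above.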
## Conclusion
The arrival of IAM management on deployed agents transforms Gemini Enterprise from a powerful tool into a truly governable platform at scale. This opens the door to broader, safer, and better-organized deployments on geminienterprise.pyl.tech.
Log in to your console and start segmenting your agents today!