Access Control
Overview
BigQuery uses Identity and Access Management (IAM) to manage access to resources. The three types of resources available in BigQuery are organizations, projects, and datasets. In the IAM policy hierarchy, datasets are child resources of projects. Tables and views are child resources of datasets - they inherit permissions from their parent dataset.
- To grant access to a resource, assign one or more roles to a user, group, or service account.
- Organization and project roles affect the ability to run jobs or manage the project, whereas dataset roles affect the ability access or modify the data inside of a project.
- IAM provides two types of roles: predefined and primitive roles. When you assign both predefined and primitive roles to a user, the permissions granted are a union of each role's permissions.
Permissions and roles
Predefined roles comparison matrix
You can assign the following BigQuery predefined roles.
| Capability | dataViewer |
dataEditor |
dataOwner |
user |
jobUser |
admin |
|---|---|---|---|---|---|---|
| List/get projects | ✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
| List tables | ✓ |
✓ |
✓ |
✓ |
✓ |
|
| Get table data/metadata | ✓ |
✓ |
✓ |
✓ |
||
| Create tables | ✓ |
✓ |
✓ |
|||
| Modify/delete tables | ✓ |
✓ |
✓ |
|||
| List/get datasets | ✓ |
✓ |
✓ |
|||
| Create new datasets | ✓ |
✓ |
✓ |
✓ |
||
| Modify/delete datasets | ✓ |
✓ |
||||
| Create jobs/queries | ✓ |
✓ |
✓ |
|||
| Cancel jobs | Self-created jobs | Self-created jobs | Any jobs | |||
| Get/list saved queries | ||||||
| Create/update/delete saved queries | ✓ |
✓ |
||||
| Get transfers | ✓ |
✓ |
||||
| Create/update transfers | ✓ |
Permissions
The following table describes the permissions available in BigQuery.
| Permission | Description |
|---|---|
bigquery.jobs.create |
Create new jobs. |
bigquery.jobs.list |
List all jobs and retrieve metadata on any job.* |
bigquery.jobs.get |
Get data and metadata on any job.* |
bigquery.jobs.update |
Cancel any job.* |
bigquery.datasets.create |
Create new empty datasets. |
bigquery.datasets.list |
List datasets and metadata on datasets. |
bigquery.datasets.delete |
Delete a dataset. |
bigquery.datasets.get |
Get metadata about a dataset. |
bigquery.datasets.update |
Update metadata for a dataset. |
bigquery.tables.create |
Create new tables. |
bigquery.tables.list |
List tables and metadata on tables. |
bigquery.tables.delete |
Delete tables. |
bigquery.tables.get |
Get table metadata. To get table data, you needbigquery.tables.getData. |
bigquery.tables.getData |
Get table data. To get table metadata, you needbigquery.tables.get. |
bigquery.tables.export |
Export table data out of BigQuery. |
bigquery.tables.update |
Update table metadata. To update table data, you needbigquery.tables.updateData. |
bigquery.tables.updateData |
Update table data. To update table metadata, you needbigquery.tables.update. |
bigquery.transfers.create |
Create transfers. |
bigquery.transfers.get |
Get transfer metadata. |
bigquery.transfers.update |
Update transfers. |
bigquery.savedqueries.create |
Create saved queries. |
bigquery.savedqueries.get |
Get metadata on saved queries. |
bigquery.savedqueries.list |
List saved queries. |
bigquery.savedqueries.update |
Update saved queries. |
bigquery.savedqueries.delete |
Delete saved queries. |
Permissions required for methods
The following table lists the permissions that the caller must have to call each method:
| Method | Required Permission(s) |
|---|---|
datasets.delete |
bigquery.datasets.delete If the targeted dataset is not empty, you also needbigquery.tables.delete. |
datasets.get |
bigquery.datasets.get |
datasets.insert |
bigquery.datasets.insert |
datasets.list |
bigquery.datasets.list Also usesbigquery.datasets.getto check permissions on returned datasets. |
datasets.patch |
bigquery.datasets.update |
datasets.update |
bigquery.datasets.update |
jobs.cancel |
bigquery.jobs.update You can cancel your own jobs without this permission. |
jobs.get |
bigquery.jobs.get You can get your own jobs without this permission. |
jobs.getQueryResults |
bigquery.jobs.get You can get your own jobs without this permission. |
jobs.insert |
bigquery.jobs.createto start the job Additional permissions might be necessary to complete the job. |
jobs.list |
bigquery.jobs.list |
jobs.query |
bigquery.jobs.createto start the job Additional permissions might be necessary to complete the job. |
projects.list |
resourcemanager.projects.get |
tabledata.insertAll |
bigquery.tables.updateData |
tabledata.list |
bigquery.tables.getData |
tables.delete |
bigquery.tables.delete |
tables.get |
bigquery.tables.get |
tables.insert |
bigquery.tables.create If the method creates a view, it also needsbigquery.tables.getDatapermissions to all the tables referenced in the view. |
tables.list |
bigquery.tables.list |
tables.patch |
bigquery.tables.update |
tables.update |
bigquery.tables.update If the method updates a view, it also needsbigquery.tables.getDatapermissions to all the tables referenced in the view. If the view is already authorized on the dataset, the method also needsbigquery.datasets.updateon all datasets associated with the tables. |
projects.transferConfigs.create |
bigquery.transfers.create |
projects.transferConfigs.get |
bigquery.transfers.get |
projects.transferConfigs.patch |
bigquery.transfers.update |
Roles
The following table lists the Google BigQuery API IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.
| Role | includes permission(s): | for resource type: |
|---|---|---|
roles/bigquery.dataViewer |
resourcemanager.projects.get |
Organization |
resourcemanager.projects.list |
Organization | |
bigquery.datasets.list |
Project | |
bigquery.datasets.get |
Dataset | |
bigquery.tables.list |
Dataset | |
bigquery.tables.get |
Dataset | |
bigquery.tables.getData |
Dataset | |
bigquery.tables.export |
Dataset | |
roles/bigquery.dataEditor |
All of the above, as well as: | |
bigquery.datasets.create |
Project | |
bigquery.tables.create |
Dataset | |
bigquery.tables.delete |
Dataset | |
bigquery.tables.update |
Dataset | |
bigquery.tables.updateData |
Dataset | |
roles/bigquery.dataOwner |
All of the above, as well as: | |
bigquery.datasets.delete |
Project | |
bigquery.datasets.update |
Dataset | |
roles/bigquery.user |
resourcemanager.projects.get |
Organization |
resourcemanager.projects.list |
Organization | |
bigquery.jobs.create |
Project | |
bigquery.jobs.list |
Project | |
bigquery.datasets.create |
Project | |
bigquery.datasets.list |
Project | |
bigquery.datasets.get |
Project | |
bigquery.tables.list |
Project | |
bigquery.transfers.get |
Project | |
bigquery.savedqueries.get |
Project | |
bigquery.savedqueries.list |
Project | |
roles/bigquery.jobUser |
resourcemanager.projects.get |
Organization |
resourcemanager.projects.list |
Organization | |
bigquery.jobs.create |
Project | |
roles/bigquery.admin |
All permissions from other roles, as well as: | |
bigquery.jobs.get |
Project | |
bigquery.jobs.update |
Project | |
bigquery.savedqueries.create |
Project | |
bigquery.savedqueries.delete |
Project | |
bigquery.savedqueries.update |
Project | |
bigquery.transfers.update |
Project |
Predefined roles details
| Predefined roles details | |
|---|---|
roles/bigquery. user |
Permissions to run jobs, including queries, within the project. Most individuals (data scientists/analysts) in an enterprise should be users. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted thebigquery.dataOwnerrole for these new datasets.Rationale:This role allows the separation of data access from the ability to run work in the project, which is useful when team members query data from multiple projects. Dataset and table enumeration is included as a way to help users discover potential data sources.Resource Types:OrganizationProject |
roles/bigquery. jobUser |
Permissions to run jobs, including queries, within the project. The jobUser role can enumerate their own jobs and cancel their own jobs.Rationale:This role allows the separation of data access from the ability to run work in the project, which is useful when team members query data from multiple projects. This role does not allow access to any BigQuery data. If data access is required, grant dataset-level access controls.Resource Types:OrganizationProject |
roles/bigquery. dataViewer |
When applied to a dataset, dataViewer provides permissions to:Read the dataset's metadata and to list tables in the dataset.Read data and metadata from the dataset's tables.When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.For example, a user who merely has bigquery.dataViewer permissions on a dataset without any other permissions can only list the tables in the dataset and use the get() APIs to read the contents of the tables. The user cannot query the data without additional permissions.For an example of a user with permissions to run queries, consider the following scenario. A user who hasbigquery.userpermissions in projectA, andbigquery.dataViewerpermissions on projectA:dataset1 and projectB:dataset2 can run a query in projectA that uses either or both of these datasets.For external data sources that reside outside of BigQuery storage, additional permissions from those non-BigQuery data sources might be necessary.Rationale:The dataViewer role is intended for read-only data access. The dataViewer can access data, but additional permissions, such as those granted by the bigquery.user or bigquery.admin roles, are necessary to issue query jobs. The dataViewer doesn’t have the ability to incur costs.Resource Types:OrganizationProjectDataset |
roles/bigquery. dataEditor |
When applied to a dataset, dataEditor provides permissions to:Read the dataset's metadata and to list tables in the dataset.Create, update, get, and delete the dataset's tables.When applied at the project or organization level, this role can also create new datasets.Rationale:The dataEditor role extendsbigquery.dataViewerby issuing create, update, delete privileges for the tables within the dataset, but not allowing mutations of the dataset itself.Resource Types:OrganizationProjectDataset |
roles/bigquery. dataOwner |
When applied to a dataset, dataOwner provides permissions to:Read, update, and delete the dataset.Create, update, get, and delete the dataset's tables.When applied at the project or organization level, this role can also create new datasets.Rationale:The dataOwner role extendsbigquery.dataEditorby adding the ability to modify and delete the containing dataset.Resource Types:OrganizationProjectDataset |
roles/bigquery. admin |
Permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.Rationale:This is the highest level role with the broadest responsibilities, the superuser who supports their colleagues as they perform their various analyses.Resource Types:OrganizationProject |
Primitive IAM roles
The primitive IAM roles map directly to the legacy BigQuery viewer/editor/owner project roles and the reader/writer/owner dataset roles.
Transitioning from primitive roles
For users more familiar with the legacy authorization setup, BigQuery exposed a combination ofprimitive rolesas the project level permissions (Reader, Writer, Owner).
For compatibility purposes, the per-dataset level legacy permissions map directly into their equivalent predefined roles.
| BigQuery Legacy Permissions | IAM Equivalent |
|---|---|
| Project - Can View | Primitive Role - Viewer |
| Project - Can Edit | Primitive Role - Editor |
| Project - Is Owner | Primitive Role - Owner |
| Dataset - READER | bigquery.dataViewer |
| Dataset - WRITER | bigquery.dataEditor |
| Dataset - OWNER | bigquery.dataOwner |
Primitive roles for projects
By default, granting access to a project also grants access to datasets within it. Default access can be overridden on a per-dataset basis. Any user with the projectOwnerrole has the ability to revoke or change any project role.
When a project is created, BigQuery grants theOwnerrole to the user who created the project.
| Primitive role | Capabilities |
|---|---|
Viewer |
Can start a job in the project. Additional dataset roles are required depending on the job type.Can list and get all jobs, and update jobs that they started for the projectIf you create a dataset in a project that contains any viewers, BigQuery grants those users thebigquery.dataViewerpredefined role for the new dataset. |
Editor |
Same asViewer, plus:Can create a new dataset in the projectIf you create a dataset in a project that contains any editors, BigQuery grants those users thebigquery.dataEditorpredefined role for the new dataset. |
Owner |
Same asEditor, plus:Can list all datasets in the projectCan delete any dataset in the projectCan list and get all jobs run on the project, including jobs run by other project usersIf you create a dataset, BigQuery grants all project owners thebigquery.dataOwnerpredefined role for the new dataset. |
Primitive roles for projects are granted or revoked through theGoogle Cloud Platform Console. You must haveOwneraccess to the project in order to grant or revoke a new project role.
For more information about how to grant or revoke access for project roles, seeManaging project members.
Primitive roles for datasets
The primitive roles for datasets are functionally equivalent to the predefined roles described inTransitioning from primitive roles.
Dataset roles can be granted to the following entity types:
| Entity type | API |
|---|---|
| Single users, by email address | access.userByEmail |
| AGoogle Group, by email address | access.groupByEmail |
| A predefined group of users, such as all users, or a group of users that have the sameproject rolefor the project that contains the dataset | access.specialGroup |
The following primitive roles apply to datasets:
| Dataset role | Capabilities |
|---|---|
READER |
Can read, query, copy or export tables in the datasetCan callgeton the datasetCan callgetandliston tables in the datasetCan callliston table data for tables in the dataset |
WRITER |
Same asREADER, plus:Can edit or append data in the datasetCan callinsert,insertAll,updateordeleteCan use tables in the dataset as destinations for load, copy or query jobs |
OWNER |
Same asWRITER, plus:Can callupdateon the datasetCan calldeleteon the datasetNote:A dataset must have at least one entity with theOWNERrole. A user with theOWNERrole can't remove their ownOWNERrole. |
When you create a new dataset, BigQuery adds default dataset access for the following entities. Roles that you specify on dataset creation overwrite the default values.