Access control with IAM

Overview

BigQuery ML uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more IAM roles to a user, group, or service account. BigQuery ML's permissions are incorporated into the IAM roles.

This page provides details on BigQuery ML IAM permissions and roles. For more information on access controls in BigQuery, see the BigQuery access control page.

BigQuery ML permissions

The following table describes the permissions available in BigQuery ML.

For more information on BigQuery ML releases, see the Release notes.

Permission	Description
`bigquery.jobs.create` `bigquery.models.create` `bigquery.models.getData` `bigquery.models.updateData`	Create a new model using `CREATE MODEL` statement
`bigquery.jobs.create` `bigquery.models.create` `bigquery.models.getData` `bigquery.models.updateData` `bigquery.models.updateMetadata`	Replace an existing model using `CREATE OR REPLACE MODEL` statement
`bigquery.models.delete`	Delete model using models.delete API
`bigquery.jobs.create` `bigquery.models.delete`	Delete model using `DROP MODEL` statement
`bigquery.models.getMetadata`	Get model metadata using models.get API
`bigquery.models.list`	List models and metadata on models using models.list API
`bigquery.models.updateMetadata`	Update model metadata using models.delete API. If setting or updating a non-zero expiration time for Model, `bigquery.models.delete` permission is also needed
`bigquery.jobs.create` `bigquery.models.getData`	Perform evaluation, prediction and model and feature inspections using `ML.EVALUATE`, `ML.PREDICT`, `ML.TRAINING_INFO`, and `ML.WEIGHTS`, etc.
`bigquery.jobs.create` `bigquery.models.export`	Export a model

Roles

The following table lists the BigQuery predefined IAM roles with a corresponding list of all the permissions each role includes. BigQuery ML permissions are listed along with the BigQuery permissions. Note that every permission is applicable to a particular resource type.

Role	Permissions
BigQuery Admin (`roles/bigquery.admin`) Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Lowest-level resources where you can grant this role: Datasets Row access policies Tables Views	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.overrideTimeTravelRestrictions bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration.translation.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Connection Admin (`roles/bigquery.connectionAdmin`)	bigquery.connections.*
BigQuery Connection User (`roles/bigquery.connectionUser`)	bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
BigQuery Data Editor (`roles/bigquery.dataEditor`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Owner (`roles/bigquery.dataOwner`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	bigquery.config.get bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Viewer (`roles/bigquery.dataViewer`) When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.createSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Filtered Data Viewer (`roles/bigquery.filteredDataViewer`) Access to view filtered table data defined by a row access policy	bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User (`roles/bigquery.jobUser`) Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role: Project	bigquery.config.get bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list
BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Read Session User (`roles/bigquery.readSessionUser`) Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) Administer all BigQuery resources.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservations.* recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Editor (`roles/bigquery.resourceEditor`) Manage all BigQuery resources, but cannot make purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) View all BigQuery resources but cannot make changes or purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery User (`roles/bigquery.user`) When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (`roles/bigquery.dataOwner`) on these new datasets. Lowest-level resources where you can grant this role: Dataset	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get bigquerymigration.translation.* resourcemanager.projects.get resourcemanager.projects.list
Masked Reader ^Beta (`roles/bigquerydatapolicy.maskedReader`) Maksed read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns	bigquery.dataPolicies.maskedGet

Custom roles

In addition to the predefined roles, BigQuery ML also supports custom roles. For more information, see Creating and managing custom roles in the IAM documentation.

For more information on BigQuery ML releases, see the Release notes.