Overview
BigQuery ML uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more IAM roles to a user, group, or service account. BigQuery ML's permissions are incorporated into the IAM roles.
This page provides details on BigQuery ML IAM permissions and roles. For more information on access controls in BigQuery, see the BigQuery access control page.
BigQuery ML permissions
The following table describes the permissions available in BigQuery ML.
For more information on BigQuery ML releases, see the Release notes.
Permission | Description
---|---
bigquery.jobs.create, bigquery.models.create, bigquery.models.getData, bigquery.models.updateData | Create a new model using the CREATE MODEL statement
bigquery.jobs.create, bigquery.models.create, bigquery.models.getData, bigquery.models.updateData, bigquery.models.updateMetadata | Replace an existing model using the CREATE OR REPLACE MODEL statement
bigquery.models.delete | Delete a model using the models.delete API
bigquery.jobs.create, bigquery.models.delete | Delete a model using the DROP MODEL statement
bigquery.models.getMetadata | Get model metadata using the models.get API
bigquery.models.list | List models and model metadata using the models.list API
bigquery.models.updateMetadata | Update model metadata using the models.delete API. If setting or updating a non-zero expiration time for a model, the bigquery.models.delete permission is also needed
bigquery.jobs.create, bigquery.models.getData | Perform evaluation, prediction, and model and feature inspection using ML.EVALUATE, ML.PREDICT, ML.TRAINING_INFO, ML.WEIGHTS, etc.
bigquery.jobs.create, bigquery.models.export | Export a model
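The table above is also a least-privilege checklist: a custom role or a service account should carry only the permission set for the operations it actually performs. The following script, an added example that is not part of the original page or of BigQuery ML itself, encodes the table's required permission sets and reports which operations a given permission list allows and what is missing; the "model scorer" role is a constructed sample, and the expiration caveat from the table is modelled with the sets_expiration flag.

```python
"""Least-privilege audit of BigQuery ML operations against a permission list."""
from typing import Dict, FrozenSet, Iterable, Set

# Required permission sets, transcribed from the BigQuery ML permissions table.
REQUIRED: Dict[str, FrozenSet[str]] = {
    "CREATE MODEL": frozenset({
        "bigquery.jobs.create", "bigquery.models.create",
        "bigquery.models.getData", "bigquery.models.updateData"}),
    "CREATE OR REPLACE MODEL": frozenset({
        "bigquery.jobs.create", "bigquery.models.create",
        "bigquery.models.getData", "bigquery.models.updateData",
        "bigquery.models.updateMetadata"}),
    "models.delete API": frozenset({"bigquery.models.delete"}),
    "DROP MODEL": frozenset({"bigquery.jobs.create", "bigquery.models.delete"}),
    "models.get API": frozenset({"bigquery.models.getMetadata"}),
    "models.list API": frozenset({"bigquery.models.list"}),
    "update model metadata": frozenset({"bigquery.models.updateMetadata"}),
    "ML.EVALUATE / ML.PREDICT / inspection": frozenset({
        "bigquery.jobs.create", "bigquery.models.getData"}),
    "export model": frozenset({"bigquery.jobs.create", "bigquery.models.export"}),
}


def audit(granted: Iterable[str], sets_expiration: bool = False) -> Dict[str, Set[str]]:
    """Return {operation: missing permissions}; an empty set means the operation is allowed.

    sets_expiration: per the table, setting or updating a non-zero model
    expiration time additionally requires bigquery.models.delete.
    """
    have = set(granted)
    report: Dict[str, Set[str]] = {}
    for op, needed in REQUIRED.items():
        need = set(needed)
        if op == "update model metadata" and sets_expiration:
            need.add("bigquery.models.delete")
        report[op] = need - have
    return report


def missing_for(op: str, granted: Iterable[str], sets_expiration: bool = False) -> Set[str]:
    """Permissions still missing for a single operation (empty set == allowed)."""
    return audit(granted, sets_expiration)[op]


# Constructed sample: a custom "model scorer" role that should only run predictions.
SCORER_ROLE = ["bigquery.jobs.create", "bigquery.models.getData"]

if __name__ == "__main__":
    for op, missing in audit(SCORER_ROLE).items():
        status = "ALLOWED" if not missing else "denied, missing " + ", ".join(sorted(missing))
        print(f"{op:40s} {status}")
```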
Roles
The following table lists the BigQuery predefined IAM roles with a corresponding list of all the permissions each role includes. BigQuery ML permissions are listed along with the BigQuery permissions. Note that every permission is applicable to a particular resource type.
Role | Description
---|---
BigQuery Admin | Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.
BigQuery Connection Admin |
BigQuery Connection User |
BigQuery Data Editor | Can be applied to a table or view, to a dataset, or at the project or organization level; it cannot be applied to individual models or routines. When applied at the project or organization level, this role can also create new datasets.
BigQuery Data Owner | Can be applied to a table or view, to a dataset, or at the project or organization level; it cannot be applied to individual models or routines. When applied at the project or organization level, this role can also create new datasets.
BigQuery Data Viewer | Can be applied to a table or view, to a dataset, or at the project or organization level; it cannot be applied to individual models or routines. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.
BigQuery Filtered Data Viewer | Access to view filtered table data defined by a row access policy.
BigQuery Job User | Provides permissions to run jobs, including queries, within the project.
BigQuery Metadata Viewer | Can be applied to a table or view, to a dataset, or at the project or organization level; it cannot be applied to individual models or routines. Additional roles are necessary to allow the running of jobs.
BigQuery Read Session User | Access to create and use read sessions.
BigQuery Resource Admin | Administer all BigQuery resources.
BigQuery Resource Editor | Manage all BigQuery resources, but cannot make purchasing decisions.
BigQuery Resource Viewer | View all BigQuery resources, but cannot make changes or purchasing decisions.
BigQuery User | When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, it allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role.
Masked Reader (Beta) | Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns.
Custom roles
In addition to the predefined roles, BigQuery ML also supports custom roles. For more information, see Creating and managing custom roles in the IAM documentation.