BigQuery ML uses Identity and Access Management (IAM)
to manage access to model resources. To grant access to a model resource, assign
one or more BigQuery IAM roles
to a user, group, or service account.
BigQuery ML's permissions are incorporated into the BigQuery
IAM roles.
This page provides details on BigQuery ML Cloud Identity and Access Management permissions and
roles. For more information on access controls in BigQuery, see the
BigQuery access control
page.
BigQuery ML permissions
The following table describes the permissions available in BigQuery ML.
For more information on BigQuery ML releases, see the
Release notes.
Permission
Description
bigquery.models.list
List models and metadata on models.
bigquery.models.create
Create new models.
bigquery.models.delete
Delete models.
bigquery.models.getMetadata
Get model metadata. To get model data, you need
bigquery.models.getData.
bigquery.models.getData
Get model data. To get model metadata, you need
bigquery.models.getMetadata.
bigquery.models.updateMetadata
Update model metadata. To update model data, you need
bigquery.models.updateData.
bigquery.models.updateData
Update model data. To update model metadata, you need
bigquery.models.updateMetadata.
Roles
The following table lists the BigQuery predefined Cloud IAM
roles with a corresponding list of all the permissions each role includes.
BigQuery ML permissions are listed along with the BigQuery
permissions. Note that every permission is applicable to a particular resource
type.
BigQuery roles
Role
Title
Description
Permissions
Lowest resource
roles/ bigquery.admin
BigQuery Admin
Provides permissions to manage all resources within the project. Can manage
all data within the project, and can cancel jobs from other users running
within the project.
When applied to a dataset, dataViewer provides permissions to:
Read the dataset's metadata and to list tables in the dataset.
Read data and metadata from the dataset's tables.
When applied at the project or organization level, this role can also
enumerate all datasets in the project. Additional roles, however, are
necessary to allow the running of jobs.
Provides permissions to run jobs, including queries, within the project. The
user role can enumerate their own jobs, cancel their own jobs, and enumerate
datasets within a project. Additionally, allows the creation of new datasets
within the project; the creator is granted the
bigquery.dataOwner role for these new datasets.
In addition to the pre-defined roles, BigQuery ML also supports
custom roles. For more information, see
Creating and managing custom roles in the
Cloud IAM documentation.
Customers who used custom roles with BigQuery ML should note that new
permissions are currently available for use with
BigQuery ML, but they do not take effect until June 6, 2019.
Customers with custom roles should migrate to these permissions no later than
June 6. Pre-defined IAM roles and primitive roles are not impacted by this
change.
For more information on BigQuery ML releases, see the
Release notes.
