Access control

Overview

BigQuery ML uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more BigQuery IAM roles to a user, group, or service account. BigQuery ML's permissions are incorporated into the BigQuery IAM roles.

This page provides details on BigQuery ML Cloud Identity and Access Management permissions and roles. For more information on access controls in BigQuery, see the BigQuery access control page.

BigQuery ML permissions

The following table describes the permissions available in BigQuery ML.

For more information on BigQuery ML releases, see the Release notes.

Permission Description
bigquery.models.create Create new models.
bigquery.models.delete Delete models.
bigquery.models.getData Get model data. To get model metadata, you need bigquery.models.getMetadata.
bigquery.models.getMetadata Get model metadata. To get model data, you need bigquery.models.getData.
bigquery.models.list List models and metadata on models.
bigquery.models.updateData Update model data. To update model metadata, you need bigquery.models.updateMetadata.
bigquery.models.updateMetadata Update model metadata. To update model data, you need bigquery.models.updateData.

Roles

The following table lists the BigQuery predefined Cloud IAM roles with a corresponding list of all the permissions each role includes. BigQuery ML permissions are listed along with the BigQuery permissions. Note that every permission is applicable to a particular resource type.

Role Title Description Permissions Lowest resource
roles/bigquery.admin BigQuery Admin Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. bigquery.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/bigquery.connectionAdmin BigQuery Connection Admin Beta bigquery.connections.*
roles/bigquery.connectionUser BigQuery Connection User Beta bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.use
roles/bigquery.dataEditor BigQuery Data Editor

When applied to a dataset, dataEditor provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.models.*
bigquery.routines.*
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
 Dataset
roles/bigquery.dataOwner BigQuery Data Owner

When applied to a dataset, dataOwner provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

bigquery.datasets.*
bigquery.models.*
bigquery.routines.*
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
 Dataset
roles/bigquery.dataViewer BigQuery Data Viewer

When applied to a dataset, dataViewer provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
 Dataset
roles/bigquery.jobUser BigQuery Job User Provides permissions to run jobs, including queries, within the project. This role can check the existence of all jobs, enumerate their own jobs, and cancel their own jobs. bigquery.jobs.create
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/bigquery.metadataViewer BigQuery Metadata Viewer

When applied at the project or organization level, metadataViewer provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.get
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/bigquery.readSessionUser BigQuery Read Session User Beta Access to create and use read sessions bigquery.readsessions.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/bigquery.user BigQuery User Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the bigquery.dataOwner role for these new datasets. bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.*
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
resourcemanager.projects.get
resourcemanager.projects.list
 Project

Custom roles

In addition to the pre-defined roles, BigQuery ML also supports custom roles. For more information, see Creating and managing custom roles in the Cloud IAM documentation.

Customers who used custom roles with BigQuery ML should note that new permissions are currently available for use with BigQuery ML, but they do not take effect until June 6, 2019. Customers with custom roles should migrate to these permissions no later than June 6. Pre-defined IAM roles and primitive roles are not impacted by this change.

For more information on BigQuery ML releases, see the Release notes.