Overview
BigQuery ML uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more BigQuery IAM roles to a user, group, or service account. BigQuery ML's permissions are incorporated into the BigQuery IAM roles.
This page focuses only on the permissions related to using BigQuery ML to access model resources. For more information on access controls in BigQuery, see the BigQuery access control page.
Permissions at a glance
The following table shows the permissions required for each operation you can perform on a BigQuery ML resource. For each permission, the predefined IAM roles that are granted that permission are listed.
For a complete list of all BigQuery permissions supported by each predefined role, see the BigQuery access control page.
| Operation | Permissions required | Roles granted permissions |
|---|---|---|
| Create models | bigquery.models.create |
bigquery.dataEditor
bigquery.dataOwner
bigquery.admin
|
| List models | bigquery.models.list |
bigquery.dataViewer
bigquery.dataEditor
bigquery.dataOwner
bigquery.metadataViewer
bigquery.user
bigquery.admin
|
| Get model metadata | bigquery.models.getMetadata |
bigquery.dataViewer
bigquery.dataEditor
bigquery.dataOwner
bigquery.metadataViewer
bigquery.admin
|
| Get model data | bigquery.models.getData |
bigquery.dataViewer
bigquery.dataEditor
bigquery.dataOwner
bigquery.admin
|
| Update model metadata | bigquery.models.updateMetadata |
bigquery.dataEditor
bigquery.dataOwner
bigquery.admin
|
| Update model data | bigquery.models.updateData |
bigquery.dataEditor
bigquery.dataOwner
bigquery.admin
|
| Delete models | bigquery.models.delete |
bigquery.dataEditor
bigquery.dataOwner
bigquery.admin
|
BigQuery ML permissions
The following table describes the permissions available in BigQuery ML. These permissions are currently available, but they do not take effect until June 6, 2019. Customers with custom roles should migrate to these permissions no later than June 6. Pre-defined IAM roles and primitive roles are not impacted by this change.
For more information on BigQuery ML releases, see the Release notes.
| Permission | Description |
|---|---|
bigquery.models.list |
List models and metadata on models. |
bigquery.models.create |
Create new models. |
bigquery.models.delete |
Delete models. |
bigquery.models.getMetadata |
Get model metadata. To get model data, you need bigquery.models.getData. |
bigquery.models.getData |
Get model data. To get model metadata, you need bigquery.models.getMetadata. |
bigquery.models.updateMetadata |
Update model metadata. To update model data, you need bigquery.models.updateData. |
bigquery.models.updateData |
Update model data. To update model metadata, you need bigquery.models.updateMetadata. |
Roles
The following table lists the BigQuery ML Models API IAM roles with a corresponding list of all the BigQuery ML permissions each role includes.
For a list of all BigQuery permissions in each role, see Predefined IAM roles on the BigQuery access control page.
| Role | Granted permissions |
|---|---|
bigquery.dataViewer |
bigquery.models.list
bigquery.models.getData
bigquery.models.getMetadata |
bigquery.dataEditor |
bigquery.models.create
bigquery.models.list
bigquery.models.delete
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.updateData
bigquery.models.updateMetadata |
bigquery.dataOwner |
bigquery.models.create
bigquery.models.list
bigquery.models.delete
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.updateData
bigquery.models.updateMetadata |
bigquery.metadataViewer |
bigquery.models.list
bigquery.models.getMetadata |
bigquery.user |
bigquery.models.list |
bigquery.jobUser |
None |
bigquery.admin |
bigquery.models.create
bigquery.models.list
bigquery.models.delete
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.updateData
bigquery.models.updateMetadata |
bigquery.readSessionUser |
None |
Custom roles
In addition to the pre-defined roles, BigQuery ML also supports custom roles. For more information, see Creating and managing custom roles in the Cloud IAM documentation.
Customers who used custom roles with BigQuery ML should note that new permissions are currently available for use with BigQuery ML, but they do not take effect until June 6, 2019. Customers with custom roles should migrate to these permissions no later than June 6. Pre-defined IAM roles and primitive roles are not impacted by this change.
For more information on BigQuery ML releases, see the Release notes.
