Access control

Overview

BigQuery ML uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more BigQuery IAM roles to a user, group, or service account. BigQuery ML's permissions are incorporated into the BigQuery IAM roles.

This page provides details on BigQuery ML Cloud Identity and Access Management permissions and roles. For more information on access controls in BigQuery, see the BigQuery access control page.

BigQuery ML permissions

The following table describes the permissions available in BigQuery ML.

For more information on BigQuery ML releases, see the Release notes.

Permission	Description
`bigquery.models.list`	List models and metadata on models.
`bigquery.models.create`	Create new models.
`bigquery.models.delete`	Delete models.
`bigquery.models.getMetadata`	Get model metadata. To get model data, you need `bigquery.models.getData`.
`bigquery.models.getData`	Get model data. To get model metadata, you need `bigquery.models.getMetadata`.
`bigquery.models.updateMetadata`	Update model metadata. To update model data, you need `bigquery.models.updateData`.
`bigquery.models.updateData`	Update model data. To update model metadata, you need `bigquery.models.updateMetadata`.

Roles

The following table lists the BigQuery predefined Cloud IAM roles with a corresponding list of all the permissions each role includes. BigQuery ML permissions are listed along with the BigQuery permissions. Note that every permission is applicable to a particular resource type.

Role	Title	Description	Permissions	Lowest resource
`roles/ bigquery.admin`	BigQuery Admin	Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.	bigquery.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ bigquery.connectionAdmin`	BigQuery Connection Admin ^Beta		bigquery.connections.*
`roles/ bigquery.connectionUser`	BigQuery Connection User ^Beta		bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
`roles/ bigquery.dataEditor`	BigQuery Data Editor	When applied to a dataset, dataEditor provides permissions to: Read the dataset's metadata and to list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/ bigquery.dataOwner`	BigQuery Data Owner	When applied to a dataset, dataOwner provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/ bigquery.dataViewer`	BigQuery Data Viewer	When applied to a dataset, dataViewer provides permissions to: Read the dataset's metadata and to list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/ bigquery.jobUser`	BigQuery Job User	Provides permissions to run jobs, including queries, within the project. This role can check the existence of all jobs, enumerate their own jobs, and cancel their own jobs.	bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ bigquery.metadataViewer`	BigQuery Metadata Viewer	When applied at the project or organization level, metadataViewer provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ bigquery.readSessionUser`	BigQuery Read Session User ^Beta	Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ bigquery.user`	BigQuery User	Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the `bigquery.dataOwner` role for these new datasets.	bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list	Project

Custom roles

In addition to the pre-defined roles, BigQuery ML also supports custom roles. For more information, see Creating and managing custom roles in the Cloud IAM documentation.

Customers who used custom roles with BigQuery ML should note that new permissions are currently available for use with BigQuery ML, but they do not take effect until June 6, 2019. Customers with custom roles should migrate to these permissions no later than June 6. Pre-defined IAM roles and primitive roles are not impacted by this change.

For more information on BigQuery ML releases, see the Release notes.

Was this page helpful? Let us know how we did:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated December 14, 2019.

Access control

Overview

BigQuery ML permissions

Roles

Custom roles

Send feedback about...