Access control

Overview

BigQuery ML uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more BigQuery IAM roles to a user, group, or service account. BigQuery ML's permissions are incorporated into the BigQuery IAM roles.

This page provides details on BigQuery ML Cloud Identity and Access Management permissions and roles. For more information on access controls in BigQuery, see the BigQuery access control page.

BigQuery ML permissions

The following table describes the permissions available in BigQuery ML.


bigquery.models.create: Create new models.
bigquery.models.delete: Delete models.
bigquery.models.getData: Get model data. To get model metadata, you need bigquery.models.getMetadata.
bigquery.models.getMetadata: Get model metadata. To get model data, you need bigquery.models.getData.
bigquery.models.list: List models and metadata on models.
bigquery.models.updateData: Update model data. To update model metadata, you need bigquery.models.updateMetadata.
bigquery.models.updateMetadata: Update model metadata. To update model data, you need bigquery.models.updateData.
bigquery.models.create and bigquery.models.getData: Perform ML operations (ML.PREDICT, ML.WEIGHTS, ML.TRAINING_INFO, and ML.FEATURE_INFO).

Roles

The following table lists the BigQuery predefined Cloud IAM roles with a corresponding list of all the permissions each role includes. BigQuery ML permissions are listed along with the BigQuery permissions. Note that every permission is applicable to a particular resource type.

Each entry below gives the role and its title, its description, the permissions it includes, and the lowest resource at which the role can be granted.
roles/bigquery.admin (BigQuery Admin)
Description: Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.
Permissions:
  • bigquery.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Project

roles/bigquery.connectionAdmin (BigQuery Connection Admin, Beta)
Permissions:
  • bigquery.connections.*

roles/bigquery.connectionUser (BigQuery Connection User, Beta)
Permissions:
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use

roles/bigquery.dataEditor (BigQuery Data Editor)
Description: When applied to a dataset, this role provides permissions to:
  • Read the dataset's metadata and list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also create new datasets.
Permissions:
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.create
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Dataset

roles/bigquery.dataOwner (BigQuery Data Owner)
Description: When applied to a dataset, this role provides permissions to:
  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also create new datasets.
Permissions:
  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Dataset

roles/bigquery.dataViewer (BigQuery Data Viewer)
Description: When applied to a dataset, this role provides permissions to:
  • Read the dataset's metadata and list tables in the dataset.
  • Read data and metadata from the dataset's tables.
When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.
Permissions:
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Dataset

roles/bigquery.jobUser (BigQuery Job User)
Description: Provides permissions to run jobs, including queries, within the project. This role can check the existence of all jobs, enumerate their own jobs, and cancel their own jobs.
Permissions:
  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Project

roles/bigquery.metadataViewer (BigQuery Metadata Viewer)
Description: When applied at the project or organization level, this role provides permissions to:
  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.
Additional roles are necessary to allow the running of jobs.
Permissions:
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Project

roles/bigquery.readSessionUser (BigQuery Read Session User)
Description: Access to create and use read sessions.
Permissions:
  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

roles/bigquery.resourceAdmin (BigQuery Resource Admin, Beta)
Description: Administer all BigQuery resources.
Permissions:
  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

roles/bigquery.user (BigQuery User)
Description: When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.
When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A member with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, it allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.
Permissions:
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Dataset
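As an added illustration (not code from the BigQuery documentation or from Google), the following Python script encodes the permission pairs from the permissions table and the model-related entries from the roles table, then checks which predefined roles, alone or combined, satisfy each ML operation. The expansion of the table's "*" shorthand and the extra bigquery.jobs.create check for running ML.* functions inside a query job are this example's own assumptions, and the dataset-versus-project scope of each grant is not modelled.

```python
from fnmatch import fnmatchcase
# Permissions each BigQuery ML operation needs, taken from the permissions table.
ML_OPERATIONS = {
    "ML.PREDICT": {"bigquery.models.create", "bigquery.models.getData"},
    "ML.WEIGHTS": {"bigquery.models.create", "bigquery.models.getData"},
    "ML.TRAINING_INFO": {"bigquery.models.create", "bigquery.models.getData"},
    "ML.FEATURE_INFO": {"bigquery.models.create", "bigquery.models.getData"},
    "delete model": {"bigquery.models.delete"},
    "read model metadata": {"bigquery.models.getMetadata"},
}

# Model- and job-related entries of each predefined role, copied from the roles
# table (the roles' other permissions are omitted; they do not affect model
# access). A trailing "*" is the table's shorthand for every sub-permission.
ROLE_PERMISSIONS = {
    "roles/bigquery.admin": {"bigquery.*"},
    "roles/bigquery.dataEditor": {"bigquery.models.*"},
    "roles/bigquery.dataOwner": {"bigquery.models.*"},
    "roles/bigquery.dataViewer": {"bigquery.models.getData",
                                  "bigquery.models.getMetadata", "bigquery.models.list"},
    "roles/bigquery.metadataViewer": {"bigquery.models.getMetadata", "bigquery.models.list"},
    "roles/bigquery.jobUser": {"bigquery.jobs.create"},
    "roles/bigquery.user": {"bigquery.jobs.create", "bigquery.models.list"},
}

def grants(granted, needed):
    """True when any granted entry, wildcards included, covers `needed`."""
    return any(fnmatchcase(needed, pattern) for pattern in granted)

def missing_permissions(granted, operation):
    """Permissions `operation` still needs beyond the granted set."""
    return sorted(p for p in ML_OPERATIONS[operation] if not grants(granted, p))

def allowed_operations(granted):
    """ML operations the granted set fully covers."""
    return sorted(op for op in ML_OPERATIONS if not missing_permissions(granted, op))

def can_run_ml_query(granted, operation):
    """ML.* functions run inside a query job, so bigquery.jobs.create is needed as
    well; the page notes the data and metadata viewer roles alone cannot run jobs."""
    return grants(granted, "bigquery.jobs.create") and not missing_permissions(granted, operation)

def roles_for(operation):
    """Predefined roles whose listed permissions cover `operation`."""
    return [r for r, perms in ROLE_PERMISSIONS.items() if not missing_permissions(perms, operation)]

def principal_permissions(*roles):
    """Union of permissions for a principal holding several roles (IAM grants are additive)."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))
```

Running `roles_for("ML.PREDICT")` shows that only the admin, dataEditor and dataOwner roles cover prediction on the model, and `can_run_ml_query` shows that dataEditor still needs jobUser (or another job-creating role) before the query itself can run.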

Custom roles

In addition to the predefined roles, BigQuery ML also supports custom roles. For more information, see Creating and managing custom roles in the Cloud IAM documentation.

Customers who use custom roles with BigQuery ML should note that new permissions are currently available for use with BigQuery ML, but they do not take effect until June 6, 2019. Customers with custom roles should migrate to these permissions no later than June 6. Predefined IAM roles and primitive roles are not affected by this change.

For more information on BigQuery ML releases, see the Release notes.