Access control

Overview

BigQuery ML uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more IAM roles to a user, group, or service account. BigQuery ML's permissions are incorporated into the IAM roles.

This page provides details on BigQuery ML IAM permissions and roles. For more information on access controls in BigQuery, see the BigQuery access control page.

BigQuery ML permissions

The following table describes the permissions available in BigQuery ML.

For more information on BigQuery ML releases, see the Release notes.

Permission Description
bigquery.models.create Create new models.
bigquery.models.delete Delete models.
bigquery.models.getData Get model data. To get model metadata, you need bigquery.models.getMetadata.
bigquery.models.getMetadata Get model metadata. To get model data, you need bigquery.models.getData.
bigquery.models.list List models and metadata on models.
bigquery.models.updateData Update model data. To update model metadata, you need bigquery.models.updateMetadata.
bigquery.models.updateMetadata Update model metadata. To update model data, you need bigquery.models.updateData.
bigquery.models.create and bigquery.models.getData Perform ML operations: ML.PREDICT, ML.WEIGHTS, ML.TRAINING_INFO, and ML.FEATURE_INFO

Roles

The following table lists the BigQuery predefined IAM roles with a corresponding list of all the permissions each role includes. BigQuery ML permissions are listed along with the BigQuery permissions. Note that every permission is applicable to a particular resource type.

Role Title Description Permissions Lowest resource
roles/bigquery.admin BigQuery Admin Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.
  • bigquery.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Project
roles/bigquery.connectionAdmin BigQuery Connection Admin Beta
  • bigquery.connections.*
roles/bigquery.connectionUser BigQuery Connection User Beta
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use
roles/bigquery.dataEditor BigQuery Data Editor

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.create
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Table or view
roles/bigquery.dataOwner BigQuery Data Owner

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Share the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Table or view
roles/bigquery.dataViewer BigQuery Data Viewer

When applied to a table or view, this role provides permissions to:

  • Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Table or view
roles/bigquery.jobUser BigQuery Job User Provides permissions to run jobs, including queries, within the project.
  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Project
roles/bigquery.metadataViewer BigQuery Metadata Viewer

When applied to a table or view, this role provides permissions to:

  • Read metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • List tables and views in the dataset.
  • Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Table or view
roles/bigquery.readSessionUser BigQuery Read Session User Access to create and use read sessions
  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.resourceAdmin BigQuery Resource Admin Beta Administer all BigQuery resources.
  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.resourceEditor BigQuery Resource Editor Beta Manage all BigQuery resources, but cannot make purchasing decisions.
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.resourceViewer BigQuery Resource Viewer Beta View all BigQuery resources but cannot make changes or purchasing decisions.
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.user BigQuery User

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A member with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Dataset

Custom roles

In addition to the predefined roles, BigQuery ML also supports custom roles. For more information, see Creating and managing custom roles in the IAM documentation.

Customers who used custom roles with BigQuery ML should note that new permissions are currently available for use with BigQuery ML, but they do not take effect until June 6, 2019. Customers with custom roles should migrate to these permissions no later than June 6, 2019. Predefined IAM roles and primitive roles are not impacted by this change.

For more information on BigQuery ML releases, see the Release notes.