Access control

Overview

BigQuery ML uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more BigQuery IAM roles to a user, group, or service account. BigQuery ML's permissions are incorporated into the BigQuery IAM roles.

This page focuses only on the permissions related to using BigQuery ML to access model resources. For more information on access controls in BigQuery, see the BigQuery access control page.

Permissions at a glance

The following table shows the permission required for each operation you can perform on a BigQuery ML resource, along with the predefined IAM roles that are granted that permission.

For a complete list of all BigQuery permissions supported by each predefined role, see the BigQuery access control page.

| Operation | Permissions required | Roles granted permissions |
| --- | --- | --- |
| Create models | bigquery.models.create | bigquery.dataEditor, bigquery.dataOwner, bigquery.admin |
| List models | bigquery.models.list | bigquery.dataViewer, bigquery.dataEditor, bigquery.dataOwner, bigquery.metadataViewer, bigquery.user, bigquery.admin |
| Get model metadata | bigquery.models.getMetadata | bigquery.dataViewer, bigquery.dataEditor, bigquery.dataOwner, bigquery.metadataViewer, bigquery.admin |
| Get model data | bigquery.models.getData | bigquery.dataViewer, bigquery.dataEditor, bigquery.dataOwner, bigquery.admin |
| Update model metadata | bigquery.models.updateMetadata | bigquery.dataEditor, bigquery.dataOwner, bigquery.admin |
| Update model data | bigquery.models.updateData | bigquery.dataEditor, bigquery.dataOwner, bigquery.admin |
| Delete models | bigquery.models.delete | bigquery.dataEditor, bigquery.dataOwner, bigquery.admin |

BigQuery ML permissions

The following table describes the permissions available in BigQuery ML. These permissions are currently available, but they do not take effect until June 6, 2019. Customers with custom roles should migrate to these permissions no later than June 6. Predefined IAM roles and primitive roles are not impacted by this change.

For more information on BigQuery ML releases, see the Release notes.

| Permission | Description |
| --- | --- |
| bigquery.models.list | List models and metadata on models. |
| bigquery.models.create | Create new models. |
| bigquery.models.delete | Delete models. |
| bigquery.models.getMetadata | Get model metadata. To get model data, you need bigquery.models.getData. |
| bigquery.models.getData | Get model data. To get model metadata, you need bigquery.models.getMetadata. |
| bigquery.models.updateMetadata | Update model metadata. To update model data, you need bigquery.models.updateData. |
| bigquery.models.updateData | Update model data. To update model metadata, you need bigquery.models.updateMetadata. |

Roles

The following table lists the BigQuery ML Models API IAM roles with a corresponding list of all the BigQuery ML permissions each role includes.

For a list of all BigQuery permissions in each role, see Predefined IAM roles on the BigQuery access control page.

| Role | Granted permissions |
| --- | --- |
| bigquery.dataViewer | bigquery.models.list, bigquery.models.getData, bigquery.models.getMetadata |
| bigquery.dataEditor | bigquery.models.create, bigquery.models.list, bigquery.models.delete, bigquery.models.getData, bigquery.models.getMetadata, bigquery.models.updateData, bigquery.models.updateMetadata |
| bigquery.dataOwner | bigquery.models.create, bigquery.models.list, bigquery.models.delete, bigquery.models.getData, bigquery.models.getMetadata, bigquery.models.updateData, bigquery.models.updateMetadata |
| bigquery.metadataViewer | bigquery.models.list, bigquery.models.getMetadata |
| bigquery.user | bigquery.models.list |
| bigquery.jobUser | None |
| bigquery.admin | bigquery.models.create, bigquery.models.list, bigquery.models.delete, bigquery.models.getData, bigquery.models.getMetadata, bigquery.models.updateData, bigquery.models.updateMetadata |
| bigquery.readSessionUser | None |

Custom roles

In addition to the predefined roles, BigQuery ML also supports custom roles. For more information, see Creating and managing custom roles in the Cloud IAM documentation.

Customers who used custom roles with BigQuery ML should note that new permissions are currently available for use with BigQuery ML, but they do not take effect until June 6, 2019. Customers with custom roles should migrate to these permissions no later than June 6. Predefined IAM roles and primitive roles are not impacted by this change.

For more information on BigQuery ML releases, see the Release notes.
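
The role and permission tables on this page can be used as a least-privilege check before deciding between a predefined role and a custom role. The Python sketch below is an added example, not part of the BigQuery ML documentation: it ranks the predefined roles that cover a required set of model permissions by how many extra model permissions they carry, and builds a custom role body holding exactly the required ones. The function names, the role title and the sample requirement are assumptions, and only the model permissions listed on this page are modeled.

```python
# Added example. Role data transcribed from the Roles table on this page.
# Only BigQuery ML model permissions are modeled; the other BigQuery
# permissions carried by predefined roles are outside this sketch.
P = "bigquery.models."
READ = {P + "list", P + "getData", P + "getMetadata"}
FULL = READ | {P + "create", P + "delete", P + "updateData", P + "updateMetadata"}
ROLE_PERMISSIONS = {
    "bigquery.dataViewer": READ,
    "bigquery.dataEditor": FULL,
    "bigquery.dataOwner": FULL,
    "bigquery.metadataViewer": {P + "list", P + "getMetadata"},
    "bigquery.user": {P + "list"},
    "bigquery.jobUser": set(),
    "bigquery.admin": FULL,
    "bigquery.readSessionUser": set(),
}


def covering_roles(required):
    """Return [(role, excess_model_permissions)] for roles that grant every
    required permission, least excess first."""
    required = set(required)
    unknown = required - FULL
    if unknown:
        raise ValueError(f"not a BigQuery ML model permission: {sorted(unknown)}")
    hits = [(role, sorted(perms - required))
            for role, perms in ROLE_PERMISSIONS.items() if required <= perms]
    return sorted(hits, key=lambda hit: (len(hit[1]), hit[0]))


def custom_role_body(title, required):
    """Build a custom role definition holding exactly the required permissions.
    Field names follow the IAM Role resource; the title is caller-supplied."""
    covering_roles(required)  # validates the permission names
    return {"title": title, "stage": "GA",
            "includedPermissions": sorted(required)}


if __name__ == "__main__":
    # Hypothetical need: a service that reads model data for scoring.
    need = {P + "getData"}
    for role, excess in covering_roles(need):
        print(f"{role}: {len(excess)} extra model permission(s) {excess}")
    print(custom_role_body("Model Data Reader (example)", need))
```

Every predefined role that covers `bigquery.models.getData` also grants at least two other model permissions, which is the case where a custom role is the tighter fit.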
