BigQuery Admin
(roles/bigquery.admin)
Provides permissions to manage all resources within the project. Can manage
all data within the project, and can cancel jobs from other users running
within the project.
Lowest-level resources where you can grant this role:
- Datasets
- Row access policies
- Tables
- Views
|
- bigquery.bireservations.*
- bigquery.capacityCommitments.*
- bigquery.config.*
- bigquery.connections.*
- bigquery.dataPolicies.create
- bigquery.dataPolicies.delete
- bigquery.dataPolicies.get
- bigquery.dataPolicies.getIamPolicy
- bigquery.dataPolicies.list
- bigquery.dataPolicies.setIamPolicy
- bigquery.dataPolicies.update
- bigquery.datasets.*
- bigquery.jobs.*
- bigquery.models.*
- bigquery.readsessions.*
- bigquery.reservationAssignments.*
- bigquery.reservations.*
- bigquery.routines.*
- bigquery.rowAccessPolicies.create
- bigquery.rowAccessPolicies.delete
- bigquery.rowAccessPolicies.getIamPolicy
- bigquery.rowAccessPolicies.list
- bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
- bigquery.rowAccessPolicies.setIamPolicy
- bigquery.rowAccessPolicies.update
- bigquery.savedqueries.*
- bigquery.tables.*
- bigquery.transfers.*
- bigquerymigration.translation.translate
- resourcemanager.projects.get
- resourcemanager.projects.list
|
BigQuery Connection Admin
(roles/bigquery.connectionAdmin)
|
|
BigQuery Connection User
(roles/bigquery.connectionUser)
|
- bigquery.connections.get
- bigquery.connections.getIamPolicy
- bigquery.connections.list
- bigquery.connections.use
|
BigQuery Data Editor
(roles/bigquery.dataEditor)
When applied to a table or view, this role provides permissions to:
- Read and update data and metadata for the table or view.
- Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
- Read the dataset's metadata and list tables in the dataset.
- Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
|
- bigquery.config.get
- bigquery.datasets.create
- bigquery.datasets.get
- bigquery.datasets.getIamPolicy
- bigquery.datasets.updateTag
- bigquery.models.*
- bigquery.routines.*
- bigquery.tables.create
- bigquery.tables.createIndex
- bigquery.tables.createSnapshot
- bigquery.tables.delete
- bigquery.tables.deleteIndex
- bigquery.tables.export
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.getIamPolicy
- bigquery.tables.list
- bigquery.tables.restoreSnapshot
- bigquery.tables.update
- bigquery.tables.updateData
- bigquery.tables.updateTag
- resourcemanager.projects.get
- resourcemanager.projects.list
|
BigQuery Data Owner
(roles/bigquery.dataOwner)
When applied to a table or view, this role provides permissions to:
- Read and update data and metadata for the table or view.
- Share the table or view.
- Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
- Read, update, and delete the dataset.
- Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
|
- bigquery.config.get
- bigquery.dataPolicies.create
- bigquery.dataPolicies.delete
- bigquery.dataPolicies.get
- bigquery.dataPolicies.getIamPolicy
- bigquery.dataPolicies.list
- bigquery.dataPolicies.setIamPolicy
- bigquery.dataPolicies.update
- bigquery.datasets.*
- bigquery.models.*
- bigquery.routines.*
- bigquery.rowAccessPolicies.create
- bigquery.rowAccessPolicies.delete
- bigquery.rowAccessPolicies.getIamPolicy
- bigquery.rowAccessPolicies.list
- bigquery.rowAccessPolicies.setIamPolicy
- bigquery.rowAccessPolicies.update
- bigquery.tables.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
BigQuery Data Viewer
(roles/bigquery.dataViewer)
When applied to a table or view, this role provides permissions to:
- Read data and metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
- Read the dataset's metadata and list tables in the dataset.
- Read data and metadata from the dataset's tables.
When applied at the project or organization level, this role can also
enumerate all datasets in the project. Additional roles, however, are
necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
|
- bigquery.datasets.get
- bigquery.datasets.getIamPolicy
- bigquery.models.export
- bigquery.models.getData
- bigquery.models.getMetadata
- bigquery.models.list
- bigquery.routines.get
- bigquery.routines.list
- bigquery.tables.createSnapshot
- bigquery.tables.export
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.getIamPolicy
- bigquery.tables.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
BigQuery Filtered Data Viewer
(roles/bigquery.filteredDataViewer)
Access to view filtered table data defined by a row access policy.
|
- bigquery.rowAccessPolicies.getFilteredData
|
BigQuery Job User
(roles/bigquery.jobUser)
Provides permissions to run jobs, including queries, within the project.
Lowest-level resources where you can grant this role:
|
- bigquery.config.get
- bigquery.jobs.create
- resourcemanager.projects.get
- resourcemanager.projects.list
|
BigQuery Metadata Viewer
(roles/bigquery.metadataViewer)
When applied to a table or view, this role provides permissions to:
- Read metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
- List tables and views in the dataset.
- Read metadata from the dataset's tables and views.
When applied at the project or organization level, this role provides permissions to:
- List all datasets and read metadata for all datasets in the project.
- List all tables and views and read metadata for all tables and views
in the project.
Additional roles are necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
|
- bigquery.datasets.get
- bigquery.datasets.getIamPolicy
- bigquery.models.getMetadata
- bigquery.models.list
- bigquery.routines.get
- bigquery.routines.list
- bigquery.tables.get
- bigquery.tables.getIamPolicy
- bigquery.tables.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
BigQuery Read Session User
(roles/bigquery.readSessionUser)
Access to create and use read sessions.
|
- bigquery.readsessions.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
BigQuery Resource Admin
(roles/bigquery.resourceAdmin)
Administer all BigQuery resources.
|
- bigquery.bireservations.*
- bigquery.capacityCommitments.*
- bigquery.jobs.get
- bigquery.jobs.list
- bigquery.jobs.listAll
- bigquery.jobs.listExecutionMetadata
- bigquery.reservationAssignments.*
- bigquery.reservations.*
- recommender.bigqueryCapacityCommitmentsInsights.*
- recommender.bigqueryCapacityCommitmentsRecommendations.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
BigQuery Resource Editor
(roles/bigquery.resourceEditor)
Manage all BigQuery resources, but cannot make purchasing decisions.
|
- bigquery.bireservations.get
- bigquery.capacityCommitments.get
- bigquery.capacityCommitments.list
- bigquery.jobs.get
- bigquery.jobs.list
- bigquery.jobs.listAll
- bigquery.jobs.listExecutionMetadata
- bigquery.reservationAssignments.*
- bigquery.reservations.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
BigQuery Resource Viewer
(roles/bigquery.resourceViewer)
View all BigQuery resources but cannot make changes or purchasing decisions.
|
- bigquery.bireservations.get
- bigquery.capacityCommitments.get
- bigquery.capacityCommitments.list
- bigquery.jobs.get
- bigquery.jobs.list
- bigquery.jobs.listAll
- bigquery.jobs.listExecutionMetadata
- bigquery.reservationAssignments.list
- bigquery.reservationAssignments.search
- bigquery.reservations.get
- bigquery.reservations.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
BigQuery User
(roles/bigquery.user)
When applied to a dataset, this role provides the ability to read the dataset's metadata and list
tables in the dataset.
When applied to a project, this role also provides the ability to run jobs, including queries,
within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and
enumerate datasets within a project. Additionally, this role allows the creation of new datasets within the
project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner)
on these new datasets.
Lowest-level resources where you can grant this role:
|
- bigquery.bireservations.get
- bigquery.capacityCommitments.get
- bigquery.capacityCommitments.list
- bigquery.config.get
- bigquery.datasets.create
- bigquery.datasets.get
- bigquery.datasets.getIamPolicy
- bigquery.jobs.create
- bigquery.jobs.list
- bigquery.models.list
- bigquery.readsessions.*
- bigquery.reservationAssignments.list
- bigquery.reservationAssignments.search
- bigquery.reservations.get
- bigquery.reservations.list
- bigquery.routines.list
- bigquery.savedqueries.get
- bigquery.savedqueries.list
- bigquery.tables.list
- bigquery.transfers.get
- bigquerymigration.translation.translate
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Masked Reader
Beta
(roles/bigquerydatapolicy.maskedReader)
Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns.
|
- bigquery.dataPolicies.maskedGet
|