Access control reference

Overview

BigQuery Data Transfer Service uses Cloud Identity and Access Management to manage access to resources. To grant access to a resource, assign one or more BigQuery Cloud IAM roles to an entity. BigQuery Data Transfer Service's permissions are incorporated into the BigQuery Cloud IAM roles.

This page provides details on BigQuery Data Transfer Service Cloud Identity and Access Management permissions and roles. For more information on access controls in BigQuery, see the BigQuery predefined roles and permissions page.

BigQuery Data Transfer Service permissions

The following table describes the permissions available in BigQuery Data Transfer Service.

Permission Description
bigquery.transfers.get Get transfer metadata.
bigquery.transfers.update Create, update, and delete transfers.

Roles

The following table lists the BigQuery predefined Cloud IAM roles with a corresponding list of all the permissions each role includes. BigQuery Data Transfer Service permissions are listed along with the BigQuery permissions. Note that every permission is applicable to a particular resource type.

Role Title Description Permissions Lowest resource
roles/bigquery.admin BigQuery Admin Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.
  • bigquery.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Project
roles/bigquery.connectionAdmin BigQuery Connection Admin Beta
  • bigquery.connections.*
roles/bigquery.connectionUser BigQuery Connection User Beta
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use
roles/bigquery.dataEditor BigQuery Data Editor

When applied to a dataset, dataEditor provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.create
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Dataset
roles/bigquery.dataOwner BigQuery Data Owner

When applied to a dataset, dataOwner provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Dataset
roles/bigquery.dataViewer BigQuery Data Viewer

When applied to a dataset, dataViewer provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Dataset
roles/bigquery.jobUser BigQuery Job User Provides permissions to run jobs, including queries, within the project. This role can check the existence of all jobs, enumerate their own jobs, and cancel their own jobs.
  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Project
roles/bigquery.metadataViewer BigQuery Metadata Viewer

When applied at the project or organization level, metadataViewer provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Project
roles/bigquery.readSessionUser BigQuery Read Session User Access to create and use read sessions
  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.resourceAdmin BigQuery Resource Admin Beta Administer all BigQuery resources.
  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.user BigQuery User Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the bigquery.dataOwner role for these new datasets.
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
 Project

Custom roles

In addition to the pre-defined roles, BigQuery Data Transfer Service also supports custom roles. For more information, see Creating and managing custom roles in the Cloud IAM documentation.