Overview
BigQuery Data Transfer Service uses Identity and Access Management to manage access to resources. To grant access to a resource, assign one or more BigQuery IAM roles to an entity. BigQuery Data Transfer Service's permissions are incorporated into the BigQuery IAM roles.
This page provides details on BigQuery Data Transfer Service Identity and Access Management permissions and roles. For more information on access controls in BigQuery, see the BigQuery predefined roles and permissions page.
BigQuery Data Transfer Service permissions
The following table describes the permissions available in BigQuery Data Transfer Service.
Permission | Description |
---|---|
bigquery.transfers.get | Get transfer metadata. |
bigquery.transfers.update | Create, update, and delete transfers. |
Roles
The following table lists the BigQuery predefined IAM roles with a corresponding list of all the permissions each role includes. BigQuery Data Transfer Service permissions are listed along with the BigQuery permissions. Note that every permission is applicable to a particular resource type.
Role | Title | Description | Permissions | Lowest resource |
---|---|---|---|---|
roles/ | BigQuery Admin | Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. | | Project |
roles/ | BigQuery Connection Admin | | | |
roles/ | BigQuery Connection User | | | |
roles/ | BigQuery Data Editor | When applied to a table or view, this role provides permissions to: This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: When applied at the project or organization level, this role can also create new datasets. | | Table or view |
roles/ | BigQuery Data Owner | When applied to a table or view, this role provides permissions to: This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: When applied at the project or organization level, this role can also create new datasets. | | Table or view |
roles/ | BigQuery Data Viewer | When applied to a table or view, this role provides permissions to: This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. | | Table or view |
roles/ | BigQuery Job User | Provides permissions to run jobs, including queries, within the project. | | Project |
roles/ | BigQuery Metadata Viewer | When applied to a table or view, this role provides permissions to: This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: When applied at the project or organization level, this role provides permissions to: Additional roles are necessary to allow the running of jobs. | | Table or view |
roles/ | BigQuery Read Session User | Access to create and use read sessions | | |
roles/ | BigQuery Resource Admin | Administer all BigQuery resources. | | |
roles/ | BigQuery Resource Editor | Manage all BigQuery resources, but cannot make purchasing decisions. | | |
roles/ | BigQuery Resource Viewer | View all BigQuery resources but cannot make changes or purchasing decisions. | | |
roles/ | BigQuery User | When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A member with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role ( | | Dataset |
Custom roles
In addition to the predefined roles, BigQuery Data Transfer Service also supports custom roles. For more information, see Creating and managing custom roles in the IAM documentation.
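Because the two transfer permissions can reach a member through a predefined role or a custom role, an access review has to resolve every binding to its permissions. The following is an added example, not code from the BigQuery documentation: it assumes a policy in the JSON shape returned by `gcloud projects get-iam-policy` and role definitions reduced to their `includedPermissions`; the project, members, and custom role names are constructed for illustration.

```python
# Added example (not from the BigQuery documentation): report which members hold
# BigQuery Data Transfer Service permissions, given a policy and role definitions.
TRANSFER_PERMISSIONS = {"bigquery.transfers.get", "bigquery.transfers.update"}

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/bigquery.admin", "members": ["user:admin@example.com"]},
        {"role": "projects/example-project/roles/transferViewer",
         "members": ["group:analysts@example.com", "user:admin@example.com"]},
        {"role": "projects/example-project/roles/transferOperator",
         "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["user:reader@example.com"]},
    ]
}

# Constructed role -> includedPermissions map (the field returned by
# `gcloud iam roles describe --format=json`), trimmed; the custom roles are hypothetical.
SAMPLE_ROLES = {
    "roles/bigquery.admin": ["bigquery.jobs.create", "bigquery.transfers.get",
                             "bigquery.transfers.update"],
    "projects/example-project/roles/transferViewer": ["bigquery.transfers.get"],
    "projects/example-project/roles/transferOperator": ["bigquery.transfers.get",
                                                        "bigquery.transfers.update"],
}


def transfer_access(policy, role_permissions):
    """Return ({member: transfer permissions held}, [roles with no definition supplied])."""
    access, unresolved = {}, set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in role_permissions:
            unresolved.add(role)  # cannot be judged; fetch its definition and rerun
            continue
        granted = TRANSFER_PERMISSIONS & set(role_permissions[role])
        for member in binding.get("members", []) if granted else []:
            access.setdefault(member, set()).update(granted)
    return access, sorted(unresolved)


def can_modify_transfers(access):
    """Members able to create, update, and delete transfers."""
    return sorted(m for m, p in access.items() if "bigquery.transfers.update" in p)


if __name__ == "__main__":
    access, unresolved = transfer_access(SAMPLE_POLICY, SAMPLE_ROLES)
    for member in sorted(access):
        print(member, sorted(access[member]))
    print("can modify transfers:", can_modify_transfers(access))
    print("roles without a definition:", unresolved)
```

A project's policy does not include bindings inherited from its folder or organization, so run the same check over the policy at each level.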