Roles y permisos de IAM para BigQuery

En este documento, se proporciona información sobre los permisos y los roles de Identity and Access Management (IAM) de BigQuery. IAM te permite otorgar acceso detallado a recursos específicos de BigQuery y ayuda a evitar el acceso a otros recursos. IAM te permite aplicar el principio de seguridad de privilegio mínimo, que indica que nadie debe tener más permisos de los que realmente necesita.

Cuando una principal (un usuario, un grupo o una cuenta de servicio) llama a una API de Google Cloud, esa principal debe tener los permisos de IAM adecuados para usar el recurso. Para otorgar los permisos necesarios a una principal, debes otorgarle un rol de IAM.

En este documento, se describe cómo usar los roles predefinidos y personalizados de IAM para permitir que las principales accedan a los recursos de BigQuery.

Para familiarizarte con la administración del acceso en Google Cloud en general, consulta Descripción general de IAM.

Tipos de roles de IAM

Un rol es un conjunto de permisos Puedes usar los siguientes tipos de roles en IAM para proporcionar acceso a los recursos de BigQuery:

Google Cloud administra los roles predefinidos, que admiten casos de uso comunes y patrones de control de acceso.
Las funciones personalizadas proporcionan acceso según una lista de permisos especificada por el usuario.

Para determinar si se incluyen uno o más permisos en un rol, puedes usar uno de los siguientes métodos:

La referencia de búsqueda en los permisos de IAM
El comando gcloud iam roles describe
El método roles.get() en la API de IAM

Cuando asignas varios tipos de roles a un usuario, los permisos otorgados son una unión de los permisos de cada rol.

Si deseas obtener información adicional sobre el uso de IAM para acceder a los recursos, consulta Otorga, cambia y revoca el acceso a los recursos en la documentación de IAM.

Para obtener información sobre las funciones personalizadas, consulta Crea y administra funciones personalizadas en la documentación de IAM.

Roles de IAM en BigQuery

Los permisos no se asignan directamente a los usuarios, grupos o cuentas de servicio. En cambio, a los usuarios, grupos o cuentas de servicio se les otorga acceso a uno o más roles predefinidos o personalizados para darles permisos a fin de que realicen acciones en los recursos.

Puedes otorgar acceso en los siguientes niveles de recursos de BigQuery:

Organizaciones, carpetas o proyectos
Conexiones
Conjuntos de datos
Tablas o vistas
Etiquetas de política, políticas de acceso de fila o políticas de datos de BigQuery

Roles aplicados a nivel de la organización o del proyecto de Google Cloud

Cuando asignas funciones a nivel de organización y de proyecto, otorgas permiso para ejecutar trabajos de BigQuery o acceder a todos los recursos de BigQuery de un proyecto.

Funciones aplicadas a nivel del conjunto de datos

Puedes asignar funciones a nivel del conjunto de datos para proporcionar acceso a un conjunto de datos específico, sin proporcionar acceso completo a los recursos del proyecto. En la jerarquía de recursos de IAM, los conjuntos de datos de BigQuery son recursos secundarios de los proyectos. Para obtener más información sobre la asignación de funciones a nivel de conjunto de datos, consulta la página sobre el control de acceso a los conjuntos de datos.

Funciones aplicadas a recursos individuales dentro de conjuntos de datos

Puedes asignar funciones de forma individual a ciertos tipos de recursos dentro de conjuntos de datos, sin proporcionar acceso completo a los recursos del conjunto de datos.

Las funciones se pueden aplicar a recursos individuales de los siguientes tipos:

tablas
vistas

Las funciones no se pueden aplicar a recursos individuales de los siguientes tipos:

routines
modelos

Para obtener más información sobre cómo asignar funciones a nivel de tabla o vista, consulta Controla el acceso a tablas o vistas.

Funciones predefinidas de IAM de BigQuery

En la siguiente tabla, se enumeran los roles predefinidos de IAM de BigQuery con una lista correspondiente de todos los permisos que se incluyen en cada rol. Ten en cuenta que cada permiso es aplicable a un tipo de recurso específico.

Role Permissions

Role	Permissions
BigQuery Admin (`roles/bigquery.admin`) Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Lowest-level resources where you can grant this role: Datasets Row access policies Tables Views	`bigquery.bireservations.` `bigquery.bireservations.get` `bigquery.bireservations.update` `bigquery.capacityCommitments.` `bigquery.capacityCommitments.create` `bigquery.capacityCommitments.delete` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.capacityCommitments.update` `bigquery.config.` `bigquery.config.get` `bigquery.config.update` `bigquery.connections.` `bigquery.connections.create` `bigquery.connections.delegate` `bigquery.connections.delete` `bigquery.connections.get` `bigquery.connections.getIamPolicy` `bigquery.connections.list` `bigquery.connections.setIamPolicy` `bigquery.connections.update` `bigquery.connections.updateTag` `bigquery.connections.use` `bigquery.dataPolicies.create` `bigquery.dataPolicies.delete` `bigquery.dataPolicies.get` `bigquery.dataPolicies.getIamPolicy` `bigquery.dataPolicies.list` `bigquery.dataPolicies.setIamPolicy` `bigquery.dataPolicies.update` `bigquery.datasets.` `bigquery.datasets.create` `bigquery.datasets.createTagBinding` `bigquery.datasets.delete` `bigquery.datasets.deleteTagBinding` `bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.datasets.link` `bigquery.datasets.listEffectiveTags` `bigquery.datasets.listSharedDatasetUsage` `bigquery.datasets.listTagBindings` `bigquery.datasets.setIamPolicy` `bigquery.datasets.update` `bigquery.datasets.updateTag` `bigquery.jobs.` `bigquery.jobs.create` `bigquery.jobs.delete` `bigquery.jobs.get` `bigquery.jobs.list` `bigquery.jobs.listAll` `bigquery.jobs.listExecutionMetadata` `bigquery.jobs.update` `bigquery.models.` `bigquery.models.create` `bigquery.models.delete` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.models.updateData` `bigquery.models.updateMetadata` `bigquery.models.updateTag` `bigquery.readsessions.` `bigquery.readsessions.create` `bigquery.readsessions.getData` `bigquery.readsessions.update` `bigquery.reservationAssignments.` `bigquery.reservationAssignments.create` `bigquery.reservationAssignments.delete` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.` `bigquery.reservations.create` `bigquery.reservations.delete` `bigquery.reservations.get` `bigquery.reservations.list` `bigquery.reservations.update` `bigquery.routines.` `bigquery.routines.create` `bigquery.routines.delete` `bigquery.routines.get` `bigquery.routines.list` `bigquery.routines.update` `bigquery.routines.updateTag` `bigquery.rowAccessPolicies.create` `bigquery.rowAccessPolicies.delete` `bigquery.rowAccessPolicies.getIamPolicy` `bigquery.rowAccessPolicies.list` `bigquery.rowAccessPolicies.overrideTimeTravelRestrictions` `bigquery.rowAccessPolicies.setIamPolicy` `bigquery.rowAccessPolicies.update` `bigquery.savedqueries.` `bigquery.savedqueries.create` `bigquery.savedqueries.delete` `bigquery.savedqueries.get` `bigquery.savedqueries.list` `bigquery.savedqueries.update` `bigquery.tables.` `bigquery.tables.create` `bigquery.tables.createIndex` `bigquery.tables.createSnapshot` `bigquery.tables.createTagBinding` `bigquery.tables.delete` `bigquery.tables.deleteIndex` `bigquery.tables.deleteSnapshot` `bigquery.tables.deleteTagBinding` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `bigquery.tables.listEffectiveTags` `bigquery.tables.listTagBindings` `bigquery.tables.replicateData` `bigquery.tables.restoreSnapshot` `bigquery.tables.setCategory` `bigquery.tables.setColumnDataPolicy` `bigquery.tables.setIamPolicy` `bigquery.tables.update` `bigquery.tables.updateData` `bigquery.tables.updateTag` `bigquery.transfers.` `bigquery.transfers.get` `bigquery.transfers.update` `bigquerymigration.translation.translate` `dataform.*` `dataform.compilationResults.create` `dataform.compilationResults.get` `dataform.compilationResults.list` `dataform.compilationResults.query` `dataform.config.get` `dataform.config.update` `dataform.locations.get` `dataform.locations.list` `dataform.releaseConfigs.create` `dataform.releaseConfigs.delete` `dataform.releaseConfigs.get` `dataform.releaseConfigs.list` `dataform.releaseConfigs.update` `dataform.repositories.commit` `dataform.repositories.computeAccessTokenStatus` `dataform.repositories.create` `dataform.repositories.delete` `dataform.repositories.fetchHistory` `dataform.repositories.fetchRemoteBranches` `dataform.repositories.get` `dataform.repositories.getIamPolicy` `dataform.repositories.list` `dataform.repositories.queryDirectoryContents` `dataform.repositories.readFile` `dataform.repositories.setIamPolicy` `dataform.repositories.update` `dataform.workflowConfigs.create` `dataform.workflowConfigs.delete` `dataform.workflowConfigs.get` `dataform.workflowConfigs.list` `dataform.workflowConfigs.update` `dataform.workflowInvocations.cancel` `dataform.workflowInvocations.create` `dataform.workflowInvocations.delete` `dataform.workflowInvocations.get` `dataform.workflowInvocations.list` `dataform.workflowInvocations.query` `dataform.workspaces.commit` `dataform.workspaces.create` `dataform.workspaces.delete` `dataform.workspaces.fetchFileDiff` `dataform.workspaces.fetchFileGitStatuses` `dataform.workspaces.fetchGitAheadBehind` `dataform.workspaces.get` `dataform.workspaces.getIamPolicy` `dataform.workspaces.installNpmPackages` `dataform.workspaces.list` `dataform.workspaces.makeDirectory` `dataform.workspaces.moveDirectory` `dataform.workspaces.moveFile` `dataform.workspaces.pull` `dataform.workspaces.push` `dataform.workspaces.queryDirectoryContents` `dataform.workspaces.readFile` `dataform.workspaces.removeDirectory` `dataform.workspaces.removeFile` `dataform.workspaces.reset` `dataform.workspaces.searchFiles` `dataform.workspaces.setIamPolicy` `dataform.workspaces.writeFile` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Connection Admin (`roles/bigquery.connectionAdmin`)	`bigquery.connections.*` `bigquery.connections.create` `bigquery.connections.delegate` `bigquery.connections.delete` `bigquery.connections.get` `bigquery.connections.getIamPolicy` `bigquery.connections.list` `bigquery.connections.setIamPolicy` `bigquery.connections.update` `bigquery.connections.updateTag` `bigquery.connections.use`
BigQuery Connection User (`roles/bigquery.connectionUser`)	`bigquery.connections.get` `bigquery.connections.getIamPolicy` `bigquery.connections.list` `bigquery.connections.use`
BigQuery Data Editor (`roles/bigquery.dataEditor`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	`bigquery.config.get` `bigquery.datasets.create` `bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.datasets.updateTag` `bigquery.models.` `bigquery.models.create` `bigquery.models.delete` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.models.updateData` `bigquery.models.updateMetadata` `bigquery.models.updateTag` `bigquery.routines.` `bigquery.routines.create` `bigquery.routines.delete` `bigquery.routines.get` `bigquery.routines.list` `bigquery.routines.update` `bigquery.routines.updateTag` `bigquery.tables.create` `bigquery.tables.createIndex` `bigquery.tables.createSnapshot` `bigquery.tables.delete` `bigquery.tables.deleteIndex` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `bigquery.tables.replicateData` `bigquery.tables.restoreSnapshot` `bigquery.tables.update` `bigquery.tables.updateData` `bigquery.tables.updateTag` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Data Owner (`roles/bigquery.dataOwner`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	`bigquery.config.get` `bigquery.dataPolicies.create` `bigquery.dataPolicies.delete` `bigquery.dataPolicies.get` `bigquery.dataPolicies.getIamPolicy` `bigquery.dataPolicies.list` `bigquery.dataPolicies.setIamPolicy` `bigquery.dataPolicies.update` `bigquery.datasets.` `bigquery.datasets.create` `bigquery.datasets.createTagBinding` `bigquery.datasets.delete` `bigquery.datasets.deleteTagBinding` `bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.datasets.link` `bigquery.datasets.listEffectiveTags` `bigquery.datasets.listSharedDatasetUsage` `bigquery.datasets.listTagBindings` `bigquery.datasets.setIamPolicy` `bigquery.datasets.update` `bigquery.datasets.updateTag` `bigquery.models.` `bigquery.models.create` `bigquery.models.delete` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.models.updateData` `bigquery.models.updateMetadata` `bigquery.models.updateTag` `bigquery.routines.` `bigquery.routines.create` `bigquery.routines.delete` `bigquery.routines.get` `bigquery.routines.list` `bigquery.routines.update` `bigquery.routines.updateTag` `bigquery.rowAccessPolicies.create` `bigquery.rowAccessPolicies.delete` `bigquery.rowAccessPolicies.getIamPolicy` `bigquery.rowAccessPolicies.list` `bigquery.rowAccessPolicies.setIamPolicy` `bigquery.rowAccessPolicies.update` `bigquery.tables.` `bigquery.tables.create` `bigquery.tables.createIndex` `bigquery.tables.createSnapshot` `bigquery.tables.createTagBinding` `bigquery.tables.delete` `bigquery.tables.deleteIndex` `bigquery.tables.deleteSnapshot` `bigquery.tables.deleteTagBinding` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `bigquery.tables.listEffectiveTags` `bigquery.tables.listTagBindings` `bigquery.tables.replicateData` `bigquery.tables.restoreSnapshot` `bigquery.tables.setCategory` `bigquery.tables.setColumnDataPolicy` `bigquery.tables.setIamPolicy` `bigquery.tables.update` `bigquery.tables.updateData` `bigquery.tables.updateTag` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Data Viewer (`roles/bigquery.dataViewer`) When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to list all of the resources in the dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata with applicable APIs and in queries. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	`bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.routines.get` `bigquery.routines.list` `bigquery.tables.createSnapshot` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `bigquery.tables.replicateData` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Filtered Data Viewer (`roles/bigquery.filteredDataViewer`) Access to view filtered table data defined by a row access policy	`bigquery.rowAccessPolicies.getFilteredData`
BigQuery Job User (`roles/bigquery.jobUser`) Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role: Project	`bigquery.config.get` `bigquery.jobs.create` `dataform.locations.*` `dataform.locations.get` `dataform.locations.list` `dataform.repositories.create` `dataform.repositories.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	`bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.routines.get` `bigquery.routines.list` `bigquery.tables.get` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Read Session User (`roles/bigquery.readSessionUser`) Provides the ability to create and use read sessions. Lowest-level resources where you can grant this role: Project	`bigquery.readsessions.*` `bigquery.readsessions.create` `bigquery.readsessions.getData` `bigquery.readsessions.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) Administers BigQuery workloads, including slot assignments, commitments, and reservations.	`bigquery.bireservations.` `bigquery.bireservations.get` `bigquery.bireservations.update` `bigquery.capacityCommitments.` `bigquery.capacityCommitments.create` `bigquery.capacityCommitments.delete` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.capacityCommitments.update` `bigquery.jobs.get` `bigquery.jobs.list` `bigquery.jobs.listAll` `bigquery.jobs.listExecutionMetadata` `bigquery.reservationAssignments.` `bigquery.reservationAssignments.create` `bigquery.reservationAssignments.delete` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.` `bigquery.reservations.create` `bigquery.reservations.delete` `bigquery.reservations.get` `bigquery.reservations.list` `bigquery.reservations.update` `recommender.bigqueryCapacityCommitmentsInsights.` `recommender.bigqueryCapacityCommitmentsInsights.get` `recommender.bigqueryCapacityCommitmentsInsights.list` `recommender.bigqueryCapacityCommitmentsInsights.update` `recommender.bigqueryCapacityCommitmentsRecommendations.` `recommender.bigqueryCapacityCommitmentsRecommendations.get` `recommender.bigqueryCapacityCommitmentsRecommendations.list` `recommender.bigqueryCapacityCommitmentsRecommendations.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Resource Editor (`roles/bigquery.resourceEditor`) Manages BigQuery workloads, but is unable to create or modify slot commitments.	`bigquery.bireservations.get` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.jobs.get` `bigquery.jobs.list` `bigquery.jobs.listAll` `bigquery.jobs.listExecutionMetadata` `bigquery.reservationAssignments.` `bigquery.reservationAssignments.create` `bigquery.reservationAssignments.delete` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.` `bigquery.reservations.create` `bigquery.reservations.delete` `bigquery.reservations.get` `bigquery.reservations.list` `bigquery.reservations.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.	`bigquery.bireservations.get` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.jobs.get` `bigquery.jobs.list` `bigquery.jobs.listAll` `bigquery.jobs.listExecutionMetadata` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.get` `bigquery.reservations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Combination role of BigQuery Admin, Dataform Admin, and Notebook Runtime Admin.	`aiplatform.notebookRuntimeTemplates.` `aiplatform.notebookRuntimeTemplates.apply` `aiplatform.notebookRuntimeTemplates.create` `aiplatform.notebookRuntimeTemplates.delete` `aiplatform.notebookRuntimeTemplates.get` `aiplatform.notebookRuntimeTemplates.getIamPolicy` `aiplatform.notebookRuntimeTemplates.list` `aiplatform.notebookRuntimeTemplates.setIamPolicy` `aiplatform.notebookRuntimeTemplates.update` `aiplatform.notebookRuntimes.` `aiplatform.notebookRuntimes.assign` `aiplatform.notebookRuntimes.delete` `aiplatform.notebookRuntimes.get` `aiplatform.notebookRuntimes.list` `aiplatform.notebookRuntimes.start` `aiplatform.notebookRuntimes.update` `aiplatform.notebookRuntimes.upgrade` `aiplatform.operations.list` `bigquery.bireservations.` `bigquery.bireservations.get` `bigquery.bireservations.update` `bigquery.capacityCommitments.` `bigquery.capacityCommitments.create` `bigquery.capacityCommitments.delete` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.capacityCommitments.update` `bigquery.config.` `bigquery.config.get` `bigquery.config.update` `bigquery.connections.` `bigquery.connections.create` `bigquery.connections.delegate` `bigquery.connections.delete` `bigquery.connections.get` `bigquery.connections.getIamPolicy` `bigquery.connections.list` `bigquery.connections.setIamPolicy` `bigquery.connections.update` `bigquery.connections.updateTag` `bigquery.connections.use` `bigquery.dataPolicies.create` `bigquery.dataPolicies.delete` `bigquery.dataPolicies.get` `bigquery.dataPolicies.getIamPolicy` `bigquery.dataPolicies.list` `bigquery.dataPolicies.setIamPolicy` `bigquery.dataPolicies.update` `bigquery.datasets.` `bigquery.datasets.create` `bigquery.datasets.createTagBinding` `bigquery.datasets.delete` `bigquery.datasets.deleteTagBinding` `bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.datasets.link` `bigquery.datasets.listEffectiveTags` `bigquery.datasets.listSharedDatasetUsage` `bigquery.datasets.listTagBindings` `bigquery.datasets.setIamPolicy` `bigquery.datasets.update` `bigquery.datasets.updateTag` `bigquery.jobs.` `bigquery.jobs.create` `bigquery.jobs.delete` `bigquery.jobs.get` `bigquery.jobs.list` `bigquery.jobs.listAll` `bigquery.jobs.listExecutionMetadata` `bigquery.jobs.update` `bigquery.models.` `bigquery.models.create` `bigquery.models.delete` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.models.updateData` `bigquery.models.updateMetadata` `bigquery.models.updateTag` `bigquery.readsessions.` `bigquery.readsessions.create` `bigquery.readsessions.getData` `bigquery.readsessions.update` `bigquery.reservationAssignments.` `bigquery.reservationAssignments.create` `bigquery.reservationAssignments.delete` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.` `bigquery.reservations.create` `bigquery.reservations.delete` `bigquery.reservations.get` `bigquery.reservations.list` `bigquery.reservations.update` `bigquery.routines.` `bigquery.routines.create` `bigquery.routines.delete` `bigquery.routines.get` `bigquery.routines.list` `bigquery.routines.update` `bigquery.routines.updateTag` `bigquery.rowAccessPolicies.create` `bigquery.rowAccessPolicies.delete` `bigquery.rowAccessPolicies.getIamPolicy` `bigquery.rowAccessPolicies.list` `bigquery.rowAccessPolicies.overrideTimeTravelRestrictions` `bigquery.rowAccessPolicies.setIamPolicy` `bigquery.rowAccessPolicies.update` `bigquery.savedqueries.` `bigquery.savedqueries.create` `bigquery.savedqueries.delete` `bigquery.savedqueries.get` `bigquery.savedqueries.list` `bigquery.savedqueries.update` `bigquery.tables.` `bigquery.tables.create` `bigquery.tables.createIndex` `bigquery.tables.createSnapshot` `bigquery.tables.createTagBinding` `bigquery.tables.delete` `bigquery.tables.deleteIndex` `bigquery.tables.deleteSnapshot` `bigquery.tables.deleteTagBinding` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `bigquery.tables.listEffectiveTags` `bigquery.tables.listTagBindings` `bigquery.tables.replicateData` `bigquery.tables.restoreSnapshot` `bigquery.tables.setCategory` `bigquery.tables.setColumnDataPolicy` `bigquery.tables.setIamPolicy` `bigquery.tables.update` `bigquery.tables.updateData` `bigquery.tables.updateTag` `bigquery.transfers.` `bigquery.transfers.get` `bigquery.transfers.update` `bigquerymigration.translation.translate` `compute.reservations.get` `compute.reservations.list` `dataform.*` `dataform.compilationResults.create` `dataform.compilationResults.get` `dataform.compilationResults.list` `dataform.compilationResults.query` `dataform.config.get` `dataform.config.update` `dataform.locations.get` `dataform.locations.list` `dataform.releaseConfigs.create` `dataform.releaseConfigs.delete` `dataform.releaseConfigs.get` `dataform.releaseConfigs.list` `dataform.releaseConfigs.update` `dataform.repositories.commit` `dataform.repositories.computeAccessTokenStatus` `dataform.repositories.create` `dataform.repositories.delete` `dataform.repositories.fetchHistory` `dataform.repositories.fetchRemoteBranches` `dataform.repositories.get` `dataform.repositories.getIamPolicy` `dataform.repositories.list` `dataform.repositories.queryDirectoryContents` `dataform.repositories.readFile` `dataform.repositories.setIamPolicy` `dataform.repositories.update` `dataform.workflowConfigs.create` `dataform.workflowConfigs.delete` `dataform.workflowConfigs.get` `dataform.workflowConfigs.list` `dataform.workflowConfigs.update` `dataform.workflowInvocations.cancel` `dataform.workflowInvocations.create` `dataform.workflowInvocations.delete` `dataform.workflowInvocations.get` `dataform.workflowInvocations.list` `dataform.workflowInvocations.query` `dataform.workspaces.commit` `dataform.workspaces.create` `dataform.workspaces.delete` `dataform.workspaces.fetchFileDiff` `dataform.workspaces.fetchFileGitStatuses` `dataform.workspaces.fetchGitAheadBehind` `dataform.workspaces.get` `dataform.workspaces.getIamPolicy` `dataform.workspaces.installNpmPackages` `dataform.workspaces.list` `dataform.workspaces.makeDirectory` `dataform.workspaces.moveDirectory` `dataform.workspaces.moveFile` `dataform.workspaces.pull` `dataform.workspaces.push` `dataform.workspaces.queryDirectoryContents` `dataform.workspaces.readFile` `dataform.workspaces.removeDirectory` `dataform.workspaces.removeFile` `dataform.workspaces.reset` `dataform.workspaces.searchFiles` `dataform.workspaces.setIamPolicy` `dataform.workspaces.writeFile` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Studio User (`roles/bigquery.studioUser`) Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, and Notebook Runtime User.	`aiplatform.notebookRuntimeTemplates.apply` `aiplatform.notebookRuntimeTemplates.get` `aiplatform.notebookRuntimeTemplates.getIamPolicy` `aiplatform.notebookRuntimeTemplates.list` `aiplatform.notebookRuntimes.assign` `aiplatform.notebookRuntimes.get` `aiplatform.notebookRuntimes.list` `aiplatform.operations.list` `bigquery.config.get` `bigquery.jobs.create` `bigquery.readsessions.` `bigquery.readsessions.create` `bigquery.readsessions.getData` `bigquery.readsessions.update` `dataform.locations.` `dataform.locations.get` `dataform.locations.list` `dataform.repositories.create` `dataform.repositories.list` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery User (`roles/bigquery.user`) When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (`roles/bigquery.dataOwner`) on these new datasets. Lowest-level resources where you can grant this role: Dataset	`bigquery.bireservations.get` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.config.get` `bigquery.datasets.create` `bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.jobs.create` `bigquery.jobs.list` `bigquery.models.list` `bigquery.readsessions.` `bigquery.readsessions.create` `bigquery.readsessions.getData` `bigquery.readsessions.update` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.get` `bigquery.reservations.list` `bigquery.routines.list` `bigquery.savedqueries.get` `bigquery.savedqueries.list` `bigquery.tables.list` `bigquery.transfers.get` `bigquerymigration.translation.translate` `dataform.locations.` `dataform.locations.get` `dataform.locations.list` `dataform.repositories.create` `dataform.repositories.list` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Data Policy Admin (`roles/bigquerydatapolicy.admin`) Role for managing Data Policies in BigQuery	`bigquery.dataPolicies.create` `bigquery.dataPolicies.delete` `bigquery.dataPolicies.get` `bigquery.dataPolicies.getIamPolicy` `bigquery.dataPolicies.list` `bigquery.dataPolicies.setIamPolicy` `bigquery.dataPolicies.update`
Masked Reader (`roles/bigquerydatapolicy.maskedReader`) Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns	`bigquery.dataPolicies.maskedGet`
Raw Data Reader ^Beta (`roles/bigquerydatapolicy.rawDataReader`) Raw read access to sub-resources associated with a data policy, for example, BigQuery columns	`bigquery.dataPolicies.getRawData`
BigQuery Data Policy Viewer (`roles/bigquerydatapolicy.viewer`) Role for viewing Data Policies in BigQuery	`bigquery.dataPolicies.get` `bigquery.dataPolicies.list`

BigQuery Admin

(roles/bigquery.admin)

Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.

Lowest-level resources where you can grant this role:

Datasets
Row access policies
Tables
Views

bigquery.bireservations.*

bigquery.bireservations.get
bigquery.bireservations.update

bigquery.capacityCommitments.*

bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.capacityCommitments.update

bigquery.config.*

bigquery.config.get
bigquery.config.update

bigquery.connections.*

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.delete
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.link
bigquery.datasets.listEffectiveTags
bigquery.datasets.listSharedDatasetUsage
bigquery.datasets.listTagBindings
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.datasets.updateTag

bigquery.jobs.*

bigquery.jobs.create
bigquery.jobs.delete
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.jobs.update

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.update

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.savedqueries.create
bigquery.savedqueries.delete
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.savedqueries.update

bigquery.tables.*

bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.createTagBinding
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteSnapshot
bigquery.tables.deleteTagBinding
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.setCategory
bigquery.tables.setColumnDataPolicy
bigquery.tables.setIamPolicy
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag

bigquery.transfers.*

bigquery.transfers.get
bigquery.transfers.update

bigquerymigration.translation.translate

dataform.*

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.config.get
dataform.config.update
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Connection Admin

(roles/bigquery.connectionAdmin)

bigquery.connections.*

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use

BigQuery Connection User

(roles/bigquery.connectionUser)

bigquery.connections.get

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.connections.use

BigQuery Data Editor

(roles/bigquery.dataEditor)

When applied to a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

Read the dataset's metadata and list tables in the dataset.
Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

Table
View

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Data Owner

(roles/bigquery.dataOwner)

When applied to a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

Table
View

bigquery.config.get

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.delete
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.link
bigquery.datasets.listEffectiveTags
bigquery.datasets.listSharedDatasetUsage
bigquery.datasets.listTagBindings
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.datasets.updateTag

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.*

bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.createTagBinding
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteSnapshot
bigquery.tables.deleteTagBinding
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.setCategory
bigquery.tables.setColumnDataPolicy
bigquery.tables.setIamPolicy
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Data Viewer

(roles/bigquery.dataViewer)

When applied to a table or view, this role provides permissions to:

Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to list all of the resources in the dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata with applicable APIs and in queries.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

Table
View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.createSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Filtered Data Viewer

(roles/bigquery.filteredDataViewer)

Access to view filtered table data defined by a row access policy

bigquery.rowAccessPolicies.getFilteredData

BigQuery Job User

(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

Lowest-level resources where you can grant this role:

Project

bigquery.config.get

bigquery.jobs.create

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Metadata Viewer

(roles/bigquery.metadataViewer)

When applied to a table or view, this role provides permissions to:

Read metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

List tables and views in the dataset.
Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

List all datasets and read metadata for all datasets in the project.
List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

Table
View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.get

bigquery.tables.getIamPolicy

bigquery.tables.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Read Session User

(roles/bigquery.readSessionUser)

Provides the ability to create and use read sessions.

Lowest-level resources where you can grant this role:

Project

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Admin

(roles/bigquery.resourceAdmin)

Administers BigQuery workloads, including slot assignments, commitments, and reservations.

bigquery.bireservations.*

bigquery.bireservations.get
bigquery.bireservations.update

bigquery.capacityCommitments.*

bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.capacityCommitments.update

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.update

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsInsights.update

recommender.bigqueryCapacityCommitmentsRecommendations.*

recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryCapacityCommitmentsRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Editor

(roles/bigquery.resourceEditor)

Manages BigQuery workloads, but is unable to create or modify slot commitments.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Viewer

(roles/bigquery.resourceViewer)

Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Studio Admin

(roles/bigquery.studioAdmin)

Combination role of BigQuery Admin, Dataform Admin, and Notebook Runtime Admin.

aiplatform.notebookRuntimeTemplates.*

aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.create
aiplatform.notebookRuntimeTemplates.delete
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.setIamPolicy
aiplatform.notebookRuntimeTemplates.update

aiplatform.notebookRuntimes.*

aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.delete
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update
aiplatform.notebookRuntimes.upgrade

aiplatform.operations.list

bigquery.bireservations.*

bigquery.bireservations.get
bigquery.bireservations.update

bigquery.capacityCommitments.*

bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.capacityCommitments.update

bigquery.config.*

bigquery.config.get
bigquery.config.update

bigquery.connections.*

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.delete
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.link
bigquery.datasets.listEffectiveTags
bigquery.datasets.listSharedDatasetUsage
bigquery.datasets.listTagBindings
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.datasets.updateTag

bigquery.jobs.*

bigquery.jobs.create
bigquery.jobs.delete
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.jobs.update

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.update

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.savedqueries.create
bigquery.savedqueries.delete
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.savedqueries.update

bigquery.tables.*

bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.createTagBinding
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteSnapshot
bigquery.tables.deleteTagBinding
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.setCategory
bigquery.tables.setColumnDataPolicy
bigquery.tables.setIamPolicy
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag

bigquery.transfers.*

bigquery.transfers.get
bigquery.transfers.update

bigquerymigration.translation.translate

compute.reservations.get

compute.reservations.list

dataform.*

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.config.get
dataform.config.update
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Studio User

(roles/bigquery.studioUser)

Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, and Notebook Runtime User.

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimes.assign

aiplatform.notebookRuntimes.get

aiplatform.notebookRuntimes.list

aiplatform.operations.list

bigquery.config.get

bigquery.jobs.create

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.create

dataform.repositories.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery User

(roles/bigquery.user)

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

Lowest-level resources where you can grant this role:

Dataset

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.jobs.create

bigquery.jobs.list

bigquery.models.list

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.list

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.list

bigquery.transfers.get

bigquerymigration.translation.translate

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.create

dataform.repositories.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Data Policy Admin

(roles/bigquerydatapolicy.admin)

Role for managing Data Policies in BigQuery

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

Masked Reader

(roles/bigquerydatapolicy.maskedReader)

Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns

bigquery.dataPolicies.maskedGet

Raw Data Reader ^Beta

(roles/bigquerydatapolicy.rawDataReader)

Raw read access to sub-resources associated with a data policy, for example, BigQuery columns

bigquery.dataPolicies.getRawData

BigQuery Data Policy Viewer

(roles/bigquerydatapolicy.viewer)

Role for viewing Data Policies in BigQuery

bigquery.dataPolicies.get

bigquery.dataPolicies.list

Roles de IAM personalizados para BigQuery

A fin de crear un rol de IAM personalizado para BigQuery, sigue los pasos descritos para Roles personalizados de IAM mediante los permisos de BigQuery.

Roles básicos de BigQuery

Para obtener información sobre las funciones básicas de BigQuery, consulta los permisos y las funciones básicos de BigQuery.

Permisos de BigQuery

En la tabla siguiente, se describen los permisos disponibles en BigQuery. Estos están incluidos en roles predefinidos y pueden usarse en las definiciones de roles personalizados.

Permiso	Descripción
`bigquery.bireservations.get`	Lee las reservas de BI Engine.
`bigquery.bireservations.update`	Actualiza las reservas de BI Engine.
`bigquery.capacityCommitments.create`	Crear compromisos de capacidad en el proyecto
`bigquery.capacityCommitments.delete`	Borra un compromiso de capacidad.
`bigquery.capacityCommitments.get`	Recupera los detalles sobre un compromiso de capacidad.
`bigquery.capacityCommitments.list`	Enumera todos los compromisos de capacidad en un proyecto.
`bigquery.capacityCommitments.update`	Actualiza todos los compromisos de capacidad de un proyecto.
`bigquery.config.update`	Crea una configuración.
`bigquery.config.get`	Obtén detalles sobre una configuración.
`bigquery.connections.create`	Crea conexiones nuevas en un proyecto.
`bigquery.connections.delete`	Borra una conexión.
`bigquery.connections.get`	Obtiene metadatos de conexión. Se excluyen las credenciales.
`bigquery.connections.list`	Enumera las conexiones en un proyecto.
`bigquery.connections.update`	Actualiza una conexión y sus credenciales.
`bigquery.connections.updateTag`	Actualiza las etiquetas de una conexión.
`bigquery.connections.use`	Usa una configuración de conexión para conectarse a una fuente de datos remota.
`bigquery.connections.delegate`	Delega la conexión para crear funciones remotas y tablas externas autorizadas.
`bigquery.dataPolicies.create`	Crea políticas de datos nuevas.
`bigquery.dataPolicies.delete`	Borra políticas de datos.
`bigquery.dataPolicies.get`	Obtiene metadatos sobre las políticas de datos.
`bigquery.dataPolicies.getIamPolicy`	Lee los permisos de IAM de una política de datos.
`bigquery.dataPolicies.list`	Muestra la lista de políticas de datos de un proyecto.
`bigquery.dataPolicies.maskedGet`	Observa los datos enmascarados de una columna que tiene una etiqueta de política asociada con una política de datos.
`bigquery.dataPolicies.setIamPolicy`	Configura los permisos de IAM de una política de datos
`bigquery.dataPolicies.update`	Actualiza los metadatos de una política de datos.
`bigquery.datasets.create`	Crea conjuntos de datos vacíos nuevos.
`bigquery.datasets.createTagBinding`	Crea vinculaciones de etiquetas de recursos en un conjunto de datos.
`bigquery.datasets.delete`	Borra un conjunto de datos.
`bigquery.datasets.deleteTagBinding`	Borra vinculaciones de etiquetas de recursos en un conjunto de datos.
`bigquery.datasets.get`	Obtén metadatos y permisos sobre un conjunto de datos. Visualizar permisos en la consola de Google Cloud también requiere el permiso `bigquery.datasets.getIamPolicy`.
`bigquery.datasets.getIamPolicy`	Obligatorio para Cloud Console a fin de brindar al usuario la opción de obtener los permisos de IAM de un conjunto de datos. Esto permitirá abrir la falla. La capacidad para realizar la operación de obtención de los permisos está restringida por el permiso `bigquery.datasets.get`.
`bigquery.datasets.link`	Crea un conjunto de datos vinculado.
`bigquery.datasets.listTagBindings`	Enumera las vinculaciones de etiquetas de recursos en un conjunto de datos.
`bigquery.datasets.setIamPolicy`	Cloud Console lo requiere para dar al usuario la opción de configurar los permisos de IAM de un conjunto de datos. Esto permitirá abrir la falla. La capacidad para realizar la operación de configuración de los permisos está restringida por el permiso `bigquery.datasets.update`.
`bigquery.datasets.update`	Actualiza los metadatos y los permisos para un conjunto de datos. Otorgar permisos en la consola de Google Cloud también requiere el permiso `bigquery.datasets.setIamPolicy`.
`bigquery.datasets.updateTag`	Actualiza las etiquetas de Data Catalog para un conjunto de datos.
`bigquery.jobs.create`	Ejecuta trabajos (incluidas consultas) en el proyecto.
`bigquery.jobs.get`	Obtiene datos y metadatos de cualquier trabajo*.¹
`bigquery.jobs.list`	Enumera todos los trabajos y recupera los metadatos de cualquier trabajo enviado por un usuario. Para los trabajos que enviaron otros usuarios, se ocultan los detalles y los metadatos.
`bigquery.jobs.listAll`	Enumera todos los trabajos y recupera los metadatos de cualquier trabajo que envíe un usuario.
`bigquery.jobs.listExecutionMetadata`	Enumera todos los metadatos de ejecución de trabajos (sin información sensible) en cualquier trabajo que envíe un usuario. Solo se puede aplicar a nivel de la organización y la usa la IU para administrar.
`bigquery.jobs.delete`	Borra metadatos para un trabajo.
`bigquery.jobs.update`	Cancela cualquier trabajo.¹
`bigquery.models.create`	Crea modelos de aprendizaje automático nuevos.
`bigquery.models.delete`	Borra los modelos de aprendizaje automático.
`bigquery.models.getData`	Obtén datos del modelo de aprendizaje automático. Para obtener metadatos del modelo, necesitas `bigquery.models.getMetadata`.
`bigquery.models.getMetadata`	Obtén metadatos del modelo de aprendizaje automático. Para obtener datos del modelo, necesitas `bigquery.models.getData`.
`bigquery.models.list`	Enumera los modelos de aprendizaje automático y los metadatos en los modelos.
`bigquery.models.updateData`	Actualiza los datos del modelo de aprendizaje automático. Para actualizar los metadatos del modelo, necesitas `bigquery.models.updateMetadata`.
`bigquery.models.updateMetadata`	Actualiza los metadatos del modelo de aprendizaje automático. Para actualizar los datos del modelo, necesitas `bigquery.models.updateData`.
`bigquery.models.export`	Exporta los modelos de aprendizaje automático.
`bigquery.models.updateTag`	Actualiza las etiquetas de Data Catalog para un modelo.
`bigquery.readsessions.create`	Crea una sesión de lectura nueva con la API de Storage Read.
`bigquery.readsessions.getData`	Lee datos desde una sesión de lectura con la API de Storage Read.
`bigquery.readsessions.update`	Actualiza una sesión de lectura con la API de Storage Read.
`bigquery.reservations.create`	Crea una reserva de ranura en un proyecto de administración.
`bigquery.reservations.delete`	Borra una reserva de ranura.
`bigquery.reservations.get`	Recupera los detalles de una reserva de ranura.
`bigquery.reservations.list`	Enumera todas las reservas de ranuras en un proyecto de administración.
`bigquery.reservations.update`	Actualiza las propiedades de una reserva de ranura.
`bigquery.reservationAssignments.create`	Crea una asignación de reserva. Este permiso es obligatorio en el proyecto del propietario y el recurso asignado. Para mover una asignación de reserva, necesitas `bigquery.reservationAssignments.create` en el nuevo proyecto del propietario y el recurso asignado.
`bigquery.reservationAssignments.delete`	Borra una asignación de reserva. Este permiso es obligatorio en el proyecto del propietario y el recurso asignado. Para mover una asignación de reserva, necesitas `bigquery.reservationAssignments.delete` en el anterior proyecto del propietario y el recurso asignado.
`bigquery.reservationAssignments.list`	Enumera todas las asignaciones de reservas en un proyecto.
`bigquery.reservationAssignments.search`	Busca una asignación de reserva para un proyecto, carpeta u organización determinada.
`bigquery.rowAccessPolicies.create`	Crea una política de acceso nueva a nivel de las filas en una tabla.
`bigquery.rowAccessPolicies.delete`	Borra una política de acceso a nivel de las filas de una tabla.
`bigquery.rowAccessPolicies.getFilteredData`	Obtiene datos en una tabla que deseas que solo esté visible para las principales de la lista de beneficiarios de las políticas de acceso a nivel de las filas. Recomendamos que este permiso solo se otorgue en un recurso de política de acceso a nivel de las filas.
`bigquery.rowAccessPolicies.list`	Enumera todas las políticas de acceso a nivel de las filas en una tabla.
`bigquery.rowAccessPolicies.overrideTimeTravelRestrictions`	Accede a los datos históricos de una tabla que tiene o tuvo políticas de acceso a nivel de fila con anterioridad.
`bigquery.rowAccessPolicies.getIamPolicy`	Obtén los permisos de IAM de una política de acceso de fila.
`bigquery.rowAccessPolicies.setIamPolicy`	Configura los permisos de IAM de la política de acceso de fila.
`bigquery.rowAccessPolicies.update`	Vuelve a crear una política de acceso a nivel de las filas.
`bigquery.routines.create`	Crea rutinas nuevas (funciones y procedimientos almacenados).
`bigquery.routines.delete`	Borra rutinas.
`bigquery.routines.get`	Obtiene metadatos y definiciones de rutinas.
`bigquery.routines.list`	Enumera rutinas y metadatos en rutinas.
`bigquery.routines.update`	Actualiza metadatos y definiciones de rutinas.
`bigquery.routines.updateTag`	Actualiza las etiquetas de Data Catalog para una rutina.
`bigquery.savedqueries.create`	Crea consultas guardadas.
`bigquery.savedqueries.delete`	Borra las consultas guardadas.
`bigquery.savedqueries.get`	Obtiene los metadatos de las consultas guardadas.
`bigquery.savedqueries.list`	Enumera las consultas guardadas.
`bigquery.savedqueries.update`	Actualiza las consultas guardadas.
`bigquery.tables.create`	Crea tablas nuevas.
`bigquery.tables.createIndex`	Crea índices de búsqueda en tablas.
`bigquery.tables.createSnapshot`	Crea nuevas instantáneas de tablas.
`bigquery.tables.createTagBinding`	Crea vinculaciones de etiquetas de recursos en una tabla.
`bigquery.tables.delete`	Borra tablas.
`bigquery.tables.deleteIndex`	Quita índices de búsqueda en las tablas.
`bigquery.tables.deleteSnapshot`	Borra instantáneas de tablas.
`bigquery.tables.deleteTagBinding`	Borra vinculaciones de etiquetas de recursos en una tabla.
`bigquery.tables.export`	Exporta los datos de las tablas fuera de BigQuery.
`bigquery.tables.get`	Obtiene metadatos de tablas. Para obtener datos de tablas, necesitas `bigquery.tables.getData`.
`bigquery.tables.getData`	Obtiene datos de tablas. Este permiso es necesario para consultar los datos de la tabla. Para obtener los metadatos de la tabla, necesitas `bigquery.tables.get`.
`bigquery.tables.getIamPolicy`	Lee la política de IAM de una tabla.
`bigquery.tables.list`	Enumera las tablas y los metadatos de las tablas.
`bigquery.tables.listEffectiveTags`	Enumera vinculaciones de etiquetas efectivas con la API de Cloud Resource Manager. Se verifica cuándo se usa la marca `--effective`.
`bigquery.tables.listTagBindings`	Enumera las vinculaciones de etiquetas con la API de Cloud Resource Manager.
`bigquery.tables.replicateData`	Replica los datos de la tabla. Este permiso es necesario para crear vistas materializadas de réplica.
`bigquery.tables.restoreSnapshot`	Restablece las instantáneas tablas.
`bigquery.tables.setCategory`	Establece etiquetas de política en el esquema de tabla.
`bigquery.tables.setIamPolicy`	Cambia la política de IAM de una tabla.
`bigquery.tables.update`	Actualiza los metadatos de la tabla. Para actualizar los datos de la tabla, necesitas `bigquery.tables.updateData`.
`bigquery.tables.updateData`	Actualiza los datos de la tabla. Para actualizar los metadatos de la tabla, necesitas `bigquery.tables.update`.
`bigquery.tables.updateTag`	Actualiza las etiquetas de Data Catalog para una tabla.
`bigquery.transfers.get`	Obtiene los metadatos de las transferencias.
`bigquery.transfers.update`	Crea, actualiza y borra las transferencias.

¹ En cualquier trabajo que crees, tendrás de forma automática el equivalente a los permisos bigquery.jobs.get y bigquery.jobs.update para ese trabajo.

Permisos para tareas de BigQuery ML

En la siguiente tabla, se describen los permisos necesarios para las tareas comunes de BigQuery ML.

Permiso	Descripción
`bigquery.jobs.create` `bigquery.models.create` `bigquery.models.getData` `bigquery.models.updateData`	Crear un modelo nuevo mediante la declaración `CREATE MODEL`
`bigquery.jobs.create` `bigquery.models.create` `bigquery.models.getData` `bigquery.models.updateData` `bigquery.models.updateMetadata`	Reemplaza un modelo existente mediante la declaración `CREATE OR REPLACE MODEL`
`bigquery.models.delete`	Borra un modelo mediante la API models.delete
`bigquery.jobs.create` `bigquery.models.delete`	Borrar un modelo mediante la declaración `DROP MODEL`
`bigquery.models.getMetadata`	Obtiene metadatos del modelo mediante la API models.get
`bigquery.models.list`	Enumera modelos y los metadatos en estos mediante la API models.list
`bigquery.models.updateMetadata`	Actualiza los metadatos del modelo mediante la API models.delete. Si configuras o actualizas un tiempo de vencimiento distinto de cero para el modelo, también se necesita el permiso `bigquery.models.delete`
`bigquery.jobs.create` `bigquery.models.getData`	Realiza evaluaciones, predicciones e inspecciones de modelos y características mediante funciones como `ML.EVALUATE`, `ML.PREDICT`, `ML.TRAINING_INFO` y `ML.WEIGHTS`.
`bigquery.jobs.create` `bigquery.models.export`	Exporta un modelo
`bigquery.models.updateTag`	Actualiza las etiquetas de Data Catalog para un modelo.

¿Qué sigue?

Para obtener más información sobre la asignación de roles a nivel de conjunto de datos, consulta la página sobre el control de acceso a los conjuntos de datos.
Para obtener más información sobre cómo asignar funciones a nivel de tabla o vista, consulta Controla el acceso a las tablas y vistas.

Roles y permisos de IAM para BigQuery

Tipos de roles de IAM

Roles de IAM en BigQuery

Roles aplicados a nivel de la organización o del proyecto de Google Cloud

Funciones aplicadas a nivel del conjunto de datos

Funciones aplicadas a recursos individuales dentro de conjuntos de datos

Funciones predefinidas de IAM de BigQuery

BigQuery Admin

BigQuery Connection Admin

BigQuery Connection User

BigQuery Data Editor

BigQuery Data Owner

BigQuery Data Viewer

BigQuery Filtered Data Viewer

BigQuery Job User

BigQuery Metadata Viewer

BigQuery Read Session User

BigQuery Resource Admin

BigQuery Resource Editor

BigQuery Resource Viewer

BigQuery Studio Admin

BigQuery Studio User

BigQuery User

BigQuery Data Policy Admin

Masked Reader

Raw Data Reader Beta

BigQuery Data Policy Viewer

Roles de IAM personalizados para BigQuery

Roles básicos de BigQuery

Permisos de BigQuery

Permisos para tareas de BigQuery ML

¿Qué sigue?

Raw Data Reader ^Beta