Overview
BigQuery supports the IAM basic roles for project-level access.
BigQuery's dataset-level basic roles existed prior to the introduction of Identity and Access Management. It is recommended that you use the predefined IAM roles instead.
Basic roles for projects
By default, granting access to a project also grants access to datasets within it. Default access can be overridden on a per-dataset basis. Any user with the project Owner role has the ability to revoke or change any project role.
When a project is created, BigQuery grants the Owner role to the user who created the project.
Basic role | Capabilities |
---|---|
Viewer | |
Editor | |
Owner | |
Basic roles for projects are granted or revoked through the Google Cloud Console. You must have Owner access to the project in order to grant or revoke a new project role.
For more information about how to grant or revoke access for project roles, see Granting, changing, and revoking access to resources in the Identity and Access Management documentation.
Basic roles for datasets
The following basic roles apply at the dataset level.
Dataset role | Capabilities |
---|---|
READER | |
WRITER | |
OWNER | Note: A dataset must have at least one entity with the |
For more information on assigning roles at the dataset level, see Controlling access to datasets.
When you create a new dataset, BigQuery adds default dataset access for the following entities. Roles that you specify on dataset creation overwrite the default values.
Entity | Dataset role |
---|---|
All users with Viewer access to the project | READER |
All users with Editor access to the project | WRITER |
All users with Owner access to the project | Exception: When a user runs a query, an anonymous dataset is created to store the cached results table. Only the user that runs the query is given |
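To review the default access described above, the following added example (not part of the BigQuery documentation) audits a dataset's `access` list for entries that still use a dataset basic role and marks which ones come from the project-level defaults. It assumes the entry shape returned by the BigQuery API's dataset resource (for example from `bq show --format=prettyjson`); the mapping to predefined roles is taken from the IAM documentation rather than this page, and the sample data is constructed.

```python
import json

# Dataset basic roles and the predefined IAM roles they correspond to.
BASIC_TO_PREDEFINED = {
    "READER": "roles/bigquery.dataViewer",
    "WRITER": "roles/bigquery.dataEditor",
    "OWNER": "roles/bigquery.dataOwner",
}
# specialGroup values that carry the default access derived from project roles.
PROJECT_DEFAULTS = {"projectReaders": "Viewer", "projectWriters": "Editor",
                    "projectOwners": "Owner"}

# Constructed sample: the "access" list of a dataset resource.
SAMPLE = json.loads("""
{"access": [
  {"role": "READER", "specialGroup": "projectReaders"},
  {"role": "WRITER", "specialGroup": "projectWriters"},
  {"role": "OWNER",  "specialGroup": "projectOwners"},
  {"role": "OWNER",  "userByEmail": "creator@example.com"},
  {"role": "READER", "groupByEmail": "analysts@example.com"},
  {"role": "roles/bigquery.metadataViewer", "userByEmail": "auditor@example.com"},
  {"view": {"projectId": "example-project", "datasetId": "reports", "tableId": "v1"}}
]}
""")

def audit_dataset_access(dataset):
    """Return one finding per access entry that still uses a dataset basic role."""
    findings = []
    for entry in dataset.get("access", []):
        role = entry.get("role")
        if role not in BASIC_TO_PREDEFINED:
            continue  # IAM role already in use, or an entry with no role (a view)
        # The grantee is the single key other than "role".
        kind, who = next(((k, v) for k, v in entry.items() if k != "role"),
                         ("unknown", None))
        findings.append({
            "grantee": f"{kind}:{who}",
            "basic_role": role,
            "suggested_role": BASIC_TO_PREDEFINED[role],
            # Project role this default entry comes from; None if granted explicitly.
            "from_project_role": PROJECT_DEFAULTS.get(who) if kind == "specialGroup" else None,
        })
    return findings

if __name__ == "__main__":
    for f in audit_dataset_access(SAMPLE):
        print(f)
```

Entries with a non-empty `from_project_role` are the ones to override per dataset when project-wide Viewer, Editor, or Owner membership is broader than the dataset's intended audience.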