Basic roles and permissions

Overview

BigQuery supports the IAM basic roles for project-level access.

Basic roles for projects

By default, granting access to a project also grants access to datasets within it. Default access can be overridden on a per-dataset basis. The following table describes what access is granted to members of the basic IAM roles.

Basic role	Capabilities
`Viewer`	Can start a job in the project. Additional dataset roles are required depending on the job type. Can list and get all jobs, and update jobs that they started for the project If you create a dataset in a project that contains any viewers, BigQuery grants those users the bigquery.dataViewer predefined role for the new dataset.
`Editor`	Same as `Viewer`, plus: Can create a new dataset in the project If you create a dataset in a project that contains any editors, BigQuery grants those users the bigquery.dataEditor predefined role for the new dataset.
`Owner`	Same as `Editor`, plus: Can revoke or change any project role Can list all datasets in the project Can delete any dataset in the project Can list and get all jobs run on the project, including jobs run by other project users If you create a dataset, BigQuery grants all project owners the bigquery.dataOwner predefined role for the new dataset. Exception: When a user runs a query, an anonymous dataset is created to store the cached results table. Only the user that runs the query is given `OWNER` access to the anonymous dataset.

Basic roles for projects are granted or revoked through the Google Cloud Console. When a project is created, the Owner role is granted to the user who created the project.

When BigQuery receives a call from an identity (either a user, a group, or a service account) that is assigned a basic role, BigQuery interprets that basic role as a member of a special group. Special group membership grants the identity permissions that are assigned to a BigQuery IAM role. The following chart identifies the special group and role for each basic role:

Basic role	Assigned group	BigQuery IAM Role
`roles/viewer`	`access.specialGroup: projectReaders`	`roles/bigquery.dataViewer`
`roles/editor`	`access.specialGroup: projectWriters`	`roles/bigquery.dataEditor`
`roles/owner`	`access.specialGroup: projectOwners`	`roles/bigquery.dataOwner`

Special group access is only granted at creation time. To remove or change permissions later, you can edit dataset IAM policies or your object access control lists (ACLs).

For more information about how to grant or revoke access for project roles, see Granting, changing, and revoking access to resources in the IAM documentation.

Basic roles for datasets

The following basic roles apply at the dataset level.

Dataset role Capabilities

Dataset role	Capabilities
`READER`	Can read, query, copy or export tables in the dataset. Can read routines in the dataset Can call get on the dataset Can call get and list on tables in the dataset Can call get and list on routines in the dataset Can call list on table data for tables in the dataset Maps to the `bigquery.dataViewer` predefined role
`WRITER`	Same as `READER`, plus: Can edit or append data in the dataset Can call insert, insertAll, update or delete on tables Can use tables in the dataset as destinations for load, copy or query jobs Can call insert, update, or delete on routines Maps to the `bigquery.dataEditor` predefined role
`OWNER`	Same as `WRITER`, plus: Can call update on the dataset Can call delete on the dataset Maps to the `bigquery.dataOwner` predefined role Note: A dataset must have at least one entity with the `OWNER` role. A user with the `OWNER` role can't remove their own `OWNER` role.

READER

Can read, query, copy or export tables in the dataset. Can read routines in the dataset
- Can call get on the dataset
- Can call get and list on tables in the dataset
- Can call get and list on routines in the dataset
- Can call list on table data for tables in the dataset
Maps to the bigquery.dataViewer predefined role

WRITER

Same as READER, plus:
- Can edit or append data in the dataset
  - Can call insert, insertAll, update or delete on tables
  - Can use tables in the dataset as destinations for load, copy or query jobs
  - Can call insert, update, or delete on routines
Maps to the bigquery.dataEditor predefined role

OWNER

Same as WRITER, plus:
- Can call update on the dataset
- Can call delete on the dataset
Maps to the bigquery.dataOwner predefined role

Note: A dataset must have at least one entity with the OWNER role. A user with the OWNER role can't remove their own OWNER role.

For more information on assigning roles at the dataset level, see Controlling access to datasets.

When you create a new dataset, BigQuery adds default dataset access for the following entities. Roles that you specify on dataset creation overwrite the default values.

Entity Dataset role

All users with Viewer access to the project READER

All users with Editor access to the project WRITER

Entity	Dataset role
All users with `Viewer` access to the project	`READER`
All users with `Editor` access to the project	`WRITER`
All users with `Owner` access to the project, and the dataset creator	`OWNER` Exception: When a user runs a query, an anonymous dataset is created to store the cached results table. Only the user that runs the query is given `OWNER` access to the anonymous dataset.

All users with Owner access to the project,
and the dataset creator

OWNER

Exception: When a user runs a query, an anonymous dataset is created to store the cached results table. Only the user that runs the query is given OWNER access to the anonymous dataset.