Example scenarios
The following examples involve a group of data scientists who all belong to a Google group named AnalystGroup.
Read and write access to data in a dataset
CompanyProject is a project that includes dataset1 and dataset2. AnalystGroup1 is a group of data scientists who work only on dataset1 and AnalystGroup2 is a group that works only on dataset2. The data scientists should have full access only to the dataset that they work on, including access to run queries against the data.
| Read and write access to a dataset | |
|---|---|
| On dataset CompanyProject:dataset1 | Grant AnalystGroup1 WRITER
access on dataset1. This role maps to the predefined IAM role —
bigquery.dataEditor. |
| On dataset CompanyProject:dataset2 | Grant AnalystGroup2 WRITER
access on dataset2. This role maps to the predefined IAM role —
bigquery.dataEditor. |
| On project CompanyProject | Grant AnalystGroup1 and AnalystGroup2 bigquery.user
access on CompanyProject. |
Giving the data scientists WRITER access at the dataset level gives them the
ability to query data in the dataset's tables, but it does not give them
permissions to run query jobs in the project. To be able to run query jobs
against a dataset they've been given access to, the data scientist
groups must be granted the project-level, predefined role —
bigquery.user. The bigquery.user role
grants bigquery.jobs.create permissions.
Alternatively, you can add the data scientist groups to a project-level,
IAM custom role that grants bigquery.jobs.create permissions.
Full access to data in a project
AnalystGroup is a group of data scientists working on BigQuery, responsible for all facets of its use within a project named CompanyProject. The group prefers for all members to have read and write access to all data. Other groups at the organization work with other Cloud Platform products, but no one else interacts with BigQuery. AnalystGroup does not use any other Cloud Platform services.
| Full access to data in a project | |
|---|---|
| On project CompanyProject | Add AnalystGroup to the predefined role bigquery.admin. |
Full access across an organization
CompanyA is an organization that wants a specific person, named Admin1, to be the administrator for all BigQuery data across all of their projects. MonitoringServiceAccount is a service account that's responsible for monitoring the size of all the tables across all projects in the organization.
| Full access across an organization | |
|---|---|
| On organization CompanyA |
|
If the company decides that MonitoringServiceAccount should also trim the size
of tables that exceed a certain size and remove data that is older than a
specific time period, MonitoringServiceAccount would need to be added to the
predefined role bigquery.user.
Read access to data in the same project
AnalystGroup is a set of data scientists responsible for analytics services within a project named CompanyProject. OperationsServiceAccount is a service account that's responsible for loading application logs into BigQuery via bulk load jobs to a specific CompanyProject:AppLogs dataset. The analysts are not allowed to modify the logs.
| Read access to data in the same project | |
|---|---|
| On project CompanyProject |
|
| On dataset CompanyProject:AppLogs |
|
Read access to data in a different project
AnalystGroup is a set of data scientists responsible for analytics services within a project named CompanyAnalytics. The data they analyze, however, resides in a separate project named CompanyLogs. OperationsServiceAccount is a service account that's responsible for loading application logs into BigQuery via bulk load jobs to a variety of datasets in the CompanyLogs project.
AnalystGroup can only read data in the CompanyLogs project and cannot create additional storage or run any query jobs in that project. Instead, the analysts use project CompanyAnalytics to perform their work, and maintain their output within the CompanyAnalytics project.
| Read access to data in a different project | |
|---|---|
| On project CompanyLogs |
|
| On project CompanyAnalytics |
|