Example scenarios
The following examples involve a group of data scientists who all belong to a Google group named AnalystGroup.
Read and write access to data in a dataset
CompanyProject is a project that includes dataset1 and dataset2. AnalystGroup1 is a group of data scientists who work only on dataset1 and AnalystGroup2 is a group that works only on dataset2. The data scientists should have full access only to the dataset that they work on, including access to run queries against the data.
| Read and write access to a dataset | Grant |
|---|---|
| On dataset CompanyProject:dataset1 | Grant AnalystGroup1 WRITER access on dataset1. This role maps to the predefined IAM role bigquery.dataEditor. |
| On dataset CompanyProject:dataset2 | Grant AnalystGroup2 WRITER access on dataset2. This role maps to the predefined IAM role bigquery.dataEditor. |
| On project CompanyProject | Grant AnalystGroup1 and AnalystGroup2 bigquery.user access on CompanyProject. |
Giving the data scientists WRITER access at the dataset level gives them the ability to query data in the dataset's tables, but it does not give them permissions to run query jobs in the project. To be able to run query jobs against a dataset they've been given access to, the data scientist groups must be granted the project-level, predefined role bigquery.user. The bigquery.user role grants bigquery.jobs.create permissions.
Alternatively, you can add the data scientist groups to a project-level IAM custom role that grants bigquery.jobs.create permissions.
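As an added example (not code from the BigQuery documentation), the following Python model encodes the rule above: dataset-level data access and project-level job creation are evaluated separately, so AnalystGroup1 can query dataset1 only once it holds both grants. The custom role name `projects/CompanyProject/roles/jobRunner` used with it is hypothetical.

```python
# Added example, not the BigQuery documentation's own code: a model of the
# two-level grant described above. Only "bigquery.user carries bigquery.jobs.create"
# is from the page; the rest (e.g. READER also reads table data) is assumed.

JOB_CREATING_ROLES = {"roles/bigquery.user"}
DATA_READING_ROLES = {"READER", "WRITER"}

class IamModel:
    def __init__(self):
        self.project_roles = {}  # (project, principal) -> {IAM roles}
        self.dataset_roles = {}  # (project, dataset, principal) -> {dataset roles}
        self.custom_roles = {}   # custom role name -> {permissions}

    def define_custom_role(self, name, permissions):
        self.custom_roles[name] = set(permissions)

    def grant_project_role(self, project, principal, role):
        self.project_roles.setdefault((project, principal), set()).add(role)

    def grant_dataset_role(self, project, dataset, principal, role):
        self.dataset_roles.setdefault((project, dataset, principal), set()).add(role)

    def can_create_jobs(self, project, principal):
        """True if some project-level role carries bigquery.jobs.create."""
        for role in self.project_roles.get((project, principal), set()):
            if role in JOB_CREATING_ROLES:
                return True
            if "bigquery.jobs.create" in self.custom_roles.get(role, set()):
                return True
        return False

    def can_read_data(self, project, dataset, principal):
        roles = self.dataset_roles.get((project, dataset, principal), set())
        return bool(roles & DATA_READING_ROLES)

    def can_query(self, job_project, data_project, dataset, principal):
        # A query needs jobs.create where the job runs AND data access on the
        # dataset it reads; either grant alone is not enough.
        return (self.can_create_jobs(job_project, principal)
                and self.can_read_data(data_project, dataset, principal))

def scenario_read_write_dataset(with_project_role=True):
    """Bindings from the 'Read and write access to a dataset' table above."""
    m = IamModel()
    m.grant_dataset_role("CompanyProject", "dataset1", "AnalystGroup1", "WRITER")
    m.grant_dataset_role("CompanyProject", "dataset2", "AnalystGroup2", "WRITER")
    if with_project_role:
        for group in ("AnalystGroup1", "AnalystGroup2"):
            m.grant_project_role("CompanyProject", group, "roles/bigquery.user")
    return m
```

Dropping the project-level grant (`with_project_role=False`) leaves the group able to read dataset1 but unable to run the query job that would read it; granting a custom role holding bigquery.jobs.create restores that.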
Full access to data in a project
AnalystGroup is a group of data scientists working on BigQuery, responsible for all facets of its use within a project named CompanyProject. The group prefers for all members to have read and write access to all data. Other groups at the organization work with other Google Cloud products, but no one else interacts with BigQuery. AnalystGroup does not use any other Google Cloud services.
| Full access to data in a project | Grant |
|---|---|
| On project CompanyProject | Add AnalystGroup to the predefined role bigquery.admin. |
Full access across an organization
CompanyA is an organization that wants a specific person, named Admin1, to be the administrator for all BigQuery data across all of their projects. MonitoringServiceAccount is a service account that's responsible for monitoring the size of all the tables across all projects in the organization.
| Full access across an organization | Grant |
|---|---|
| On organization CompanyA | |
If the company decides that MonitoringServiceAccount should also trim the size of tables that exceed a certain size and remove data that is older than a specific time period, MonitoringServiceAccount would need to be added to the predefined role bigquery.user.
Read access to data in the same project
AnalystGroup is a set of data scientists responsible for analytics services within a project named CompanyProject. OperationsServiceAccount is a service account that's responsible for loading application logs into BigQuery by using bulk load jobs to a specific CompanyProject:AppLogs dataset. The analysts are not allowed to modify the logs.
| Read access to data in the same project | Grant |
|---|---|
| On project CompanyProject | |
| On dataset CompanyProject:AppLogs | |
Read access to data in a different project
AnalystGroup is a set of data scientists responsible for analytics services within a project named CompanyAnalytics. The data they analyze, however, resides in a separate project named CompanyLogs. OperationsServiceAccount is a service account that's responsible for loading application logs into BigQuery by using bulk load jobs to a variety of datasets in the CompanyLogs project.
AnalystGroup can only read data in the CompanyLogs project and cannot create additional storage or run any query jobs in that project. Instead, the analysts use project CompanyAnalytics to perform their work, and maintain their output within the CompanyAnalytics project.
| Read access to data in a different project | Grant |
|---|---|
| On project CompanyLogs | |
| On project CompanyAnalytics | |
Additional information
The following topics provide more information about BigQuery access control.
- Controlling access to datasets
- Controlling access to tables and views
- Restricting access with BigQuery Column-level security