Primitive roles and permissions

Overview

BigQuery supports the Cloud IAM primitive roles for project-level access.

BigQuery's dataset-level primitive roles existed prior to the introduction of Cloud Identity and Access Management. It is recommended that you use the predefined Cloud IAM roles instead.

Primitive roles for projects

By default, granting access to a project also grants access to datasets within it. Default access can be overridden on a per-dataset basis. Any user with the project Owner role has the ability to revoke or change any project role.

When a project is created, BigQuery grants the Owner role to the user who created the project.

Primitive role   Capabilities

Viewer
  • Can start a job in the project. Additional dataset roles are required depending on the job type.
  • Can list and get all jobs in the project, and update the jobs that they started.
  • If you create a dataset in a project that contains any viewers, BigQuery grants those users the bigquery.dataViewer predefined role for the new dataset.

Editor
  • Same as Viewer, plus:
    • Can create a new dataset in the project.
    • If you create a dataset in a project that contains any editors, BigQuery grants those users the bigquery.dataEditor predefined role for the new dataset.

Owner
  • Same as Editor, plus:
    • Can list all datasets in the project.
    • Can delete any dataset in the project.
    • Can list and get all jobs run in the project, including jobs run by other project users.
    • If you create a dataset, BigQuery grants all project owners the bigquery.dataOwner predefined role for the new dataset.

      Exception: When a user runs a query, an anonymous dataset is created to store the cached results table. Only the user who runs the query is given OWNER access to the anonymous dataset.

Primitive roles for projects are granted or revoked through the Google Cloud Console. You must have Owner access to the project in order to grant or revoke a new project role.

For more information about how to grant or revoke access for project roles, see Granting, changing, and revoking access to resources in the Cloud Identity and Access Management documentation.

Primitive roles for datasets

The following primitive roles apply at the dataset level.

Dataset role   Capabilities

READER
  • Can read, query, copy or export tables in the dataset, and can read routines in the dataset:
    • Can call get on the dataset
    • Can call get and list on tables in the dataset
    • Can call get and list on routines in the dataset
    • Can call list on table data for tables in the dataset
  • Maps to the bigquery.dataViewer predefined role

WRITER
  • Maps to the bigquery.dataEditor predefined role (the role granted to project editors on a new dataset)

OWNER
  • Maps to the bigquery.dataOwner predefined role (the role granted to project owners on a new dataset)

Note: A dataset must have at least one entity with the OWNER role. A user with the OWNER role can't remove their own OWNER role.

For more information on assigning roles at the dataset level, see Controlling access to datasets.

When you create a new dataset, BigQuery adds default dataset access for the following entities. Roles that you specify on dataset creation overwrite the default values.

Entity                                        Dataset role
All users with Viewer access to the project   READER
All users with Editor access to the project   WRITER
All users with Owner access to the project    OWNER

Exception: When a user runs a query, an anonymous dataset is created to store the cached results table. Only the user that runs the query is given OWNER access to the anonymous dataset.
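The default entries above are what make project-level primitive roles leak into every new dataset: a project Viewer gets READER on a dataset nobody explicitly shared with them. The audit below, an added example that is not part of the original page or of Google's tooling, takes a dataset's access list in the shape returned by `bq show --format=prettyjson PROJECT:DATASET` (the `access` array, whose entries carry a `role` plus one of `userByEmail`, `groupByEmail`, `domain`, `specialGroup`, `iamMember`, or a `view` entry for an authorized view), flags the entries that exist only because of the project-inherited special groups `projectReaders`, `projectWriters` and `projectOwners`, and produces a tightened list that drops them while enforcing the rule that a dataset must keep at least one OWNER. The sample access list, the principals in it, and the function names are constructed for this example.

```python
"""Audit and tighten a BigQuery dataset access list (added example, not Google code).

Input shape follows the `access` array in `bq show --format=prettyjson`; the
entries below are constructed sample data, not a real dataset.
"""
from typing import Any, Dict, List

# Special groups through which project-level primitive roles reach a dataset
# by default (Viewer -> READER, Editor -> WRITER, Owner -> OWNER).
PROJECT_SPECIAL_GROUPS = {
    "projectReaders": "READER",
    "projectWriters": "WRITER",
    "projectOwners": "OWNER",
}

# Legacy dataset role -> predefined IAM role it corresponds to.
ROLE_TO_PREDEFINED = {
    "READER": "roles/bigquery.dataViewer",
    "WRITER": "roles/bigquery.dataEditor",
    "OWNER": "roles/bigquery.dataOwner",
}

# Constructed sample: the three default entries plus explicit grants.
SAMPLE_ACCESS: List[Dict[str, Any]] = [
    {"role": "READER", "specialGroup": "projectReaders"},
    {"role": "WRITER", "specialGroup": "projectWriters"},
    {"role": "OWNER", "specialGroup": "projectOwners"},
    {"role": "OWNER", "userByEmail": "alice@example.com"},
    {"role": "READER", "groupByEmail": "analysts@example.com"},
    {"view": {"projectId": "p", "datasetId": "d", "tableId": "v"}},
]


def principal(entry: Dict[str, Any]) -> str:
    """Render the grantee of one access entry as 'kind:value'."""
    for key in ("userByEmail", "groupByEmail", "domain", "specialGroup", "iamMember"):
        if key in entry:
            return f"{key}:{entry[key]}"
    if "view" in entry:  # authorized view: no role, grants the view read access
        v = entry["view"]
        return f"view:{v['projectId']}.{v['datasetId']}.{v['tableId']}"
    return "unknown"


def inherited_project_grants(access: List[Dict[str, Any]]) -> List[str]:
    """Entries present only because of project-level primitive roles.

    Each result reads 'principal -> dataset role (predefined equivalent)'.
    """
    out = []
    for e in access:
        group = e.get("specialGroup")
        if group in PROJECT_SPECIAL_GROUPS:
            role = e.get("role", PROJECT_SPECIAL_GROUPS[group])
            out.append(f"{principal(e)} -> {role} ({ROLE_TO_PREDEFINED[role]})")
    return out


def explicit_owners(access: List[Dict[str, Any]]) -> List[str]:
    """OWNER grantees other than the projectOwners special group."""
    return [
        principal(e)
        for e in access
        if e.get("role") == "OWNER" and e.get("specialGroup") != "projectOwners"
    ]


def tighten_access(access: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Drop project-inherited grants without violating the OWNER invariant.

    A dataset must keep at least one OWNER, so refuse to remove projectOwners
    when no other principal holds OWNER; the caller must add one first.
    """
    if not explicit_owners(access):
        raise ValueError("tightening would leave the dataset with no OWNER")
    return [e for e in access if e.get("specialGroup") not in PROJECT_SPECIAL_GROUPS]


if __name__ == "__main__":
    for line in inherited_project_grants(SAMPLE_ACCESS):
        print("inherited:", line)
    for e in tighten_access(SAMPLE_ACCESS):
        print("keep:", principal(e), e.get("role", "(view)"))
```

The tightened list is what you would write to a file and apply with `bq update --source access.json PROJECT:DATASET`; the check in `tighten_access` matters because the service rejects an access list with no OWNER, and the refusal surfaces the missing explicit owner before you attempt the update rather than after.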
