Access control with IAM

This page provides information on Identity and Access Management (IAM) roles and permissions for BigQuery. Before you configure access control for BigQuery, you can familiarize yourself with how to manage access to Google Cloud with IAM.

You might also need detailed guidance for roles and permissions for the following BigQuery services:

Overview

When an identity (a user or service account) calls a Google Cloud API, BigQuery requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.

This page describes the BigQuery IAM roles that you can grant to identities to access BigQuery resources.

IAM role types

You can manage the following types of roles in IAM:

  • Predefined roles provide granular access for a specific service and are managed by Google Cloud. Predefined roles are meant to support common use cases and access control patterns.
  • Custom roles provide access according to a user-specified list of permissions.

To determine if one or more permissions are included in a role, you can use one of the following methods:

When you assign multiple role types to a user, the permissions granted are a union of each role's permissions.

For additional information on using IAM to access resources, see Granting, changing, and revoking access to resources in the IAM documentation.

For information on creating custom roles, see Creating and managing custom roles in the IAM documentation.

BigQuery permissions and predefined IAM roles

Permissions are not assigned directly to users, groups, or service accounts. Instead, users, groups, or service accounts are granted access to predefined or custom roles to give them permissions to perform actions on resources.

You can grant access at the following BigQuery resource levels:

  • organization or Google Cloud project level
  • dataset level
  • table or view level

Roles applied at an organization or Cloud project level

When you assign roles at the organization and project level, you provide permission to run BigQuery jobs or to access all of a project's BigQuery resources.

Roles applied at a dataset level

You can assign roles at the dataset level to provide access to a specific dataset, without providing complete access to the project's resources. In the IAM policy hierarchy, BigQuery datasets are child resources of projects. For more information on assigning roles at the dataset level, see Controlling access to datasets.

Roles applied to individual resources within datasets

You can assign roles individually to certain types of resources within datasets, without providing complete access to the dataset's resources.

Roles can be applied to individual resources of the following types:

  • tables
  • views

Roles cannot be applied to individual resources of the following types:

  • routines
  • models

For more information on assigning roles at the table or view level, see Controlling access to tables or views.

BigQuery permissions

The following table describes the permissions available in BigQuery.

Permission Description
bigquery.bireservations.get Read BI Engine reservations.
bigquery.bireservations.update Update BI Engine reservations.
bigquery.capacityCommitments.create Create a capacity commitment in the project.
bigquery.capacityCommitments.delete Delete a capacity commitment.
bigquery.capacityCommitments.get Retrieve details about a capacity commitment.
bigquery.capacityCommitments.list List all capacity commitments in a project.
bigquery.capacityCommitments.update Update all capacity commitments in a project.
bigquery.connections.create Create new connections in a project.
bigquery.connections.delete Delete a connection.
bigquery.connections.get Get connection metadata. Credentials are excluded.
bigquery.connections.list List connections in a project.
bigquery.connections.update Update a connection and its credentials.
bigquery.connections.updateTag

Update tags for a connection.

bigquery.connections.use Use a connection configuration to connect to a remote data source.
bigquery.connections.delegate Delegate connection to create authorized external tables and remote functions.
bigquery.dataPolicies.create

Create new data policies.

This permission is in preview.

bigquery.dataPolicies.delete

Delete data policies.

This permission is in preview.

bigquery.dataPolicies.get

Get metadata about data policies.

This permission is in preview.

bigquery.dataPolicies.getIamPolicy

Read a data policy's IAM permissions.

This permission is in preview.

bigquery.dataPolicies.list

List data policies in a project.

This permission is in preview.

bigquery.dataPolicies.maskedGet

View the masked data of a column that has a policy tag associated with a data policy.

This permission is in preview.

bigquery.dataPolicies.setIamPolicy

Set a data policy's IAM permissions.

This permission is in preview

bigquery.dataPolicies.update

Update metadata for a data policy.

This permission is in preview.

bigquery.datasets.create Create new empty datasets.
bigquery.datasets.createTagBinding Create tag bindings on a dataset.
bigquery.datasets.delete Delete a dataset.
bigquery.datasets.deleteTagBinding Delete tag bindings on a dataset.
bigquery.datasets.get Get metadata about a dataset.
bigquery.datasets.getIamPolicy Read a dataset's IAM permissions.
bigquery.datasets.link Create a linked dataset.
bigquery.datasets.listTagBindings List tag bindings on a dataset.
bigquery.datasets.setIamPolicy Change a dataset's IAM permissions.
bigquery.datasets.update Update metadata for a dataset.
bigquery.datasets.updateTag (beta) Update tags for a dataset.
bigquery.jobs.create Run jobs (including queries) within the project.
bigquery.jobs.get Get data and metadata on any job.1
bigquery.jobs.list List all jobs and retrieve metadata on any job submitted by any user. For jobs submitted by other users, details and metadata are redacted.
bigquery.jobs.listAll List all jobs and retrieve metadata on any job submitted by any user.
bigquery.jobs.listExecutionMetadata (beta) List all job execution metadata (without sensitive information) on any job submitted by any user. It can only be applied at the organization level and is used by Admin UI.
bigquery.jobs.delete Delete metadata for a job.
bigquery.jobs.update Cancel any job.1
bigquery.models.create Create new models.
bigquery.models.delete Delete models.
bigquery.models.getData Get model data. To get model metadata, you need bigquery.models.getMetadata.
bigquery.models.getMetadata Get model metadata. To get model data, you need bigquery.models.getData.
bigquery.models.list List models and metadata on models.
bigquery.models.updateData Update model data. To update model metadata, you need bigquery.models.updateMetadata.
bigquery.models.updateMetadata Update model metadata. To update model data, you need bigquery.models.updateData.
bigquery.models.export Export a model.
bigquery.readsessions.create Create a new read session via the BigQuery Storage Read API.
bigquery.readsessions.getData Read data from a read session via the Storage Read API.
bigquery.readsessions.update Update a read session via the Storage Read API.
bigquery.reservations.create Create a reservation in a project.
bigquery.reservations.delete Delete a reservation.
bigquery.reservations.get Retrieve details about a reservation.
bigquery.reservations.list List all reservations in a project.
bigquery.reservations.update Update a reservation's properties.
bigquery.reservationAssignments.create

Create a reservation assignment. This permission is required on the owner project and assignee resource.
To move a reservation assignment, you need bigquery.reservationAssignments.create on the new owner project and assignee resource.

bigquery.reservationAssignments.delete

Delete a reservation assignment. This permission is required on the owner project and assignee resource.
To move a reservation assignment, you need bigquery.reservationAssignments.delete on the old owner project and assignee resource.

bigquery.reservationAssignments.list List all reservation assignments in a project.
bigquery.reservationAssignments.search Search for a reservation assignment for a given project, folder, or organization.
bigquery.rowAccessPolicies.create Create a new row-level access policy on a table.
bigquery.rowAccessPolicies.delete Delete a row-level access policy from a table.
bigquery.rowAccessPolicies.getFilteredData Gets data in a table that you want to be visible only to the principals in a row-level access policy's grantee list. We recommend this permission only be granted on a row-level access policy resource.
bigquery.rowAccessPolicies.list List all row-level access policies on a table.
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions Access historical data for a table that has, or has previously had, row-level access policies.
bigquery.rowAccessPolicies.getIamPolicy Get a row access policy's IAM permissions.
bigquery.rowAccessPolicies.setIamPolicy Set the row access policy's IAM permissions.
bigquery.rowAccessPolicies.update Re-create a row-level access policy.
bigquery.routines.create Create new routines (functions and stored procedures).
bigquery.routines.delete Delete routines.
bigquery.routines.get Get routine definitions and metadata.
bigquery.routines.list List routines and metadata on routines.
bigquery.routines.update

Update routine definitions and metadata.

bigquery.routines.updateTag

Update tags for a routine.

bigquery.savedqueries.create Create saved queries.
bigquery.savedqueries.delete Delete saved queries.
bigquery.savedqueries.get Get metadata on saved queries.
bigquery.savedqueries.list List saved queries.
bigquery.savedqueries.update Update saved queries.
bigquery.tables.create Create new tables.
bigquery.tables.createIndex Create search indexes on tables.
bigquery.tables.createSnapshot Create new table snapshots.
bigquery.tables.delete Delete tables.
bigquery.tables.deleteIndex Drop search indexes on tables.
bigquery.tables.deleteSnapshot Delete table snapshots.
bigquery.tables.export Export table data out of BigQuery.
bigquery.tables.get Get table metadata.
To get table data, you need bigquery.tables.getData.
bigquery.tables.getData Get table data. This permission is required for querying table data.
To get table metadata, you need bigquery.tables.get.
bigquery.tables.getIamPolicy Read a table's IAM policy.
bigquery.tables.list List tables and metadata on tables.
bigquery.tables.restoreSnapshot Restore table snapshots.
bigquery.tables.setCategory Set policy tags in table schema.
bigquery.tables.setIamPolicy Change a table's IAM policy.
bigquery.tables.update

Update table metadata.
To update table data, you need bigquery.tables.updateData.

bigquery.tables.updateData

Update table data.
To update table metadata, you need bigquery.tables.update.

bigquery.tables.updateTag (beta) Update tags for a table.
bigquery.transfers.get Get transfer metadata.
bigquery.transfers.update Create, update, and delete transfers.

1 For any job you create, you automatically have the equivalent of the bigquery.jobs.get and bigquery.jobs.update permissions for that job.

BigQuery predefined IAM roles

The following table lists the predefined BigQuery IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

Role Permissions

BigQuery Admin
(roles/bigquery.admin)

Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.

Lowest-level resources where you can grant this role:

  • Datasets
  • Row access policies
  • Tables
  • Views
  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.config.*
  • bigquery.connections.*
  • bigquery.dataPolicies.create
  • bigquery.dataPolicies.delete
  • bigquery.dataPolicies.get
  • bigquery.dataPolicies.getIamPolicy
  • bigquery.dataPolicies.list
  • bigquery.dataPolicies.setIamPolicy
  • bigquery.dataPolicies.update
  • bigquery.datasets.*
  • bigquery.jobs.*
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.savedqueries.*
  • bigquery.tables.*
  • bigquery.transfers.*
  • bigquerymigration.translation.translate
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Connection Admin
(roles/bigquery.connectionAdmin)

  • bigquery.connections.*

BigQuery Connection User
(roles/bigquery.connectionUser)

  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use

BigQuery Data Editor
(roles/bigquery.dataEditor)

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

  • Table
  • View
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Data Owner
(roles/bigquery.dataOwner)

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Share the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

  • Table
  • View
  • bigquery.config.get
  • bigquery.dataPolicies.create
  • bigquery.dataPolicies.delete
  • bigquery.dataPolicies.get
  • bigquery.dataPolicies.getIamPolicy
  • bigquery.dataPolicies.list
  • bigquery.dataPolicies.setIamPolicy
  • bigquery.dataPolicies.update
  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Data Viewer
(roles/bigquery.dataViewer)

When applied to a table or view, this role provides permissions to:

  • Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

  • Table
  • View
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.createSnapshot
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Filtered Data Viewer
(roles/bigquery.filteredDataViewer)

Access to view filtered table data defined by a row access policy

  • bigquery.rowAccessPolicies.getFilteredData

BigQuery Job User
(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

Lowest-level resources where you can grant this role:

  • Project
  • bigquery.config.get
  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Metadata Viewer
(roles/bigquery.metadataViewer)

When applied to a table or view, this role provides permissions to:

  • Read metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • List tables and views in the dataset.
  • Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

  • Table
  • View
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Read Session User
(roles/bigquery.readSessionUser)

Access to create and use read sessions

  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Admin
(roles/bigquery.resourceAdmin)

Administer all BigQuery resources.

  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • recommender.bigqueryCapacityCommitmentsInsights.*
  • recommender.bigqueryCapacityCommitmentsRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Editor
(roles/bigquery.resourceEditor)

Manage all BigQuery resources, but cannot make purchasing decisions.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Viewer
(roles/bigquery.resourceViewer)

View all BigQuery resources but cannot make changes or purchasing decisions.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery User
(roles/bigquery.user)

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

Lowest-level resources where you can grant this role:

  • Dataset
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • bigquerymigration.translation.translate
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Masked Reader Beta
(roles/bigquerydatapolicy.maskedReader)

Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns

  • bigquery.dataPolicies.maskedGet

BigQuery custom roles

To create a custom IAM role for BigQuery, follow the steps outlined in the IAM custom roles documentation.

BigQuery basic roles

For information on BigQuery basic roles, see BigQuery basic roles and permissions.

What's next