Access control with IAM
This page provides information on Identity and Access Management (IAM) roles and permissions for BigQuery. Before you configure access control for BigQuery, you can familiarize yourself with how to manage access to Google Cloud with IAM.
You might also need detailed guidance for roles and permissions for the following BigQuery services:
Overview
When an identity (a user or service account) calls a Google Cloud API, BigQuery requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.
This page describes the BigQuery IAM roles that you can grant to identities to access BigQuery resources.
IAM role types
You can manage the following types of roles in IAM:
- Predefined roles provide granular access for a specific service and are managed by Google Cloud. Predefined roles are meant to support common use cases and access control patterns.
- Custom roles provide access according to a user-specified list of permissions.
To determine if one or more permissions are included in a role, you can use one of the following methods:
- The IAM permissions search reference
- The
gcloud iam roles describe
command - The
roles.get()
method in the IAM API
When you assign multiple role types to a user, the permissions granted are a union of each role's permissions.
For additional information on using IAM to access resources, see Granting, changing, and revoking access to resources in the IAM documentation.
For information on creating custom roles, see Creating and managing custom roles in the IAM documentation.
BigQuery permissions and predefined IAM roles
Permissions are not assigned directly to users, groups, or service accounts. Instead, users, groups, or service accounts are granted access to predefined or custom roles to give them permissions to perform actions on resources.
You can grant access at the following BigQuery resource levels:
- organization or Google Cloud project level
- dataset level
- table or view level
Roles applied at an organization or Cloud project level
When you assign roles at the organization and project level, you provide permission to run BigQuery jobs or to access all of a project's BigQuery resources.
Roles applied at a dataset level
You can assign roles at the dataset level to provide access to a specific dataset, without providing complete access to the project's resources. In the IAM policy hierarchy, BigQuery datasets are child resources of projects. For more information on assigning roles at the dataset level, see Controlling access to datasets.
Roles applied to individual resources within datasets
You can assign roles individually to certain types of resources within datasets, without providing complete access to the dataset's resources.
Roles can be applied to individual resources of the following types:
- tables
- views
Roles cannot be applied to individual resources of the following types:
- routines
- models
For more information on assigning roles at the table or view level, see Controlling access to tables or views.
BigQuery permissions
The following table describes the permissions available in BigQuery.
Permission | Description |
---|---|
bigquery.bireservations.get |
Read BI Engine reservations. |
bigquery.bireservations.update |
Update BI Engine reservations. |
bigquery.capacityCommitments.create |
Create a capacity commitment in the project. |
bigquery.capacityCommitments.delete |
Delete a capacity commitment. |
bigquery.capacityCommitments.get |
Retrieve details about a capacity commitment. |
bigquery.capacityCommitments.list |
List all capacity commitments in a project. |
bigquery.capacityCommitments.update |
Update all capacity commitments in a project. |
bigquery.connections.create |
Create new connections in a project. |
bigquery.connections.delete |
Delete a connection. |
bigquery.connections.get |
Get connection metadata. Credentials are excluded. |
bigquery.connections.list |
List connections in a project. |
bigquery.connections.update |
Update a connection and its credentials. |
bigquery.connections.updateTag |
Update tags for a connection. |
bigquery.connections.use |
Use a connection configuration to connect to a remote data source. |
bigquery.connections.delegate |
Delegate connection to create authorized external tables and remote functions. |
bigquery.datasets.create |
Create new empty datasets. |
bigquery.datasets.delete |
Delete a dataset. |
bigquery.datasets.get |
Get metadata about a dataset. |
bigquery.datasets.getIamPolicy |
Read a dataset's IAM permissions. |
bigquery.datasets.link |
Create a linked dataset. |
bigquery.datasets.setIamPolicy |
Change a dataset's IAM permissions. |
bigquery.datasets.update |
Update metadata for a dataset. |
bigquery.datasets.updateTag (beta) |
Update tags for a dataset. |
bigquery.jobs.create |
Run jobs (including queries) within the project. |
bigquery.jobs.get |
Get data and metadata on any job.1 |
bigquery.jobs.list |
List all jobs and retrieve metadata on any job submitted by any user. For jobs submitted by other users, details and metadata are redacted. |
bigquery.jobs.listAll |
List all jobs and retrieve metadata on any job submitted by any user. |
bigquery.jobs.listExecutionMetadata (beta) |
List all job execution metadata (without sensitive information) on any job submitted by any user. It can only be applied at the organization level and is used by Admin UI. |
bigquery.jobs.delete |
Delete metadata for a job. |
bigquery.jobs.update |
Cancel any job.1 |
bigquery.models.create |
Create new models. |
bigquery.models.delete |
Delete models. |
bigquery.models.getData |
Get model data. To get model metadata, you need
bigquery.models.getMetadata . |
bigquery.models.getMetadata |
Get model metadata. To get model data, you need
bigquery.models.getData . |
bigquery.models.list |
List models and metadata on models. |
bigquery.models.updateData |
Update model data. To update model metadata, you need
bigquery.models.updateMetadata . |
bigquery.models.updateMetadata |
Update model metadata. To update model data, you need
bigquery.models.updateData . |
bigquery.models.export |
Export a model. |
bigquery.readsessions.create |
Create a new read session via the BigQuery Storage Read API. |
bigquery.readsessions.getData |
Read data from a read session via the Storage Read API. |
bigquery.readsessions.update |
Update a read session via the Storage Read API. |
bigquery.reservations.create |
Create a reservation in a project. |
bigquery.reservations.delete |
Delete a reservation. |
bigquery.reservations.get |
Retrieve details about a reservation. |
bigquery.reservations.list |
List all reservations in a project. |
bigquery.reservations.update |
Update a reservation's properties. |
bigquery.reservationAssignments.create |
Create a reservation assignment. This permission is required on the
owner project and assignee resource. |
bigquery.reservationAssignments.delete |
Delete a reservation assignment. This permission is required on the
owner project and assignee resource. |
bigquery.reservationAssignments.list |
List all reservation assignments in a project. |
bigquery.reservationAssignments.search |
Search for a reservation assignment for a given project, folder, or organization. |
bigquery.rowAccessPolicies.create |
Create a new row-level access policy on a table. |
bigquery.rowAccessPolicies.delete |
Delete a row-level access policy from a table. |
bigquery.rowAccessPolicies.getFilteredData |
Gets data in a table that you want to be visible only to the principals in a row-level access policy's grantee list. We recommend this permission only be granted on a row-level access policy resource. |
bigquery.rowAccessPolicies.list |
List all row-level access policies on a table. |
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions |
Access historical data for a table that has, or has previously had, row-level access policies. |
bigquery.rowAccessPolicies.getIamPolicy |
Get a row access policy's IAM permissions. |
bigquery.rowAccessPolicies.setIamPolicy |
Set the row access policy's IAM permissions. |
bigquery.rowAccessPolicies.update |
Re-create a row-level access policy. |
bigquery.routines.create |
Create new routines (functions and stored procedures). |
bigquery.routines.delete |
Delete routines. |
bigquery.routines.get |
Get routine definitions and metadata. |
bigquery.routines.list |
List routines and metadata on routines. |
bigquery.routines.update |
Update routine definitions and metadata. |
bigquery.routines.updateTag |
Update tags for a routine. |
bigquery.savedqueries.create |
Create saved queries. |
bigquery.savedqueries.delete |
Delete saved queries. |
bigquery.savedqueries.get |
Get metadata on saved queries. |
bigquery.savedqueries.list |
List saved queries. |
bigquery.savedqueries.update |
Update saved queries. |
bigquery.tables.create |
Create new tables. |
bigquery.tables.createIndex |
Create search indexes on tables. |
bigquery.tables.createSnapshot
|
Create new table snapshots. |
bigquery.tables.delete |
Delete tables. |
bigquery.tables.deleteIndex |
Drop search indexes on tables. |
bigquery.tables.deleteSnapshot
|
Delete table snapshots. |
bigquery.tables.export |
Export table data out of BigQuery. |
bigquery.tables.get |
Get table metadata. To get table data, you need bigquery.tables.getData . |
bigquery.tables.getData |
Get table data. This permission is required for querying table data. To get table metadata, you need bigquery.tables.get . |
bigquery.tables.getIamPolicy |
Read a table's IAM policy. |
bigquery.tables.list |
List tables and metadata on tables. |
bigquery.tables.restoreSnapshot
|
Restore table snapshots. |
bigquery.tables.setCategory |
Set policy tags in table schema. |
bigquery.tables.setIamPolicy |
Change a table's IAM policy. |
bigquery.tables.update |
Update table metadata. |
bigquery.tables.updateData |
Update table data. |
bigquery.tables.updateTag (beta) |
Update tags for a table. |
bigquery.transfers.get |
Get transfer metadata. |
bigquery.transfers.update |
Create, update, and delete transfers. |
1 For any job you create, you automatically have the equivalent of the
bigquery.jobs.get
and bigquery.jobs.update
permissions for that job.
BigQuery predefined IAM roles
The following table lists the predefined BigQuery IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.
Role | Permissions |
---|---|
BigQuery Admin
Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Lowest-level resources where you can grant this role:
|
|
BigQuery Connection Admin
|
|
BigQuery Connection User
|
|
BigQuery Data Editor
When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role:
|
|
BigQuery Data Owner
When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role:
|
|
BigQuery Data Viewer
When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role:
|
|
BigQuery Filtered Data Viewer
Access to view filtered table data defined by a row access policy |
|
BigQuery Job User
Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role:
|
|
BigQuery Metadata Viewer
When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
When applied at the project or organization level, this role provides permissions to:
Additional roles are necessary to allow the running of jobs. Lowest-level resources where you can grant this role:
|
|
BigQuery Read Session User
Access to create and use read sessions |
|
BigQuery Resource Admin
Administer all BigQuery resources. |
|
BigQuery Resource Editor
Manage all BigQuery resources, but cannot make purchasing decisions. |
|
BigQuery Resource Viewer
View all BigQuery resources but cannot make changes or purchasing decisions. |
|
BigQuery User
When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries,
within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and
enumerate datasets within a project. Additionally, allows the creation of new datasets within the
project; the creator is granted the BigQuery Data Owner role ( Lowest-level resources where you can grant this role:
|
|
Masked Reader
Beta
Maksed read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns |
|
BigQuery custom roles
To create a custom IAM role for BigQuery, follow the steps outlined in the IAM custom roles documentation.
BigQuery basic roles
For information on BigQuery basic roles, see BigQuery basic roles and permissions.
What's next
- See the BigQuery access control examples.
- For more information about assigning roles at the dataset level, see Controlling access to datasets.
- For more information about assigning roles at the table or view level, see Controlling access to tables and views.