This page provides information on BigQuery's Cloud Identity and Access Management roles and permissions.
This page includes roles and permissions relevant to each of BigQuery's companion products:
- BigQuery ML
- BigQuery Data Transfer Service
- BigQuery BI Engine
For additional information on access controls in BigQuery ML, see Access control in the BigQuery ML documentation.
Overview
When an identity calls a Google Cloud Platform API, Google BigQuery requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.
This page describes the BigQuery Cloud IAM roles that you can grant to identities to access BigQuery resources.
Cloud IAM role types
There are three types of roles in Cloud Identity and Access Management:
- Primitive roles include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud Identity and Access Management.
- Predefined roles provide granular access for a specific service and are managed by GCP. Predefined roles are meant to support common use cases and access control patterns.
- Custom roles provide granular access according to a user-specified list of permissions.
To determine if one or more permissions are included in a primitive, predefined, or custom role, you can use one of the following methods:
- The
gcloud iam roles describecommand - The
roles.get()method in the Cloud IAM API
When you assign both predefined and primitive roles to a user, the permissions granted are a union of each role's permissions.
For additional information on using IAM to access resources, see Granting, changing, and revoking access to resources in the Cloud Identity and Access Management documentation.
For information on creating custom roles, see Creating and managing custom roles in the Cloud Identity and Access Management documentation.
BigQuery permissions and predefined Cloud IAM roles
To grant access to a BigQuery resource, assign one or more roles to a user, group, or service account. When you assign roles at the organization and project level, you provide permission to run BigQuery jobs or to manage all of a project's BigQuery resources.
You can also assign roles at the dataset level to provide access only to one or more datasets. In the IAM policy hierarchy, BigQuery datasets are child resources of projects. Tables and views are child resources of datasets — they inherit permissions from their parent dataset.
For more information on assigning roles at the dataset level, see Controlling access to datasets.
BigQuery permissions
The following table describes the permissions available in BigQuery.
| Permission | Description |
|---|---|
bigquery.jobs.create |
Create new jobs. |
bigquery.jobs.listAll |
List all jobs and retrieve metadata on any job submitted by any user.* |
bigquery.jobs.list |
List all jobs and retrieve metadata on any job submitted by any user.* For jobs submitted by other users, details and metadata are redacted. |
bigquery.jobs.get |
Get data and metadata on any job.* |
bigquery.jobs.update |
Cancel any job.* |
bigquery.datasets.create |
Create new empty datasets. |
bigquery.datasets.delete |
Delete a dataset. |
bigquery.datasets.get |
Get metadata about a dataset. |
bigquery.datasets.update |
Update metadata for a dataset. |
bigquery.tables.create |
Create new tables. |
bigquery.tables.list |
List tables and metadata on tables. |
bigquery.tables.delete |
Delete tables. |
bigquery.tables.get |
Get table metadata. To get table data, you need bigquery.tables.getData. |
bigquery.tables.getData |
Get table data. To get table metadata, you need bigquery.tables.get. |
bigquery.tables.export |
Export table data out of BigQuery. |
bigquery.tables.update |
Update table metadata. |
bigquery.tables.updateData |
Update table data. |
bigquery.routines.create (beta) |
Create new routines (functions and stored procedures). |
bigquery.routines.list (beta) |
List routines and metadata on routines. |
bigquery.routines.delete (beta) |
Delete routines. |
bigquery.routines.get (beta) |
Get routine definitions and metadata. |
bigquery.routines.update (beta) |
Update routine definitions and metadata. |
bigquery.transfers.get |
Get transfer metadata. |
bigquery.transfers.update |
Create, update, and delete transfers. |
bigquery.savedqueries.create |
Create saved queries. |
bigquery.savedqueries.get |
Get metadata on saved queries. |
bigquery.savedqueries.list |
List saved queries. |
bigquery.savedqueries.update |
Update saved queries. |
bigquery.savedqueries.delete |
Delete saved queries. |
bigquery.readsessions.create (beta) |
Create a new read session via the BigQuery BigQuery Storage API. |
bigquery.connections.create (beta) |
Create new connections in a project. |
bigquery.connections.get (beta) |
Get connection metadata. Credentials are excluded. |
bigquery.connections.list (beta) |
List connections in a project. |
bigquery.connections.use (beta) |
Use a connection configuration to connect to a remote data source. |
bigquery.connections.update (beta) |
Update a connection and its credentials. |
bigquery.connections.delete (beta) |
Delete a connection. |
* For any job you create, you automatically have the equivalent of the
bigquery.jobs.get and bigquery.jobs.update
permissions for that job.
BigQuery predefined Cloud IAM roles
The following table lists the predefined BigQuery IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.
BigQuery roles
BigQuery primitive roles
For information on BigQuery primitive roles, see BigQuery primitive roles and permissions.
BigQuery custom roles
To create a custom Cloud IAM role for BigQuery, follow the steps outlined in the Cloud IAM custom roles documentation.
What's next
- See the BigQuery access control examples.
- For information on BigQuery primitve roles, see BigQuery primitive roles and permissions.
- For more information on assigning roles at the dataset level, see Controlling access to datasets.
Bạn cần trợ giúp? Truy cập