This page provides information on BigQuery's Cloud Identity and Access Management roles and permissions.
This page includes roles and permissions relevant to each of BigQuery's companion products:
- BigQuery ML
- BigQuery Data Transfer Service
- BigQuery BI Engine
For additional information on access controls in BigQuery ML, see Access control in the BigQuery ML documentation.
Overview
When an identity calls a Google Cloud API, BigQuery requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.
This page describes the BigQuery Cloud IAM roles that you can grant to identities to access BigQuery resources.
Cloud IAM role types
There are three types of roles in Cloud Identity and Access Management:
- Primitive roles include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud Identity and Access Management.
- Predefined roles provide granular access for a specific service and are managed by Google Cloud. Predefined roles are meant to support common use cases and access control patterns.
- Custom roles provide granular access according to a user-specified list of permissions.
To determine if one or more permissions are included in a primitive, predefined, or custom role, you can use one of the following methods:
- The
gcloud iam roles describecommand - The
roles.get()method in the Cloud IAM API
When you assign both predefined and primitive roles to a user, the permissions granted are a union of each role's permissions.
For additional information on using Cloud IAM to access resources, see Granting, changing, and revoking access to resources in the Cloud Identity and Access Management documentation.
For information on creating custom roles, see Creating and managing custom roles in the Cloud Identity and Access Management documentation.
BigQuery permissions and predefined Cloud IAM roles
To grant access to a BigQuery resource, assign one or more roles to a user, group, or service account. When you assign roles at the organization and project level, you provide permission to run BigQuery jobs or to manage all of a project's BigQuery resources.
You can also assign roles at the dataset level to provide access only to one or more datasets. In the Cloud IAM policy hierarchy, BigQuery datasets are child resources of projects. Tables and views are child resources of datasets — they inherit permissions from their parent dataset.
For more information on assigning roles at the dataset level, see Controlling access to datasets.
BigQuery permissions
The following table describes the permissions available in BigQuery.
| Permission | Description |
|---|---|
bigquery.capacityCommitments.create (beta) |
Create a capacity commitment in the project. |
bigquery.capacityCommitments.delete (beta) |
Delete a capacity commitment. |
bigquery.capacityCommitments.get (beta) |
Retrieve details about a capacity commitment. |
bigquery.capacityCommitments.list (beta) |
List all capacity commitments in a project. |
bigquery.connections.create (beta) |
Create new connections in a project. |
bigquery.connections.delete (beta) |
Delete a connection. |
bigquery.connections.get (beta) |
Get connection metadata. Credentials are excluded. |
bigquery.connections.list (beta) |
List connections in a project. |
bigquery.connections.update (beta) |
Update a connection and its credentials. |
bigquery.connections.use (beta) |
Use a connection configuration to connect to a remote data source. |
bigquery.datasets.create |
Create new empty datasets. |
bigquery.datasets.delete |
Delete a dataset. |
bigquery.datasets.get |
Get metadata about a dataset. |
bigquery.datasets.getIamPolicy |
Read Cloud IAM policy |
bigquery.datasets.setIamPolicy |
Change Cloud IAM policy |
bigquery.datasets.update |
Update metadata for a dataset. |
bigquery.jobs.create |
Run jobs (including queries) within the project. |
bigquery.jobs.get |
Get data and metadata on any job.* |
bigquery.jobs.list |
List all jobs and retrieve metadata on any job submitted by any user.* For jobs submitted by other users, details and metadata are redacted. |
bigquery.jobs.listAll |
List all jobs and retrieve metadata on any job submitted by any user.* |
bigquery.jobs.update |
Cancel any job.* |
bigquery.models.create |
Create new models. |
bigquery.models.delete |
Delete models. |
bigquery.models.getData |
Get model data. To get model metadata, you need
bigquery.models.getMetadata. |
bigquery.models.getMetadata |
Get model metadata. To get model data, you need
bigquery.models.getData. |
bigquery.models.list |
List models and metadata on models. |
bigquery.models.updateData |
Update model data. To update model metadata, you need
bigquery.models.updateMetadata. |
bigquery.models.updateMetadata |
Update model metadata. To update model data, you need
bigquery.models.updateData. |
bigquery.readsessions.create (beta) |
Create a new read session via the BigQuery Storage API. |
bigquery.readsessions.getData (beta) |
Read data from a read session via the BigQuery Storage API. |
bigquery.readsessions.update (beta) |
Update a read session via the BigQuery Storage API. |
bigquery.reservations.create (beta) |
Create a reservation in a project. |
bigquery.reservations.delete (beta) |
Delete a reservation. |
bigquery.reservations.get (beta) |
Retrieve details about a reservation. |
bigquery.reservations.list (beta) |
List all reservations in a project. |
bigquery.reservations.update (beta) |
Update a reservation's properties. |
bigquery.reservationAssignments.create (beta) |
Create a reservation assignment. This permission is required on the
owner project and assignee resource. |
bigquery.reservationAssignments.delete (beta) |
Delete a reservation assignment. This permission is required on the
owner project and assignee resource. |
bigquery.reservationAssignments.list (beta) |
List reservation assignments. |
bigquery.routines.create (beta) |
Create new routines (functions and stored procedures). |
bigquery.routines.delete (beta) |
Delete routines. |
bigquery.routines.get (beta) |
Get routine definitions and metadata. |
bigquery.routines.list (beta) |
List routines and metadata on routines. |
bigquery.routines.update (beta) |
Update routine definitions and metadata. |
bigquery.savedqueries.create |
Create saved queries. |
bigquery.savedqueries.delete |
Delete saved queries. |
bigquery.savedqueries.get |
Get metadata on saved queries. |
bigquery.savedqueries.list |
List saved queries. |
bigquery.savedqueries.update |
Update saved queries. |
bigquery.tables.create |
Create new tables. |
bigquery.tables.delete |
Delete tables. |
bigquery.tables.export |
Export table data out of BigQuery. |
bigquery.tables.get |
Get table metadata. To get table data, you need bigquery.tables.getData. |
bigquery.tables.getData |
Get table data. This permission is required for querying table data. To get table metadata, you need bigquery.tables.get. |
bigquery.tables.list |
List tables and metadata on tables. |
bigquery.tables.update |
Update table metadata. |
bigquery.tables.updateData |
Update table data. |
bigquery.transfers.get |
Get transfer metadata. |
bigquery.transfers.update |
Create, update, and delete transfers. |
* For any job you create, you automatically have the equivalent of the
bigquery.jobs.get and bigquery.jobs.update
permissions for that job.
BigQuery predefined Cloud IAM roles
The following table lists the predefined BigQuery Cloud IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
BigQuery Admin | Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. |
bigquery.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
BigQuery Connection Admin Beta |
bigquery.connections.* |
||
roles/ |
BigQuery Connection User Beta |
bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use |
||
roles/ |
BigQuery Data Editor |
When applied to a dataset, dataEditor provides permissions to:
When applied at the project or organization level, this role can also create new datasets. |
bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list |
Dataset |
roles/ |
BigQuery Data Owner |
When applied to a dataset, dataOwner provides permissions to:
When applied at the project or organization level, this role can also create new datasets. |
bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list |
Dataset |
roles/ |
BigQuery Data Viewer |
When applied to a dataset, dataViewer provides permissions to:
When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. |
bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list |
Dataset |
roles/ |
BigQuery Job User | Provides permissions to run jobs, including queries, within the project. This role can check the existence of all jobs, enumerate their own jobs, and cancel their own jobs. |
bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
BigQuery Metadata Viewer |
When applied at the project or organization level, metadataViewer provides permissions to:
Additional roles are necessary to allow the running of jobs. |
bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
BigQuery Read Session User Beta | Access to create and use read sessions |
bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
BigQuery User |
Provides permissions to run jobs, including queries, within the project. The
user role can enumerate their own jobs, cancel their own jobs, and enumerate
datasets within a project. Additionally, allows the creation of new datasets
within the project; the creator is granted the
bigquery.dataOwner role for these new datasets.
|
bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list |
Project |
BigQuery primitive roles
For information on BigQuery primitive roles, see BigQuery primitive roles and permissions.
BigQuery custom roles
To create a custom Cloud IAM role for BigQuery, follow the steps outlined in the Cloud IAM custom roles documentation.
What's next
- See the BigQuery access control examples.
- For information on BigQuery primitive roles, see BigQuery primitive roles and permissions.
- For more information on assigning roles at the dataset level, see Controlling access to datasets.