Scan for data quality issues

This document explains how to use BigQuery and Dataplex Universal Catalog together to ensure that data meets your quality expectations. Dataplex Universal Catalog automatic data quality lets you define and measure the quality of the data in your BigQuery tables. You can automate the scanning of data, validate data against defined rules, and log alerts if your data doesn't meet quality requirements.

For more information about automatic data quality, see the Auto data quality overview.

Before you begin

Enable the Dataplex API.
Enable the API
Optional: If you want Dataplex Universal Catalog to generate recommendations for data quality rules based on the results of a data profile scan, create and run the data profile scan.

Required roles

To run a data quality scan on a BigQuery table, you need permission to read the BigQuery table and permission to create a BigQuery job in the project used to scan the table.

Note: Dataplex Universal Catalog doesn't create a BigQuery job in your project. However, you need this permission to create a DryRun job to check for permissions for the table.
If the BigQuery table and the data quality scan are in different projects, then you need to give the Dataplex Universal Catalog service account of the project containing the data quality scan read permission for the corresponding BigQuery table.

Note: If you haven't created any data quality or data profile scans or you don't have a Dataplex Universal Catalog lake in this project, create a service identifier by running: gcloud beta services identity create --service=dataplex.googleapis.com. This command returns a Dataplex Universal Catalog service identifier if it exists.
If the data quality rules refer to additional tables, then the scan project's service account must have read permissions on the same tables.
To get the permissions that you need to export the scan results to a BigQuery table, ask your administrator to grant the Dataplex Universal Catalog service account the BigQuery Data Editor (roles/bigquery.dataEditor) IAM role on the results dataset and table. This grants the following permissions:
- bigquery.datasets.get
- bigquery.tables.create
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.update
- bigquery.tables.updateData
If the BigQuery data is organized in a Dataplex Universal Catalog lake, grant the Dataplex Universal Catalog service account the Dataplex Metadata Reader (roles/dataplex.metadataReader) and Dataplex Viewer (roles/dataplex.viewer) IAM roles. Alternatively, you need all of the following permissions:
- dataplex.lakes.list
- dataplex.lakes.get
- dataplex.zones.list
- dataplex.zones.get
- dataplex.entities.list
- dataplex.entities.get
- dataplex.operations.get
If you're scanning a BigQuery external table from Cloud Storage, grant the Dataplex Universal Catalog service account the Storage Object Viewer (roles/storage.objectViewer) role for the bucket. Alternatively, assign the Dataplex Universal Catalog service account the following permissions:
- storage.buckets.get
- storage.objects.get
If you want to publish the data quality scan results as Dataplex Universal Catalog metadata, you must be granted the BigQuery Data Editor (roles/bigquery.dataEditor) IAM role for the table, and the dataplex.entryGroups.useDataQualityScorecardAspect permission on the @bigquery entry group in the same location as the table. Alternatively, you must be granted the Dataplex Catalog Editor (roles/dataplex.catalogEditor) role for the @bigquery entry group in the same location as the table.

Alternatively, you need all of the following permissions:
- bigquery.tables.get - on the table
- bigquery.tables.update - on the table
- bigquery.tables.updateData - on the table
- bigquery.tables.delete - on the table
- dataplex.entryGroups.useDataQualityScorecardAspect - on the @bigquery entry group
Or, you need all of the following permissions:
- dataplex.entries.update - on the @bigquery entry group
- dataplex.entryGroups.useDataQualityScorecardAspect - on the @bigquery entry group
If you need to access columns protected by BigQuery column-level access policies, then assign the Dataplex Universal Catalog service account permissions for those columns. The user creating or updating a data scan also needs permissions for the columns.
If a table has BigQuery row-level access policies enabled, then you can only scan rows visible to the Dataplex Universal Catalog service account. Note that the individual user's access privileges are not evaluated for row-level policies.

Required data scan roles

To use auto data quality, ask your administrator to grant you one of the following IAM roles:

Full access to DataScan resources: Dataplex DataScan Administrator (roles/dataplex.dataScanAdmin)
To create DataScan resources: Dataplex DataScan Creator (roles/dataplex.dataScanCreator) on the project
Write access to DataScan resources: Dataplex DataScan Editor (roles/dataplex.dataScanEditor)
Read access to DataScan resources excluding rules and results: Dataplex DataScan Viewer (roles/dataplex.dataScanViewer)
Read access to DataScan resources, including rules and results: Dataplex DataScan DataViewer (roles/dataplex.dataScanDataViewer)

The following table lists the DataScan permissions:

Permission name	Grants permission to do the following:
`dataplex.datascans.create`	Create a `DataScan`
`dataplex.datascans.delete`	Delete a `DataScan`
`dataplex.datascans.get`	View operational metadata such as ID or schedule, but not results and rules
`dataplex.datascans.getData`	View `DataScan` details including rules and results
`dataplex.datascans.list`	List `DataScan`s
`dataplex.datascans.run`	Run a `DataScan`
`dataplex.datascans.update`	Update the description of a `DataScan`
`dataplex.datascans.getIamPolicy`	View the current IAM permissions on the scan
`dataplex.datascans.setIamPolicy`	Set IAM permissions on the scan

Create a data quality scan

Console

In the Google Cloud console, on the BigQuery Metadata curation page, go to the Data profiling & quality tab.

Go to Data profiling & quality
Click Create data quality scan.
In the Define scan window, fill in the following fields:
1. Optional: Enter a Display name.
2. Enter an ID. See the resource naming conventions.
3. Optional: Enter a Description.
4. In the Table field, click Browse. Choose the table to scan, and then click Select. Only standard BigQuery tables are supported.
  
  For tables in multi-region datasets, choose a region where to create the data scan.
  
  To browse the tables organized within Dataplex Universal Catalog lakes, click Browse within Dataplex Lakes.
5. In the Scope field, choose Incremental or Entire data.
  - If you choose Incremental: In the Timestamp column field, select a column of type DATE or TIMESTAMP from your BigQuery table that increases as new records are added, and that can be used to identify new records. It can be a column that partitions the table.
6. To filter your data, select the Filter rows checkbox. Provide a row filter consisting of a valid SQL expression that can be used as a part of a WHERE clause in GoogleSQL syntax. For example, col1 >= 0. The filter can be a combination of multiple column conditions. For example, col1 >= 0 AND col2 < 10.
7. To sample your data, in the Sampling size list, select a sampling percentage. Choose a percentage value that ranges between 0.0% and 100.0% with up to 3 decimal digits. For larger datasets, choose a lower sampling percentage. For example, for a 1 PB table, if you enter a value between 0.1% and 1.0%, the data quality scan samples between 1-10 TB of data. For incremental data scans, the data quality scan applies sampling to the latest increment.
8. To publish the data quality scan results as Dataplex Universal Catalog metadata, select the Publish results to BigQuery and Dataplex Catalog checkbox.
  
  You can view the latest scan results on the Data quality tab in the BigQuery and Dataplex Universal Catalog pages for the source table. To enable users to access the published scan results, see the Grant access to data profile scan results section of this document.
9. In the Schedule section, choose one of the following options:
  - Repeat: Run the data quality scan on a schedule: hourly, daily, weekly, monthly, or custom. Specify how often the scan runs and at what time. If you choose custom, use cron format to specify the schedule.
  - On-demand: Run the data quality scan on demand.
10. Click Continue.
In the Data quality rules window, define the rules to configure for this data quality scan.
1. Click Add rules, and then choose from the following options.
  - Profile based recommendations: Build rules from the recommendations based on an existing data profiling scan.
    1. Choose columns: Select the columns to get recommended rules for.
    2. Choose scan project: If the data profiling scan is in a different project than the project where you are creating the data quality scan, then select the project to pull profile scans from.
    3. Choose profile results: Select one or more profile results and then click OK. This populates a list of suggested rules that you can use as a starting point.
    4. Select the checkbox for the rules that you want to add, and then click Select. Once selected, the rules are added to your current rule list. Then, you can edit the rules.
  - Built-in rule types: Build rules from predefined rules. See the list of predefined rules.
    1. Choose columns: Select the columns to select rules for.
    2. Choose rule types: Select the rule types that you want to choose from, and then click OK. The rule types that appear depend on the columns that you selected.
    3. Select the checkbox for the rules that you want to add, and then click Select. Once selected, the rules are added to your current rules list. Then, you can edit the rules.
  - SQL row check rule: Create a custom SQL rule to apply to each row.
    1. In Dimension, choose one dimension.
    2. In Passing threshold, choose a percentage of records that must pass the check.
    3. In Column name, choose a column.
    4. In the Provide a SQL expression field, enter a SQL expression that evaluates to a boolean true (pass) or false (fail). For more information, see Supported custom SQL rule types and the examples in Define data quality rules.
    5. Click Add.
  - SQL aggregate check rule: Create a custom SQL table condition rule.
    1. In Dimension, choose one dimension.
    2. In Column name, choose a column.
    3. In the Provide a SQL expression field, enter a SQL expression that evaluates to a boolean true (pass) or false (fail). For more information, see Supported custom SQL rule types and the examples in Define data quality rules.
    4. Click Add.
  - SQL assertion rule: Create a custom SQL assertion rule to check for an invalid state of the data.
    1. In Dimension, choose one dimension.
    2. Optional: In Column name, choose a column.
    3. In the Provide a SQL statement field, enter a SQL statement that returns rows that match the invalid state. If any rows are returned, this rule fails. Omit the trailing semicolon from the SQL statement. For more information, see Supported custom SQL rule types and the examples in Define data quality rules.
    4. Click Add.
2. Optional: For any data quality rule, you can assign a custom rule name to use for monitoring and alerting, and a description. To do this, edit a rule and specify the following details:
  - Rule name: Enter a custom rule name with up to 63 characters. The rule name can include letters (a-z, A-Z), digits (0-9), and hyphens (-) and must start with a letter and end with a number or a letter.
  - Description: Enter a rule description with a maximum length of 1,024 characters.
3. Repeat the previous steps to add additional rules to the data quality scan. When finished, click Continue.
Optional: Export the scan results to a BigQuery standard table. In the Export scan results to BigQuery table section, do the following:
1. In the Select BigQuery dataset field, click Browse. Select a BigQuery dataset to store the data quality scan results.
2. In the BigQuery table field, specify the table to store the data quality scan results. If you're using an existing table, make sure that it is compatible with the export table schema. If the specified table doesn't exist, Dataplex Universal Catalog creates it for you.
  
  Note: You can use the same results table for multiple data quality scans.
Optional: Add labels. Labels are key-value pairs that let you group related objects together or with other Google Cloud resources.
Optional: Set up email notification reports to alert people about the status and results of a data quality scan job. In the Notification report section, click Add email ID and enter up to five email addresses. Then, select the scenarios that you want to send reports for:
- Quality score (<=): sends a report when a job succeeds with a data quality score that is lower than the specified target score. Enter a target quality score between 0 and 100.
- Job failures: sends a report when the job itself fails, regardless of the data quality results.
- Job completion (success or failure): sends a report when the job ends, regardless of the data quality results.
Click Create.

After the scan is created, you can run it at any time by clicking Run now.

gcloud

To create a data quality scan, use the gcloud dataplex datascans create data-quality command.

If the source data is organized in a Dataplex Universal Catalog lake, include the --data-source-entity flag:

gcloud dataplex datascans create data-quality DATASCAN \
    --location=LOCATION \
    --data-quality-spec-file=DATA_QUALITY_SPEC_FILE \
    --data-source-entity=DATA_SOURCE_ENTITY

If the source data isn't organized in a Dataplex Universal Catalog lake, include the --data-source-resource flag:

gcloud dataplex datascans create data-quality DATASCAN \
    --location=LOCATION \
    --data-quality-spec-file=DATA_QUALITY_SPEC_FILE \
    --data-source-resource=DATA_SOURCE_RESOURCE

Replace the following variables:

DATASCAN: The name of the data quality scan.
LOCATION: The Google Cloud region in which to create the data quality scan.
DATA_QUALITY_SPEC_FILE: The path to the JSON or YAML file containing the specifications for the data quality scan. The file can be a local file or a Cloud Storage path with the prefix gs://. Use this file to specify the data quality rules for the scan. You can also specify additional details in this file, such as filters, sampling percent, and post-scan actions like exporting to BigQuery or sending email notification reports. See the documentation for JSON representation.
DATA_SOURCE_ENTITY: The Dataplex Universal Catalog entity that contains the data for the data quality scan. For example, projects/test-project/locations/test-location/lakes/test-lake/zones/test-zone/entities/test-entity.
DATA_SOURCE_RESOURCE: The name of the resource that contains the data for the data quality scan. For example, //bigquery.googleapis.com/projects/test-project/datasets/test-dataset/tables/test-table.

REST

To create a data quality scan, use the dataScans.create method.

If you want to build rules for the data quality scan by using rule recommendations that are based on the results of a data profiling scan, get the recommendations by calling the dataScans.jobs.generateDataQualityRules method on the data profiling scan.

Note: If your BigQuery table is configured with the Require partition filter set to true, use the BigQuery partition column as the data quality scan row filter or timestamp column.

Run a data quality scan

Console

In the Google Cloud console, on the BigQuery Metadata curation page, go to the Data profiling & quality tab.

Go to Data profiling & quality
Click the data quality scan to run.
Click Run now.

gcloud

To run a data quality scan, use the gcloud dataplex datascans run command:

gcloud dataplex datascans run DATASCAN \
--location=LOCATION \

Replace the following variables:

LOCATION: The Google Cloud region in which the data quality scan was created.
DATASCAN: The name of the data quality scan.

REST

To run a data quality scan, use the dataScans.run method.

View data quality scan results

Console

In the Google Cloud console, on the BigQuery Metadata curation page, go to the Data profiling & quality tab.

Go to Data profiling & quality
Click the name of a data quality scan.
- The Overview section displays information about the most recent jobs, including when the scan was run, the number of records scanned in each job, whether all the data quality checks passed, and if there were failures, the number of data quality checks that failed.
- The Data quality scan configuration section displays details about the scan.
To see detailed information about a job, such as data quality scores that indicate the percentage of rules that passed, which rules failed, and the job logs, click the Jobs history tab. Then, click a job ID.

gcloud

To view the results of a data quality scan job, use the gcloud dataplex datascans jobs describe command:

gcloud dataplex datascans jobs describe JOB \
--location=LOCATION \
--datascan=DATASCAN \
--view=FULL

Replace the following variables:

JOB: The job ID of the data quality scan job.
LOCATION: The Google Cloud region in which the data quality scan was created.
DATASCAN: The name of the data quality scan the job belongs to.
--view=FULL: To see the scan job result, specify FULL.

REST

To view the results of a data quality scan, use the dataScans.get method.

View published results

If the data quality scan results are published as Dataplex Universal Catalog metadata, then you can see the latest scan results on the BigQuery and Dataplex Universal Catalog pages in the Google Cloud console, on the source table's Data quality tab.

In the Google Cloud console, go to the BigQuery page.

Go to BigQuery
In the Explorer pane, select the table whose data quality scan results you want to see.
Click the Data quality tab.

The latest published results are displayed.

Note: Published results might not be available if a scan is running for the first time.

View historical scan results

Dataplex Universal Catalog saves the data quality scan history of the last 300 jobs or for the past year, whichever occurs first.

Console

In the Google Cloud console, on the BigQuery Metadata curation page, go to the Data profiling & quality tab.

Go to Data profiling & quality
Click the name of a data quality scan.
Click the Jobs history tab.

The Jobs history tab provides information about past jobs, such as the number of records scanned in each job, the job status, the time the job was run, and whether each rule passed or failed.
To view detailed information about a job, click any of the jobs in the Job ID column.

gcloud

To view historical data quality scan jobs, use the gcloud dataplex datascans jobs list command:

gcloud dataplex datascans jobs list \
--location=LOCATION \
--datascan=DATASCAN \

Replace the following variables:

LOCATION: The Google Cloud region in which the data quality scan was created.
DATASCAN: The name of the data quality scan to view historical jobs for.

REST

To view historical data quality scan jobs, use the dataScans.jobs.list method.

Grant access to data quality scan results

To enable the users in your organization to view the scan results, do the following:

In the Google Cloud console, on the BigQuery Metadata curation page, go to the Data profiling & quality tab.

Go to Data profiling & quality
Click the data quality scan you want to share the results of.
Click the Permissions tab.
Do the following:
- To grant access to a principal, click Grant access. Grant the Dataplex DataScan DataViewer role to the associated principal.
- To remove access from a principal, select the principal that you want to remove the Dataplex DataScan DataViewer role from. Click Remove access, and then confirm when prompted.

Troubleshoot a data quality failure

You can set alerts for data quality failures using the logs in Cloud Logging. For more information, including sample queries, see Set alerts in Cloud Logging.

For each job with row-level rules that fail, Dataplex Universal Catalog provides a query to get the failed records. Run this query to see the records that did not match your rule.

Console

In the Google Cloud console, on the BigQuery Metadata curation page, go to the Data profiling & quality tab.

Go to Data profiling & quality
Click the name of the data quality scan whose records you want to troubleshoot.
Click the Jobs history tab.
Click the job ID of the job that identified data quality failures.
In the job results window that opens, in the Rules section, find the column Query to get failed records. Click Copy query to clipboard for the failed rule.
Run the query in BigQuery to see the records that caused the job to fail.

gcloud

Not supported.

REST

To get the job that identified data quality failures, use the dataScans.get method.

In the response object, the failingRowsQuery field shows the query.
Run the query in BigQuery to see the records that caused the job to fail.

Manage data quality scans for a specific table

The steps in this document show how to manage data quality scans across your project by using the BigQuery Metadata curation > Data profiling & quality page in the Google Cloud console.

You can also create and manage data quality scans when working with a specific table. In the Google Cloud console, on the BigQuery page for the table, use the Data quality tab. Do the following:

In the Google Cloud console, go to the BigQuery page.

Go to BigQuery

In the Explorer pane, select the table.
Click the Data quality tab.
Depending on whether the table has a data quality scan whose results are published as Dataplex Universal Catalog metadata, you can work with the table's data quality scans in the following ways:
- Data quality scan results are published: the latest scan results are displayed on the page.
  
  To manage the data quality scans for this table, click Data quality scan, and then select from the following options:
  - Create new scan: create a new data quality scan. For more information, see the Create a data quality scan section of this document. When you create a scan from a table's details page, the table is preselected.
  - Run now: run the scan.
  - Edit scan configuration: edit settings including the display name, filters, and schedule.
    
    To edit the data quality rules, on the Data quality tab, click the Rules tab. Click Modify rules. Update the rules and then click Save.
  - Manage scan permissions: control who can access the scan results. For more information, see the Grant access to data quality scan results section of this document.
  - View historical results: view detailed information about previous data quality scan jobs. For more information, see the View data quality scan results and View historical scan results sections of this document.
  - View all scans: view a list of data quality scans that apply to this table.
- Data quality scan results aren't published: select from the following options:
  - Create data quality scan: create a new data quality scan. For more information, see the Create a data quality scan section of this document. When you create a scan from a table's details page, the table is preselected.
  - View existing scans: view a list of data quality scans that apply to this table.

View the data quality scans for a table

To view the data quality scans that apply to a specific table, do the following:

In the Google Cloud console, on the BigQuery Metadata curation page, go to the Data profiling & quality tab.

Go to Data profiling & quality
Filter the list by table name and scan type.

Update a data quality scan

You can edit various settings for an existing data quality scan, such as the display name, filters, schedule, and data quality rules.

Console

In the Google Cloud console, on the BigQuery Metadata curation page, go to the Data profiling & quality tab.

Go to Data profiling & quality
Click the name of a data quality scan.
To edit settings including the display name, filters, and schedule, click Edit. Edit the values and then click Save.
To edit the data quality rules, on the scan details page, click the Current rules tab. Click Modify rules. Update the rules and then click Save.

gcloud

To update the description of a data quality scan, use the gcloud dataplex datascans update data-quality command:

gcloud dataplex datascans update data-quality DATASCAN \
--location=LOCATION \
--description=DESCRIPTION

Replace the following:

DATASCAN: The name of the data quality scan to update.
LOCATION: The Google Cloud region in which the data quality scan was created.
DESCRIPTION: The new description for the data quality scan.

REST

To edit a data quality scan, use the dataScans.patch method.

Delete a data quality scan

Console

In the Google Cloud console, on the BigQuery Metadata curation page, go to the Data profiling & quality tab.

Go to Data profiling & quality
Click the scan you want to delete.
Click Delete, and then confirm when prompted.

gcloud

To delete a data quality scan, use the gcloud dataplex datascans delete command:

gcloud dataplex datascans delete DATASCAN \
--location=LOCATION \
--async

Replace the following variables:

DATASCAN: The name of the data quality scan to delete.
LOCATION: The Google Cloud region in which the data quality scan was created.

REST

To delete a data quality scan, use the dataScans.delete method.

What's next

Learn more about data governance in BigQuery.