BigQuery is a petabyte-scale analytics data warehouse that you can use to run SQL queries over vast amounts of data in near realtime.
Giving a view access to a dataset is also known as creating an authorized view in BigQuery. An authorized view allows you to share query results with particular users and groups without giving them access to the underlying tables. You can also use the view's SQL query to restrict the columns (fields) the users are able to query. In this tutorial, you create an authorized view.
Objectives
In this tutorial you:
- Create datasets and apply access controls to them
- Assign access controls to your project
- Create an authorized view that restricts the data users are able to query
Costs
BigQuery is a paid product and you will incur BigQuery usage costs in this tutorial. BigQuery query pricing provides the first 1 TB per month free of charge. For more information, see the Pricing page.
Before you begin
Before you begin this tutorial, use the Google Cloud Platform Console to create or select a project and enable billing.
-
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
-
Select or create a Google Cloud Platform project.
-
Make sure that billing is enabled for your Google Cloud Platform project.
- BigQuery is automatically enabled in new projects. To activate BigQuery in a pre-existing project, Enable the BigQuery API.
Introduction
In this tutorial, you create two datasets - one dataset for your source data and a second dataset for your authorized view. You populate the source dataset with data from the GitHub public dataset. You then create a view that queries a table in the source dataset.
Once you create your datasets and your view, you assign access controls to the project, to the dataset containing the view, and to the dataset containing the source data.
Giving a view access to the source dataset is also referred to as creating an authorized view. When you create an authorized view, follow these steps:
- Create a separate dataset to store the view
- Create the view in the new dataset
- Assign access controls to the project
- Assign access controls to the dataset containing the view
- Authorize the view to access the source dataset
Create a source dataset
You begin by creating a dataset to store your source data. For this tutorial, you populate a table in your source dataset by querying the GitHub public dataset. The data in your source dataset contains information you do not want your data analysts to see. You restrict access to the data using an authorized view.
To create your source dataset:
Console
Open the BigQuery web UI in the GCP Console.
Go to the BigQuery web UIIn the navigation panel, in the Resources section, select your project and click Create dataset.
For Dataset ID type
github_source_data.Leave all of the other default settings in place and click Create dataset.
Classic UI
Go to the BigQuery web UI.
Click the down arrow icon
next to your project name in the navigation, then click Create new dataset.For Dataset ID type
github_source_data.Leave all of the other default settings in place and click OK.
Command-line
Use the mk command to create your dataset.
bq mk github_source_data
Python
Before trying this sample, follow the Python setup instructions in the BigQuery Quickstart Using Client Libraries . For more information, see the BigQuery Python API reference documentation .
After creating the source dataset, you populate a table in it using a SQL query. This query retrieves data from the GitHub public dataset.
Console
Open the BigQuery web UI in the GCP Console.
Go to the BigQuery web UIClick Compose new query.
Copy and paste the following query into the Query editor text area.
#standardSQL SELECT commit, author, committer, repo_name FROM `bigquery-public-data.github_repos.commits` LIMIT 1000
Click More and select Query settings.
For Destination check the box for Set a destination table for query results.
- For Project name verify your project is selected.
- For Dataset name verify
github_source_datais selected. - For Table name type:
github_contributors. - Click Save.
Click Run.
When the query completes, click github_contributors and then click Preview to verify the data was written to the table.
Classic UI
Go to the BigQuery web UI.
Click the COMPOSE QUERY button.
Copy and paste the following query into the New Query text area.
#standardSQL SELECT commit, author, committer, repo_name FROM `bigquery-public-data.github_repos.commits` LIMIT 1000
Click Show Options.
For Destination Table click Select Table.
In the Select Destination Table dialog:
- For Project verify your project is selected.
- For Dataset verify
github_source_datais selected. - For Table ID type:
github_contributors. - Click Ok.
Click Run Query.
When the query completes, click github_contributors and then click Preview to verify the data was written to the table.
Command-line
Use the query command with the --destination_table flag to write the query
results to a table in the github_source_data dataset.
bq query --destination_table=github_source_data.github_contributors --use_legacy_sql=false 'SELECT commit, author, committer, repo_name FROM
`bigquery-public-data.github_repos.commits` LIMIT 1000'
Python
Before trying this sample, follow the Python setup instructions in the BigQuery Quickstart Using Client Libraries . For more information, see the BigQuery Python API reference documentation .
Create a separate dataset to store your view
After creating your source dataset you create a new dataset to store the view you will share with your data analysts. This view will have access to the data in the source dataset. Your data analysts will have access to the view, not the source data.
When you create the view, it must be created in a dataset separate from the source data queried by the view. Because you can assign access controls only at the dataset level, if the view is created in the same dataset as the source data, your data analysts would have access to both the view and the data.
To create a dataset to store your view:
Console
Open the BigQuery web UI in the GCP Console.
Go to the BigQuery web UIIn the navigation panel, in the Resources section, select your project and click Create dataset.
For Dataset ID type
shared_views.Leave all of the other default settings in place and click Create dataset.
Classic UI
Go to the BigQuery web UI.
Click the down arrow icon
next to your project name in the navigation, then click Create new dataset.For Dataset ID type
shared_views.Leave all of the other default settings in place and click OK.
Command-line
Use the mk command to create your dataset.
bq mk shared_views
Python
Before trying this sample, follow the Python setup instructions in the BigQuery Quickstart Using Client Libraries . For more information, see the BigQuery Python API reference documentation .
Create the view in the new dataset
In the new dataset, you create the view you intend to authorize. This is the view you share with your data analysts. This view is created using a SQL query that excludes the columns you do not want the data analysts to see.
For this tutorial, your shared view excludes all of the author's information except for the author's name, and all of the committer's information except for the committer's name.
To create the view in the new dataset:
Console
Open the BigQuery web UI in the GCP Console.
Go to the BigQuery web UIClick Compose new query.
Copy and paste the following query into the Query editor text area. Replace
[PROJECT_ID]with your project ID.#standardSQL SELECT commit, author.name as author, committer.name as committer, repo_name FROM `[PROJECT_ID].github_source_data.github_contributors`
Click More and select Query settings.
Under SQL dialect select Standard. Click Save to update query settings.
Click Save view.
In the Save view dialog:
- For Project name verify your project is selected.
- For Dataset name verify
shared_viewsis selected. - For Table name type:
github_analyst_view. - Click Save.
Classic UI
Go to the BigQuery web UI.
Click the COMPOSE QUERY button.
Copy and paste the following query into the New Query text area. Replace
[PROJECT_ID]with your project ID.#standardSQL SELECT commit, author.name as author, committer.name as committer, repo_name FROM `[PROJECT_ID].github_source_data.github_contributors`
Click Show Options.
Uncheck Use Legacy SQL.
Click Save View.
In the Save View dialog:
- For Project verify your project is selected.
- For Dataset verify
shared_viewsis selected. - For Table ID type:
github_analyst_view. - Click Ok.
Command-line
Use the mk command with the --view flag. Replace [PROJECT_ID] with
your project ID.
bq mk --use_legacy_sql=false --view='SELECT commit, author.name as author, committer.name as committer, repo_name FROM `[PROJECT_ID].github_source_data.github_contributors`' shared_views.github_analyst_view
Python
Before trying this sample, follow the Python setup instructions in the BigQuery Quickstart Using Client Libraries . For more information, see the BigQuery Python API reference documentation .
Assign a project-level IAM role to your data analysts
In order to query the view, your data analysts need permission to run query
jobs. The bigquery.user role includes permissions to run jobs, including
query jobs, within the project. If you grant a user or group the
bigquery.user role at the project level, the user can create datasets and can
run query jobs against tables in those datasets. The bigquery.user role does
not give users permission to query data, view table data, or view table schema
details for datasets the user did not create.
Assigning your data analysts the project-level bigquery.user role does not
give them the ability to view or query table data in the dataset containing the
tables queried by the view. Most individuals (data scientists, business
intelligence analysts, data analysts) in an enterprise should be assigned the
project-level bigquery.user role.
For this tutorial, your data analysts are in a group named
data_analysts@example.com. This group name is for example purposes only. When
you add a group to an IAM role, the email address and domain must be associated
with an active Google Account or Google Apps account.
To assign the data analysts group to the bigquery.user role at the project
level:
Console
Open the IAM page in the Google Cloud Platform Console.
Click Select a project.
Select your project and click Open.
On the IAM page, click Add.
In the Add members dialog:
- For Members type the group name:
data_analysts@example.com. - For Roles, click Select a role and choose BigQuery > BigQuery User.
- Click Add.
- For Members type the group name:
Classic UI
Open the IAM page in the Google Cloud Platform Console.
Click Select a project.
Select your project and click Open.
On the IAM page, click Add.
In the Add members dialog:
- For Members type the group name:
data_analysts@example.com. - For Roles, click Select a role and choose BigQuery > BigQuery User.
- Click Add.
- For Members type the group name:
Command-line
To add a single binding to the project's IAM policy, type the following command. Replace
[PROJECT_ID]with your project ID.gcloud projects add-iam-policy-binding [PROJECT_ID] --member group:data_analysts@example.com --role roles/bigquery.userThe command outputs the updated policy:
bindings: - members: - group:data_analysts@example.com role: roles/BigQuery.user
Assign access controls to the dataset containing the view
In order for your data analysts to query the view, they need READER access to
the dataset containing the view. The bigquery.user role gives your data
analysts the permissions required to create query jobs, but they cannot
successfully query the view unless they also have at least READER access to
the dataset containing the view.
To give your data analysts READER access to the dataset:
Console
Select the
shared_viewsdataset in Resources and click Share dataset.In the Dataset permissions panel, click Add members.
Type
data_analysts@example.comin the New members text box.Cick Select role and select Viewer. This maps to the
bigquery.dataViewerrole at the dataset level.Click Save and then click Done.
Classic UI
Click the drop-down arrow to the right of the
shared_viewsdataset and choose Share Dataset.In the Share Dataset dialog, for Add People, click the drop-down to the left of the field, and choose
Group by e-mail.Type
data_analysts@example.comin the text box.To the right of the Add People field, verify Can view is selected. "Can View" maps to the
bigquery.dataViewerrole at the dataset level.Click Add and then click Save changes.
Command-line
When you apply access controls to a dataset using the command-line tool, the existing controls are overwritten. First, export the existing access controls to a JSON file using the
showcommand.bq --format=json show shared_views >shared_views.jsonMake your changes to the "access" section of the JSON file using the
READERrole andgroupByEmail.For example:
{ "access": [ { "role": "READER", "specialGroup": "projectReaders" }, { "role": "WRITER", "specialGroup": "projectWriters" }, { "role": "OWNER", "specialGroup": "projectOwners" } { "role": "READER", "specialGroup": "allAuthenticatedUsers" } { "role": "READER", "domain": "[DOMAIN_NAME]" } { "role": "WRITER", "userByEmail": "[USER_EMAIL]" } { "role": "READER", "groupByEmail": "data_analysts@example.com" } ], }When your edits are complete, use the
updatecommand and include the JSON file using the--sourceflag.bq update --source=shared_views.json shared_viewsTo verify your access control changes, use the
showcommand.bq show shared_views
Python
Before trying this sample, follow the Python setup instructions in the BigQuery Quickstart Using Client Libraries . For more information, see the BigQuery Python API reference documentation .
Authorize the view to access the source dataset
Once you create access controls for the dataset containing the view, you add the view as an authorized view in the source dataset. This gives the view access to the source data, not your data analysts group.
To authorize the view to access the source data:
Console
Select the
github_source_datadataset from Resources and click Share dataset.In the Dataset permissions panel, click the Authorized views tab.
Under Share authorized view:
- For Select project, verify your project is selected.
- For Select dataset, choose
shared_views. - For Select view, type the view name:
github_analyst_view. - Click OK.
Click Add and then click Done.
Classic UI
Click the drop-down arrow to the right of the
github_source_datadataset and choose Share Dataset.In the Share Dataset dialog, for Add People, click the drop-down to the left of the field, and choose Authorized View.
Click Select View.
In the Select View dialog:
- For Project, verify your project is selected.
- For Dataset, choose
shared_views. - For Table ID, type the view name:
github_analyst_view. - Click OK.
Click Add and then click Save changes.
Command-line
When you apply access controls to a dataset using the CLI, the existing controls are overwritten. First, export the existing access controls to a JSON file using the
showcommand.bq --format=prettyjson show github_source_data >github_source_data.jsonAdd the authorized view to the "access" section of the JSON file. Replace
[PROJECT_ID]with your project ID.For example:
{ "access": [ { "role": "READER", "specialGroup": "projectReaders" }, { "view":{ "datasetId": "shared_views", "projectId": "[PROJECT_ID]", "tableId": "github_analyst_view" } }, ... ], ... }Some text in the JSON file is omitted for brevity.
When your edits are complete, use the
updatecommand and include the JSON file using the--sourceflag.bq update --source=github_source_data.json github_source_dataTo verify your access control changes, use the
showcommand.bq show github_source_data
Python
Before trying this sample, follow the Python setup instructions in the BigQuery Quickstart Using Client Libraries . For more information, see the BigQuery Python API reference documentation .
Verify the configuration
When your configuration is complete, a member of the data_analysts group can
verify the configuration by querying the view.
To verify the configuration:
Console
Have a member of the
data_analystsgroup go to the BigQuery web UI in the GCP Console.
Go to the BigQuery web UIClick the Compose new query button.
Copy and paste the following query into the Query editor text area.
#standardSQL SELECT * FROM `shared_views.github_analyst_view`
Classic UI
Have a member of the
data_analystsgroup go to the BigQuery web UI.Click the COMPOSE QUERY button.
Copy and paste the following query into the New Query text area.
#standardSQL SELECT * FROM `shared_views.github_analyst_view`
Command-line
Use the query command to query the view.
bq query --use_legacy_sql=false 'SELECT * FROM `shared_views.github_analyst_view`'
Complete source code
Here is the complete source code for the tutorial for your reference.
Python
Before trying this sample, follow the Python setup instructions in the BigQuery Quickstart Using Client Libraries . For more information, see the BigQuery Python API reference documentation .
Cleaning up
To avoid incurring charges to your Google Cloud Platform account for the resources used in this tutorial:
- In the GCP Console, go to the Projects page.
- In the project list, select the project you want to delete and click Delete delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
What's next
- Read Access control to learn about access controls in BigQuery.
- Read Introduction to views to learn about BigQuery views.
- Read IAM overview to learn the basic IAM concepts.
- Read Managing policies to learn how to manage access control.
