Stay organized with collections Save and categorize content based on your preferences.

Table access policy FAQ

This document provides answers to frequently asked questions about the table access policy.

What actions are logged?

The tables.setIamPolicy action is always logged to Cloud Logging. For more information, see Audit logging.

When I copy data to a new table, are the table access policies automatically copied?

No. When you copy data to a new table, any table access policies on the source table are not automatically copied. If you want a table ACL on a new table created via copy, you need to explicitly set a table ACL on the new table.

If I delete a table and recreate it, are the table access policies preserved?

No. If you delete a table and then recreate with the same name, you need to explicitly set the table ACL because BigQuery considers it a new table.

I removed my access. Why am I still getting query results?

BigQuery caches the results of successful access checks for up to a few minutes. For more information, see Policy change time lag.

Is there an API that checks whether a user has access to a particular table?

Yes, you can use the tables.testIamPermissions method to check access on a specific table resource. For more information, see Testing permissions.

Is a table access policy compatible with VPC Service Controls?

Yes. VPC Service Controls leverages IAM to control access to services such as BigQuery and Cloud Storage. A table access policy uses IAM to provide a deeper granularity of access control on individual BigQuery tables. Since they use IAM in a complementary manner, VPC Service Controls and a table access policy are compatible.

Are federated tables supported?

Yes, federated tables, also known as external data sources, are supported. You can set access control on a federated table the same as any other BigQuery table.

I received an error running bq get-iam-policy. What do I do?

If you receive an error such as:

FATAL Command 'get-iam-policy' unknown error.

Upgrade your bq command-line tool to version 2.0.50 or later.