BigQuery Table ACL FAQ

This document provides answers to frequently asked questions about BigQuery Table ACL.

What actions are logged?

The tables.setIamPolicy action is always logged to Cloud Logging. For more information, see Audit logging.

When I copy data to a new table, are the table ACLs automatically copied?

No. When you copy data to a new table, any table ACLs on the source table are not automatically copied. If you want a table ACL on a new table created via copy, you need to explicitly set a table ACL on the new table.

If I delete a table and recreate it, are the table ACLs preserved?

No. If you delete a table and then recreate it with the same name, you need to explicitly set the table ACL again because BigQuery considers it a new table.
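The following is an added example, not part of the original FAQ or any Google sample, showing one way to carry a table ACL across a copy or a delete-and-recreate. It assumes the `google-cloud-bigquery` Python client (`copy_table`, `get_iam_policy`, `set_iam_policy`) and tables named as `project.dataset.table` strings; the helper names are hypothetical.

```python
"""Carry table-level IAM bindings over to a copied or recreated BigQuery table."""


def snapshot_bindings(client, table):
    """Return a detached copy of the table-level IAM bindings on `table`.

    For a delete-and-recreate, call this BEFORE deleting the table.
    """
    policy = client.get_iam_policy(table)
    return [dict(b, members=set(b["members"])) for b in policy.bindings]


def apply_bindings(client, table, bindings):
    """Replace the table-level bindings on `table`; return what is now set."""
    # Start from the table's current policy so its own etag is sent back,
    # rather than reusing the etag of the source table's policy.
    policy = client.get_iam_policy(table)
    policy.bindings = [dict(b, members=set(b["members"])) for b in bindings]
    client.set_iam_policy(table, policy)
    return snapshot_bindings(client, table)  # re-read instead of trusting the write


def grants(bindings):
    """Flatten bindings to a set of (role, member) pairs for comparison."""
    return {(b["role"], m) for b in bindings for m in b["members"]}


def copy_table_with_acl(client, source, dest):
    """Copy `source` to `dest`, then set the table ACL on `dest` explicitly."""
    wanted = snapshot_bindings(client, source)
    client.copy_table(source, dest).result()  # copies the data, not the ACL
    applied = apply_bindings(client, dest, wanted)
    if grants(applied) != grants(wanted):
        raise RuntimeError(f"table ACL on {dest} does not match {source}")
    return applied


if __name__ == "__main__":
    import sys
    from google.cloud import bigquery  # assumed installed: google-cloud-bigquery

    src, dst = sys.argv[1:3]
    for binding in copy_table_with_acl(bigquery.Client(), src, dst):
        print(binding["role"], sorted(binding["members"]))
```

Only bindings set directly on the table are carried over; access inherited from the dataset or project is unaffected by either operation.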

I removed my access. Why am I still getting query results?

BigQuery caches the results of successful access checks for up to a few minutes. For more information, see Policy change time lag.

Is there an API that checks whether a user has access to a particular table?

Yes, you can use the tables.testIamPermissions method to check access on a specific table resource. For more information, see Testing permissions.

Is BigQuery Table ACL compatible with VPC Service Controls?

Yes. VPC Service Controls leverages IAM to control access to services such as BigQuery and Cloud Storage. BigQuery Table ACL uses IAM to provide a deeper granularity of access control on individual BigQuery tables. Since they use IAM in a complementary manner, VPC Service Controls and BigQuery Table ACL are compatible.

Are federated tables supported?

Yes, federated tables, also known as external data sources, are supported. You can set access control on a federated table the same as any other BigQuery table.

I received an error running bq get-iam-policy. What do I do?

If you receive an error such as:

FATAL Command 'get-iam-policy' unknown error.

Upgrade your bq command-line tool to version 2.0.50 or later.