This page provides answers to frequently asked questions about BigQuery Table ACL.
What actions are logged?
When I copy data to a new table, are the table ACLs automatically copied?
No. When you copy data to a new table, any table ACLs on the source table are not automatically copied. If you want a table ACL on a new table created via copy, you need to explicitly set a table ACL on the new table.
If I delete a table and recreate it, are the table ACLs preserved?
No. If you delete a table and then recreate with the same name, you need to explicitly set the table ACL because BigQuery considers it a new table.
I removed my access. Why am I still getting query results?
If caching is enabled, it is possible for an account to see previously authorized query results after the account is no longer granted access to the table. Specifically, if the user previously ran the query successfully and then you removed access for the user, the user could get results from the query result cache. BigQuery caches only authorized accesses, and they are cached for only a few minutes. For related information, see Policy change time lag.
Is there an API that checks whether a user has access to a particular table?
Is BigQuery Table ACL compatible with VPC Service Controls?
Yes. VPC Service Controls leverages IAM to control access to services such as BigQuery and Cloud Storage. BigQuery Table ACL uses IAM to provide a deeper granularity of access control on individual BigQuery tables. Since they use IAM in a complementary manner, VPC Service Controls and BigQuery Table ACL are compatible.
Are federated tables supported?
Yes, federated tables, also known as external data sources, are supported. You can set access control on a federated table the same as any other BigQuery table.
I received an error running
bq get-iam-policy. What do I do?
If you receive an error such as:
FATAL Command 'get-iam-policy' unknown error.
bq command-line tool to version
2.0.50 or later.