Table access policy FAQ
This document provides answers to frequently asked questions about the table access policy.
What actions are logged?
When I copy data to a new table, are the table access policies automatically copied?
No. When you copy data to a new table, any table access policies on the source table are not automatically copied. If you want a table ACL on a new table created via copy, you need to explicitly set a table ACL on the new table.
If I delete a table and recreate it, are the table access policies preserved?
No. If you delete a table and then recreate with the same name, you need to explicitly set the table ACL because BigQuery considers it a new table.
I removed my access. Why am I still getting query results?
BigQuery caches the results of successful access checks for up to a few minutes. For more information, see Policy change time lag.
Is there an API that checks whether a user has access to a particular table?
Is a table access policy compatible with VPC Service Controls?
Yes. VPC Service Controls leverages IAM to control access to services such as BigQuery and Cloud Storage. A table access policy uses IAM to provide a deeper granularity of access control on individual BigQuery tables. Since they use IAM in a complementary manner, VPC Service Controls and a table access policy are compatible.
Are federated tables supported?
Yes, federated tables, also known as external data sources, are supported. You can set access control on a federated table the same as any other BigQuery table.
I received an error running
bq get-iam-policy. What do I do?
If you receive an error such as:
FATAL Command 'get-iam-policy' unknown error.
bq command-line tool to version
2.0.50 or later.