Controlling access to tables and views

This document describes how to use BigQuery Table ACL to control access to tables and views. For an overview of BigQuery Table ACL, see Introduction to table access controls.

After you create a table or view, you can set its policy in the following ways:

using the Cloud Console
using the bq set-iam-policy command
calling the tables.setIamPolicy method
using the GRANT or REVOKE data control language statements

You can use BigQuery Table ACL to set access on both logical views and dataset-level authorized views. A logical view can also reference other source tables and views that you shared using BigQuery Table ACL.

Before you begin

Create the table or view that you want to use with BigQuery Table ACL.
Grant the BigQuery Data Owner (roles/bigquery.dataOwner) role or the BigQuery Admin (roles/bigquery.admin) role to the person that will perform the steps in this topic.
For more information about Identity and Access Management (IAM) policies, see Understanding policies and the Policy reference topic.

Creating an access policy

To create an access policy on a table or view:

Console

In the Cloud Console, open the BigQuery page.

Go to BigQuery
In the Explorer panel, select the project.
Select the dataset that contains the table or view.
Select the table or view.
If you are modifying access for a table, click Share table. If you are modifying access for a view, click Share view.
The Table permissions or View permissions page opens. For Add members, enter the email address of the user that will receive access to the table or view.
From the Select a role dropdown, select the role that you want to grant to the user. The following shows granting joe@example.com to the BigQuery Data Viewer (roles/bigquery.dataViewer) role.
Click Done.

SQL

Use the following GRANT statement to grant the Data Viewer (roles/bigquery.dataViewer) role to user joe@example.com on a table in your dataset.

  GRANT `roles/bigquery.dataViewer`
  ON TABLE DATASET.TABLE_OR_VIEW
  TO "user:joe@example.com"

Replace DATASET with the name of the dataset that the resource is in.

Replace TABLE_OR_VIEW with the table or view that you are granting access to.

For more information on the GRANT DCL statement, see Data control language statements in standard SQL.

bq

Retrieve the existing policy to a local file.
```
bq get-iam-policy \
 project-id:dataset.table_or_view \
 > policy.json
```
where:
- project-id is your project ID.
- dataset is the name of the dataset that contains the resource (table or view) that you are updating.
- table_or_view is the name of the resource that you are updating.
More examples of identifying a table or view, and redirecting the policy output to a file:
- bq get-iam-policy dataset1.table1 > policy.json
- bq get-iam-policy --project_id=project1 -t dataset1.table1 > policy.json
- bq get-iam-policy project1:dataset1.table1 > policy.json
If you haven't yet added any members to the policy, the policy.json file will contain an etag value and no other fields. See For more information about how to format the policy.json file, see Understanding policies.
To add the first member, add a bindings field to the policy. For example, to grant the BigQuery Data Viewer (roles/bigquery.dataViewer) role to joe@example.com:
```
"bindings": [
 {
   "members": [
     "user:joe@example.com"
   ],
   "role": "roles/bigquery.dataViewer"
 }
]
```
If you need to add more members to an existing binding, just add the member. This example shows granting jane@example.com the BigQuery Data Viewer (roles/bigquery.dataViewer) role, for a binding that already exists.
```
"members": [
       "user:joe@example.com",
       "user:jane@example.com"
     ],
     "role": "roles/bigquery.dataViewer"
   }
```
Update the policy.
```
bq set-iam-policy \
 project-id:dataset.table_or_view \
 policy.json
```
Caution: After you create a policy, subsequent retrieval of the policy will show that its version field is 1. Do not change this version number in future updates to the policy. This version number refers to the IAM policy schema version, not the version of your policy for the table or view. The etag value is the policy version number.

For information about IAM policy schema versions, see Policy versions.

API

Call tables.getIamPolicy to retrieve the current policy.
Edit the policy to add members and/or bindings. See the bq example for the format of the policy.
Call tables.setIamPolicy to write the new policy.

For information about IAM policy schema versions, see Policy versions.

Java

Before trying this sample, follow the Java setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Java API reference documentation.

View on GitHub Feedback

import com.google.cloud.Identity;
import com.google.cloud.Policy;
import com.google.cloud.Role;
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQueryException;
import com.google.cloud.bigquery.BigQueryOptions;
import com.google.cloud.bigquery.TableId;

// Sample to create iam policy for table
public class CreateIamPolicy {

  public static void main(String[] args) {
    // TODO(developer): Replace these variables before running the sample.
    String datasetName = "MY_DATASET_NAME";
    String tableName = "MY_TABLE_NAME";
    createIamPolicy(datasetName, tableName);
  }

  public static void createIamPolicy(String datasetName, String tableName) {
    try {
      // Initialize client that will be used to send requests. This client only needs to be created
      // once, and can be reused for multiple requests.
      BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService();

      TableId tableId = TableId.of(datasetName, tableName);

      Policy policy = bigquery.getIamPolicy(tableId);
      policy
          .toBuilder()
          .addIdentity(Role.of("roles/bigquery.dataViewer"), Identity.allUsers())
          .build();
      bigquery.setIamPolicy(tableId, policy);
      System.out.println("Iam policy created successfully");
    } catch (BigQueryException e) {
      System.out.println("Iam policy was not created. \n" + e.toString());
    }
  }
}

Updating an access policy

To update an access policy on a table or view:

Console

In the Cloud Console, open the BigQuery page.

Go to BigQuery
In the Explorer panel, select the project.
Select the dataset that contains the table or view.
Select the table or view.
If you are modifying access for a table, click Share table. If you are modifying access for view, click Share view.
The Table permissions or View permissions page opens.
- If you want to add new members, use the same technique shown in Creating an access policy.
- If you want to remove access for a user, search for the user by using the Search members field. For each group where you want to remove the user, expand the group, and then click the Delete button for the user.
- If you want to change group membership for a user, make additions and/or deletions as described in the immediate 2 steps above.
Repeat as needed for other users whose access you want to add, modify, or remove. When you are done, click Done.

SQL

Use the following REVOKE statement to remove the Data Viewer (roles/bigquery.dataViewer) role from user joe@example.com on a table in your dataset.

  REVOKE `roles/bigquery.dataViewer`
  ON TABLE DATASET.TABLE_OR_VIEW
  FROM "user:joe@example.com"

Replace DATASET with the name of the dataset that the resource is in.

Replace TABLE_OR_VIEW with the table or view that you are revoking access from.

For more information on the REVOKE DCL statement, see Data control language statements in standard SQL.

bq

Retrieve the existing policy to a local file.
```
bq get-iam-policy --format=prettyjson \
 project-id:dataset.table_or_view \
 > policy.json
```
where:
- project-id is your project ID.
- dataset is the name of the dataset that contains the table that you are updating.
- table_or_view is the name of the table or view you are updating.
More examples of identifying a table or view, and redirecting the policy output to a file:
- bq get-iam-policy dataset1.table1 > policy.json
- bq get-iam-policy --project_id=project1 -t dataset1.table1 > policy.json
- bq get-iam-policy project1:dataset1.table1 > policy.json
Caution: When setting the policy, always retrieve the current policy as a first step, to obtain the current etag value. Your updated policy file must include the same etag value as the current policy you are replacing, or the update fails. This feature prevents concurrent updates from happening.

Note that the version number in the policy file remains 1. This version number refers to the IAM policy schema version, not the version of the policy. The etag value is the policy version number.
Modify policy.json as needed.

For more information about how to format the policy.json file, see Understanding policies.

For information about IAM policy schema versions, see Policy versions.

Caution: Empty bindings with no members are not allowed and result in an error.

Update the policy.

bq set-iam-policy \
 project-id:dataset.table_or_view \
 policy.json

API

Call tables.getIamPolicy to retrieve the current policy.
Edit the policy to add members and/or bindings.

For the format required for the policy, see the Policy reference topic.

Caution: When setting the policy, always retrieve the current policy as a first step, to obtain the current etag value. Your updated policy file must include the same etag value as the current policy you are replacing, or the update will fail. This feature prevents concurrent updates from happening.

Note that the version number in the policy file remains 1. This version number refers to the IAM policy schema version, not the version of the policy. The etag value is the policy version number.
Call tables.setIamPolicy to write the updated policy.

Caution: Empty bindings with no members are not allowed and will result in an error.

Java

Before trying this sample, follow the Java setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Java API reference documentation.

View on GitHub Feedback

import com.google.cloud.Identity;
import com.google.cloud.Policy;
import com.google.cloud.Role;
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQueryException;
import com.google.cloud.bigquery.BigQueryOptions;
import com.google.cloud.bigquery.TableId;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Sample to update iam policy in table
public class UpdateIamPolicy {

  public static void main(String[] args) {
    // TODO(developer): Replace these variables before running the sample.
    String datasetName = "MY_DATASET_NAME";
    String tableName = "MY_TABLE_NAME";
    updateIamPolicy(datasetName, tableName);
  }

  public static void updateIamPolicy(String datasetName, String tableName) {
    try {
      // Initialize client that will be used to send requests. This client only needs to be created
      // once, and can be reused for multiple requests.
      BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService();

      TableId tableId = TableId.of(datasetName, tableName);

      Policy policy = bigquery.getIamPolicy(tableId);
      Map<Role, Set<Identity>> binding = new HashMap<>(policy.getBindings());
      binding.remove(Role.of("roles/bigquery.dataViewer"));

      policy.toBuilder().setBindings(binding).build();
      bigquery.setIamPolicy(tableId, policy);

      System.out.println("Iam policy updated successfully");
    } catch (BigQueryException e) {
      System.out.println("Iam policy was not updated. \n" + e.toString());
    }
  }
}

For more information about Identity and Access Management policies, see Understanding policies and the Policy reference topic.

What's next

Read the FAQ.
Learn about audit logging of BigQuery Table ACL admin activities at Audit logging.