This document describes Identity and Access Management (IAM) roles that allow you to use Data Catalog to search and tag Google Cloud resources.
For a detailed description of IAM and its features, see the IAM documentation.
IAM terminology
- Permissions
- Checked at runtime to allow you to perform an operation or access a Google Cloud resource. You're not granted permissions directly, but, instead, are granted roles that contain permissions.
- Roles
- A role is a predefined collection of permissions. Custom roles consisting of a custom collection of permissions are also allowed.
View Data Catalog roles
In the Google Cloud console, go to the IAM & Admin > Roles page.
In the Filter field, select Used in, type
Data CatalogorData Lineage, and click Enter.Click a role to view the permissions of the role in the right pane.
For example, the Data Catalog Admin role has full access to all Data Catalog resources.
Predefined Data Catalog roles
Some predefined Data Catalog roles include the Data Catalog Admin, Data Catalog Viewer, and Data Catalog TagTemplate Creator. Some of these roles are described in the subsequent sections.
For a list and description of Data Catalog predefined roles and the permissions associated with each role, see Data Catalog roles.
Data Catalog Admin role
The roles/datacatalog.admin role has access to all the
Data Catalog resources. A Data Catalog admin can
add different types of users to a Data Catalog project.
Data Catalog Data Steward role
The roles/datacatalog.dataSteward role lets you add, edit, or
delete the data stewards and the rich text overview for a data entry such as a
BigQuery table.
Data Catalog Viewer role
To simplify gaining access to Google Cloud resources,
Data Catalog provides the roles/datacatalog.viewer role with
metadata read permission for all cataloged Google Cloud resources.
This role also grants the permissions to view Data Catalog tag templates and tags.
Grant the Data Catalog Viewer role on your project to view Google Cloud resources in Data Catalog.
Data Catalog TagTemplate Creator role
The roles/datacatalog.tagTemplateCreator role lets you create tag templates.
Data Catalog Search Admin role
The roles/datacatalog.searchAdmin role lets you retrieve, through search,
all cataloged Google Cloud resources within a project or organization.
Data Catalog Migration Config Admin role
The roles/datacatalog.migrationConfigAdmin role lets you set and retrieve
configuration related to the migration of resources from
Data Catalog to Dataplex Catalog.
Predefined data lineage roles
To access the lineage for any Data Catalog entry, you need
access to the entry in Data Catalog. To access the
Data Catalog entry, you need a viewer role on the corresponding
system resource or
Data Catalog Viewer
(roles/datacatalog.viewer) on the project that stores the
Data Catalog entry. This section describes roles that are required to
view the lineage.
Lineage viewer role
The Data Lineage Viewer
(roles/datalineage.viewer) role allows you to view Dataplex
lineage in the Google Cloud console and read lineage information using
the Data Lineage API. The
runs, and events for a given process are all stored in the same project as the
process. In the case of automated lineage,
the process, runs, and events
are stored in the project in which the job that generated the lineage was
running. This could be for example the project in which a BigQuery job was
running.
You need different roles to view the lineage between assets and to view metadata
of the assets. For the former, you need
Data Lineage Viewer (roles/datalineage.viewer).
For the latter, you need the same roles as used for accessing metadata entries
in Data Catalog.
Roles to view lineage between two assets
To view lineage between assets, you need the
Data lineage Viewer role (roles/datalineage.viewer)
on the following projects:
- The project in which you're viewing lineage (known as active project), that is the project in the drop-down at the top of the Google Cloud console or the project from which API calls are made. This would normally be the Data Catalog resource project.
- The projects in which lineage is recorded (known as compute project). Lineage is stored in the project in which the corresponding process was executed, as described above. This project can be different from the project that stores the asset that you're viewing lineage for.
For more information about granting roles, see Manage access. You might also be able to get the required permissions through custom roles or other predefined roles.
Depending on the use case, grant the Data lineage Viewer (roles/datalineage.viewer)
role on the folder or organization level to guarantee access the lineage (see Grant or revoke a single role).
Roles required for Data lineage can be granted only through
the Google Cloud CLI.
Roles to view asset metadata when viewing lineage
When metadata about an asset is stored in Data Catalog, you only
get to view that metadata if you have a viewer role on the corresponding system resource
or Data Catalog Viewer (roles/datacatalog.viewer)
on the project in which the Data Catalog entry is stored. You
might have access to assets on the lineage graph or list through appropriate
viewer roles but no access to the lineage between them. This is the case when
you don't have the Data lineage Viewer role (roles/datalineage.viewer)
on the project in which the lineage was recorded. In this case, the
Data Lineage API and Google Cloud console doesn't show the lineage and
doesn't return an error, to prevent leaking information about the existence of
lineage. Therefore, absence of lineage for an asset does not mean that there is
no lineage for that asset, but that you might not have access to that lineage.
Data Lineage Events Producer role
The roles/datalineage.producer role lets users manually record lineage
information using the data lineage API.
Data Lineage Editor role
The roles/datalineage.editor role lets users manually modify lineage
information using the data lineage API.
Data Lineage Administrator role
The roles/datalineage.admin role lets users perform all lineage operations
listed in this section.
Roles to view public and private tags
You can search for public tags using simple search. You can view a data entry, including its public tags, as long as you have the required permissions to view the data entry. No additional permissions on the tag template are required. For permissions required to view the data entry, see the table in this section.
However, we recommend to also grant the datacatalog.tagTemplates.get
permission to users who are expected to search for these public tags. This
permission allows users to also use the search predicate tag: or use
the tag template search facet in the Data Catalog search page.
For private tags, you need view permissions on both the tag template and the data entry to search for the tag and to see the tag in the entry detail page. Users must use the tag: search predicate or the tag template search facet to find the tags; simple search for private tags isn't supported.
Note the following:
The view permission needed on the private tag template is
datacatalog.tagTemplates.getTag.The view permissions on the data entry for both public and private tags are included in the following table.
| Resource | Permission | Role |
|---|---|---|
| BigQuery datasets, tables, models, routines, and connections | bigquery.datasets.getbigquery.tables.getbigquery.models.getMetadatabigquery.routines.getbigquery.connections.get |
roles/datacatalog.tagTemplateViewerroles/bigquery.metadataViewerroles/bigquery.connectionUser |
| Pub/Sub topics | pubsub.topics.get |
roles/datacatalog.tagTemplateViewerroles/pubsub.viewer |
| Spanner instances, databases, tables and views | Instance: spanner.instances.getDatabase:spanner.databases.getTable: spanner.databases.getViews: spanner.databases.getdatacatalog.tagTemplates.getTag |
No predefined roles are available. |
| Bigtable instances and tables | bigtable.instances.getbigtable.tables.getdatacatalog.tagTemplates.getTag |
roles/datacatalog.tagTemplateViewerroles/bigtable.viewer |
| Dataproc Metastore services, databases, and tables | metastore.tables.getmetastore.databases.getmetastore.services.get |
roles/datacatalog.tagTemplateViewerroles/metastore.metadataViewer |
| Custom entries | datacatalog.entries.get |
No predefined roles are available. |
Roles to search Google Cloud resources
Before searching, discovering, or displaying Google Cloud resources, Data Catalog checks that you've been granted an IAM role with the metadata read permissions required by BigQuery, Pub/Sub, Dataproc Metastore, or other source system to access the resource.
Example: Data Catalog checks that you've been granted
a role with bigquery.tables.get permission before displaying
BigQuery table metadata.
The following table lists the permissions and the associated roles needed to use Data Catalog to search the listed Google Cloud resources.
| Resource | Permission | Role |
|---|---|---|
| BigQuery datasets, tables, models, routines, and connections | bigquery.datasets.getbigquery.tables.getbigquery.models.getMetadatabigquery.routines.getbigquery.connections.get |
roles/bigquery.metadataViewerroles/bigquery.connectionUserAlso see Data Catalog Viewer role |
| Pub/Sub topics | pubsub.topics.get |
roles/pubsub.viewerAlso see Data Catalog Viewer role |
| Spanner databases and tables | Instance: spanner.instances.getDatabase: spanner.databases.getViews: spanner.databases.get |
No predefined roles are available. |
| Bigtable instances and tables | bigtable.instances.getbigtable.tables.get |
roles/bigtable.viewerAlso see Data Catalog Viewer role |
| Dataplex lakes, zones, tables, and filesets | dataplex.lakes.getdataplex.zones.get dataplex.entities.getdataplex.entities.get |
No predefined roles are available. |
| Dataproc Metastore services, databases, and tables | metastore.tables.getmetastore.databases.get metastore.services.get |
roles/metastore.metadataViewer |
Roles to attach tags to Google Cloud resources
To attach public and private tags to Google Cloud resources require the same permissions.
Data Catalog lets users extend metadata on Google Cloud resources by attaching tags. One or more tags that can be attached to a resource are defined in a tag template.
When a user attempts to use the tag template to attach a tag to a Google Cloud resource, Data Catalog checks that you have the required permissions to use the tag template and to update the resource metadata. Permissions are granted through IAM roles, as shown in the following table.
The following table lists the permissions and the associated roles needed for a user to use Data Catalog to attach both public and private tags to listed Google Cloud resources.
Each row in the following table lists the permissions needed to tag resources. The corresponding roles may grant additional permissions. Click on each role to view all permissions associated with it.
Note the following:
The owner of a data entry has the
datacatalog.entries.updateTagpermission by default. All other users must be granted the datacatalog.tagEditor role.The
datacatalog.tagTemplates.usepermission is also required for all resources listed in the table.
| Resource | Permissions | Role |
|---|---|---|
| BigQuery datasets, tables, models, routines, and connections |
bigquery.datasets.updateTagbigquery.tables.updateTagbigquery.models.updateTagbigquery.routines.updateTagbigquery.connections.updateTag |
roles/datacatalog.tagTemplateUserroles/datacatalog.tagEditorroles/bigquery.dataEditor |
| Pub/Sub topics | pubsub.topics.updateTag |
roles/datacatalog.tagTemplateUserroles/datacatalog.tagEditorroles/pubsub.editor |
| Spanner databases and tables. | Instance: spanner.instances.UpdateTagDatabase: spanner.databases.UpdateTagTable: spanner.databases.UpdateTagViews: spanner.databases.UpdateTag |
No predefined roles are available. |
| Bigtable instances and tables | bigtable.instances.updatebigtable.tables.update |
roles/datacatalog.tagTemplateUserroles/datacatalog.tagEditorroles/bigtable.admin |
| Dataplex lakes, zones, tables, and filesets | dataplex.lakes.updatedataplex.zones.update dataplex.entities.updatedataplex.entities.update |
No predefined roles are available. |
| Dataproc Metastore services, databases, and tables | metastore.tables.updatemetastore.databases.update metastore.services.update |
roles/datacatalog.tagTemplateUserroles/datacatalog.tagEditorroles/metastore.editorroles/metastore.metadataEditor |
Custom roles for Google Cloud resources
Predefined editor roles for data entries from other Google Cloud systems
might provide broader write access than required. Use
custom roles to specify
*.updateTag permissions only on a Google Cloud resource.
Roles to modify rich text overview and data stewards in Data Catalog
Users need the following roles to attach rich text overview and assign data stewards to entries in Data Catalog:
| Resource | Permissions | Role |
|---|---|---|
| Google Cloud projects | datacatalog.entries.updateOverview datacatalog.entries.updateContacts |
roles/datacatalog.dataSteward |
Roles to modify migration configuration in Data Catalog
Users need the following roles to set and retrieve configuration related to the migration from Data Catalog to Dataplex:
| Resource | Permissions | Role |
|---|---|---|
| Google Cloud projects and organizations | datacatalog.migrationConfig.set datacatalog.migrationConfig.get |
roles/datacatalog.migrationConfigAdmin |
Identity federation in Data Catalog
Identity federation lets you use an external identity provider (IdP) to authenticate and authorize users to Google Cloud services with IAM.
Data Catalog supports identity federation with the following limitations:
- Data Catalog API SearchCatalog and StarEntry methods support only the Workforce identity federation and aren't available for Workload identity federation
- Dataplex doesn't support the Google Cloud console for identity federation users
What's next
- Learn how to create custom IAM roles.
- Learn how to grant and manage roles.
- Learn more about the Dataplex IAM roles.
- Learn more about BigQuery access control.
- Learn more about Pub/Sub access control.
- Learn more about Dataproc Metastore access control.