Data Catalog Identity and Access Management (IAM)

Data Catalog provides and supports the following features:

Centralized search and discovery. Data Catalog catalogs metadata for Google Cloud resources, such as BigQuery and Pub/Sub.
Resource tagging. Data Catalog can create and attach metadata (tags) on Google Cloud resources.

This document describes Identity and Access Management (IAM) roles that allow users to use Data Catalog to search and tag Google Cloud resources.

IAM Terminology

Permissions: Checked at runtime to allow user to perform an operation or access a Google Cloud resource. Users are not granted permissions directly, but, instead, are granted roles that contain permissions.
Roles: A role is a predefined collection of permissions. Custom roles consisting of a custom collection of permissions may also be allowed.

Searching Google Cloud resources

Before searching, discovering, or displaying Google Cloud resources, Data Catalog checks that the user has been granted an IAM role with the metadata read permissions required by BigQuery, Pub/Sub, or other source system to access the resource.

Example: Data Catalog checks that the user has been granted a role with bigquery.tables.get permission before displaying BigQuery table metadata.

The table below lists the BigQuery and Pub/Sub permissions and the associated role needed for a user to use Data Catalog to search the listed Google Cloud resource.

Resource	Permission	Role
BigQuery datasets, tables, and models	`bigquery.datasets.get` `bigquery.tables.get` `bigquery.models.getMetadata`	roles/bigquery.metadataViewer Also see Data Catalog Viewer role
Pub/Sub topics	`pubsub.topics.get`	roles/pubsub.viewer Also see Data Catalog Viewer role

Data Catalog Viewer role

To simplify gaining access to Google Cloud resources, Data Catalog provides a Data Catalog Viewer role (roles/datacatalog.viewer) with metadata read permission for all cataloged Google Cloud resources. This role also grants the permissions to view Data Catalog tag templates and tags. In the future, this role may be extended to grant additional permissions when new types of resources become searchable in Data Catalog.

Attaching tags to Google Cloud resources

Data Catalog allows users to extend metadata on Google Cloud resources by attaching tags. One or more tags that can be attached to a resource are defined in a tag template. When a user attempts to use the tag template to attach a tag to a Google Cloud resource, Data Catalog checks that the user has been granted permissions to use the tag template and to update resource metadata. Permissions are granted via IAM roles, as shown in the table below.

Each row lists only the permissions needed to tag resources. The corresponding roles may grant additional permissions. Click on each role to view all permissions associated with it.

Resource	Permissions	Role
BigQuery datasets, tables, and models	`datacatalog.tagTemplates.use` `datacatalog.entries.updateTag` AND `bigquery.datasets.updateTag` `bigquery.tables.updateTag` `bigquery.models.updateTag`	roles/datacatalog.tagTemplateUser roles/datacatalog.tagEditor roles/bigquery.dataEditor
Pub/Sub topics	`datacatalog.tagTemplates.use` `datacatalog.entries.updateTag` `pubsub.topics.updateTag`	roles/datacatalog.tagTemplateUser roles/datacatalog.tagEditor roles/pubsub.editor

Use Custom Roles. Predefined BigQuery and Pub/Sub editor roles may provide broader write access than required (allow updating data in addition to updating metadata). Use custom roles to specify *.updateTag permissions only on a Google Cloud resource.

Data Catalog TagTemplate Creator role

The Data Catalog TagTemplate Creator role allows users to create tag templates.

Viewing tags on Google Cloud resources

Data Catalog allows users to view tags attached to Google Cloud resources only if the user has permissions on the resource to view its metadata and permissions on the tag template to view the corresponding tags. Permissions are granted via IAM roles, as explained in the table below.

Each row lists only the permissions needed to view tags, while the corresponding roles may grant additional permissions. Click on each role to view all permissions associated with it.

Resource	Permissions	Role
BigQuery datasets, tables, and models	`datacatalog.tagTemplates.getTag` AND `bigquery.datasets.get` `bigquery.tables.get` `bigquery.models.getMetadata`	roles/datacatalog.tagTemplateViewer roles/bigquery.metadataViewer
Pub/Sub topics	`datacatalog.tagTemplates.getTag` `pubsub.topics.get`	roles/datacatalog.tagTemplateViewer roles/pubsub.viewer