Use policy tags to control column access in BigQuery

Policy tags let you control who can view sensitive columns in BigQuery tables. In Data Catalog, you can add or remove policy tags on columns directly from the table's entry details page.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Enable the Data Catalog and BigQuery APIs.

    Enable the APIs

  4. Make sure that you have the following role or roles on the project: Data Catalog > Policy Tag Admin, BigQuery > Data Viewer

    Check for the roles

    1. In the Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. Find the row that has your email address in the Principal column.

      If your email address isn't in that column, then you do not have any roles.

    4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

    Grant the roles

    1. In the Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. Click Add.
    4. In the New principals field, enter your email address.
    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.

Roles and permissions

There are several roles related to policy tags for users and service accounts. This page covers two of them: the Data Catalog Policy Tags Admin role and the Data Catalog Fine-Grained Reader role.

  • Users or service accounts that administer policy tags need the Data Catalog Policy Tags Admin role (roles/datacatalog.categoryAdmin). This role can create and manage taxonomies and policy tags, and can grant or revoke the IAM bindings on policy tags. Because it decides who can read tagged columns, treat it as a sensitive administrative grant.

  • Users or service accounts that query data protected by policy tags need the Data Catalog Fine-Grained Reader role (roles/datacatalog.categoryFineGrainedReader). It is granted separately on each policy tag.

For more information about all policy tag-related roles, see Roles used with column-level security.

The Policy Tags Admin role

The Data Catalog Policy Tags Admin role can create and manage data policy tags.

To grant the Data Catalog Policy Tags Admin role, you must have the resourcemanager.projects.setIamPolicy permission on the project in which you want to grant it. If you do not have that permission, ask a Project Owner either to grant it to you or to perform the following steps for you.

  1. In the Google Cloud console, go to the IAM page.

    Open the IAM page

  2. If the email address of the user to grant the role is in the list, select the email address and click Edit (the pencil icon). Then click Add another role.

    If the user email address is not in the list, click Add, then enter the email address in the New principals box.

  3. Click the Select a role drop-down list.

  4. Click Data Catalog, and then click Policy Tags Admin.

  5. Click Save.

For more information about this role, see Roles used with column-level security.

Create a taxonomy

You use Data Catalog to create a taxonomy and add policy tags for your data.

The user account for the following steps is required to have the Data Catalog Policy Tags Admin role.

  1. Open the Data Catalog Taxonomies page in the Cloud console.

    Open the Taxonomies page

  2. Click Create taxonomy.

  3. On the New taxonomy page:

    1. For Taxonomy name, enter the name of the taxonomy that you want to create.
    2. For Description, enter a description.
    3. If needed, change the project listed under Project.
    4. If needed, change the location listed under Location.
    5. Under Policy Tags, enter a policy tag name and description.
    6. To add a child policy tag for a policy tag, click Add child policy tag.
    7. To add a new policy tag at the same level as another policy tag, click the + icon.

      The following shows the New taxonomy page for an example taxonomy.

      Create taxonomy page.

    8. Continue adding policy tags and child policy tags as needed for your taxonomy.

    9. When you are done creating policy tags for your hierarchy, click Save.

    10. On the Policy tag taxonomy page, toggle on the Enforce access control slider. Until this slider is on, the policy tags are descriptive metadata only and do not restrict who can read the tagged columns.

To see a column tagged with a policy tag, a user needs both the normal BigQuery permissions to read the table (for example, through the BigQuery Data Viewer role on the dataset) and the Fine-Grained Reader role on the policy tag itself. See the BigQuery column-level security guide for a detailed walkthrough.

Grant the Fine-Grained Reader role

Users who need access to columns protected by policy tags need the Data Catalog Fine-Grained Reader role. This role is granted individually on each policy tag; a grant on a parent policy tag also covers the columns tagged with its child policy tags.

Before you can perform the following steps, you must have the resourcemanager.projects.setIamPolicy permission on the project where you want to grant the Fine-Grained Reader role. If you do not have that permission, ask a Project Owner either to grant it to you or to perform the following steps for you.

  1. Go to the Data Catalog > Policy tags page.

    Go to Data Catalog policy tags

  2. Select the policy tag taxonomy where you want to grant the role.

  3. In the Policy tags section, select the specific policy tag.

  4. In the policy tag info pane, click ADD PRINCIPAL.

    If you can't see the info pane, click SHOW INFO PANEL.

  5. In the Add principals pane:

    1. In the New principals box, enter the email address of the user to grant the role.
    2. From the Select a role menu, select Data Catalog > Fine-Grained Reader.
    3. Click Save.

This user account can now view all columns protected by that specific policy tag (and by any of its child policy tags), provided it also has permission to read the table.

For more information about this role, see Roles used with column-level security.
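The following is an added example (not code from this page or from Google Cloud) that models how the pieces from the two procedures above fit together: a taxonomy with an Enforce access control flag, Fine-Grained Reader bindings on individual policy tags, inheritance of that role from a parent tag to its children, and the requirement that the principal also have table-level read access. The taxonomy, principals and column names are constructed for the illustration; the role IDs roles/datacatalog.categoryAdmin and roles/datacatalog.categoryFineGrainedReader are the real ones.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set

# IAM role IDs behind the two display names the page uses.
POLICY_TAGS_ADMIN = "roles/datacatalog.categoryAdmin"
FINE_GRAINED_READER = "roles/datacatalog.categoryFineGrainedReader"


@dataclass
class PolicyTag:
    """One node of a taxonomy; parent is None for a top-level tag."""
    display_name: str
    parent: Optional["PolicyTag"] = None
    # Principals bound to Fine-Grained Reader directly on this tag.
    fine_grained_readers: Set[str] = field(default_factory=set)

    def self_and_ancestors(self) -> Iterator["PolicyTag"]:
        tag: Optional[PolicyTag] = self
        while tag is not None:
            yield tag
            tag = tag.parent


@dataclass
class Taxonomy:
    display_name: str
    enforce_access_control: bool = False  # the slider from the taxonomy page
    tags: Dict[str, PolicyTag] = field(default_factory=dict)

    def add_tag(self, display_name: str, parent: Optional[PolicyTag] = None) -> PolicyTag:
        tag = PolicyTag(display_name, parent)
        self.tags[display_name] = tag
        return tag

    def grant_fine_grained_reader(self, tag_name: str, principal: str) -> None:
        """The 'Add principal' step, done per policy tag."""
        self.tags[tag_name].fine_grained_readers.add(principal)


def can_read_tagged_column(principal: str, tag: PolicyTag, taxonomy: Taxonomy) -> bool:
    """Whether principal may read a column carrying tag."""
    if not taxonomy.enforce_access_control:
        return True  # tags are metadata only until enforcement is on
    # Fine-Grained Reader on an ancestor tag is inherited by its descendants.
    return any(principal in t.fine_grained_readers for t in tag.self_and_ancestors())


def denied_columns(principal: str, columns: Dict[str, Optional[PolicyTag]],
                   taxonomy: Taxonomy, table_readers: Set[str]) -> List[str]:
    """Columns a query by principal would be refused for.

    columns maps column name -> policy tag (None for an untagged column).
    Without table-level read access (e.g. BigQuery Data Viewer) every column
    is denied; otherwise only tagged columns the principal cannot read.
    """
    if principal not in table_readers:
        return sorted(columns)
    return sorted(col for col, tag in columns.items()
                  if tag is not None and not can_read_tagged_column(principal, tag, taxonomy))


def demo(enforce: bool = True) -> Dict[str, List[str]]:
    """Constructed scenario: a PII tag with an SSN child tag."""
    tax = Taxonomy("Business criticality", enforce_access_control=enforce)
    pii = tax.add_tag("PII")
    ssn = tax.add_tag("SSN", parent=pii)
    tax.grant_fine_grained_reader("PII", "alice@example.com")  # covers SSN too
    tax.grant_fine_grained_reader("SSN", "bob@example.com")    # SSN only
    columns = {"name": None, "email": pii, "ssn": ssn}
    # dave has no table-level access at all, so every column is denied.
    table_readers = {"alice@example.com", "bob@example.com", "carol@example.com"}
    return {p: denied_columns(p, columns, tax, table_readers)
            for p in sorted(table_readers | {"dave@example.com"})}


if __name__ == "__main__":
    for principal, denied in demo().items():
        print(principal, "denied:", denied or "nothing")
```

Run with enforcement off (demo(enforce=False)) to see the failure mode from step 10 above: bob and carol are suddenly allowed every tagged column, because only table-level access is still checked.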

Add a policy tag to a column

In Data Catalog, you can attach a policy tag to only one column at a time. To attach policy tags to multiple columns in a single operation, edit the table schema in BigQuery instead. See Set a policy tag on a column in BigQuery.

  1. Open the Data Catalog home page and find the BigQuery table where you want to attach a policy tag to a column.

    Open the Data Catalog home page

    For more information about finding assets in Data Catalog, see How to search for data assets.

  2. On the asset page, scroll down to the Schema section.

  3. In the Schema table, find the row that represents the BigQuery table column, and under Policy Tags click +.

  4. In the Add a policy tag panel, select the policy tag that you want to apply to the column.

  5. At the bottom of the panel, click Select. Your screen should look similar to the following:

    Policy tag attached in Data Catalog.

The column is now protected with the policy tag. To allow users access to this data, grant them the Data Catalog Fine-Grained Reader role on this policy tag. See The Fine-Grained Reader role.

Clear a policy tag from a column

  1. Open the Data Catalog home page and find the BigQuery table where you want to clear a policy tag from a column.

    Open the Data Catalog home page

    For more information about finding assets in Data Catalog, see How to search for data assets.

  2. On the asset page, scroll down to the Schema section.

  3. In the Schema table, find the row that represents the BigQuery column, and in the Policy Tags cell, click X.

    Clear policy tag.
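For the bulk case the previous two sections point to (tagging or clearing several columns in one operation through the BigQuery table schema rather than one at a time in Data Catalog), here is an added example, not from this page or from Google, that edits a schema of the form produced by bq show --schema --format=prettyjson. The column names, project, taxonomy ID and policy tag ID are constructed; the policyTags.names shape is the one BigQuery uses in table schemas, and representing a cleared column as an empty names list is this example's assumption.

```python
import copy
import json
import re
from typing import Any, Dict, List

# Resource name of a policy tag, as it appears in policyTags.names.
POLICY_TAG_NAME = re.compile(
    r"^projects/[^/]+/locations/[^/]+/taxonomies/[^/]+/policyTags/[^/]+$")

Schema = List[Dict[str, Any]]


def _find_field(fields: Schema, path: str) -> Dict[str, Any]:
    """Locate a column by name, descending into RECORD fields for 'a.b.c'."""
    head, _, rest = path.partition(".")
    for f in fields:
        if f["name"] == head:
            return _find_field(f["fields"], rest) if rest else f
    raise KeyError(path)


def set_policy_tags(schema: Schema, tags: Dict[str, str]) -> Schema:
    """Return a copy of schema with each column in tags bound to one policy tag.

    tags maps column path -> policy tag resource name. A column carries at
    most one policy tag, so an existing binding is replaced.
    """
    for column, tag in tags.items():
        if not POLICY_TAG_NAME.match(tag):
            raise ValueError(f"{column}: not a policy tag resource name: {tag}")
    updated = copy.deepcopy(schema)  # never mutate the caller's schema
    for column, tag in tags.items():
        _find_field(updated, column)["policyTags"] = {"names": [tag]}
    return updated


def clear_policy_tags(schema: Schema, columns: List[str]) -> Schema:
    """Return a copy of schema with the policy tag removed from each column.

    Assumption of this example: an empty names list expresses 'no tag'.
    """
    updated = copy.deepcopy(schema)
    for column in columns:
        _find_field(updated, column)["policyTags"] = {"names": []}
    return updated


def tagged_columns(schema: Schema, prefix: str = "") -> Dict[str, str]:
    """Flatten a schema into column path -> policy tag, for review before bq update."""
    out: Dict[str, str] = {}
    for f in schema:
        path = f"{prefix}{f['name']}"
        for tag in f.get("policyTags", {}).get("names", []):
            out[path] = tag
        if f.get("type") == "RECORD":
            out.update(tagged_columns(f.get("fields", []), path + "."))
    return out


# Constructed sample of what `bq show --schema --format=prettyjson` returns.
SAMPLE_SCHEMA: Schema = [
    {"name": "name", "type": "STRING", "mode": "NULLABLE"},
    {"name": "ssn", "type": "STRING", "mode": "NULLABLE"},
    {"name": "address", "type": "RECORD", "mode": "NULLABLE", "fields": [
        {"name": "street", "type": "STRING", "mode": "NULLABLE"},
        {"name": "zip", "type": "STRING", "mode": "NULLABLE"},
    ]},
]
# Constructed IDs; real taxonomy and policy tag IDs are numeric.
PII_TAG = "projects/my-project/locations/us/taxonomies/123456/policyTags/789012"


def demo() -> str:
    """Tag two columns in one operation and emit the file for `bq update`."""
    updated = set_policy_tags(SAMPLE_SCHEMA, {"ssn": PII_TAG, "address.zip": PII_TAG})
    return json.dumps(updated, indent=2)


if __name__ == "__main__":
    print(demo())
```

Write the output to schema.json, check tagged_columns() against what you expect, and apply it with bq update project:dataset.table schema.json. Validating the resource name before writing catches the common mistake of pasting a tag's display name ("PII") where the full projects/.../policyTags/... name is required.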