Roles and permissions

This topic covers the roles and permissions to grant in Google Cloud projects so that users can access BigQuery data and perform various operations in BigQuery.

BigQuery provides the following predefined roles that can be assigned to users. A user can be assigned multiple roles in the same project, in which case the user's effective permissions are the union of the permissions from all assigned roles. Service accounts can also be added to these roles:

  • BigQuery Data Viewer: This is the most basic level of permission that can be granted to users. Users who are granted this permission can only see the projects, datasets in the project, tables in the project, and information about the tables such as schema, number of rows, or when it was created and modified. Users can see sample rows from the table using the preview option. Users who have been assigned this role cannot execute any queries. This role is mostly assigned to users who review the objects in BigQuery.
  • BigQuery Data Editor: Users in this role have all the permissions that are part of Data Viewer and also have permissions to create a new dataset, create a new table, and delete tables. The users in this role cannot query data in BigQuery nor can they import/export data in BigQuery.
  • BigQuery Data Owner: Users in this role have all the permissions that are part of Data Editor and can delete datasets in the project. Users in this role cannot query data in BigQuery nor can they import/export data in BigQuery.
  • BigQuery User: Users in this role are similar to BigQuery Data Viewer but they can run queries that show the data and cannot do import/export. Users can save queries under their account. In production projects, a developer is usually granted BigQuery Data Viewer and BigQuery User permission so that they can query and verify the data in production without changing any tables or data in the tables.
  • BigQuery Job User: Users in this role can run queries and export/import data in BigQuery. In development projects, the developers are usually granted BigQuery Data Editor and BigQuery Job User permissions to run queries and import/export data into the tables in the project.
  • BigQuery Admin User: Users in this role will have the highest level of access to BigQuery. Exercise caution when adding users to this role. Usually it is granted only to db admins and deployment team members, not to developers or testers in the project.

The following page provides a comparison table for the various roles and their permissions in BigQuery. Go through this documentation and also understand how these permissions apply to each method in the BigQuery API that your application will be using:

https://cloud.google.com/bigquery/docs/access-control#predefined_roles_comparison_matrix

To grant users the required permissions, choose the project from the top navigation bar as shown in this screenshot:

Click on the top-left menu button and choose the IAM & admin option in the menu; a screen like the one shown here will be displayed:

Click on the ADD button and invite the users for the project using their email address; select the list of roles for the users as shown in this screenshot:

For development and testing projects, add members to BigQuery Data Editor and BigQuery Job User roles. For production projects, add users to BigQuery Data Viewer and BigQuery User roles. 
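
The role recommendations above can be checked against a project's actual IAM policy. The following is an added example, not code from the original text: it reads a policy in the JSON shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`, computes the union of BigQuery roles per member, and lists every member holding a BigQuery role beyond the baseline recommended for that environment (including BigQuery Admin, so those grants can be reviewed). The member addresses, the sample policy, and the function names are constructed for illustration.

```python
import json

# Role IDs of the predefined BigQuery roles recommended on this page.
ALLOWED = {
    # Production: BigQuery Data Viewer + BigQuery User only.
    "production": {"roles/bigquery.dataViewer", "roles/bigquery.user"},
    # Development/testing: BigQuery Data Editor + BigQuery Job User.
    "development": {"roles/bigquery.dataEditor", "roles/bigquery.jobUser"},
}

def roles_by_member(policy):
    """Invert bindings into member -> set of BigQuery roles.
    Effective access is the union of every role in the set."""
    out = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith("roles/bigquery."):
            continue  # non-BigQuery roles are out of scope for this check
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(role)
    return out

def audit(policy, environment):
    """Return {member: sorted roles beyond the baseline for this environment}."""
    allowed = ALLOWED[environment]
    findings = {}
    for member, roles in roles_by_member(policy).items():
        extra = roles - allowed
        if extra:
            findings[member] = sorted(extra)
    return findings

# Constructed sample policy with hypothetical members.
SAMPLE_POLICY = json.loads("""
{"version": 1, "bindings": [
  {"role": "roles/bigquery.dataViewer", "members": ["user:dev1@example.com", "user:dev2@example.com"]},
  {"role": "roles/bigquery.user", "members": ["user:dev1@example.com", "user:dev2@example.com"]},
  {"role": "roles/bigquery.dataEditor", "members": ["user:dev2@example.com"]},
  {"role": "roles/bigquery.admin", "members": ["user:dba@example.com", "serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": ["user:dev1@example.com"]}
]}
""")

if __name__ == "__main__":
    for member, extra in audit(SAMPLE_POLICY, "production").items():
        print(f"{member}: beyond production baseline -> {', '.join(extra)}")
```

A member flagged here is not necessarily misconfigured; an administrator holding BigQuery Admin is expected, but each such grant should be one that someone can justify.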