When we're working on different projects in BigQuery, we're changing the project-id from the top panel. We need to get the "BigQuery Admin" permission so we can make this choice from above, but we want to keep these permissions to a minimum, so what can we do?
We've discovered this document, but we don't know which roles are meant to be enough for us. We just don't expect to be able to question the data and keep the query costs on the customer.
Is there a quick way to get this permission? Does the user need to define this manually with these roles? Is there a practical way we can get "BigQuery Admin"?
Just a quick refresher from the GCP documentation:
Permissions determine what operations are allowed on a resource.
A role is a collection of permissions. You cannot grant a permission to the user directly. Instead, you grant them a role. When you grant a role to a user, you grant them all the permissions that the role contains.
So BigQuery Admin is already a predefined role. You can just assign this role to an authenticated principal to access BigQuery resources on a certain project.
My Database dbo.MyDb currently allows database-level access to a bunch of users.
However I now have a table in dbo.MyDb called "MyDbTable", which only specific users should be able to access. I don't want to DENY access to MyDb users because then we would have to deny access to new users manually every time a new user gets added. I want to only allow specific users (for example a guy named "user1") to access MyDbTable. No other user should be able to access MyDbTable.
Question 1: Is there a way to achieve this?
Question 2: If we can do only-allow, does that mean that only "user1" can make changes to that table from an app like a C#/.NET backend app (by passing in his username and password along with the connection string)?
Grant schema-level permissions on all existing schemas to the existing users.
Drop the database-level permissions from the existing users.
Test
Make a new schema
Move your new table to the new schema.
Grant permissions on the new schema to only some users.
If you want to retain database-level permissions, you're going to need to DENY, because a database level permission is, in fact, a database level permission.
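The schema-based approach from the steps above, written out as an added T-SQL example (this is not code from the original answer). It assumes a database MyDb, the table dbo.MyDbTable, an existing user user2 who today holds database-level SELECT/INSERT/UPDATE/DELETE, and user1 as the only principal allowed on the restricted table:

```sql
-- Added example, not from the original answer. Assumed names: MyDb, dbo.MyDbTable, user1, user2.
USE MyDb;
GO

-- 1. Keep existing users working: replace the database-scoped grant with a grant on the dbo schema.
--    REVOKE removes the database-level grant; it is not a DENY, so it does not block other paths.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO user2;
REVOKE SELECT, INSERT, UPDATE, DELETE FROM user2;
GO

-- 2. A separate schema for restricted objects, then move the table into it.
--    (CREATE SCHEMA must be the first statement in its batch.)
CREATE SCHEMA Restricted AUTHORIZATION dbo;
GO
ALTER SCHEMA Restricted TRANSFER dbo.MyDbTable;
GO

-- 3. Only user1 is granted access to the restricted schema. New users added later
--    inherit nothing here, so no per-user DENY is needed.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Restricted TO user1;
GO

-- 4. Test by impersonating each user; HAS_PERMS_BY_NAME returns 1 (allowed) or 0 (not allowed).
EXECUTE AS USER = 'user2';
SELECT HAS_PERMS_BY_NAME('Restricted.MyDbTable', 'OBJECT', 'SELECT') AS user2_can_select;  -- expected 0
REVERT;

EXECUTE AS USER = 'user1';
SELECT HAS_PERMS_BY_NAME('Restricted.MyDbTable', 'OBJECT', 'SELECT') AS user1_can_select;  -- expected 1
REVERT;
GO
```

Two things to check before doing this in production: the table's two-part name changes to Restricted.MyDbTable, so any application query (including the C#/.NET backend from the question) that referenced dbo.MyDbTable must be updated, and members of db_owner or the sysadmin server role are unaffected by any of this because they bypass schema-level grants.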
Permission denied. Please get bigquery.jobs.listExecutionMetadata or bigquery.jobs.listAll permission at organisation level to access Admin Resource Charts.
I am getting the above error while trying to access the Monitoring dashboard in BigQuery.
Question: How do I find which role has these permissions so that the role can be assigned to a principal?
Thanks in advance for your help
You need to set the roles at the organization level. Applying it to the organization level means that you provide permission to access all of a project’s BigQuery resources. These roles are used on the organization level because BigQuery Monitoring requires it.
The predefined roles that BigQuery has with these permissions (bigquery.jobs.listExecutionMetadata and bigquery.jobs.listAll) are:
BigQuery Admin
BigQuery Resource Admin
BigQuery Resource Editor
BigQuery Resource Viewer
On the other hand, if you have these roles and BigQuery Monitoring is sending you the same error, you probably have the roles set at the project level; applying them at the project level means they only give access to that project.
These are the required permissions to use BigQuery Monitoring. See this to know how to grant permissions at organization level.
Additionally, you can see all the BigQuery Roles in this document.
Is there any way to make user- or role-specific triggers in Azure Synapse or Azure DW?
You do not need a trigger for this. Users can only do what you allow them to do. For example, when you first create a user in the database, they have no permissions. Users can only drop tables if they are members of the database role db_ddladmin or they are effectively db_owner or sysadmins. So the answer to your question is, make sure that user is not a member of the db_ddladmin role in the database.
You can look at using the DENY statement for certain roles but I think that would lead to an over-complicated setup that is hard to maintain and administer. See the Database Roles documentation for Synapse for more info.
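The answer's point (control what a user can do through role membership and grants, not through triggers) as an added T-SQL example for a Synapse dedicated SQL pool; this is not code from the original answer. It assumes a database user etl_user and a staging schema, and uses a user-defined role rather than DENY so the setup stays easy to administer:

```sql
-- Added example, not from the original answer. Assumed names: etl_user, schema staging, role etl_writer.

-- Audit first: who can create, alter or drop objects through the fixed database roles?
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_ddladmin');

-- Remove the user from db_ddladmin. Existing object- and schema-level grants are untouched,
-- but DROP TABLE on tables they do not own is no longer possible.
ALTER ROLE db_ddladmin DROP MEMBER etl_user;

-- Grant only the data access the job needs, through a role so the same set can be reused.
CREATE ROLE etl_writer;
GRANT SELECT, INSERT ON SCHEMA::staging TO etl_writer;
ALTER ROLE etl_writer ADD MEMBER etl_user;

-- Verify from a session opened as etl_user: dropping a table in dbo needs ALTER on the schema
-- (or CONTROL on the table), so both of these should return 0.
SELECT HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'ALTER')            AS can_alter_dbo_schema,
       HAS_PERMS_BY_NAME('dbo.SomeTable', 'OBJECT', 'CONTROL') AS has_control_on_table;
```

Re-run the audit query periodically (or from a scheduled job) so that a later "quick fix" that adds someone back to db_ddladmin or db_owner is noticed rather than discovered after a table disappears.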
We have some restrictions on our GCP prod instance; that is why I cannot store BQ views there.
Do you know the minimum permission or role needed to store views in BigQuery?
Then I would take that into a discussion with our user administration.
Thank you,
Christian
See this page: https://cloud.google.com/bigquery/docs/access-control#permissions_and_predefined_roles for permissions and roles.
Here a BigQuery view falls into the category of table; therefore, you'll need the bigquery.tables.create permission to be able to store a view (and probably bigquery.tables.update to update the view definition later).
Predefined roles seem too wide, so you might just ask the admin to create a custom role for you. https://cloud.google.com/iam/docs/creating-custom-roles
And in case the dataset holding the tables is too sensitive, you could suggest that the admin create a "view only" dataset and grant you enough permission there, or even assign you the predefined role roles/bigquery.dataEditor on that dataset only.
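The "view only" dataset suggested above, and the least-privilege alternative to a project-wide BigQuery Admin role asked about in the first question on this page, as an added BigQuery SQL (DCL) example. This is not code from the original answers; it assumes a project my-proj, a sensitive source dataset prod_data, a new dataset analyst_views, and a principal analyst@example.com:

```sql
-- Added example, not from the original answers. Assumed names: my-proj, prod_data, analyst_views,
-- analyst@example.com. Run the admin statements as a principal with dataOwner on both datasets.

-- Admin: a separate dataset that will hold only views.
CREATE SCHEMA IF NOT EXISTS `my-proj.analyst_views`;

-- Admin: dataset-scoped bindings instead of a project-wide role.
-- dataEditor on analyst_views carries bigquery.tables.create / bigquery.tables.update, so the analyst
-- can store and later redefine views there; dataViewer on prod_data is read-only.
GRANT `roles/bigquery.dataEditor` ON SCHEMA `my-proj.analyst_views` TO "user:analyst@example.com";
GRANT `roles/bigquery.dataViewer` ON SCHEMA `my-proj.prod_data`     TO "user:analyst@example.com";

-- Analyst: store a view. Running this statement is a query job, so the analyst also needs
-- bigquery.jobs.create (e.g. roles/bigquery.jobUser) on whichever project is billed for the job.
CREATE OR REPLACE VIEW `my-proj.analyst_views.orders_summary` AS
SELECT customer_id, COUNT(*) AS n_orders
FROM `my-proj.prod_data.orders`
GROUP BY customer_id;

-- Admin: audit the dataset-level bindings that now exist (region-qualified INFORMATION_SCHEMA view).
SELECT object_type, object_name, privilege_type, grantee
FROM `my-proj.region-us`.INFORMATION_SCHEMA.OBJECT_PRIVILEGES
WHERE object_name = 'analyst_views' OR object_schema = 'analyst_views';
```

The analyst can query the view because they hold dataViewer on prod_data themselves; anyone else who is granted access only to analyst_views will still be refused on the underlying tables unless the view is registered as an authorized view on prod_data, which is exactly the control that keeps the sensitive dataset closed.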
Would every user who uses my database have a role? Is it more administrators who will have roles, people who need access to all the tables?
Also, I am unable to offer table-level privileges to a role and offer that to a user. It just won't work. I have to offer the privileges directly onto the user for them to work. Is that normal? Should I be able to offer table-level privileges to a role, or do I have to manually offer each of my users the table-level privileges?
Would every user who uses my database have a role?
That depends on how you (or, should I rather say, DBA) set it up.
Quite a long time ago, say until Oracle 8i, there were 2 very popular roles, connect and resource, so when a DBA created a new user, they simply ran
grant connect, resource to new_user;
and the new_user was ready to go as those roles provided most needed privileges such as create session, create table or create view (check documentation for more info about those predefined roles).
However, it turned out that not everyone should be granted e.g. create cluster (which is one of connect's privileges), so nowadays you should create your own roles if you want, then grant certain privileges to those roles and, finally, grant roles to your users.
Another option is to keep .sql scripts for each of your users. That script should contain the list of privileges granted to those users, separately, which means that you shouldn't grant anyone a privilege they don't really need.
I am unable to offer table-level privileges to a role and offer that to a user. It just won't work. I have to offer the privileges directly onto the user for them to work. Is that normal?
It works, but not everywhere. Those privileges (the ones granted via roles) won't work in named PL/SQL procedures (i.e. stored procedures, functions, packages). If you have to use those tables in them, yes - you have to grant privileges directly to each of those users.
As opposed to named PL/SQL procedures, privileges granted via roles will work in anonymous PL/SQL blocks or at SQL level.
If you're wondering why would you use roles at all, then, the answer is my first sentence: it depends.
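The behaviour described in this answer (privileges received through a role work in SQL and anonymous blocks but not inside named PL/SQL) as an added Oracle SQL example; this is not code from the original answer. It assumes a schema hr_app owning an employees table, a role app_reader, and a user report_dev who already has create session and create procedure:

```sql
-- Added example, not from the original answer. Assumed names: hr_app.employees, app_reader, report_dev.

-- As a DBA: grant the table privilege to a role, and the role to the user.
CREATE ROLE app_reader;
GRANT SELECT ON hr_app.employees TO app_reader;
GRANT app_reader TO report_dev;

-- As report_dev: works at SQL level ...
SELECT COUNT(*) FROM hr_app.employees;

-- ... and in an anonymous PL/SQL block, because roles are enabled in the session.
SET SERVEROUTPUT ON
BEGIN
  FOR r IN (SELECT employee_id FROM hr_app.employees WHERE ROWNUM <= 5) LOOP
    DBMS_OUTPUT.PUT_LINE(r.employee_id);
  END LOOP;
END;
/

-- As report_dev: a named (definer's-rights) procedure compiles with errors, typically
-- PL/SQL: ORA-00942 "table or view does not exist", because roles are not in effect there.
CREATE OR REPLACE PROCEDURE count_employees (p_count OUT NUMBER) AS
BEGIN
  SELECT COUNT(*) INTO p_count FROM hr_app.employees;
END;
/
SHOW ERRORS

-- As a DBA: the fix is a direct object grant to the user, not via the role ...
GRANT SELECT ON hr_app.employees TO report_dev;

-- As report_dev: ... after which the procedure compiles.
ALTER PROCEDURE count_employees COMPILE;

-- As a DBA: audit what is granted directly versus through roles.
SELECT grantee, table_name, privilege FROM dba_tab_privs
WHERE grantee IN ('APP_READER', 'REPORT_DEV');
SELECT grantee, granted_role FROM dba_role_privs WHERE grantee = 'REPORT_DEV';
```

The audit queries at the end are the practical part for the "should every user have a role?" question: direct grants in dba_tab_privs are the ones you have to track per user, so keeping them to the few objects referenced from named PL/SQL, and putting everything else behind roles, keeps the per-user scripts short.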