Original Post: Google BigQuery: Give user access to a Table
I'm attempting to give edit access to a user for a BQ table and a saved query. This user does not and will not be given access to any additional items in my BQ account.
I've tried using instructions found here to share the table with the user, but that user is not able to see the table populate in their BQ project folder.
I then tried sharing a link to the query, but I'm unable to give the user edit access this way.
Any and all help is appreciated.
Related
Suppose I have 2 users available for the same project. The requirement is to restrict the table access in the same project to one user. How can it be managed in BigQuery? What kind of access controls should be applied, and how?
Thanks in advance.
You can use table-level ACLs and set the BigQuery roles/bigquery.dataViewer role for users on the tables you wish to grant access to. More details here: https://cloud.google.com/bigquery/docs/table-access-controls-intro
This approach doesn't require creating a separate dataset (as a workaround for table-level access) for access control, which used to be the case earlier.
Depending on requirements, and the strictness of them, this is what I do:
Grant the user access to a specific table within a dataset by granting the BigQuery Data Viewer role at the table level.
You can do this as follows:
-> Open the table in the console and click Share, then click Add Principal
And to make it easier for the user to navigate the metadata of the table, such as schema, details and preview, I grant them the BigQuery Metadata Viewer role at the dataset level.
You should only do this, of course, if it is OK for the user to see which other tables within the dataset are there (they can't see the data in the other tables, just the schema, etc.).
The advantage is that it will be easier for the user to see the schema and a preview of the data.
More info can be found here:
https://cloud.google.com/bigquery/docs/table-access-controls
We are creating dashboards for clients using data studio.
Each client should see their data in the dashboard, based on their login credentials. It is simple to create an authorized_view in BigQuery to let certain users see certain rows of an underlying shared table. But how would one then move this into a dashboard which can be shared with each client, yet show only the individual client's data in the dashboard instead of the data that was visible to the report creator?
So let's say we have a large table with a bunch of columns and one column email which contains the email of users. Now, we want the dashboard to show metrics for each user based on this email column.
On Data Studio, in the data source schema review step, make sure the flag USING VIEWER'S CREDENTIALS is on. By turning it on, the query, when executed, will use the viewer's credentials instead of those of the owner who created the report.
After you finish creating the proper visualization on Data Studio, the final step is to share the report with, e.g., store managers using the share option of Data Studio, which is similar to sharing a Google Doc. You can confidently share it with the whole organization or with the email group of, e.g., store managers; permission is already controlled at the data level.
Read more about this topic here.
I wanted to give a user the ability to view and query a single table in a much larger dataset. Is there some way to allow the user to query just that table? I know I can restrict access to datasets, but is there a way to give permissions at a table level?
Table ACL has been introduced in beta, see doc here:
https://cloud.google.com/bigquery/docs/table-access-controls-intro
There is no way to set permissions at the table level! As you mentioned in your question, you can do this only at the dataset level.
Meantime, there is a workaround that might help you: you can use a so-called authorized view.
What you can do is create a new dataset (let's say for such users) and inside that dataset create a view on top of the table of interest. Now you can give that view VIEW permission for the original dataset using the authorized view option. So in this case you don't need to give the user VIEW permission to the original dataset. The only thing the user needs is VIEW permission to the dataset where this new view is created.
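Added example, not code from the original posts or from Google's tooling: a small Python helper that carries out the authorized-view workaround described in the answer above, and that also produces the row-filtering view body the Data Studio answer earlier on the page relies on (SESSION_USER() returns the e-mail of the principal running the query, which with the viewer's-credentials setting is the dashboard viewer). It edits the "access" array in the JSON that `bq show --format=prettyjson PROJECT:DATASET` prints, which can be pushed back with `bq update --source FILE PROJECT:DATASET`. The project, dataset, table and user names, and both sample access arrays, are constructed for this example.

```python
import copy

# Constructed sample: the "access" array of the source dataset that holds the
# raw table, in the shape `bq show --format=prettyjson PROJECT:DATASET` prints.
SOURCE_DATASET_ACCESS = [
    {"role": "OWNER", "specialGroup": "projectOwners"},
    {"role": "WRITER", "specialGroup": "projectWriters"},
    {"role": "READER", "specialGroup": "projectReaders"},
]

# Constructed sample: access array of the separate dataset that will hold the view.
VIEW_DATASET_ACCESS = [
    {"role": "OWNER", "specialGroup": "projectOwners"},
]


def view_sql(project, dataset, table, email_column="email"):
    """Body for the authorized view. SESSION_USER() is the e-mail of the
    principal running the query, so each viewer only gets their own rows."""
    return (
        f"SELECT * FROM `{project}.{dataset}.{table}`\n"
        f"WHERE {email_column} = SESSION_USER()"
    )


def authorize_view(source_access, project, view_dataset, view_name):
    """Copy of source_access with the view authorized to read the source dataset.
    Idempotent: re-running does not duplicate the entry."""
    entry = {"view": {"projectId": project, "datasetId": view_dataset, "tableId": view_name}}
    new = copy.deepcopy(source_access)
    if entry not in new:
        new.append(entry)
    return new


def grant_reader(access, email):
    """Copy of access with the user given READER on this dataset (the view dataset).
    This is the only grant the consumer needs."""
    entry = {"role": "READER", "userByEmail": email}
    new = copy.deepcopy(access)
    if entry not in new:
        new.append(entry)
    return new


def direct_grants(access, email):
    """Entries giving this user direct (userByEmail) access. On the source
    dataset this must be empty, otherwise the view's row filter is bypassed by
    querying the raw table directly. Group grants need a separate membership check."""
    return [e for e in access if e.get("userByEmail", "").lower() == email.lower()]


def authorized_views(access):
    """The views this dataset currently authorizes."""
    return [e["view"] for e in access if "view" in e]


if __name__ == "__main__":
    user = "store-manager@example.com"
    src = authorize_view(SOURCE_DATASET_ACCESS, "my-project", "client_views", "sales_by_viewer")
    vds = grant_reader(VIEW_DATASET_ACCESS, user)
    assert not direct_grants(src, user), "consumer must not get direct access to the source dataset"
    print(view_sql("my-project", "raw", "sales"))
    print(authorized_views(src))
    print(vds)
```

The two checks worth keeping in a change process are `authorized_views()` on the source dataset (only the views you expect) and `direct_grants()` for each consumer on the source dataset (always empty); the view dataset is where the consumer's READER entry goes.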
Giving access on a per-table basis is possible in GCP now. Check https://cloud.google.com/bigquery/docs/table-access-controls-intro for more details, but essentially, you need to use the bigquery.tables.setIamPolicy directive to grant access to specific tables.
So, for example, using the bq CLI, you can run the following command to grant access to table xyz:
bq set-iam-policy --table=true xyz policy.json   # policy.json holds the IAM bindings to apply to the table
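Added example, not code from the original posts or from the bq tool: a Python helper for the bq workflow in the answers above (`bq get-iam-policy --table=true DATASET.TABLE > policy.json`, edit the file, then `bq set-iam-policy --table=true DATASET.TABLE policy.json`). It edits the policy JSON offline, keeps the etag that set-iam-policy uses to reject a stale read-modify-write, and lists public or write-capable bindings so a "give read access" change never ships more than intended. The sample policy, principals and role sets below are constructed for this example.

```python
import copy
import json

TABLE_VIEWER = "roles/bigquery.dataViewer"

# Roles that grant more than SELECT on a table (constructed list for review purposes).
WRITE_CAPABLE_ROLES = {
    "roles/bigquery.dataEditor",
    "roles/bigquery.dataOwner",
    "roles/bigquery.admin",
    "roles/editor",
    "roles/owner",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape `bq get-iam-policy --table=true` prints.
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": "roles/bigquery.dataEditor",
            "members": ["group:analytics-admins@example.com"],
        }
    ],
    "etag": "BwXAbCdEfGh=",
    "version": 1,
}


def grant_role(policy, member, role=TABLE_VIEWER):
    """Return a copy of policy with member bound to role. Idempotent; etag kept."""
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def revoke_member(policy, member):
    """Return a copy of policy with member removed from every binding."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new["bindings"] = kept
    return new


def members_with_role(policy, role):
    """Sorted list of principals bound to role."""
    return sorted(
        m for b in policy.get("bindings", []) if b["role"] == role for m in b["members"]
    )


def review(policy):
    """Findings to look at before running bq set-iam-policy."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding["members"]:
            if member in PUBLIC_MEMBERS:
                findings.append(f"PUBLIC: {member} has {binding['role']}")
            if binding["role"] in WRITE_CAPABLE_ROLES:
                findings.append(f"WRITE: {member} has {binding['role']}")
    return findings


def write_policy_file(policy, path):
    """Write the policy in the JSON form bq set-iam-policy consumes."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)


if __name__ == "__main__":
    updated = grant_role(SAMPLE_POLICY, "user:alice@example.com")
    print(json.dumps(updated, indent=2))
    for line in review(updated):
        print("REVIEW", line)
    # write_policy_file(updated, "policy.json")
    # then: bq set-iam-policy --table=true mydataset.mytable policy.json
```

Because the etag is carried through unchanged, a policy edited by someone else between your get and set is rejected by the service instead of being silently overwritten.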
As already mentioned, there's no way of sharing a single table. Creating an authorized view is the way to go; see the full tutorial here: https://cloud.google.com/bigquery/docs/share-access-views
Is there a way to grant users the ability to view and query tables in a specific dataset (and only that dataset), without granting them the ability to also create new datasets within the overall project?
I'm trying to give access to a third party to integrate with a very specific subset of our data.
The documentation I've been reading is here: https://cloud.google.com/bigquery/docs/access-control#bigquery.user
You can share the specific dataset with your 3rd parties using the web UI:
Dataset -> Share Dataset -> Email/user -> "Can View"
Add the user as viewer. They can now see and query (using their own Google account) the tables in your dataset, but not create anything in your project.
They should have the role bigquery.jobUser.
This gives them the permission to query but not the ability to create datasets.
This role is applied at the org and dataset level.
https://cloud.google.com/bigquery/docs/access-control#bigquery.jobUser
I'm trying to access the M-Lab tables from BigQuery but keep getting this message:
Error: Access Denied: Table measurement-lab:m_lab.2010_01: QUERY_TABLE
I can access the other sample tables just fine.
Any suggestions?
Access to the M-Lab tables requires you to be on the M-Lab project as at least a 'reader'. Do you know if you've been added? I will contact the M-Lab folks at Google to see if they're willing to add all users to the ACL, which means that anyone will be able to access them.