I work at an advertising agency.
We have been asked to implement GCP (BigQuery) for an advertiser in our commercial distribution.
I've been told that each agency should have different access rights to BigQuery.
I think it is possible to divide the permissions by project.
Can we have the following configuration?
■Project 1
・BigQuery is used.
・The data is stored in the advertising area.
・Browse and edit permissions are given only to agency A
■Project 2
・Use BigQuery
・Store data in the CRM domain
・Only agency B is authorized to view and edit the data.
Related
Hello everyone I have a difficult situation:
How to restrict access to a single data perimeter in a BigQ table for use case layer. Which strategy is best?
Details – The BigQuery warehouse is 76 GB data (annual 20% growth). The reporting/ visualization tool shall be MS Power BI. We want to restrict access of a Italy user to only see Italy data and UK user to only see UK data.
Options considered -
Authorized Views with CONTROL tavle - create and mantain users i project; hard and not scalable
Filtering Views or tables (Complete Isolation Methodology) - create individual views for all countries
BigQ Row Level Security Using “Grant” (Native Methodology) - published in July and very fresh; but we can use grant and apply it to a AD group.
Success criteria - ease of implementation; high perforance with PBI dashboard; ABAC - Attribute based access on rows and scalability to other projects.
Any help is highly appreciated.
We are creating dashboards for clients using data studio.
Each client should see their data in the dashboard, based on their login credentials. It is simple to create an authorized_view in Big Query to let certain users see certain rows of an underlying shared table. But how would one achieve to then move this into a dashboard which can be shared with each client, yet show only the individuals client in the dashboard instead of the data that was visible to the report creator?
So let's say we have a large table with a bunch of columns and one column email which contains the email of users. Now, we want the dashboard to show metrics for each user based on this email column.
On DataStudio in the datasource schema review step, make sure the flag USING VIEWER’S CREDENTIALS is on. By turning it on, the query when being executed will use the viewer’s credential instead of the owner who created the report.
After you finish create proper visualization on Data Studio, final step is to share the report to eg: store managers using the share option of Data Studio which is similar to share a Google Docs. You can confidently share it with the whole organization or with the email group of eg: store managers, permission already be controlled at data level.
Read more about this topic here.
I'm developing an application in ASP.NET MVC5 with some forms for data entry and I have a database with 30 users.
3 of them are Admin, 4 of them are Regional Managers and the rest are users by country.
1. I want to restrict the users by country access to some fields in a form. Basically, there are 4 fields that only the Regional Managers can see and introduce data.
Also there's another form that only the Regional Managers can have access.
2. When the users logs into the application, they should only be able to see the data regarding the country they belong to. Example: a user from China can only see and introduce data from Chinese projects and a user from Indonesia can only do the same for projects in Indonesia.
How can I implement these restrictions in SQL Server?
Thanks in advance.
You should bring about that restriction at the application end and not in SQL Server. The app devs should implement that logic in place.
Additionally, what you could do at the database end would be to restrict users to access specific data only. One way of implementing this would be to create separate views for each country and grant users access to those views and not to the parent table directly. A user from japan could be granted access only to the view that holds data for Japan.
I'm trying to setup customer access to some of my BigQuery data. I'll start off with my requirements, then what I think the solution needs to be, though I'm not sure how to execute.
Requirements
Separate billing per customer for queries
I don't want to make my dataset public
Read only access to specific datasets
Accessible via Excel connector
No access rights to my main project
They manage their own access privileges, I don't want to have to add and remove individual users from direct dataset access on behalf of all our clients.
Nice to have - Web UI access
What I've Done
Created a new Google Developer Project
Added a view-only user on that project
Added a service account
Granted access to my BigQuery dataset to the service account
Here are the options for granting dataset access from the documentation:
I imagine that I need to setup some sort of special group, but I can't figure out how to do it.
Thanks in advance!
In BigQuery there are two different concepts:
The first one is billing (for queries and any other billable
activity) that is linked with a Google Cloud Project.
The second one is access to a dataset.
Having said that, to fulfil your requirements you'd create a separate project for each of the customers, and grant access to the datasets in the granularity that you would want.
That way you would have the costs for each of the projects separated but billed to you. Be careful to give them only read access to the project, unless you want them to be able to create other services like VM or deploy GAE apps, as they'd be billed to you as well.
For example dataset [MyDatasetA] to users X and Y in projects Project1 and Project2, but access to [MyDatasetB] to users Y and Z in projects Project2 and Project3.
Thus, each project is accountable for the queries their users run, and you have your access control on each dataset without it being public.
Separate billing per customer for queries. Done with the independent projects.
I don't want to make my dataset public. Done with fine grained control access.
Read only access to specific datasets. Same as above.
Accessible via Excel connector. It should work without problems as they'd be first class BQ users.
No access rights to my main project. Again possible if they are restricted to their own projects.
They manage their own access privileges. This is trickier. I think they'd need more than read access to the datasets or more than read access to the projects to be able to add new users, if you use the project groups as access control.
Nice to have - Web UI access. Check out https://bigquery.cloud.google.com/
The project groups are groups that allow to select members with Viewer, Developer or Owner roles in one click, without the hassle of adding each member manually.
You get already three groups set-up for you to use: Viewers, Editors and Owners of the original project.
But you may create your own Google Groups and give those groups the permission you want.
The hint when doing so, is that new users will usually need to Display your project so that it appears in the BQ online browser. This is done by clicking on the arrow to the side of the project name in the BQ online browser followed by Switch to project then Display project with the project name that the Dataset belongs to.
Edit: Improved the explanation about Group access
I am trying to find out how Microsoft has built access check flow in Dynamics CRM. What is the order of checks(security role, team, sharing)? The reason is that I came to a project where they created logic to share all records of one entity with a team, based on some criteria. All users are members of this team. Now we have a lot of records in POA table regarding this entity and one of my queries times out if it is not ran by user with admin permissions.
I wonder if it would be more efficient if this team was owner of a record instead of a record being shared with the team? Will CRM check user's membership in the team before running through POA table?
Thanks in advance.
Based on your description I'm assuming the following:
All records of some entity, call it new_entity, are shared to a specific team, call it TeamA.
All users are a member of TeamA.
They could eliminate the sharing and team membership altogether by giving all users the desired permission to the entity type in question.
It will certainly be more efficient to have everyone be a member of the team than it would be to share with the team, since it will mostly eliminate the POA table. That said, how big is the POA table? POA used to be an issue but at this point, if they are up-to-date on Rollups, most POA issues are a result of bad queries, missing indexes, or poor disk/memory configuration on the SQL server.