Bigquery: grant permissions on specific tables by Common Expression Language (CEL) conditions - google-bigquery

roles/bigquery.user is the permission to use some BigQuery datasets. But we need to grant permissions on specific tables instead of the whole dataset. How can we do it with CEL and the condition builder?
Thanks

As I mentioned in the comment section, you should check the GCP documentation Controlling access to tables and views:
This document describes how to use BigQuery Table ACL to control access to tables and views. For an overview of BigQuery Table ACL, see Introduction to table access controls.
After you create a table or view, you can set its policy in the following ways:
using the Cloud Console
using the bq set-iam-policy command
calling the tables.setIamPolicy method
using the GRANT or REVOKE data control language statements
In addition, you could also check Authorized views.
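The policy file that `bq set-iam-policy --table=true` and `tables.setIamPolicy` consume, as an added example that is not part of the original answer. It grants roles/bigquery.dataViewer on one table and nothing else in the dataset, which is why no CEL condition is needed for this requirement. `CURRENT_POLICY` is a constructed sample of what `bq get-iam-policy --table=true` prints; project, dataset, table and member names are placeholders.

```python
"""Added example: build the table-level IAM policy document for
`bq set-iam-policy --table=true` / tables.setIamPolicy. Constructed sample
data; names are placeholders, not from the original page."""
import copy
import json
from typing import Dict, List

VIEWER = "roles/bigquery.dataViewer"
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")

# Constructed sample: a table policy as `bq get-iam-policy --table=true` prints it.
CURRENT_POLICY: Dict = {
    "etag": "BwXhqDRKvME=",
    "bindings": [
        {"role": "roles/bigquery.dataOwner",
         "members": ["user:owner@example.com"]},
    ],
}


def grant_on_table(policy: Dict, member: str, role: str = VIEWER) -> Dict:
    """Return a copy of `policy` with `member` added to `role`.

    Idempotent: an existing member is not duplicated and a missing binding is
    created. Bindings that carry a `condition` are skipped on purpose: a member
    appended there would hold the role only while that CEL expression is true.
    The etag is kept, so set-iam-policy fails instead of silently overwriting a
    policy that changed between get and set."""
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member needs a type prefix, got {member!r}")
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def revoke_on_table(policy: Dict, member: str, role: str = VIEWER) -> Dict:
    """Copy of `policy` with `member` removed from `role`; an emptied binding
    is dropped rather than left behind with no members."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            binding["members"] = [m for m in binding["members"] if m != member]
            if not binding["members"]:
                continue
        kept.append(binding)
    new["bindings"] = kept
    return new


def members_with_role(policy: Dict, role: str) -> List[str]:
    """Members holding `role` unconditionally in `policy`."""
    return sorted(
        m for b in policy.get("bindings", [])
        if b["role"] == role and "condition" not in b
        for m in b["members"]
    )


def bq_command(table: str, policy_file: str = "policy.json") -> str:
    """bq invocation applying `policy_file` to `table`
    (written as dataset.table or project:dataset.table)."""
    return f"bq set-iam-policy --table=true {table} {policy_file}"


def grant_statement(table_fqn: str, member: str, role: str = VIEWER) -> str:
    """The equivalent data control language statement for the SQL route."""
    return f'GRANT `{role}` ON TABLE `{table_fqn}` TO "{member}";'


if __name__ == "__main__":
    updated = grant_on_table(CURRENT_POLICY, "user:analyst@example.com")
    # Save this JSON as policy.json, then run the printed bq command; the
    # GRANT statement below does the same thing from the SQL editor.
    print(json.dumps(updated, indent=2))
    print(bq_command("mydataset.mytable"))
    print(grant_statement("myproject.mydataset.mytable", "user:analyst@example.com"))
```

Always start from the output of `bq get-iam-policy` rather than a hand-written file: set-iam-policy replaces the whole policy, so a file that omits the existing owner binding removes it.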

Related

How to restrict the table/view access in Bigquery?

Suppose I have 2 users available for the same project. The requirement is to restrict table access in the same project to one user. How can it be managed in BigQuery? What kind of access controls need to be applied, and how?
Thanks in advance.
You can use table-level ACLs and set the BigQuery roles/bigquery.dataViewer role for users on the tables you wish to grant access to. More details here: https://cloud.google.com/bigquery/docs/table-access-controls-intro
This approach doesn't require creating a separate dataset (as a workaround for table-level access) for access control, which used to be the case earlier.
Depending on requirements, and the strictness of them, this is what I do:
Grant the user access to a specific table within a dataset by granting the BigQuery Data Viewer role at the table level.
You can do this as follows:
-> Open the table in the console and click Share, then click Add Principal
And to make it easier for the user to navigate the metadata of the table, such as schema, details and preview, I grant them the BigQuery Metadata Viewer role at the dataset level.
You should only do this, of course, if it is OK for the user to see which other tables are in the dataset (they can't see the data in the other tables, just the schema etc.).
The advantage is that it will be easier for the user to see the schema and a preview of the data.
More info can be found here:
https://cloud.google.com/bigquery/docs/table-access-controls

BigQuery dataset level access control via IAM

Issue: In GCP IAM I have >30 users assigned the pre-defined roles BigQuery Data Viewer and BigQuery Data Editor, and now when I create a new dataset, it's automatically accessible to these 30+ users because of "policy inheritance".
Question: As BQ project admin, I want a newly created dataset only accessible to certain users (a small subset of the 30+ users). What's the best approach to do this? Thanks!
You cannot override the permissions granted at higher levels. So, if you want to restrict access at dataset level, the best approach would be to:
1) Remove the current permissions BigQuery Data Viewer and BigQuery Data Editor from project level.
2) Grant the permissions again, but only at dataset level.
This also complies with the recommended best practice of least privilege. Also, if possible, use groups to grant the permissions, as it will be easier to manage.
In addition to this, you could use another project to create the dataset and allow access to the desired subset of users; however, I wouldn't recommend this approach as it only makes it more difficult to handle the data and the users with access to it.

Permissions to read from BigQuery __TABLE__ metatables

What permissions does a service account need to read from BigQuery __TABLE__ tables? Our scenario is that we want to grant the service account that collects storage stats from our BigQuery projects the minimum necessary permissions. Ideally it shouldn't be able to read the data from BQ tables, but it still needs to read the __TABLE__ tables from all our datasets. We tried granting metadataViewer permissions, but that didn't work; we're still getting 403.
Ideally it shouldn't be able to read the data from BQ tables but still it needs to read the __TABLE__ tables from all our datasets.
Currently, you cannot grant permissions on tables, views, columns, or rows. A dataset is the lowest level resource that supports access controls in BigQuery.
-- source --
Therefore you will need to grant roles/bigquery.dataViewer to the service account.
You might also need to grant a second permission. Under the hood the code that executes with service account credentials will be making API calls. I don't know the details applicable to your case, but the code will likely use one of the basic REST objects (such as Job object) to make the calls. And will likely need another permission(s) that come under umbrella of roles/bigquery.jobUser or similar role.
The required permissions to query __TABLES__ are the same as to query any regular table. Thus, the roles/bigquery.dataViewer role at dataset level should be enough.
Since your requirement is to only grant access to this particular table's data, but not to the user generated tables, a possible workaround is to create an authorized view in a separate dataset. The view will have dataViewer access to your current dataset and the user will have dataViewer access to the dataset containing the view.

Big Query give user access to a single table

I wanted to give a user the ability to view and query a single table in a much larger dataset. Is there some way to allow the user to query just that table? I know I can restrict access to datasets, but is there a way to give permissions at a table level?
Table ACL has been introduced in beta, see doc here:
https://cloud.google.com/bigquery/docs/table-access-controls-intro
There is no way to set permissions on table level! As you mentioned in your question, you can do this only on dataset level.
Meantime, there is workaround that might help you - you can use so called authorized view
What you can do is create a new dataset (let's say for such users) and inside that dataset create a view on top of the table of interest. Now you can give that view VIEW permission on the original dataset using the authorized view option. So in this case you don't need to give the user VIEW permission on the original dataset. The only thing the user needs is VIEW permission on the dataset where this new view is created.
Giving access on a per-table basis is possible in GCP now. Check https://cloud.google.com/bigquery/docs/table-access-controls-intro for more details, but essentially, you need to use the bigquery.tables.setIamPolicy directive to grant access to specific tables.
So, for example, using the bq CLI, you can run the following command to grant access to table xyz (the command takes the table reference and a JSON policy file holding the bindings to apply):
bq set-iam-policy --table=true mydataset.xyz policy.json
As already mentioned, there's no way of sharing a single table. Creating an Authorized View is the way to go; see the full tutorial here: https://cloud.google.com/bigquery/docs/share-access-views
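The authorized-view workaround recommended in the answers above (and, in the __TABLES__ question, for exposing storage metadata without dataViewer on the source dataset), as an added example that is not code from any of the answers. It works on the JSON shape that `bq show --format=prettyjson project:dataset` prints and `bq update --source FILE project:dataset` reads back. Both dataset documents are constructed samples; project, dataset, table and user names are placeholders.

```python
"""Added example: authorize a view on a source dataset and grant a user READER
on the dataset that holds the view. Constructed sample data; names are
placeholders, not from the original page."""
import copy
from typing import Dict, List, Tuple

# Constructed: the dataset holding the sensitive table. The user must NOT be
# listed here; only the view gets to read from it.
SOURCE_DATASET: Dict = {
    "datasetReference": {"projectId": "myproject", "datasetId": "private_ds"},
    "access": [
        {"role": "OWNER", "userByEmail": "owner@example.com"},
        {"role": "WRITER", "specialGroup": "projectWriters"},
    ],
}

# Constructed: a fresh dataset that will contain only the view.
VIEW_DATASET: Dict = {
    "datasetReference": {"projectId": "myproject", "datasetId": "shared_views"},
    "access": [{"role": "OWNER", "userByEmail": "owner@example.com"}],
}


def view_entry(project: str, dataset: str, table: str) -> Dict:
    """Access entry that authorizes a view; note it carries no `role` key."""
    return {"view": {"projectId": project, "datasetId": dataset, "tableId": table}}


def reader_entry(member: str) -> Dict:
    """READER entry for a user:, serviceAccount: or group: member."""
    kind, _, email = member.partition(":")
    key = {"user": "userByEmail", "serviceAccount": "userByEmail",
           "group": "groupByEmail"}[kind]
    return {"role": "READER", key: email}


def add_entry(dataset: Dict, entry: Dict) -> Dict:
    """Copy of `dataset` with `entry` appended once. `bq update --source`
    replaces the whole access list, so every existing entry must be kept."""
    new = copy.deepcopy(dataset)
    if entry not in new.setdefault("access", []):
        new["access"].append(entry)
    return new


def view_ddl(view_fqn: str, table_fqn: str, columns: str = "*") -> str:
    """DDL for the view; narrow `columns` to expose only part of the table.
    For the storage-stats case, `table_fqn` is `project.private_ds.__TABLES__`."""
    return f"CREATE OR REPLACE VIEW `{view_fqn}` AS SELECT {columns} FROM `{table_fqn}`;"


def share_table_via_view(source: Dict, view_ds: Dict, view_table: str,
                         member: str) -> Tuple[Dict, Dict]:
    """Return the updated (source dataset, view dataset) documents.

    Apply in this order: create the view, authorize it on the source dataset,
    and only then grant the user READER on the view dataset."""
    ref = view_ds["datasetReference"]
    source_new = add_entry(source, view_entry(ref["projectId"], ref["datasetId"], view_table))
    view_new = add_entry(view_ds, reader_entry(member))
    return source_new, view_new


def direct_principals(dataset: Dict) -> List[str]:
    """Principals holding a role directly on the dataset (views excluded)."""
    return sorted(
        e.get("userByEmail") or e.get("groupByEmail") or e.get("specialGroup", "")
        for e in dataset.get("access", []) if "role" in e
    )


def authorized_views(dataset: Dict) -> List[str]:
    """Views allowed to read this dataset, as project.dataset.view."""
    return sorted(f"{e['view']['projectId']}.{e['view']['datasetId']}.{e['view']['tableId']}"
                  for e in dataset.get("access", []) if "view" in e)


if __name__ == "__main__":
    src, vds = share_table_via_view(SOURCE_DATASET, VIEW_DATASET,
                                    "customers_v", "user:analyst@example.com")
    print(view_ddl("myproject.shared_views.customers_v",
                   "myproject.private_ds.customers", "id, country"))
    print("authorized views on private_ds:", authorized_views(src))
    print("direct principals on private_ds:", direct_principals(src))
    print("direct principals on shared_views:", direct_principals(vds))
```

Write each updated document to a file and apply it with `bq update --source FILE project:dataset`. The check to run afterwards is that the user appears only in the view dataset's access list; if they also hold a project-level data role, that role is inherited and the view buys nothing.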

BigQuery - Granting Read Permission, but not Dataset Creation Privileges

Is there a way to grant users the ability to view and query tables in a specific dataset (and only that dataset), without granting them the ability to also create new datasets within the overall project?
I'm trying to give access to a third party to integrate with a very specific subset of our data.
The documentation I've been reading is here: https://cloud.google.com/bigquery/docs/access-control#bigquery.user
You can share the specific dataset with your third parties using the web UI:
Dataset -> Share Dataset -> Email/user -> "Can View"
Add the user as viewer. They can now see and query (using their own Google account) the tables in your dataset, but not create anything in your project.
They should have the role bigquery.jobUser.
This gives them the permission to query but not the ability to create datasets.
This role is applied at the org and dataset level.
https://cloud.google.com/bigquery/docs/access-control#bigquery.jobUser
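The dataset-level pattern that both this answer and the earlier "BigQuery dataset level access control via IAM" answer describe (data roles on the dataset, roles/bigquery.jobUser on the project), as an added example that is not code from either answer. It works on the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and `gcloud projects set-iam-policy PROJECT FILE` reads, plus the dataset `access` list that `bq update --source FILE` reads. The project policy and the grant plan are constructed samples with placeholder names.

```python
"""Added example: strip project-wide BigQuery data roles, keep jobUser at
project level, and grant data access per dataset. Constructed sample data;
names are placeholders, not from the original page."""
import copy
from typing import Dict, List

JOB_USER = "roles/bigquery.jobUser"
# Project-level data role -> dataset-level access role
DATA_ROLE_TO_DATASET_ROLE = {
    "roles/bigquery.dataViewer": "READER",
    "roles/bigquery.dataEditor": "WRITER",
    "roles/bigquery.dataOwner": "OWNER",
}

# Constructed: a project policy in which every data-role holder sees every
# dataset, including ones created tomorrow, through inheritance.
PROJECT_POLICY: Dict = {
    "etag": "BwXhqDRKvME=",
    "version": 1,
    "bindings": [
        {"role": "roles/bigquery.dataViewer",
         "members": ["user:alice@example.com", "user:bob@example.com",
                     "group:bq-readers@example.com"]},
        {"role": "roles/bigquery.dataEditor", "members": ["user:bob@example.com"]},
        {"role": JOB_USER, "members": ["user:alice@example.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}

# Constructed: who gets what on which dataset once inheritance is gone.
# Groups are cheaper to audit than 30 individual users.
DATASET_GRANTS: Dict[str, Dict[str, str]] = {
    "analytics": {"group:bq-readers@example.com": "READER",
                  "user:bob@example.com": "WRITER"},
    "finance_restricted": {"user:alice@example.com": "READER"},
}


def project_level_data_grants(policy: Dict) -> Dict[str, List[str]]:
    """Audit: BigQuery data roles granted project-wide, and to whom."""
    return {b["role"]: sorted(b["members"]) for b in policy.get("bindings", [])
            if b["role"] in DATA_ROLE_TO_DATASET_ROLE}


def members_of(policy: Dict, role: str) -> List[str]:
    return sorted({m for b in policy.get("bindings", [])
                   if b["role"] == role for m in b["members"]})


def scope_data_roles_to_datasets(policy: Dict) -> Dict:
    """Copy of `policy` without project-wide data roles; everyone who lost one
    gets jobUser so they can still submit query jobs (jobUser alone reads no data)."""
    displaced = {m for ms in project_level_data_grants(policy).values() for m in ms}
    new = copy.deepcopy(policy)
    new["bindings"] = [b for b in new["bindings"]
                       if b["role"] not in DATA_ROLE_TO_DATASET_ROLE]
    needed = sorted(displaced - set(members_of(new, JOB_USER)))
    if needed:
        for b in new["bindings"]:
            if b["role"] == JOB_USER:
                b["members"].extend(needed)
                break
        else:
            new["bindings"].append({"role": JOB_USER, "members": needed})
    return new


def access_entry(member: str, role: str) -> Dict:
    """Dataset access entry for a user:, serviceAccount: or group: member."""
    kind, _, email = member.partition(":")
    key = {"user": "userByEmail", "serviceAccount": "userByEmail",
           "group": "groupByEmail"}[kind]
    return {"role": role, key: email}


def dataset_access_list(dataset_id: str, existing: List[Dict]) -> List[Dict]:
    """Access list for `dataset_id`: keep what is there, add planned grants once.
    A dataset absent from DATASET_GRANTS stays as created, visible to its owner only."""
    access = copy.deepcopy(existing)
    for member, role in DATASET_GRANTS.get(dataset_id, {}).items():
        entry = access_entry(member, role)
        if entry not in access:
            access.append(entry)
    return access


def can_read(member: str, access: List[Dict], project_policy: Dict) -> bool:
    """Read access for `member`: a project-wide data role is inherited by every
    dataset; otherwise a direct entry is required. Group membership is not
    expanded here, so pass the group principal to test a group grant."""
    inherited = {m for ms in project_level_data_grants(project_policy).values() for m in ms}
    if member in inherited:
        return True
    wanted = access_entry(member, "READER")
    key = next(k for k in wanted if k != "role")
    return any(e.get(key) == wanted[key] for e in access if "role" in e)


if __name__ == "__main__":
    new_policy = scope_data_roles_to_datasets(PROJECT_POLICY)
    owner_only = [{"role": "OWNER", "userByEmail": "admin@example.com"}]
    print("project-wide data grants before:", project_level_data_grants(PROJECT_POLICY))
    print("project-wide data grants after:", project_level_data_grants(new_policy))
    print("jobUser after:", members_of(new_policy, JOB_USER))
    print("analytics access:", dataset_access_list("analytics", owner_only))
    print("bob on a brand-new dataset:", can_read("user:bob@example.com", owner_only, new_policy))
```

Apply the project policy first with `gcloud projects set-iam-policy`, then each dataset's access list with `bq update --source`; doing it the other way round leaves a window in which nobody except the owners can read anything. The `can_read` check on an owner-only access list is the property the question asks for: after the change a new dataset is not visible to the former project-wide viewers.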