Suppose I have 2 users available for the same project. The requirement is to restrict the table access in the same project to one user. How can it be managed it in Bigquery? what kind of access controls to be applied and how?
Thanks in advance.
You can use table level ACLS and set Bigquery roles/bigquery.dataViewer for users on the tables you wish to grant access. More details here https://cloud.google.com/bigquery/docs/table-access-controls-intro
This approach doesn't require creating a separate dataset(as a workaround for table level access) for access control which use to be the case earlier.
Depending on requirements, and the strictness of them, this is what I do:
Grant the user access to a specific table within a dataset by granting the BigQuery Data Viewer role at the table level.
You can do this as follows:
-> Open the table in the console and click Share, then click Add Principal
And to make it easier for the user to navigate the metadata of the table, such as schema, details and preview, I grant them the BigQuery Metadata Viewer role at the dataset level.
You should only do this of course if it is ok for the user to see which other tables within the dataset are there. (they can't see the data in the other tables, just the schema etc)
The advantage is that it will be easier for the user to see the schema and a preview of the data.
More info can be found here:
https://cloud.google.com/bigquery/docs/table-access-controls
Related
we have some restrictions on our GCP prod instance that is why I cannot store BQ views there.
Do you know the minimum permission or role needed to store views in BigQuery?
Then I would take that into a discussion with our user administration.
Thank you,
Christian
See this page: https://cloud.google.com/bigquery/docs/access-control#permissions_and_predefined_roles for permissions and roles.
Here BigQuery view falls into the category of table, therefore, you'll need
bigquery.tables.create permission to be able to store a view (and probably bigquery.tables.update to update the view definition later).
Predefined roles seems too wide, you might just ask admin to create a custom role for you. https://cloud.google.com/iam/docs/creating-custom-roles
And in case the dataset for holding tables is too sensitive, you could suggest admin to create a "view only" dataset and grant you enough permission or even assign you predefined role roles/bigquery.dataEditor to that dataset only.
Issue: In GCP IAM I have >30 users assigned the pre-defined roles BigQuery Data Viewer and BigQuery Data Editor, and now when I create a new dataset, it's automatically accessible to these 30+ users because of "policy inheritance".
Question: As BQ project admin, I want a newly created dataset only accessible to certain users (a small subset of the 30+ users). What's the best approach to do this? Thanks!
You cannot override the permissions granted at higher leves. So, if you want to restrict access at dataset level, the best approach would be to:
1) Remove the current permissions BigQuery Data Viewerand BigQuery Data Editor from project level.
2) Grant the permissions again, but only at dataset level
This also complies with the recommended best practice of least privilege. Also, if possible, use groups to grant the permissions, as it will be easier to manage.
In addition to this, you could use another project to create the dataset and allow access to the desired subset of users; however, I wouldn't recommend this approach as it only makes more difficult to handle the data and the users with access to them.
What permissions does a service account needs to read from BigQuery __TABLE__ tables? Our scenario is that we want to grant the service account collecting storage stats from our BigQuery projects minimum necessary permissions. Ideally it shouldn't be able to read the data from BQ tables but still it needs to read the __TABLE__ tables from all our datasets. We tried granting metadataViewer permissions but that didn't work, still getting 403.
Ideally it shouldn't be able to read the data from BQ tables but still it needs to read the __TABLE__ tables from all our datasets.
Currently, you cannot grant permissions on tables, views, columns, or rows. A dataset is the lowest level resource that supports access controls in BigQuery.
-- source --
Therefore you will need to grant roles/bigquery.dataViewer to the service account.
You might also need to grant a second permission. Under the hood the code that executes with service account credentials will be making API calls. I don't know the details applicable to your case, but the code will likely use one of the basic REST objects (such as Job object) to make the calls. And will likely need another permission(s) that come under umbrella of roles/bigquery.jobUser or similar role.
The required permissions to query __TABLES__ are the same as to query any regular tables. Thus, the roles/bigquery.dataViewer role viewer at dataset level should be enough.
Since your requirement is to only grant access to this particular table's data, but not to the user generated tables, a possible workaround is to create an authorized view in a separate dataset. The view will have dataViewer access to your current dataset and the user will have dataViewer access to the dataset containing the view.
I wanted to give a user the ability to view and query a single table in a much larger dataset. Is there some way to allow the user to query just that table? I know I can restrict access to datasets, but is there a way to give permissions at a table level?
Table ACL has been introduced in beta, see doc here:
https://cloud.google.com/bigquery/docs/table-access-controls-intro
There is no way to set permission on table level! As you mentioned in your question - you can so this only on dataset level
Meantime, there is workaround that might help you - you can use so called authorized view
what you can do is create new dataset (let's say for such users) and inside that dataset you create view on top of table of interest. Now you can give that view VIEW permission for original dataset using authorized view option. SO in this case you don't need to give the user VIEW permission to original dataset. The only what user need is VIEW permission to dataset where this new view is created
Giving access on a per-table basis is possible in GCP now. Check https://cloud.google.com/bigquery/docs/table-access-controls-intro for more details, but essentially, you need to use the bigquery.tables.setIamPolicy directive to grant access to specific tables.
So, for example, using the bq CLI command, you can run the following command to grant access to table xyz
bq set-iam-policy --table=true xyz
As already mentioned, there's not way of sharing single table. Creating an Authorized View is the way to go, see full tutorial here: https://cloud.google.com/bigquery/docs/share-access-views
Is there a way to grant users the ability to view and query tables in a specific dataset (and only that dataset), without granting them the ability to also create new datasets within the overall project?
I'm trying to give access to a third party to integrate with a very specific subset of our data.
The documentation I've been reading is here: https://cloud.google.com/bigquery/docs/access-control#bigquery.user
You can share the specific dataset with your 3rd parties by. Using the web UI:
Dataset -> Share Dataset -> Email/user -> "Can View"
Add the user as viewer. They can now see and query (using their own Google account) the tables in your dataset, but not create anything in your project.
They should have the role bigquery.jobUser.
This gives them the permission to query but not the ability to create datasets.
This role is applied at the org and dataset level.
https://cloud.google.com/bigquery/docs/access-control#bigquery.jobUser