What privileges can I grant to let everyone in the world query my information schema? i.e. I want everyone to be able to run:
select * from `projectid`.INFORMATION_SCHEMA.SCHEMATA
Currently I get back:
Access Denied: Table projectid:INFORMATION_SCHEMA.SCHEMATA: User does not have permission to query table projectid:INFORMATION_SCHEMA.SCHEMATA
Usually in BigQuery you set permissions at the dataset level. For example, this query will run for anyone, as the dataset is public for everyone:
SELECT *
FROM `fh-bigquery.flights.INFORMATION_SCHEMA.TABLES`
But you can't do this:
SELECT *
FROM `fh-bigquery.INFORMATION_SCHEMA.SCHEMATA`
This because you need project level permissions to see all my datasets, even the ones I haven't made public.
If you really want to share the schemas of all your datasets with the world, then you could create a custom role just for this, with the bigquery.datasets.get permission:
https://console.cloud.google.com/iam-admin/roles
Then you need to assign this role to all users - but that's not an option.
At the project level, you can assign this role to one of these:
Google Account email: user#gmail.com
Google Group: admins#googlegroups.com
Service account: server#example.gserviceaccount.com
G Suite domain: example.com
One option in this case:
Create a Google Group.
Give this new role to this new Google Group.
Make this Google Group free to join.
Tell people "hey, if you want to see my project SCHEMATA, join this group".
Then all will work.
Related
|Project
|-Dataset
|-table1
|-table2
I gave the following permissions on a Dataset level.
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.list
resourcemanager.projects.get
and I gave the following only on table1
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
Now user can query table1 but can't see the table1 under dataset in UI. it is as below:
|Project
|-Dataset
And I would like to make it as below.
|Project
|-Dataset
|-table1
Any ideas?
I had a similar issue, I had to share only one table for user connecting with Google sheet in Bigquery.
Here is what I did to make this happen:
I created a new roles as follow:
BigQuery Dataset Traverse
With the following 6 assigned permissions
**bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.list
bigquery.tables.getData
bigquery.tables.list
resourcemanager.projects.get**
On ce created the new role, I created a group in Workspace and I granted access to this group at the project level to this group with the new role created.
The inheritance was propagated into the project to the tables level.
Finally, to permit user to read data into the table, I granted this role BigQuery Data Viewer on my new group at the tables level.
And for sure, I added the user I need to have access into the new group.
Now they see all Dataset into the project, but they can only access data one table I shared.
Hope it s clear!
Cheer!
I have access to BigQuery through work, but no write access. Just read.
So I have a bunch of integers in a GoogleSheets, one column (~400):
User.
332321
031230
938101
These numbers all correspond to a specific value in a table in BQ, but unfortunately, they aren't easily queried, as they are the result of multiple queries, etc.
So my dilemma. How can I take the column of integers from GoogleSheets and then use it in a query (say, in a WHERE clause)? My only suggestion has been to get write access: https://supermetrics.com/blog/bigquery-query-google-sheets
You will need to create an external table in BigQuery using your Google Sheet data for you to be able to query it in BigQuery. However, as you have already mentioned, the only solution for this is to get write/create access permission to BigQuery which is also mentioned in your provided reference --> https://supermetrics.com/blog/bigquery-query-google-sheets.
In addition, you may refer to Query Google Drive Data documentation as it conatains more details about the permissions needed for BigQuery and Google Drive before you can create/query an external table in BigQuery and also the actual creation and query execution.
BigQuery permissions
At a minimum, the following permissions are required to create and query an external table in BigQuery.
bigquery.tables.create
bigquery.tables.getData
bigquery.jobs.create
Drive permissions
At a minimum, to query external data in Drive you must be granted View access to the Drive file linked to the external table.
We have Big-Query on project PRJ-A with 30 datasets
Question:
1/ If we have another project (ex: PRJ-B). How can we grant view permission on PRJ-A for all users on PRJ-B ? (it means: user_01 on PRJ-B can select "dataset" of PRJ-A)
2/ If we have a group user (ten users) and they have not VISA and we do not want to add them to our PRJ-A (because they can view our information about instance,app,configurations ... )
How can we grant view permission for them ? (may be we can use a global user for ten users)
Until now, we intend to use "bq command" to solve : install gcloud sdk tool on server A, after that, grant privileges to ten users can use bq command.
For #1, there is no way to reference all users of Project A in ACL for project B. So, your best options I see : domain or userByEmail or groupByEmail depends on your specifics
If you would need to reference Users of the same project - specialGroup would be your choice
https://cloud.google.com/bigquery/docs/reference/v2/datasets#resource
For #2
I think, groupByEmail (An email address of a Google Group to grant access to.) is your option
I would like to make the user console available to our users, but I cannot do to if I can't set permissions on individual data sources. That is to say, user A would only have access to use data source A, and user B would only have access to use data source B.
Is it possible to restrict a user or role to a subset of defined datasources?
try this for every datasource: http://mondrian.pentaho.com/documentation/schema.php#Access_control
Make sure the Mondrian One-To-One UserRoleMapper is uncommented in the /pentaho-solutions/system/pentahoObjects.spring.xml file.
It will look like this:
https://help.pentaho.com/Documentation/5.1/0N0/020/080/010/000
I need to give a 'Active Directory User Group' read access to a tabular model database. I am not able to find the group when searched, to add it to a role.
As mentioned here for a database instance, adding the group to 'Logins' in 'Security' Folder is the first step. But 'Security' folder is not there in case of tabular model as shown in screen shot below. First one out of 3 is Tabular Model instance:
(source: sqlmusings.com)
I am admin for the server if that would be required. How to give 'Active Directory User Group' read access to a tabular model?
First, there must be a role defined in the Tabular model. Then you add the active directory group to the list of members. If the model was developed/deployed from a system that doesn't have access to the domain, then the group will have to be added after the fact. This can be done via SSMS...
Navigate to the roles folder:
<SSAS Tabular Instance> | Databases | <tabular model> | Roles
Right-click the role to which you want to add the active directory
group
Select the Membership page
Click Add
...at this point, make sure the correct objects are selected (users, groups, etc), and locations (network, domains, etc)...this window is pretty standard in windows apps.