Limit access to each other's database in Google Cloud Big Query - google-bigquery

I need to grant access to Big Query to 30 Phd Students in a University on Google Cloud Platform.
Can I give them standalone access to each of them? i.e. One student cannot see other's work unless it is granted.
Creating projects = number of students is not too cost effective.
so can I give 30 access controls to a single project ?
The students need to have full access to Big query (Create, edit, join, download, run) to their respective databases.

The document is indeed confusing. Don't grant any project-level permissions. Just as Katie Sinatra said, go to the dataset Web UI, in the arrow drop's "Share dataset", add email and grant "Can edit". At the time of this writing, after you do the above, the user won't be able to see the dataset in the Web UI, but s/he can still do query in the Web UI just fine if s/he specifies the table correctly, i.e. `project.dataset.table`. (i tested it.) The user can also manually add the dataset to be displayed in the web UI. Here is how to do it, https://cloud.google.com/bigquery/bigquery-web-ui#displayprojects.
What i am still confusing is: after you do the above, when the user do a query, who is paying. My guess is the user is paying. If you want the dataset's original owner (the project under which the dataset is created) to be billed, then my guess is that you need to grant project-level BigQuery Job User permission to the user/email in addition to the above. Then, the user will be able to select the project in the GCP console and hit "BigQuery" to go to the big query Web UI, and be billed under the project. (by the way, if you do this, the dataset can be seen by the user in the Web UI.)

As JL-HN said, it is documented but it is a bit confusing. To give access to an specific dataset, you only need to go the dataset, in the arrow drop it down and click on "Share dataset". Then you only need to add the email of the student that will handle that dataset.

Related

How do I control user access and data permissions

Let me preface this with the fact that I don't know much about VBA. I have created a database that will be split and the front end will be distributed to 14 different project managers. The database is intended to allow users to enter bi-weekly updates to their projects. I hope to get some guidance on creating usernames and passwords so that PMs can only access their project data.
I don't mind creating and issuing usernames and passwords to each user, but I am trying to avoid creating 14 copies of the database. That would make providing updated databases a nightmare.
Hopefully this isn't too basic of a question for this group.
yes, you can control users access, you need to create a user table in your backend database that will hold their firstname, surname, password, and any other user specific data that you might need, e.g. department, access level, etc.
In your front end, you need a login form and you make that the Display Form for your fe (set in the access options menu). You check the username and password entered matches what is held in your database, and if it's correct, you load the appropriate form, usually a main menu, and show them the appropriate data based on the login they used. You may need to hold the login they used in a TempVar, so you can access it from any form, report, query etc in your frontend.
You will need something like LASsie (Light Application Security) or program a similar solution yourself.
Also, you may enjoy my article Deploy and update a Microsoft Access application with one click.
(If you don't have an account, browse for the link: Read the full article.)

Dataset level access control in BigQuery

So I have a number of datasets under the same GCP BQ project, and I want to allow an external user to have read-only and read/write access on a few of them, but other datasets should not be visible to him. What's the best approach for this?
P.S. Probably not going to create an email account for him under our domain, so I'm thinking service accounts.
Just figured out one way to do it:
Create service account for external user (with BigQuery Job User role so it can be used to run queries in this project)
In GCP console web UI, for each dataset to share, click "SHARE DATASET", and in the pop-up panel add the service account created in step 1, with appropriate roles (BigQuery Data Viewer or BigQuery Data Editor)
Not sure if there's a cleaner way.

User logins from a database

I have an APEX application in which I need users(students) to be able to login and view their own information. I have both the usernames and passwords stored in a table within the database I'm using.
Is there a way of using these credentials to be able to log in individually? and how would I go about doing so?
I'm very new to APEX so sorry if this is an easy question.
Many thanks
Saying that each student has to see only their own data means - I presume (as it is about students) that there are as many database users (schemas) as students in your class.
If that's so, presuming that each of them will use their own Apex developer and its workspace (i.e. they won't share the workspace), I believe that you'll have to create that many Apex developers and assign each developer their own schema.
That should be done connected to the internal workspace, logged in as Apex admin.
However, as you have to create many users at once, that approach might be tedious. Instead, as you already have list of users stored in a table, you could utilize APEX_UTIL.CREATE_USER procedure and let it do the dirty job.
For example, if your table is MY_USERS, then such a script would do the job:
begin
for cur_u in (select username, password from my_users) loop
apex_util.create_user(p_user_name => cur_u.username,
p_web_password => cur_u.password
);
end loop;
end;
For more info, read this: https://docs.oracle.com/database/apex-18.2/AEAPI/CREATE_USER-Procedure.htm#AEAPI114
I would use a the Custom Authentication Scheme. It is documented, so if you need help, just clicked on the "?" buttons next to the various fields.
The example code is obviously not going to work, so please do not copy and paste blindly. Adapt it to your situation and hopefully, you are encrypting/hashing the passwords.
That gets you started with login (authentication). Next, to the second part of your question, that students should only see "their own information" (authorization). There are no clearcut answers to this question as there are many strategies available and many issues to consider. For example, how you design your application and data schema, what database features are available to you, and regulatory compliances that you need to meet.
A great starting point to read about these "database features" can be found here, on Real Application Security and Virtual Private Database.
The alternative includes a "poor man's implenentation of VPD" that Martin D'Souza wrote about a long time back.
HTH!

BigQuery - Grant Access to Other Google Cloud Platform Projects

I'm trying to setup customer access to some of my BigQuery data. I'll start off with my requirements, then what I think the solution needs to be, though I'm not sure how to execute.
Requirements
Separate billing per customer for queries
I don't want to make my dataset public
Read only access to specific datasets
Accessible via Excel connector
No access rights to my main project
They manage their own access privileges, I don't want to have to add and remove individual users from direct dataset access on behalf of all our clients.
Nice to have - Web UI access
What I've Done
Created a new Google Developer Project
Added a view-only user on that project
Added a service account
Granted access to my BigQuery dataset to the service account
Here are the options for granting dataset access from the documentation:
I imagine that I need to setup some sort of special group, but I can't figure out how to do it.
Thanks in advance!
In BigQuery there are two different concepts:
The first one is billing (for queries and any other billable
activity) that is linked with a Google Cloud Project.
The second one is access to a dataset.
Having said that, to fulfil your requirements you'd create a separate project for each of the customers, and grant access to the datasets in the granularity that you would want.
That way you would have the costs for each of the projects separated but billed to you. Be careful to give them only read access to the project, unless you want them to be able to create other services like VM or deploy GAE apps, as they'd be billed to you as well.
For example dataset [MyDatasetA] to users X and Y in projects Project1 and Project2, but access to [MyDatasetB] to users Y and Z in projects Project2 and Project3.
Thus, each project is accountable for the queries their users run, and you have your access control on each dataset without it being public.
Separate billing per customer for queries. Done with the independent projects.
I don't want to make my dataset public. Done with fine grained control access.
Read only access to specific datasets. Same as above.
Accessible via Excel connector. It should work without problems as they'd be first class BQ users.
No access rights to my main project. Again possible if they are restricted to their own projects.
They manage their own access privileges. This is trickier. I think they'd need more than read access to the datasets or more than read access to the projects to be able to add new users, if you use the project groups as access control.
Nice to have - Web UI access. Check out https://bigquery.cloud.google.com/
The project groups are groups that allow to select members with Viewer, Developer or Owner roles in one click, without the hassle of adding each member manually.
You get already three groups set-up for you to use: Viewers, Editors and Owners of the original project.
But you may create your own Google Groups and give those groups the permission you want.
The hint when doing so, is that new users will usually need to Display your project so that it appears in the BQ online browser. This is done by clicking on the arrow to the side of the project name in the BQ online browser followed by Switch to project then Display project with the project name that the Dataset belongs to.
Edit: Improved the explanation about Group access

tool to give user ability to query database without any ability to alter data

We have a Power User who knows the database very well and has become a great asset since we gave him access with SQL Server Management Studio. Unfortunately, we also gave him a user/pwd used by all Development which carries ability to change data.
Without going into all the wrongs behind having such a privileged db-user and giving such access an end user, is there a tool that would give the user ability to query without any ability to update/insert/drop/ or anything else?
My guess is that the user probably does not want to change the database -- for his/her protection as well as yours.
Just enable this user's login using Window to have read-only access. Or, set up another read-only user and give it to the power user. At the extreme, you may need to change the password of your super user account.
I would recommend in the mean time that you set up a development group, give the group privileges, and assign the developers to the group. They can then login through that id. Perhaps one day, you'll be able to disable your super user account. For now, you should think about ways to work around it.