How to set permissions for specific dataset on Google BigQuery?

4

11

I am trying to set permissions on BigQuery so that users are able to see and query tables on one dataset but able to edit, create and delete tables on another dataset.

I'm not able to figure out how to do this "dataset-level segregation" on the Cloud Platform Console.

Ideal scenario would be:

  • Dataset1 - Permissions to see data and query tables
  • Dataset2 - Permissions to see, query, create, edit and delete tables.

Any ideas on how to do this?

Fiddlestick answered 4/2, 2019 at 13:48 Comment(1)
it's mind-numbing that something so straightforward and common is so difficult to implement in bq - Drugget
17

2021 update:

The old UI (the original answer) has not been available for a long time, but the new UI (now called the regular BQ UI) now has this ability.

To change permissions on the new UI, it's a 3 step process:

  1. First, you need to open the details of the dataset by clicking the contextual menu on the dataset and selecting "Open" (clicking or double-clicking the dataset name will not open the details pane).

  2. On the top bar of the details pane, you can open the ⁺👤 Sharing dropdown, and select "Permissions" to reveal the permissions sidebar.

  3. On the open sidebar, click the ⁺👤 ADD PRINCIPAL button to open the contextual menu.

  4. On the contextual menu, write the list of emails or Google groups that you want to grant access to, and select the right roles (roles/bigquery.dataViewer role for query permissions, roles/bigquery.dataEditor role for edit permissions).


2019 answer:

According to the docs, the permissions are set on a per-dataset basis, so what you want to accomplish is possible.

I can't see how to do that in the new interface (in https://console.cloud.google.com/bigquery), but it's quite easy to do so in the classic UI (in https://bigquery.cloud.google.com) by opening the drop-down next to the dataset and clicking on "Share dataset".

This will open the sharing panel, where you can select "Can view" for running queries, or "Can edit" to modify the dataset.

In the docs there are additional options, like using the CLI or the API, but I think the simplest way is to use the web UI.

Cadet answered 4/2, 2019 at 14:0 Comment(2)
Share dataset option only available in old UI, not yet released to new UI. - Rose
How does a user with BigQuery Data Viewer access this dataset? Logging in the google cloud console as the user doesn't seem to give any indication on how to access this dataset. User also did not receive any notification/email that they have been given access. - Raw
3

In the Cloud Console you can now set per-user permissions on your dataset:

[Screenshot: sharing a dataset]

-Michael (BigQuery Product Manager)

Overkill answered 1/3, 2019 at 1:17 Comment(3)
will this be reflected in Release notes? - Bounce
+Michael did I understand correctly, in order for user to query a table... permission "BigQuery Job User" needs to be at Project level.. Dataset level won't suffice. from what I see.. - Jetblack
Can we do this through the IAM UI in the console? - Tessy
0

In order to give users access to a specific dataset on the new UI:

  1. Open the dataset and click Share Dataset.
  2. Give your members the following roles, depending on what level of access you want them to have:

View access ("see data and query tables"):

  • BigQuery Data Viewer
  • BigQuery User

Full access ("see, query, create, edit and delete tables"):

  • BigQuery Data Editor
  • BigQuery User

Important note: Do not give them project-level access in your IAM console, unless you want them to have view/edit access to other datasets.

Embody answered 11/4, 2019 at 10:16 Comment(1)
BigQuery Data Viewer and BigQuery User do not give bigquery.jobs.create permissions when applied to a dataset. - Moschatel
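
The CLI/API route mentioned in the answers above, as an added example that is not taken from any answer on this page: it edits the `access` list that `bq show --format=prettyjson` returns for a dataset, adding a read-only grant idempotently and listing principals that hold more than read access. The project ID, email addresses and helper names (`entry`, `grant`, `over_privileged`) are constructed for illustration.

```python
import json

# Dataset access entries are returned with legacy role names; both forms are accepted.
LEGACY = {"roles/bigquery.dataViewer": "READER",
          "roles/bigquery.dataEditor": "WRITER",
          "roles/bigquery.dataOwner": "OWNER"}
# IAM-style principal prefix -> key used inside a dataset "access" entry.
KEYS = {"user": "userByEmail", "group": "groupByEmail", "domain": "domain"}
RANK = {"READER": 1, "WRITER": 2, "OWNER": 3}

# Constructed sample: trimmed `bq show --format=prettyjson example-project:dataset1`.
DATASET1 = json.loads("""{
  "datasetReference": {"projectId": "example-project", "datasetId": "dataset1"},
  "access": [{"role": "OWNER", "specialGroup": "projectOwners"},
             {"role": "WRITER", "userByEmail": "contractor@example.com"}]
}""")

def entry(role, principal):
    """Build one access entry from a role and a 'user:'/'group:'/'domain:' principal."""
    kind, _, ident = principal.partition(":")
    if kind not in KEYS or not ident:
        raise ValueError(f"unsupported principal: {principal!r}")
    return {"role": LEGACY.get(role, role), KEYS[kind]: ident}

def grant(dataset, role, principal):
    """Return a copy of the dataset resource with the grant added (idempotent)."""
    new = entry(role, principal)
    access = [dict(e) for e in dataset.get("access", [])]
    if new not in access:
        access.append(new)
    return {**dataset, "access": access}

def over_privileged(dataset, max_role="READER"):
    """List (principal, role) pairs above max_role. Special groups, views and
    iamMember entries are skipped; unrecognised roles are reported for review."""
    found = []
    for e in dataset.get("access", []):
        role = LEGACY.get(e.get("role"), e.get("role"))
        who = e.get("userByEmail") or e.get("groupByEmail") or e.get("domain")
        if who and RANK.get(role, 99) > RANK[max_role]:
            found.append((who, role))
    return found

if __name__ == "__main__":
    updated = grant(DATASET1, "roles/bigquery.dataViewer", "group:analysts@example.com")
    print(json.dumps(updated, indent=2))
    print("above READER:", over_privileged(updated))
```

Save the printed JSON to a file and apply it with `bq update --source <file> example-project:dataset1`; the same `grant` call with `roles/bigquery.dataEditor` produces the entry for the second dataset.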
0

You need to provide access on the project level from GCP console or CLI. Once access is given, the user can access all the datasets in the project.

Palsgrave answered 31/12, 2021 at 1:40 Comment(0)
