Introduction to security and access controls in BigQuery

This document provides an overview of access controls in BigQuery using Identity and Access Management (IAM). IAM lets you grant granular access to specific BigQuery resources and helps prevent access to other resources. IAM helps you apply the security principle of least privilege, which states that no IAM principal should have more permissions than they actually need.

When an IAM principal such as a user, group, or service account calls a Google Cloud API, that principal must have the minimum IAM permissions necessary to use the resource. To give a principal the required permissions, you grant an IAM role to the principal.

This document describes how predefined and custom IAM roles can be used to allow principals to access BigQuery resources.

To familiarize yourself with how access is managed in Google Cloud, see IAM overview.

IAM role types

A role is a collection of permissions that can be granted to an IAM principal. You can use the following types of roles in IAM to grant access to BigQuery resources:

To determine if one or more permissions are included in a predefined IAM role, you can use one of the following methods:

IAM roles in BigQuery

Permissions are not assigned directly to users, groups, or service accounts. Instead, users, groups, or service accounts are granted one or more predefined or custom roles that grant them permissions to perform actions on resources. You grant these roles on a particular resource, but they also apply to all of that resource's descendants in the resource hierarchy.

When you assign multiple role types to a user, the permissions granted are a union of each role's permissions.

You can grant access to the following BigQuery resources:

  • Datasets and these resources within datasets:
    • Tables and views
    • Routines
  • Connections
  • Saved queries
  • Data canvases
  • Data preparations
  • Pipelines
  • Repositories

Grant access to Resource Manager resources

You can configure access to BigQuery resources through Resource Manager by granting a BigQuery role to a principal and then by granting that role on an organization, a folder, or a project.

When you grant roles to Resource Manager resources such as organizations and projects, you're granting permissions on all of the BigQuery resources in the organization or project.

For additional information on using IAM to manage access to Resource Manager resources, see Manage access to projects, folders, and organizations in the IAM documentation.

Grant access to datasets

You can assign roles at the dataset level to provide access to a specific dataset, without providing complete access to the project's other resources. In the IAM resource hierarchy, BigQuery datasets are child resources of projects. For more information on assigning roles at the dataset level, see Control access to resources with IAM.

Grant access to individual resources within datasets

You can grant roles access to certain types of resources within datasets, without providing complete access to the dataset's resources.

Roles can be applied to the following resources within datasets:

  • Tables and views
  • Routines

For more information on assigning roles at the table, view, or routine level, see Control access to resources with IAM.

What's next