
Grant DataEditor Permissions

Hello!

I am new to GCP. I already have a couple of existing projects in BigQuery. Now I have created a new project to which I would like to grant access to another user. This user should have access to just this BQ project (maybe just to a specific dataset, if possible) with the ability to create/delete tables and load data to those tables. 

I have found that, within this project, I can add the user under "IAM & Admin" > IAM > Grant Access as a new principal with the role BigQuery Data Editor.

I would like to make sure that this is the correct approach to limit the new user to just this project with no possibility to access data outside this project or information related to my GCP (billing) account.

Thank you!


Howdy and welcome to the community.  You are going down the right path.  The IAM subsystem is the right way to go.  What you want to do is associate a role with your identity that allows them to perform the tasks they need but you want to grant "least privilege" both in terms of scope (what they can do) and resource (only the resources desired).   For BigQuery, you can grant a role at either a project, a dataset or a table.  They inherit, so if you grant at the project level, all datasets (and all tables) associated with that project are included in the grant.  It sounds like you want to grant the role at just the dataset level and NOT at the project level.  This will give your user the ability to create/delete tables and work with data but ONLY on the allowed datasets.  If you set the grant at the project level, then ALL datasets in the project would be granted.

Hello Kolban and thank you for your reply!

I am having trouble understanding what you mean by "associate a role with your identity"!

What I did was enter the email address of the user in the "Add principals" window and select the BigQuery Data Editor role. Also, this way I haven't found a way to limit the permission granted to the dataset. This seems to grant the permission at the project level!

Howdy and many thanks for coming back and commenting that something wasn't clear.  That's on us to make it as clear as possible ... so PLEASE keep coming back if anything is still not clear.

In Google Cloud, security access is governed by "roles".  An example of a Role is "BigQuery Data Editor".  You can find a list and description of the possible BigQuery related roles here.  If you are new to Google Cloud, you might want to read about IAM in general which is the security manager.  A Role is a "named" collection of permissions.  We don't grant permissions to users ... instead we grant a user a role and since the role contains permissions ... we effectively grant permissions ... just not directly.

When a request is submitted by a user to Google Cloud for anything (not just BigQuery ... but ANYTHING) ... Google Cloud asks two questions:

1. Do I know who this user is? (Are they authenticated)
2. Should I allow the user to do what they are asking to do? (Shall I authorize them)

Right now we are talking about authorization and that's where IAM comes in.  To authorize a user, you "bind" a user to a role ... also known as "granting" a user a role.   So ... for example, if we grant user "Neil" the role "BigQuery Data Editor", and user "Neil" asks to create a table, then, because he was granted the role, he will be allowed to create a table.   Now let's consider the next dimension ... how "broad" should that role be?   Should he be able to create tables in ALL datasets or in just SOME datasets?   That's where we can scope the grant of the role.   If we grant the role at the project level, then he can create tables in ALL datasets.  If we grant the role at JUST one or more datasets then he can create tables in ONLY those datasets.

To grant a role at the project level through the console, you would go to:

IAM > IAM and click GRANT ACCESS and specify the principal (user) and Role to grant.

If you want to grant a role at just the Dataset level in the console, you would go to:

BigQuery > SQL Workspace > Project > Dataset > Share

From there you will see a panel called "Dataset Permissions" and you would click "Add principal" and again be given the opportunity to bind a user to a role.  However, THIS binding is ONLY at the named/selected dataset.
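The same dataset-level grant, and the project-level check that goes with it, can be done from the command line instead of the console. The script below is an added example for this thread (it is not Kolban's code and not from Google's documentation); it works on two JSON documents the CLI already gives you: the dataset metadata from `bq show --format=prettyjson PROJECT:DATASET` (whose `access` list is the dataset-level binding list, where the legacy role name `WRITER` is the same thing as `roles/bigquery.dataEditor`) and the project IAM policy from `gcloud projects get-iam-policy PROJECT --format=json`. The project id `example-project`, the dataset `analytics` and all email addresses are constructed for the example. It adds the user to the dataset's own `access` list, leaves the project policy untouched, and then reports whether the user has any project-level binding at all, which is exactly the thing the original question wanted to rule out.

```python
import json
from typing import Dict, List

# Constructed sample of `bq show --format=prettyjson example-project:analytics`
# for a freshly created dataset (only the fields used here are included).
SAMPLE_DATASET = {
    "datasetReference": {"projectId": "example-project", "datasetId": "analytics"},
    "access": [
        {"role": "WRITER", "specialGroup": "projectWriters"},
        {"role": "OWNER", "specialGroup": "projectOwners"},
        {"role": "READER", "specialGroup": "projectReaders"},
    ],
}

# Constructed sample of `gcloud projects get-iam-policy example-project --format=json`.
# contractor@example.com was granted Data Editor at the PROJECT level, which is the
# too-broad grant the thread warns about.
SAMPLE_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/bigquery.dataEditor", "members": ["user:contractor@example.com"]},
    ],
    "etag": "BwXexampleEtag=",  # constructed placeholder
}

# Dataset access entries accept the IAM role id; BigQuery maps the legacy
# name WRITER to this same role.
DATA_EDITOR = "roles/bigquery.dataEditor"


def grant_dataset_editor(dataset: Dict, email: str) -> Dict:
    """Return a copy of the dataset metadata with a dataset-scoped Data Editor
    entry for `email`. Idempotent: an existing equivalent entry is not duplicated."""
    updated = json.loads(json.dumps(dataset))  # deep copy, never mutate the input
    entries: List[Dict] = updated.setdefault("access", [])
    for entry in entries:
        if entry.get("userByEmail") == email and entry.get("role") in (DATA_EDITOR, "WRITER"):
            return updated
    entries.append({"role": DATA_EDITOR, "userByEmail": email})
    return updated


def dataset_roles_for(dataset: Dict, email: str) -> List[str]:
    """Roles the dataset's own access list grants directly to `email`."""
    return sorted(e["role"] for e in dataset.get("access", []) if e.get("userByEmail") == email)


def project_roles_for(policy: Dict, email: str) -> List[str]:
    """Roles bound to user:<email> on the project itself. A project-level binding
    is inherited by every dataset and table in the project, so for a user who
    should only see one dataset this list should be empty."""
    member = f"user:{email}"
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


def review_grant(dataset: Dict, policy: Dict, email: str) -> Dict:
    """Summarise where `email` is bound and whether the grant is dataset-scoped only."""
    ds_roles = dataset_roles_for(dataset, email)
    proj_roles = project_roles_for(policy, email)
    return {
        "dataset_roles": ds_roles,
        "project_roles": proj_roles,
        "least_privilege": DATA_EDITOR in ds_roles and not proj_roles,
    }


if __name__ == "__main__":
    new_user = "analyst@example.com"  # constructed
    updated = grant_dataset_editor(SAMPLE_DATASET, new_user)
    # Write the edited metadata; apply it with:
    #   bq update --source dataset.json example-project:analytics
    with open("dataset.json", "w") as fh:
        json.dump(updated, fh, indent=2)
    print(json.dumps(review_grant(updated, SAMPLE_PROJECT_POLICY, new_user), indent=2))
    print(json.dumps(review_grant(SAMPLE_DATASET, SAMPLE_PROJECT_POLICY, "contractor@example.com"), indent=2))
```

In practice the flow is: dump the dataset with `bq show --format=prettyjson`, run the script (or edit the `access` list by hand), push it back with `bq update --source dataset.json PROJECT:DATASET`, and then confirm with `gcloud projects get-iam-policy` that the user's email does not appear in any project-level binding. The `review_grant` result for the contractor shows the opposite case: a Data Editor binding at the project level, which the dataset-level check cannot see and which covers every dataset in the project.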