This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

How to get all the users/groups who have access to a table and columns they have access.

Posted on 03-17-2023 04:59 AM
dev_0
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Is there a way where I could get all the users/groups/service account who has access to a table and columns they have access to? 

I did get only users for a project level but not for tables. 

from pprint import pprint

from google.oauth2 import service_account
import googleapiclient.discovery

credentials = service_account.Credentials.from_service_account_file(
    filename='.../key.json',
    scopes=['https://www.googleapis.com/auth/cloud-platform'])

service = googleapiclient.discovery.build('cloudresourcemanager', 'v1', credentials=credentials)

response = service.projects().getIamPolicy(resource='test-3-project', body={}).execute()

pprint(response)

 

Solved Solved
0 3 4,530
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
bihagkashikar
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Hi @dev_0 

I think I answered this on stack overflow 🙂 ? anyways here's the post

I think this will meet your requirement.

The approach is basically using google cloud asset inventory api with batchget method. https://cloud.google.com/asset-inventory/docs/reference/rest/v1/effectiveIamPolicies/batchGet

if you navigate to below url, the page should also launch a "try this method pop screen" see screenshot below.

in the scope section enter below value in below format:

scope = projects/ENTERYOURPROJECTNAME
names = //bigquery.googleapis.com/projects/YOURPROJECTNAME/datasets/YOURDATASET

and then "execute", this will ask you to login with your console credentials, once done, you should see a response as in image sample json output

 
{
  "policyResults": [
    {
      "fullResourceName": "//bigquery.googleapis.com/projects/paidrightintelia/datasets/mydataset",
      "policies": [
        {
          "attachedResource": "//bigquery.googleapis.com/projects/YOURPROJECTNAME/datasets/YOURDATASET",
          "policy": {
            "bindings": [
              {
                "role": "roles/bigquery.dataEditor",
                "members": [
                  "projectEditor:YOURPROJECTNAME"
                ]
              },
              {
                "role": "roles/bigquery.dataOwner",
                "members": [
                  "projectOwner:YOURPROJECTNAME",
                  "user:<PII removed by staff>"
                ]
              },
              {
                "role": "roles/bigquery.dataViewer",
                "members": [
                  "projectViewer:YOURPROJECTNAME"
                ]
              }
            ]
          }
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/projects/YOURPROJECTNAME",
          "policy": {

 

View solution in original post

Jump to Solution
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
Aris_O
Staff
Reply posted on --/--/---- --:-- AM

Hi dev_0,

To configure access to tables and views, you can grant an IAM role to an entity at the following levels, listed in order of range of resources allowed (largest to smallest):

You can also restrict data access within tables, by using the following methods:

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
dev_0
Bronze 1
Bronze 1
In response to Aris_O
Reply posted on --/--/---- --:-- AM

Thanks for the reply, my question is how to get/list the inherited users/groups who has access to a particular table in a dataset.

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
bihagkashikar
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Hi @dev_0 

I think I answered this on stack overflow 🙂 ? anyways here's the post

I think this will meet your requirement.

The approach is basically using google cloud asset inventory api with batchget method. https://cloud.google.com/asset-inventory/docs/reference/rest/v1/effectiveIamPolicies/batchGet

if you navigate to below url, the page should also launch a "try this method pop screen" see screenshot below.

in the scope section enter below value in below format:

scope = projects/ENTERYOURPROJECTNAME
names = //bigquery.googleapis.com/projects/YOURPROJECTNAME/datasets/YOURDATASET

and then "execute", this will ask you to login with your console credentials, once done, you should see a response as in image sample json output

 
{
  "policyResults": [
    {
      "fullResourceName": "//bigquery.googleapis.com/projects/paidrightintelia/datasets/mydataset",
      "policies": [
        {
          "attachedResource": "//bigquery.googleapis.com/projects/YOURPROJECTNAME/datasets/YOURDATASET",
          "policy": {
            "bindings": [
              {
                "role": "roles/bigquery.dataEditor",
                "members": [
                  "projectEditor:YOURPROJECTNAME"
                ]
              },
              {
                "role": "roles/bigquery.dataOwner",
                "members": [
                  "projectOwner:YOURPROJECTNAME",
                  "user:<PII removed by staff>"
                ]
              },
              {
                "role": "roles/bigquery.dataViewer",
                "members": [
                  "projectViewer:YOURPROJECTNAME"
                ]
              }
            ]
          }
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/projects/YOURPROJECTNAME",
          "policy": {

 

Jump to Solution
0 Likes
Top Solution Authors
View all