Solved: Re: How to provide permission to BigQuery datasets

erik_bagdasarov · 04-15-2024 12:48 PM

Hi. I have several datasets in my project. Please tell me how to provide access to the project, but not to all data sets, but only to certain data sets? Thank you!

DamianS

Hmm, for project visibility grant Viewer role at project level. It should handle project visibility. For datasets, if this is random problem ( at least it looks like it is ), maybe we could create issue ticket [1] and wait for IssueTracker Team response. As AFAIR, if you grant access to particular datasets, those datasets should be visible all the time ( unless they have been removed which is quite obvious 😄 ).

[1]. https://issuetracker.google.com/issues/new?component=187149&template=1162659

cheers,

DamianS

View solution in original post

erik_bagdasarov

I found a solution to my problem!

At the project level you need to set the BigQuery User role, and at the dataset level you need to set the BigQuery Data Viewer role.

Thanks again! ✌️

View solution in original post

DamianS

Hello @erik_bagdasarov ,

Welcome on the Google Cloud Community. You should be able to do it via "SHARE" option for particular dataset.

1. Access Google Cloud Console

First, log in to the Google Cloud Console and navigate to the BigQuery section, or directly to the IAM & Admin section if you are managing access at the project level and then navigating to specific datasets.

2. Navigate to Each Dataset

For each dataset you wish to share:

Select the dataset in the BigQuery interface.
Click on "SHARE DATASET" at the top of the dataset details page.

3. Manage IAM Roles for Each Dataset

Within the Share dataset dialog:

Add Principals: Click "Add Principals" and enter the email addresses of the users, groups, or service accounts you want to grant access to.
Assign Roles: Choose the appropriate roles for these principals. The roles are specific to the level of access you want to provide:
- roles/bigquery.dataOwner: Allows full control over the data and permissions.
- roles/bigquery.dataEditor: Allows editing but not permission management.
- roles/bigquery.dataViewer: Read-only access to the dataset.

4. Apply and Confirm Changes

After adding principals and assigning roles, click "Add" to add these settings to the dataset.
Save your changes by clicking "Done" or "Save" to ensure the permissions are updated.

5. Repeat for Each Dataset

Repeat steps 2-4 for each dataset you wish to selectively share. This ensures that only the specified users or groups have access to the datasets you've chosen, and not to any others in the project.

6. Verify Permissions

After setting the permissions, it's a good practice to verify them. You can check the access controls by viewing the dataset settings or by asking the users to confirm their access levels.
Ensure that no broader project-level permissions override your dataset-specific permissions, which might inadvertently give wider access than intended.

Additionally, if you want to grant access to dataset with time-restrict option, you should be able to do it with IAM CEL conditions .

Go to your IAM -> Add principal -> Choose proper IAM role -> Choose "IAM Conditions" -> Provide title -> Use either condition builder or editor. -> In editor option copy / paste/ adjust following code

resource.name == "webaap-wordpress-load.customers" &&
request.time < timestamp("2024-04-17T22:00:00.000Z") &&
resource.type == "bigquery.googleapis.com/Dataset"

Line1 : DATASET-_ID
Line2: Timestamp
Line3: Should work without changes.

cheers,
DamianS

erik_bagdasarov

Hi Damians! Thank you to reply my post.

This is what I do, but the user to whom I grant rights to the dataset does not have the project appear in the project list and does not always display the dataset to which I have granted access.

I would like the user to have a project in the list of projects that contains a data set to which access is allowed, and the remaining data sets are not available to him.

DamianS

Hmm, for project visibility grant Viewer role at project level. It should handle project visibility. For datasets, if this is random problem ( at least it looks like it is ), maybe we could create issue ticket [1] and wait for IssueTracker Team response. As AFAIR, if you grant access to particular datasets, those datasets should be visible all the time ( unless they have been removed which is quite obvious 😄 ).

[1]. https://issuetracker.google.com/issues/new?component=187149&template=1162659

cheers,

DamianS

erik_bagdasarov

I found a solution to my problem!

At the project level you need to set the BigQuery User role, and at the dataset level you need to set the BigQuery Data Viewer role.

Thanks again! ✌️

nitish1995

Hello @erik_bagdasarov ,

BigQuery User (roles/bigquery.user) When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

I don't know how it solved your scenario. When we grant Bigquery User role at project level, it is granting to list all datasets as well. So I can't be able to control my viewer seeing other datasets.

Best,

Nitish