
User does not have permission to access results of another user's job.

Hello,

User A is creating a query in bq and then user B wants to read the data (using job ID and location). 

User B gets: User does not have permission to access results of another user's job.

User B has the bq admin role assigned.

Which permissions are necessary for user B to access the data of the job created by user A?

Accepted solution

By default, BigQuery jobs and their results are private to the user who created them. Even with the BigQuery Admin role, a user cannot directly access the results of another user's job unless explicitly granted permission. 

There are a few ways to allow User B to access the results of User A's job:

  1. Share the Job: User A can share the job itself with User B. This allows User B to view the job details, query, and results. To share the job:
    • User A navigates to the job in the BigQuery UI.
    • Clicks on the "Share" button and adds User B's email address.

  2. Persist Results to a Table: The most common solution is for User A to save the job results into a permanent table. User B can then be granted permissions (e.g., BigQuery Data Viewer or BigQuery Reader) on that table to access the data.

  3. Grant bigquery.jobs.get Permission:
    • This permission allows a user to view the details and results of any job in the project.
    • Caution: Be careful when granting this permission broadly, as it gives access to all job results in the project. Consider creating a custom role with only this specific permission if you want more granular control.

  4. Use Authorized Views:
    • If the data is sensitive, create an authorized view on top of the underlying table containing the results.
    • Grant User B access to the view. This allows User B to see only a subset of the data based on the view definition.

Implementing Permissions

To grant the bigquery.jobs.get permission or create a custom role, follow these steps:

  1. Go to the IAM & Admin section in the Google Cloud Console.
  2. Select your project.
  3. Click on "Add" to add a new member (User B).
  4. In the "Role" dropdown, search for "BigQuery Job User" (includes bigquery.jobs.get) or select "Create Role" to define a custom role.
  5. Save the changes.

Example Custom Role (JSON)

 
{
  "title": "Custom BigQuery Job Viewer",
  "description": "Allows viewing details and results of all jobs in the project.",
  "includedPermissions": [
    "bigquery.jobs.get"
  ],
  "stage": "GA"
}

Important Considerations

  • Security: Always be mindful of the sensitivity of the data. Don't grant excessive permissions unless necessary.
  • Performance: If the results are large, materializing them into a table might be more efficient for User B to access the data than repeatedly running the job.
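
Added example, not part of the original answer: a check for the caution above about granting bigquery.jobs.get broadly. It walks a project IAM policy and a set of role definitions and lists every principal whose role includes that permission; the policy, project, role IDs and members are constructed for illustration, in the JSON shapes that `gcloud projects get-iam-policy` and `gcloud iam roles describe` emit.

```python
import json

PERMISSION = "bigquery.jobs.get"  # permission named in the answer above
BROAD = ("allUsers", "allAuthenticatedUsers", "group:", "domain:")

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
# Project, role IDs and members are hypothetical.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "projects/example-project/roles/customBigQueryJobViewer",
   "members": ["user:user-b@example.com", "group:analysts@example.com"]},
  {"role": "projects/example-project/roles/customBigQueryJobViewer",
   "members": ["user:contractor@example.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "projects/example-project/roles/customTableReader",
   "members": ["user:user-c@example.com"]}
]}
""")

# Constructed role definitions, shaped like `gcloud iam roles describe --format=json`.
SAMPLE_ROLES = {
    "projects/example-project/roles/customBigQueryJobViewer":
        {"title": "Custom BigQuery Job Viewer", "includedPermissions": ["bigquery.jobs.get"]},
    "projects/example-project/roles/customTableReader":
        {"title": "Custom Table Reader", "includedPermissions": ["bigquery.tables.getData"]},
}

def audit(policy, roles, permission=PERMISSION):
    """Return (findings, unresolved): who holds `permission`, and roles we could not expand."""
    findings, unresolved = [], []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in roles:          # no definition supplied: report, do not guess
            if role not in unresolved:
                unresolved.append(role)
            continue
        if permission not in roles[role].get("includedPermissions", []):
            continue
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "role": role,
                "broad": member.startswith(BROAD),   # groups, domains, public principals
                "conditional": "condition" in binding,
            })
    return findings, unresolved

if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY, SAMPLE_ROLES)[0]:
        print(f)
```

Roles whose definition is not supplied are returned in the second list rather than assumed safe, so they can be expanded and the check rerun.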
