This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
This site is in read only until July 22 as we migrate to a new platform; refer to this community post for more details.
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Unableto set the enable_fine_grained_dataset_acls_option on GCP project

Posted a week ago
ps533i
New Member
Reply posted on --/--/---- --:-- AM

Hello Team, as per the documentation given here we are trying to opt in the early enforcement and ran this DDL statement by putting the correct PROJECT_ID and REGION. This statement returned the result as the enforcement got applied. 

ALTER PROJECT PROJECT_ID
SET OPTIONS (
  `region-REGION.enable_fine_grained_dataset_acls_option` = TRUE);

 So, we are doing the POC to check what are those custom roles are there which may fail after the enforcement got applied. So tested with one custom role which has the following permissions:
"bigquery.datasets.create",
"bigquery.datasets.delete",
"bigquery.datasets.get",
"bigquery.datasets.update",
Now, user with this role should not access BQ dataset ACLs since it doesn't have the bigquery.dataset.getIamPolicy permission. But users with this role are able to get the ACLs and also able to update the ACLs. 

Can you please help in this regards

1 1 54
Topic Labels
Reply
1 REPLY 1

Posted on --/--/---- --:-- AM
marckevin
Staff
Reply posted on --/--/---- --:-- AM

Hi @ps533i,

Welcome to Google Cloud Community!

Here are some suggestions that may help resolve the issue:

  • Ensure that you have properly configured the enable_fine_grained_dataset_acls_option configuration setting at the project level when opting into early enforcement.
  • Another possible reason for the issue could be the propagation delay, which may cause the enforcement to take some time to apply.
  • Make sure that the users you're testing during the POC do not have other roles that might contain the bigquery.datasets.getIamPolicy or bigquery.datasets.setIamPolicy permissions.
  • Verify and confirm that the enforcement has actually been applied and is active on the project. You can try this by using the bq command-line tool commands, as some bq tool commands are also affected when opting into early enforcement.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

0 Likes
Reply
Top Labels in this Space
Top Solution Authors
View all