Google Cloud Platform
Hide
BigQuery
Write Feedback

Access Control

BigQuery uses ACLs to manage permissions on projects and datasets. ACLs are not directly supported on tables. A table inherits its ACL from the dataset that contains it.

Project roles affect your ability to run jobs or manage the project, while dataset roles affect how you can access or modify the data inside of a project.

Contents

Project roles

By default, granting access to a project also grants access to datasets within it. Default access can be overridden on a per-dataset basis. Any user with the project Is Owner role has the ability to revoke or change any project role.

Supported entity types

Project roles are granted or revoked for individual users, groups or service accounts, by specifying an email address.

Supported project roles

BigQuery supports the following project roles:

Project role Capabilities
Can View
  • Can start a job in the project. Additional dataset roles are required depending on the job type.
  • Can list and get all jobs that they started for that project
  • Is granted the READER dataset role by default for any new dataset in the project
Can Edit
  • Same as Can View, plus:
    • Can create a new dataset in the project
    • Is granted the WRITER role by default for any new dataset in the project
Is Owner
  • Same as Can Edit, plus:
    • Can list all datasets in the project
    • Can delete any dataset in the project
    • Can list and get all jobs run on the project, including jobs run by other project users

Default access

When you create a new project in the Google Developers Console, the following roles are automatically granted:

Project role Entity
Is Owner The user who created the project

Granting and revoking access

Project roles are granted or revoked through the Google Developers Console. You must have Is Owner access to the project in order to grant or revoke a new project role.

For more information about how to grant or revoke access for project roles, see Managing project members.

Dataset roles

Supported entity types

Dataset roles can be granted to the following entity types:

Entity type API
Single users, by email address access.userByEmail
A Google Group, by email address access.groupByEmail
A predefined group of users, such as all users, or a group of users that have the same project role for the project that contains the dataset access.specialGroup

Supported dataset roles

BigQuery supports the following dataset roles:

Dataset role Capabilities
READER
  • Can read, query, copy or export tables in the dataset
    • Can call get on the dataset
    • Can call get and list on tables in the dataset
    • Can call list on table data for tables in the dataset
WRITER
  • Same as READER, plus:
    • Can edit or append data in the dataset
OWNER
  • Same as WRITER, plus:
    • Can call update on the dataset
    • Can call delete on the dataset

Note: A dataset must have at least one entity with the OWNER role. A user with the OWNER role can't remove their own OWNER role.

Default access

When you create a new dataset, BigQuery adds default dataset access for the following entities. Roles that you specify on dataset creation overwrite the default values.

Entity Project role
All users with Can View access to the project READER
All users with Can Edit access to the project WRITER
All users with Is Owner access to the project OWNER

Granting and revoking access

Dataset roles are granted or revoked by using one of following options:

  • Through the BigQuery API, using update
  • Through the browser tool, by clicking the dropdown next to a dataset name, and then clicking Share dataset

back to top

Other services

In addition to project and dataset roles, you might need additional access rights when working with BigQuery. For example, when loading data into BigQuery from Google Cloud Storage, you need a certain level of access to the bucket where the data resides.

We list information about these required roles at the top of certain topics in the BigQuery documentation, such as loading data and exporting data.

Back to top

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies.