
In BigQuery you can configure the access at a dataset-level.

According to the documentation:

BigQuery adds default dataset access for the following entities:

  • access.specialGroup: projectReaders; access.role: READER
  • access.specialGroup: projectWriters; access.role: WRITER
  • access.specialGroup: projectOwners; access.role: OWNER
  • access.userByEmail: [dataset creator email]; access.role: OWNER

However, I haven't been able to find a deterministic equivalence of such specialGroup values to the project's policy roles.

The referenced documentation doesn't shed a lot of light in this aspect:

A special group to grant access to. Possible values include: projectOwners: Owners of the enclosing project. projectReaders: Readers of the enclosing project. projectWriters: Writers of the enclosing project. allAuthenticatedUsers: All authenticated BigQuery users. Maps to similarly-named IAM members.

My understanding is that (please, correct me if I'm wrong) these values would identify all members within the project's policy whose bound role is one of the following:

  • projectOwners -> roles/bigquery.dataOwner (and/or roles/owner?)
  • projectWriters -> roles/bigquery.dataEditor (and/or roles/editor?)
  • projectReaders -> roles/bigquery.dataViewer (and/or roles/viewer?)

But at the end, those roles aren't more than a set of permissions, right? So, what happens if there's a custom role which contains the same subset of permissions as bigquery.dataViewer? Would users bound to this role also be able to access the datasets?

So, my question would be:

Do specialGroup's values have a deterministic equivalent among the project's roles and, if so, what is it?

The final goal is to determine exactly who can access a dataset, whether configured directly within the dataset's access or inherited via the project's policies.


1 Answer


The "specialGroup" possible values are analogous to the similarly named primitive roles for projects:

  • projectOwners -> Project Owners
  • projectWriters -> Project Editors
  • projectReaders -> Project Viewers

If you call the get dataset API method on a dataset, by default the "access" object you'll get in the response will look like:

"access": [
    {
      "role": "WRITER",
      "specialGroup": "projectWriters"
    },
    {
      "role": "OWNER",
      "specialGroup": "projectOwners"
    },
    {
      "role": "OWNER",
      "userByEmail": "[email protected]"
    },
    {
      "role": "READER",
      "specialGroup": "projectReaders"
    }
  ]

The "role" possible values refer to the permission granted over that specific dataset, which, by default, is granted to the analogous project-level roles (the "specialGroup" possible values). The dataset creator is also granted dataset OWNER access, although not via a specialGroup but via a userByEmail value. However, if the user who created the dataset was also a project owner, he would also belong to the projectOwners specialGroup.

Regarding the custom roles, you're right: a role is a set of permissions. If you create a custom role with exactly the same permissions as bigquery.dataViewer and then grant, for example, a service account that custom role, it would have the same permissions as if it had been granted the bigquery.dataViewer role.
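To audit "who can reach this dataset" the way the question asks, the dataset ACL has to be joined with the project IAM policy: each specialGroup entry expands to the members holding the matching primitive role, while predefined BigQuery roles bound at project level grant access without any ACL entry at all. The script below is an added example, not code from the question or answer; the dataset ACL and IAM bindings are constructed samples with placeholder principals, and treating roles/bigquery.dataViewer, dataEditor and dataOwner as READER/WRITER/OWNER equivalents is an assumption for the sake of the audit output.

```python
# specialGroup -> legacy primitive project role, as the answer above describes.
SPECIAL_GROUP_TO_ROLE = {"projectOwners": "roles/owner",
                         "projectWriters": "roles/editor",
                         "projectReaders": "roles/viewer"}
# Predefined BigQuery roles bound at project level reach the dataset without an
# ACL entry; assumption: treat each as the dataset role of the same strength.
BQ_ROLE_TO_DATASET_ROLE = {"roles/bigquery.dataViewer": "READER",
                           "roles/bigquery.dataEditor": "WRITER",
                           "roles/bigquery.dataOwner": "OWNER"}
RANK = {"READER": 1, "WRITER": 2, "OWNER": 3}  # OWNER > WRITER > READER

# Constructed sample: the "access" array returned by the get-dataset method.
SAMPLE_ACCESS = [
    {"role": "WRITER", "specialGroup": "projectWriters"},
    {"role": "OWNER", "specialGroup": "projectOwners"},
    {"role": "OWNER", "userByEmail": "creator@example.com"},
    {"role": "READER", "specialGroup": "projectReaders"},
]
# Constructed sample: project IAM policy bindings with placeholder principals.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["serviceAccount:etl@example.com"]},
    {"role": "roles/viewer", "members": ["group:analysts@example.com"]},
    {"role": "roles/bigquery.dataViewer", "members": ["user:bob@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["user:carol@example.com"]},
]}

def _grant(result, member, role, source):
    # Keep the strongest dataset role seen for a member and where it came from.
    if member not in result or RANK[role] > RANK[result[member][0]]:
        result[member] = (role, source)

def effective_access(access, policy):
    """Return {member: (dataset_role, source)} for everyone who can reach the dataset."""
    by_role = {}
    for b in policy["bindings"]:
        by_role.setdefault(b["role"], []).extend(b["members"])
    result = {}
    for entry in access:
        role = entry["role"]
        if "specialGroup" in entry:
            group = entry["specialGroup"]
            if group == "allAuthenticatedUsers":
                _grant(result, "allAuthenticatedUsers", role, "specialGroup")
            for m in by_role.get(SPECIAL_GROUP_TO_ROLE.get(group), []):
                _grant(result, m, role, f"specialGroup:{group}")
        elif "userByEmail" in entry:
            _grant(result, "user:" + entry["userByEmail"], role, "userByEmail")
    for bq_role, ds_role in BQ_ROLE_TO_DATASET_ROLE.items():  # IAM, not ACL
        for m in by_role.get(bq_role, []):
            _grant(result, m, ds_role, f"projectIAM:{bq_role}")
    return result
```

Running `effective_access(SAMPLE_ACCESS, SAMPLE_POLICY)` lists the creator and the project owner as OWNER, the editor service account as WRITER, the viewer group and the dataViewer user as READER, and leaves out the principal whose only role is unrelated to BigQuery.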