1
votes

I have a user which is not currently a member of my GCP project, for which I am an owner. I would like to grant them read, write and delete privileges for specific datasets. I know that I can add them to the project with the "BigQuery User" role, but this gives them permissions for all datasets. How do I add them to the project but only give them permissions for specific datasets?

2
Did you try to go to BigQuery UI, select your dataset, click on Share Dataset and grant the role security admin on the user that you want? - guillaume blaquiere
No, I'll try that - Max888
It didn't work just sharing the dataset, it only works if I give them permissions at the project level, but then they have access to all datasets. - Max888
What did not work? Do you have an error, or it did not work as expected? - guillaume blaquiere
It simply doesn't let the user into the project if I only give them access to the dataset. I need to give them something like the project viewer role to let them into the project, but then they can see all the datasets. - Max888

2 Answers

3
votes

There are two scenarios to consider when sharing datasets.

  1. Only sharing the datasets (no access to the project):

You can share the dataset from the BigQuery web UI, using a predefined IAM role with the access you want to provide. Keep in mind that with this approach, the user will only have access to the dataset, and to do something like query a table they'll require a GCP project of their own, where they have the "bigquery.jobs.create" permission at a project level, which is required for this.

A clear example on how this works is a public dataset, where you have access to the data, but you have to query it from your own project.

  2. Sharing datasets and project access (to run queries):

This option requires, as the first one, sharing the dataset, and additionally requires some permissions at the project level for specific operations, like running queries. To allow a user to run queries on your project (the billing for these executions will go to your billing account), you need to provide the user with the "bigquery.jobs.create" permission at the project level; this permission won't provide access to the datasets, it only allows running queries within the project.

If for some reason you only provide the "bigquery.jobs.create" permission and no dataset access, they will only be able to query public datasets.

For this particular case you could provide the "BigQuery Job User" predefined IAM role at the project level, which, of the 3 roles that include the required permission, is the one with the lowest scope.

0
votes

You should be able to share only a single dataset with them. The following worked for me:

  1. Choose the dataset you want to share, click share dataset: screenshot
  2. Enter email, click BigQuery -> BigQuery Admin
  3. Save

It should work on dataset level, and would not give access to all datasets, see details in https://cloud.google.com/bigquery/docs/access-control:

You can also assign roles at the dataset level to provide access only to one or more datasets. In the Cloud IAM policy hierarchy, BigQuery datasets are child resources of projects. Tables and views are child resources of datasets — they inherit permissions from their parent dataset.

Also, there are other ways to share datasets here: https://cloud.google.com/bigquery/docs/dataset-access-controls#console

Thanks, Alexey
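The two-step grant described in both answers (dataset-level access plus a project-level "BigQuery Job User" binding), as an added example that is not from either answer: it edits the dataset resource JSON in the shape `bq show --format=prettyjson` returns and emits the `gcloud` command for the project binding. The project id, dataset id and email address are constructed sample values; the access entry uses the dataset-level legacy role names (READER, WRITER, OWNER), where WRITER corresponds to BigQuery Data Editor and covers reading, writing and deleting tables in that dataset only.

```python
import copy
import json

# Constructed sample of what `bq show --format=prettyjson myproj:sales`
# returns (trimmed to the fields this example touches).
SAMPLE_DATASET = {
    "datasetReference": {"projectId": "myproj", "datasetId": "sales"},
    "access": [
        {"role": "OWNER", "specialGroup": "projectOwners"},
        {"role": "WRITER", "specialGroup": "projectWriters"},
        {"role": "READER", "specialGroup": "projectReaders"},
    ],
}

# Dataset-level access entries use these legacy role names; the predefined IAM
# equivalents are READER = Data Viewer, WRITER = Data Editor, OWNER = Data Owner.
DATASET_ROLES = {"READER", "WRITER", "OWNER"}


def add_dataset_access(dataset, email, role):
    """Return a copy of the dataset resource with a userByEmail entry added.

    Idempotent: an identical entry is not appended twice. Write the result to
    a file and apply it with `bq update --source FILE project:dataset`.
    """
    if role not in DATASET_ROLES:
        raise ValueError(f"role must be one of {sorted(DATASET_ROLES)}")
    updated = copy.deepcopy(dataset)
    entry = {"role": role, "userByEmail": email}
    if entry not in updated["access"]:
        updated["access"].append(entry)
    return updated


def job_user_binding_command(project_id, email):
    """gcloud command granting only bigquery.jobs.create at the project level."""
    return (
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member=user:{email} --role=roles/bigquery.jobUser"
    )


def dataset_access_for(dataset, email):
    """Roles the user holds directly on the dataset (group entries ignored)."""
    return sorted(e["role"] for e in dataset["access"] if e.get("userByEmail") == email)


if __name__ == "__main__":
    ds = add_dataset_access(SAMPLE_DATASET, "analyst@example.com", "WRITER")
    print(json.dumps(ds, indent=2))
    print(job_user_binding_command("myproj", "analyst@example.com"))
```

The project binding gives the user no data access by itself, so a user who is only a Job User on the project cannot see datasets they were not explicitly granted.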