What is the difference between BigQuery Data Viewer permissions at dataset-level vs project-level when accessing the data from Data Studio?

0
votes

I have a dataset in BigQuery and if I give a user BigQuery Data Viewer permissions at dataset level he cannot see the data in Data Studio, he has an error when he tries to add a chart: "Data Studio Configuration Error. Data Studio cannot connect to your data set".

This error doesn't appear when I give the user the same access permissions(BigQuery Data Viewer) but at project level. In this case everything is working ok.

In the documentation it says: "You must have the appropriate permissions in order to add a BigQuery data source to a Google Data Studio report. In addition, the permissions applied to BigQuery datasets will apply to the reports, charts, and dashboards you create in Google Data Studio."

What does it mean "appropriate permissions" ?

Why is not working if I give the user access permission at dataset level? ( I don't want the user to have access to all datasets in the project)

2
permissionsgoogle-bigquerygoogle-data-studio

2 Answers

0
votes

I think your answer is in Big Query docs :: Predefined roles and permissions:

BigQuery Data Viewer (roles/bigquery.dataViewer)

When applied to a table or view, this role provides permissions to:

  • Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Since you realized that Data Studio doesn't work without this permission at project level (I did not test, but I trust in you), my bet is that Data Studio needs permision to enumerate datasets also (when you connect to a Data Source, it enumerate all datasets indeed, to let you choose the one you want to connect).

This permission probably is not really necessary after the setup or if you are running custom queries, but if BigQuery connector requires it, I would say it has an internal bug because it is always trying to enumerate datasets, even when it is not required.

0
votes

Datastudio launches jobs under the hood that needs authorization.

Running a query job that is used to populate a report requires bigquery.jobs.create permissions. In order for the query job to complete successfully, the user or group must have access to the dataset containing the tables referenced by the query. The minimum access level required is Can view which maps to the bigquery.dataViewer role for that dataset (Reference).