BigQuery permissions

Use the following information to understand the BigQuery permissions that are used when configuring BigQuery permissions for Data Access.

Service account

Item Why When

Service account or Workload Identity Federation

To authenticate to your GCP environment. It is the identity that the connector runs as.

Always required.

APIs

API Why When
cloudresourcemanager.googleapis.com To retrieve or manage the "organization > folder > project" hierarchy and project IAM policies. Always required.
iam.googleapis.com To list service accounts and manage IAM bindings. Always required.
admin.googleapis.com To access the Google Workspace (GSuite) Directory API to import users and groups. Always required.
bigquery.googleapis.com To manage BigQuery metadata and access control operations. Always required.
datacatalog.googleapis.com To manage the Data Catalog policy tags that are used for column masking.

Required when using column masks.

bigquerydatapolicy.googleapis.com To manage the BigQuery data policies that are bound to policy tags for column masking.

Required when using column masks.

Organization, folder, and project discovery permissions

Permission Why When
resourcemanager.organizations.get To read the organization's display name to establish the root of the resource hierarchy. Required when using the Organization or Folder scoping approach.
resourcemanager.folders.list

To list the direct child folders within a specific parent organization or folder.

Required when using the Organization or Folder scoping approach.
resourcemanager.projects.list To list the projects within the hierarchy. Required when using the Organization or Folder scoping approach.
iam.serviceAccounts.list To import GCP service accounts as identities in Data Access. Required when using the Folder or Project scoping approach.

Google Workspace (GSuite) admin role

Permission Why When
users.read To import users as identities. Always required.
groups.read To import groups and their memberships. Always required.

Project-level BigQuery permissions

Always required

Permission Why
bigquery.datasets.get To read dataset metadata.
bigquery.datasets.getIamPolicy To import existing dataset-level access into Data Access.
bigquery.datasets.setIamPolicy To apply dataset-level access in BigQuery.
bigquery.datasets.update To update dataset access entries.
bigquery.jobs.create To run queries or jobs.
bigquery.jobs.get To read job status or results.
bigquery.tables.get To read metadata and schema of tables and table views.
bigquery.tables.getIamPolicy To import existing table-level access.
bigquery.tables.list To list tables and table views within datasets.
bigquery.tables.setIamPolicy To apply table-level access.
resourcemanager.projects.get To read project metadata.
resourcemanager.projects.list To list projects.
resourcemanager.projects.getIamPolicy To import project-level IAM bindings.
resourcemanager.projects.setIamPolicy To apply project-level IAM bindings.

Row filtering

Permission Why
bigquery.tables.getData

To create or update row access policies. Data Access never reads your actual table data.

bigquery.rowAccessPolicies.create To create row access policies.
bigquery.rowAccessPolicies.delete To remove obsolete row access policies.
bigquery.rowAccessPolicies.list To list existing row access policies.
bigquery.rowAccessPolicies.update To modify existing row access policies.
bigquery.rowAccessPolicies.getIamPolicy To read principals granted on a policy.
bigquery.rowAccessPolicies.setIamPolicy To set principals (GRANT TO) on a policy.

Column masking

Permission Why
bigquery.tables.setColumnDataPolicy To bind a data policy to a column.
bigquery.tables.update To update table schema to attach policy tags.
bigquery.tables.setCategory To assign policy tag categories to columns.
bigquery.dataPolicies.create To create data policies for column masks.
bigquery.dataPolicies.delete To remove obsolete data policies.
bigquery.dataPolicies.get To read data policies.
bigquery.dataPolicies.list To list data policies.
bigquery.dataPolicies.update To modify data policies.
bigquery.dataPolicies.getIamPolicy To read the principals that are granted on a data policy.
bigquery.dataPolicies.setIamPolicy To grant principals (for example, fine-grained reader) on a data policy.

Usage analytics

Permission Why
bigquery.jobs.listAll To list and query INFORMATION_SCHEMA.JOBS across all users to collect usage data.

Related topics

Configure BigQuery permissions