Dataprep by Trifacta
Page tree


Support | BlogContact Us 

Versions Compared

Old Version 11

changes.mady.by.user docuser1

Saved on

compared with

New Version 28

changes.mady.by.user docuser1

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space DEV and version r089

D toc

In the the

D s platform
Identity and Access Management (IAM) allows allows you to control user and group access to your project's resources. This section describes the IAM permissions relevant to 
D s product
productgdp
 and the IAM roles that grant those permissions. To access the IAM console, see https://cloud.google.com/iam.

  • A role is is a set of one or more permissions. A role is assigned to users and groups.
  • A permission grants grants access to a resource. Different permissions can grant different access levels to the same resource.

...

D s dataflow to manage security and permissions while running 

D s product
productgdp
 jobs, see https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#security_and_permissions_for_pipelines_on_google_cloud_platform.Tools for manage IAM policies:

...

  • Google Cloud Console

...

  • API

...

  • gcloud CLI

For more information, see https://cloud.google.com/iam/docs/

...

granting-changing-revoking-access.

Required Roles and Their Permissions

To use 

D s product
productgdp
, the following roles are required. Below, you can review each required role, its purpose, and the permissions that are enabled by it.

RoleUsePermissions and roles
roles/dataprep.projects.user

Enables a user to run

D s product
productgdp
in a project See below.

Permissions:

  • dataprep.projects.use
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/dataprep.serviceAgent

Enables the platform to access and modify datasets and storage and to run and manage

D s dataflow
jobs on behalf of the user within the project. For more information on this role, see https://console.cloud.google.com/iam-admin/roles/details/roles%3Cdataprep.serviceAgent.

Info

NOTE: When the product is enabled within a project, this role is granted by the project owner as part of the enablement process. For more information, see Enable or Disable Dataprep.

Permissions:

  • storage.buckets.get
  • storage.buckets.list

  • storage.objects.create

  • storage.objects.delete

  • storage.objects.get

  • storage.objects.getIamPolicy

  • storage.objects.list

  • storage.objects.setIamPolicy

  • storage.objects.update

Roles:

  • roles/dataflow.developer
  • roles/bigquery.user
  • roles/bigquery.dataEditor
  • roles/storage.objectAdmin
  • roles/iam.serviceAccountUser

roles/dataprep.projects.user IAM Role

All users of any version of of

D s product
productgdp
 must must be assigned the the roles/dataprepdataprep.projects.user IAM IAM Role.

Warning

This role and its related permissions enable access to all data in a project. Other permissions do not apply.

...

d-s-

...

item

...

item

...

D s product
productgdppr

...

Application
 Permissions

The following base set of IAM permissions and some additional permissions are required for accessing the product. Below, you can review the required permissions for this product edition.

General

  • resourcemanager.projects.get

BigQuery

Read and write to BigQuery, including views and custom SQL:

...

Info

NOTE: These permissions provide basic access to the

D s webapp
. Additional features within the product or available through external integrations are considered optional.

General

PermissionProduct Use
dataprep.projects.use

Allow a user to use

D s product

resourcemanager.projects.get

Get

D s product
project details

D s dataflow

Run Run

D s item
itemjobs
 on  on
D s dataflow
:

PermissionProduct Use
compute.machineTypes.get

List available machine types for

d-s-dataflow
jobs

dataflow.jobs.create

Create a

D s dataflow
job

dataflow.jobs.get

List

d-s-dataflow
jobs

dataflow.messages.list

Get

D s dataflow
job details

dataflow.metrics.get

Get

D s dataflow
job details

Connection Permissions

These permissions are required for connections that are common in 

d-s-product
.

d-s-storage

Read and write to to

D s storage
, the base storage for for
D s product
:

PermissionProduct UseRequirement
storage.buckets.

...

list

List

D s storage
buckets in project

Required at project level
storage.buckets.

...

getGet bucket metadataRequired for staging bucket only
storage.objects.createCreate filesRequired for staging bucket only
storage.objects.deleteDelete filesRequired for staging bucket only
storage.objects.getRead filesRequired for staging bucket only
storage.objects.list

...

List filesRequired for staging bucket only

BigQuery

Read and write to BigQuery, including views and custom SQL:

PermissionProduct UseRequirement
bigquery.jobs.create

For Custom SQL query support and launching

D s dataflow
jobs with BigQuery data sources.

Required at project level to use BigQuery
bigquery.datasets.getList and get metadata about datasets in projectCan be applied at project level or at individual dataset level
bigquery.tables.createExecute custom queriesCan be applied at project level or at individual dataset level
bigquery.tables.getCreate tables in datasetCan be applied at project level or at individual dataset level
bigquery.tables.getGet table metadataCan be applied at project level or at individual dataset level
bigquery.tables.getDataget table contentsCan be applied at project level or at individual dataset level
bigquery.tables.listList tables in datasetCan be applied at project level or at individual dataset level

Feature Permissions

Additional permissions may be required to use specific features. Individual users may be required to permit 

D s product
 access when the feature is first used. 

D s dataflow
 job cancellation

...

PermissionProduct Use
dataflow.jobs.cancel

This permission is required to cancel jobs on

D s dataflow
from within the
D s webapp
. It is not required for the product to work but may be helpful to add via IAM roles.

...

Info

NOTE: The ability to cancel a job from within the

D s webapp
is temporarily disabled. When it is re-enabled, this permission will be required. You should leave this permission enabled, if possible.


Info

NOTE: A user may be able cancel a job from the

D s webapp
, even though the user is not permitted to cancel the job in the running environment. The service account associated with the user's 
D s item
itemaccount
may have the appropriate permissions, but the user's personal account does not. For more information, see Google Service Account Management

BigQuery publishing options

The following permissions are required to publish to BigQuery:

PermissionProduct Use
bigquery.datasets.createCreate datasets in BigQuery
bigquery.datasets.updateUpdate datasets in BigQuery

The following permission is not required to publish to BigQuery.

PermissionProduct Use
bigquery.tables.delete

...

If this permission is not granted to a user, that user

...

requires one of the following permissions to drop or truncate table data in BigQuery

...

: 

  • The user is granted editor or owner role on the project.
  • The user is granted bigquery.tables.delete for the project.
Info

NOTE: If a user does not have this permission when publishing to a table, the user receives a warning that the target dataset is read-only.

BigQuery job execution

To enable execution of jobs in BigQuery, the following permission must be enabled. Additional configuration may be required. For more information on this feature, see BigQuery Running Environment.

PermissionProduct Use
bigquery.jobs.createThis permission enables execution of jobs within BigQuery. It is also used for

...

custom SQL queries, which is enabled by default. In most projects, this permission is enabled by default.

BigQuery job execution on 
D s storage
 files

If you have enabled execution of jobs in BigQuery, you can extend that capability to execute jobs for data sources hosted in 

D s storage
. GCS execution in BigQuery requires that external tables be enabled in BigQuery. The following permissions are required to create and use external tables.

Tip

Tip: In most projects, these permissions are enabled by default.

PermissionProduct Use

bigquery.tables.create

Enabled in the default

D s product
productgdp
role.

bigquery.tables.getData

Enabled in the default

D s product
productgdp
role.

bigquery.jobs.createRequired for job execution in BigQuery. See previous section.

Google Sheets access

D s ed
rtrue
editionsgdpstgdpent,gdppro,gdpsta,gdppr,gdpst

  • drive.readonly

For more information, see Import Google Sheets Data.

Additional Permissions for Cloud IAM

D s ed
rtrue
editionsgdpent,gdppr

Info

NOTE: Any change in a user's permissions in

D s gcp platform
must be reflected in the service account assigned to the user.

Run 
D s dataflow
 jobs

Every 

D s product
 job requires the use of a service account through which the job is submitted to 
D s dataflow
 for execution. Each project user must have access to a service account. For more information, see Google Service Account Management.

Data access

In addition to the IAM roles above, users must also be granted the following to enable data access based on their Cloud IAM:

...

These permissions ensure that users can access the appropriate data within 

D s product
rtrue
.


© 2013-2023 Alteryx® Inc Privacy Policy  |  Terms of Use