Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

D toc

In the 

D s platform
Identity and Access Management (IAM) allows you to control user and group access to your project's resources. This section describes the IAM permissions relevant to 
D s product
productgdp
 and the IAM roles that grant those permissions. To access the IAM console, see https://cloud.google.com/iam.

  • role is a set of one or more permissions. A role is assigned to users and groups.
  • permission grants access to a resource. Different permissions can grant different access levels to the same resource.

For more information on the service accounts used by 

D s dataflow
 to manage security and permissions while running 
D s product
productgdp
 jobs, see https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#security_and_permissions_for_pipelines_on_google_cloud_platform.

Tools for manage IAM policies:

  • Google Cloud Console
  • API
  • gcloud CLI

For more information, see https://cloud.google.com/iam/docs/granting-changing-revoking-access.

Required Roles and Their Permissions

To use 

D s product
productgdp
, the following roles are required. Below, you can review each required role, its purpose, and the permissions that are enabled by it.

...

The following IAM permissions are required for each user to provide baseline functionality in 

D s product

...

r

...

Permissions:

  • dataprep.projects.use

...

Enables the platform to access and modify datasets and storage and to run and manage

D s dataflow
jobs on behalf of the user within the project

Info

NOTE: When the product is enabled within a project, this role is granted by the project owner as part of the enablement process. For more information, see Enable or Disable Dataprep.

...

Permissions:

  • storage.buckets.get
  • storage.buckets.list

Roles:

  • roles/dataflow.developer
  • roles/bigquery.user
  • roles/bigquery.dataEditor
  • roles/storage.objectAdmin
  • roles/iam.serviceAccountUser

true
 and access to common integrations

Dataprep.User IAM Roles

All users of any version of of

D s product
productgdp
 must must be assigned the roles/dataprep.user IAM the Dataprep.User IAM Role.

Warning

This role and its related permissions enable access to all data in a project. Other permissions do not apply.

...

  • (P) denotes permissions that are required for any usage of the product within a project.

Additional Permissions for
D s product
productgdppr

The following base set of IAM permissions and some additional permissions are required for accessing the product. Below, you can review the required permissions for this product edition.

Info

NOTE: These permissions provide basic access to the

D s webapp
. Additional features within the product or available through external integrations are considered optional.

General

...

Allow a user to use

D s product

...

D s product

...

General

  • resourcemanager.projects.get

BigQuery

Read and write to BigQuery, including views and custom SQL:

  • bigquery.datasets.get (P)
  • bigquery.jobs.create
  • bigquery.tables.create (P)
  • bigquery.tables.get (P)
  • bigquery.tables.getData (P)
  • bigquery.tables.list (P)

D s dataflow

Run Run

D s item
itemjobs
 on  on
D s dataflow
:

...

  • compute.machineTypes.get

...

...

  • dataflow.jobs.create

...

D s dataflow

...

  • dataflow.jobs.get

...

D s dataflow

...

  • dataflow.messages.list

...

D s dataflow

...

  • dataflow.metrics.get

...

D s dataflow

...

D s storage

Read and write to to

D s storage
, the base storage for for
D s product
:

...

...

  • storage.buckets.

...

List

D s storage
buckets in project

...

  • get
  • storage.buckets.

...

  • list
  • storage.objects.create

...

  • storage.objects.delete

...

  • storage.objects.get

...

  • storage.objects.list

...

Optional Permissions

Permissions required to integrate with external services are considered optional. 

BigQuery

Read and write to BigQuery, including views and custom SQL:

...

For Custom SQL query support and launching

D s dataflow
jobs with BigQuery data sources.

...

  • storage.objects.update


Feature Permissions

Additional permissions may be required to use specific features. Individual users may be required to permit 

D s product
 access when the feature is first used. 

D s dataflow
 job cancellation

...

The following permission enables users to cancel their jobs in progress. It is not required for the product to work but may be helpful to add via IAM roles.

BigQuery publishing options

The following permissions are required to publish to BigQuery:

...

  • dataflow.jobs.cancel

BigQuery publishing options

The following permission is not required to publish to BigQuery.

...

  • bigquery.tables.delete

...

However, if the above permission is not granted to a user, that user can drop or truncate table data in BigQuery, only if one of the following permissions

...

must be enabled in a user's account

...

. 

  • The user is granted editor or owner role on the project.
  • The user is granted bigquery.tables.permission for the project

...

  • .


Google Sheets access

D s ed
rtrue
editionsgdpst, gdppr

...

For more information, see Import Google Sheets Data.

Additional Permissions for Cloud IAM

D s ed
editionsgdppr

Run 
D s dataflow
 jobs

To run jobs on 

D s dataflow
, one of the following must be applied:

  • User must have iam.serviceAccounts.actAs permission on a compute service account, which must be specified during job execution.
  • User must have iam.serviceAccounts.actAs permission specified at the project level or in the default compute service account:

    Code Block
    <project-number>-compute@developer.gserviceaccount.com


  • Project owners require no additional permissions on the projects that they own.

For more information, see https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#security_and_permissions_for_pipelines_on_google_cloud_platform.

Data access

In addition to the IAM roles above, users must also be granted the following to enable data access based on their Cloud IAM:

These permissions ensure that users can access the appropriate data within 

D s product
rtrue
.