Required Dataprep User Permissions

Contents:

In the Trifacta platform, Identity and Access Management (IAM) allows you to control user and group access to your project's resources. This section describes the IAM permissions relevant to  Cloud Dataprep by TRIFACTA INC. and the IAM roles that grant those permissions. To access the IAM console, see https://cloud.google.com/iam.

• A role is a set of one or more permissions. A role is assigned to users and groups.
• A permission grants access to a resource. Different permissions can grant different access levels to the same resource.

For more information on the service accounts used by Cloud Dataflow to manage security and permissions while running  Cloud Dataprep by TRIFACTA INC. jobs, see https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#security_and_permissions_for_pipelines_on_google_cloud_platform.

Tools for manage IAM policies:

Required Roles and Their Permissions

To use  Cloud Dataprep by TRIFACTA INC., the following roles are required. Below, you can review each required role, its purpose, and the permissions that are enabled by it.

dataprep.user IAM Role

All users of any version of Cloud Dataprep by TRIFACTA INC. must be assigned the dataprep.user IAM Role.

Permissions for Cloud Dataprep Premium by TRIFACTA INC.

Cloud Dataprep Premium by TRIFACTA INC. provides additional capabilities for project users. The base set of permissions and some additional permissions are required. Below, you can review the required permissions for this product edition.

General

• resourcemanager.projects.get

BigQuery

Read and write to BigQuery, including views and custom SQL:

• bigquery.datasets.get
• bigquery.jobs.create
• bigquery.tables.create
• bigquery.tables.get
• bigquery.tables.getData
• bigquery.tables.list

Cloud Dataflow

Run Trifacta jobs on Cloud Dataflow:

• compute.machineTypes.get
• dataflow.jobs.create
• dataflow.jobs.get
• dataflow.messages.list
• dataflow.metrics.get

Google Cloud Storage

Read and write to Google Cloud Storage, the base storage for Cloud Dataprep by TRIFACTA INC.:

• storage.buckets.get
• storage.buckets.list
• storage.objects.create
• storage.objects.delete
• storage.objects.get
• storage.objects.list
• storage.objects.update

Feature Permissions

Additional permissions may be required to use specific features. Individual users may be required to permit  Cloud Dataprep by TRIFACTA INC. access when the feature is first used. 

Cloud Dataflow job cancellation

The following permission enables users to cancel their jobs in progress. It is not required for the product to work but may be helpful to add via IAM roles.

• dataflow.jobs.cancel

BigQuery publishing options

The following permission is not required to publish to BigQuery.

• bigquery.tables.delete

However, if the above permission is not granted to a user, that user can drop or truncate table data in BigQuery, only if one of the following permissions must be enabled in a user's account. 

• The user is granted editor or owner role on the project.
• The user is granted bigquery.tables.permission for the project.

Google Sheets access

• drive.readonly

For more information, see Import Google Sheets Data.

Additional Permissions for Cloud IAM

In addition to the IAM roles above, users must also be granted the following to enable data access based on their Cloud IAM:

• dataset level permissions in BigQuery: See https://cloud.google.com/bigquery/docs/dataset-access-controls. 
• Cloud Storage object ACLs: See https://cloud.google.com/storage/docs/access-control.

These permissions ensure that users can access the appropriate data within  Cloud Dataprep by TRIFACTA® INC..