View Source

In the , Identity and Access Management (IAM) allows you to control user and group access to your project's resources. This section describes the IAM permissions relevant to and the IAM roles that grant those permissions. To access the IAM console, see https://cloud.google.com/iam.

A role is a set of one or more permissions. A role is assigned to users and groups.
A permission grants access to a resource. Different permissions can grant different access levels to the same resource.

Tools for manage IAM policies:

Google Cloud Console
API
gcloud CLI

For more information, see https://cloud.google.com/iam/docs/granting-changing-revoking-access.

Required Roles and Their Permissions

To use , the following roles are required. Below, you can review each required role, its purpose, and the permissions that are enabled by it.

Role Use Permissions and roles

roles/dataprep.projects.user

Enables a user to run in a project See below.

Permissions:

dataprep.projects.use
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

roles/dataprep.serviceAgent

Enables the platform to access and modify datasets and storage and to run and manage jobs on behalf of the user within the project. For more information on this role, see https://console.cloud.google.com/iam-admin/roles/details/roles%3Cdataprep.serviceAgent.

NOTE: When the product is enabled within a project, this role is granted by the project owner as part of the enablement process. For more information, see Enable or Disable Dataprep.

Permissions:

storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update

Roles:

roles/dataflow.developer
roles/bigquery.user
roles/bigquery.dataEditor
roles/storage.objectAdmin
roles/iam.serviceAccountUser

roles/dataprep.projects.user IAM Role

All users of any version of must be assigned the roles/dataprep.user IAM Role.

This role and its related permissions enable access to all data in a project. Other permissions do not apply.

Permissions

The following base set of IAM permissions and some additional permissions are required for accessing the product. Below, you can review the required permissions for this product edition.

NOTE: These permissions provide basic access to the . Additional features within the product or available through external integrations are considered optional.

General

Permission	Product Use
dataprep.projects.use	Allow a user to use
resourcemanager.projects.get	Get project details

Run on :

Permission	Product Use
compute.machineTypes.get	List available machine types for jobs
dataflow.jobs.create	Create a job
dataflow.jobs.get	List jobs
dataflow.messages.list	Get job details
dataflow.metrics.get	Get job details

Connection Permissions

These permissions are required for connections that are common in .

Read and write to , the base storage for :

Permission	Product Use	Requirement
storage.buckets.list	List buckets in project	Required at project level
storage.buckets.get	Get bucket metadata	Required for staging bucket only
storage.objects.create	Create files	Required for staging bucket only
storage.objects.delete	Delete files	Required for staging bucket only
storage.objects.get	Read files	Required for staging bucket only
storage.objects.list	List files	Required for staging bucket only

BigQuery

Read and write to BigQuery, including views and custom SQL:

Permission	Product Use	Requirement
bigquery.jobs.create	For Custom SQL query support and launching jobs with BigQuery data sources.	Required at project level to use BigQuery
bigquery.datasets.get	List and get metadata about datasets in project	Can be applied at project level or at individual dataset level
bigquery.tables.create	Execute custom queries	Can be applied at project level or at individual dataset level
bigquery.tables.get	Create tables in dataset	Can be applied at project level or at individual dataset level
bigquery.tables.get	Get table metadata	Can be applied at project level or at individual dataset level
bigquery.tables.getData	get table contents	Can be applied at project level or at individual dataset level
bigquery.tables.list	List tables in dataset	Can be applied at project level or at individual dataset level

Feature Permissions

Additional permissions may be required to use specific features. Individual users may be required to permit access when the feature is first used.

job cancellation

Permission

Product Use

dataflow.jobs.cancel

Enables users to cancel their jobs in progress. It is not required for the product to work but may be helpful to add via IAM roles.

NOTE: A user may be able cancel a job from the , even though the user is not permitted to cancel the job in the running environment. The service account associated with the user's may have the appropriate permissions, but the user's personal account does not. For more information, see Google Service Account Management.

BigQuery publishing options

The following permissions are required to publish to BigQuery:

Permission	Product Use
bigquery.datasets.create	Create datasets in BigQuery
bigquery.datasets.update	Update datasets in BigQuery

The following permission is not required to publish to BigQuery.

Permission Product Use

bigquery.tables.delete

If this permission is not granted to a user, that user requires one of the following permissions to drop or truncate table data in BigQuery:

The user is granted editor or owner role on the project.
The user is granted bigquery.tables.delete for the project.

NOTE: If a user does not have this permission when publishing to a table, the user receives a warning that the target dataset is read-only.

Google Sheets access

drive.readonly

For more information, see Import Google Sheets Data.

Additional Permissions for Cloud IAM

NOTE: Any change in a user's permissions in must be reflected in the service account assigned to the user.

Run jobs

Every job requires the use of a service account through which the job is submitted to for execution. Each project user must have access to a service account. For more information, see Google Service Account Management.

Data access

In addition to the IAM roles above, users must also be granted the following to enable data access based on their Cloud IAM:

dataset level permissions in BigQuery: See https://cloud.google.com/bigquery/docs/dataset-access-controls.
Cloud Storage object ACLs: See https://cloud.google.com/storage/docs/access-control.

These permissions ensure that users can access the appropriate data within .