In the |
Tools for manage IAM policies:
For more information, see https://cloud.google.com/iam/docs/granting-changing-revoking-access.
To use , the following roles are required. Below, you can review each required role, its purpose, and the permissions that are enabled by it.
Role | Use | Permissions and roles | |
---|---|---|---|
roles/dataprep.projects.user | Enables a user to run | Permissions:
| |
roles/dataprep.serviceAgent | Enables the platform to access and modify datasets and storage and to run and manage
| Permissions:
Roles:
|
All users of any version of must be assigned the
roles/dataprep.projects.user
IAM Role.
This role and its related permissions enable access to all data in a project. Other permissions do not apply. |
The following base set of IAM permissions and some additional permissions are required for accessing the product. Below, you can review the required permissions for this product edition.
NOTE: These permissions provide basic access to the |
Permission | Product Use |
---|---|
dataprep.projects.use | Allow a user to use |
resourcemanager.projects.get | Get |
Run on
:
Permission | Product Use |
---|---|
compute.machineTypes.get | List available machine types for |
dataflow.jobs.create | Create a |
dataflow.jobs.get | List |
dataflow.messages.list | Get |
dataflow.metrics.get | Get |
These permissions are required for connections that are common in .
Read and write to , the base storage for
:
Permission | Product Use | Requirement |
---|---|---|
storage.buckets.list | List | Required at project level |
storage.buckets.get | Get bucket metadata | Required for staging bucket only |
storage.objects.create | Create files | Required for staging bucket only |
storage.objects.delete | Delete files | Required for staging bucket only |
storage.objects.get | Read files | Required for staging bucket only |
storage.objects.list | List files | Required for staging bucket only |
Read and write to BigQuery, including views and custom SQL:
Permission | Product Use | Requirement |
---|---|---|
bigquery.jobs.create | For Custom SQL query support and launching | Required at project level to use BigQuery |
bigquery.datasets.get | List and get metadata about datasets in project | Can be applied at project level or at individual dataset level |
bigquery.tables.create | Execute custom queries | Can be applied at project level or at individual dataset level |
bigquery.tables.get | Create tables in dataset | Can be applied at project level or at individual dataset level |
bigquery.tables.get | Get table metadata | Can be applied at project level or at individual dataset level |
bigquery.tables.getData | get table contents | Can be applied at project level or at individual dataset level |
bigquery.tables.list | List tables in dataset | Can be applied at project level or at individual dataset level |
Additional permissions may be required to use specific features. Individual users may be required to permit access when the feature is first used.
Permission | Product Use | ||
---|---|---|---|
dataflow.jobs.cancel | This permission is required to cancel jobs on
|
The following permissions are required to publish to BigQuery:
Permission | Product Use | |
---|---|---|
bigquery.datasets.create | Create datasets in BigQuery
| |
bigquery.datasets.update | Update datasets in BigQuery |
The following permission is not required to publish to BigQuery.
Permission | Product Use | |
---|---|---|
bigquery.datasets.delete | If this permission is not granted to a user, that user requires one of the following permissions to drop or truncate table data in BigQuery:
|
To enable execution of jobs in BigQuery, the following permission must be enabled. Additional configuration may be required. For more information on this feature, see BigQuery Running Environment.
Permission | Product Use |
---|---|
bigquery.jobs.create | This permission enables execution of jobs within BigQuery. It is also used for custom SQL queries, which is enabled by default. In most projects, this permission is enabled by default. |
If you have enabled execution of jobs in BigQuery, you can extend that capability to execute jobs for data sources hosted in . GCS execution in BigQuery requires that external tables be enabled in BigQuery. The following permissions are required to create and use external tables.
Tip: In most projects, these permissions are enabled by default. |
Permission | Product Use |
---|---|
bigquery.tables.create | Enabled in the default |
bigquery.tables.getData | Enabled in the default |
bigquery.jobs.create | Required for job execution in BigQuery. See previous section. |
For more information, see Import Google Sheets Data.
NOTE: Any change in a user's permissions in |
Every job requires the use of a service account through which the job is submitted to
for execution. Each project user must have access to a service account. For more information, see Google Service Account Management.
In addition to the IAM roles above, users must also be granted the following to enable data access based on their Cloud IAM:
These permissions ensure that users can access the appropriate data within .