In the , Identity and Access Management (IAM) allows you to control user and group access to your project's resources. This section describes the IAM permissions relevant to and the IAM roles that grant those permissions. To access the IAM console, see https://cloud.google.com/iam.
For more information on the service accounts used by to manage security and permissions while running jobs, see https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#security_and_permissions_for_pipelines_on_google_cloud_platform.
Tools for manage IAM policies:
|Google Cloud Console||https://cloud.google.com/iam/docs/managing-policies#access_control_via_console|
To use , the following roles are required. Below, you can review each required role, its purpose, and the permissions that are enabled by it.
|Role||Use||Permissions and roles|
Enables a user to run in a project
Enables the platform to access and modify datasets and storage and to run and manage jobs on behalf of the user within the project
All users of any version of must be assigned the
dataprep.user IAM Role.
provides additional capabilities for project users. The base set of permissions and some additional permissions are required. Below, you can review the required permissions for this product edition.
Read and write to BigQuery, including views and custom SQL:
Run on :
Read and write to , the base storage for :
Additional permissions may be required to use specific features. Individual users may be required to permit access when the feature is first used.
The following permission enables users to cancel their jobs in progress. It is not required for the product to work but may be helpful to add via IAM roles.
The following permission is not required to publish to BigQuery.
However, if the above permission is not granted to a user, that user can drop or truncate table data in BigQuery, only if one of the following permissions must be enabled in a user's account.
ownerrole on the project.
For more information, see Import Google Sheets Data.
In addition to the IAM roles above, users must also be granted the following to enable data access based on their Cloud IAM:
These permissions ensure that users can access the appropriate data within .