The following IAM permissions are required for each user to provide baseline functionality in and access to common integrations
All users of any version of must be assigned the
Dataprep.User IAM Role.
Read and write to BigQuery, including views and custom SQL:
Run on :
Read and write to , the base storage for :
Additional permissions may be required to use specific features. Individual users may be required to permit access when the feature is first used.
The following permission enables users to cancel their jobs in progress. It is not required for the product to work but may be helpful to add via IAM roles.
The following permission is not required to publish to BigQuery.
However, if the above permission is not granted to a user, that user can drop or truncate table data in BigQuery, only if one of the following permissions must be enabled in a user's account.
ownerrole on the project.
For more information, see Import Google Sheets Data.
To run jobs on , one of the following must be applied:
iam.serviceAccounts.actAspermission on a compute service account, which must be specified during job execution.
User must have
iam.serviceAccounts.actAs permission specified at the project level or in the default compute service account:
Project owners require no additional permissions on the projects that they own.
For more information, see https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#security_and_permissions_for_pipelines_on_google_cloud_platform.
In addition to the IAM roles above, users must also be granted the following to enable data access based on their Cloud IAM:
These permissions ensure that users can access the appropriate data within .