We have a bunch of BigQuery datasets, and for some reason we need to give authorized dataset access to a dataset that's not owned by us or included in our project. The main concern here is that I need to have control over who he gives access to view our datasets from that authorized dataset. Is there any method or best practice for this type of problem?
Basically, we did it this way. Gave that other project's dataset the "Authorized dataset" access because they need to build their own views and then open these views to other customers they have. It's now able to view our tables and run queries against our datasets but the problem is that we have no control over who they give access to their dataset that they're using against ours and we need to figure out a way to control this.
We're using BigQuery in a big team.
When I grant access for a dataset to a user, that user can query this dataset using a different project. (Project chosen on top)
In that case, I can't see the user's query history on this dataset, since it's run using another project.
Let's say I grant access to an external consultant. That consultant can query all my data using another project, so I can't detect which queries that consultant ran.
So in short, is it possible to see all the queries from all the projects accessing a specific table / dataset in BQ?
Or another solution, is it possible to limit the projects that can access a dataset?
I have a table which requires a drive access scope to be queried. I was wondering if there is a way to create a view which wouldn't require this permission to be queried.
It's not possible, as per the documentation about data drive access.
You will need access to data drive.
But as a workaround you can move that data into a dataset in BigQuery that will work like an authorized view. As per the definition:
Giving a view access to a dataset is also known as creating an authorized view in BigQuery. An authorized view lets you share query results with particular users and groups without giving them access to the underlying tables. You can also use the view's SQL query to restrict the columns (fields) the users are able to query.
Still, your users will need to have access to the dataset that stores the view.
For your data analysts to query the view, they need to be granted the bigquery.dataViewer role on the dataset containing the view.
That way it would be possible to query data which has access restrictions. The Google documentation even has a guide you can use to produce such a query, named Create an authorized view.
I've searched the documentation a lot, but couldn't find anything that allows me to do the following:
Allow creating a role which allows full table access to tables with certain table names only (e.g. "table1", etc.) that'll be created in the future. This should work across all available datasets in a GCP project, and also the ones that'll be created in the future.
Is this possible? If not directly, indirectly maybe?
Thanks.
The simplest way to do that would be to create a dataset for housing such tables, and set the access appropriate to what you need. Tables requiring a different set of policies should be housed in other datasets.
More information here: https://cloud.google.com/bigquery/docs/dataset-access-controls
I have been providing access to datasets in BigQuery using the Share Dataset option for some time now. No problem.
But now, I have a specific requirement: I need to provide access to specific people/account/group but I don't want inherited access to work on this dataset.
I mean, I really need to provide access only to specific people to this dataset, so that not even inherited access works.
Is that possible? And if so, how can I do that?
To add more context: there is a dataset which should be available only for one Service Account (the one populating it) and some specific consumer account (HR), as it will contain sensitive data.
The problem is that our project already contains a couple of BigQuery Admin accounts, and they of course inherit permissions over the dataset.
I don't think it would be possible, as project-level roles are inherited automatically. Making a new project may be helpful.
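The inheritance described in this answer can be checked offline from exported policy JSON. The following is an added example, not part of the original posts: a simplified Python model that merges project-level IAM bindings with a dataset's access list and reports who can read the dataset beyond an intended allowlist. All principals and policies are constructed sample data; IAM conditions, folder or organization bindings and group membership are not modelled, and basic roles are modelled only through the dataset's special-group entries.

```python
# Added example: simplified model of BigQuery read access (not the page's code).
# Every principal and policy below is constructed sample data.

# Predefined roles that include bigquery.tables.getData when bound on the project.
INHERITED_READ_ROLES = ("roles/bigquery.admin", "roles/bigquery.dataOwner",
                        "roles/bigquery.dataEditor", "roles/bigquery.dataViewer")
# Dataset ACL special groups and the basic project role each one expands to.
SPECIAL_GROUPS = {"projectOwners": "roles/owner", "projectWriters": "roles/editor",
                  "projectReaders": "roles/viewer"}

def effective_readers(project_policy, dataset_access):
    """Return {principal: [reasons]} for everyone who can read the dataset."""
    by_role, readers = {}, {}
    for b in project_policy["bindings"]:
        # Strip the IAM type prefix ("user:", "serviceAccount:", "group:").
        emails = [m.split(":", 1)[-1] for m in b["members"]]
        by_role.setdefault(b["role"], []).extend(emails)
    def grant(who, why):
        readers.setdefault(who, []).append(why)
    for role in INHERITED_READ_ROLES:
        for who in by_role.get(role, []):
            grant(who, f"inherited {role} on project")
    for entry in dataset_access:
        direct = entry.get("userByEmail") or entry.get("groupByEmail")
        if direct:
            grant(direct, f"dataset ACL {entry['role']}")
        basic = SPECIAL_GROUPS.get(entry.get("specialGroup"))
        for who in by_role.get(basic, []):
            grant(who, f"dataset ACL {entry['specialGroup']} via {basic}")
    return readers

def unexpected_readers(project_policy, dataset_access, allowed):
    """Principals with read access that are not on the intended allowlist."""
    readers = effective_readers(project_policy, dataset_access)
    return {who: why for who, why in readers.items() if who not in allowed}

PROJECT_POLICY = {"bindings": [
    {"role": "roles/bigquery.admin",
     "members": ["user:admin1@example.com", "user:admin2@example.com"]},
    {"role": "roles/owner", "members": ["user:owner@example.com"]}]}
DATASET_ACCESS = [
    {"role": "OWNER", "userByEmail": "loader@example-project.iam.gserviceaccount.com"},
    {"role": "READER", "groupByEmail": "hr@example.com"},
    {"role": "OWNER", "specialGroup": "projectOwners"}]
ALLOWED = {"loader@example-project.iam.gserviceaccount.com", "hr@example.com"}

if __name__ == "__main__":
    for who, why in sorted(unexpected_readers(PROJECT_POLICY, DATASET_ACCESS, ALLOWED).items()):
        print(who, "->", "; ".join(why))
```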
If I understand correctly, unlike with the Personal Gateway, the Enterprise Gateway allows all the users within the same domain to refresh the data. So my question is: is it possible to disable Manual Refresh? I want to share my dashboard with people in my organization, but I want to avoid having people constantly refreshing the dashboard and consuming my database server resources.
Create a report/dashboard in Power BI and select Import data, not DirectQuery. Don't share the dataset with the users; only share the report/dashboard with them. This way they will be able to see the data but will not be able to refresh it. And you can schedule a time for your source data to get refreshed.