I have a table which requires a drive access scope to be queried. I was wondering if there is a way to create a view which wouldn't require this permission to be queried.
It's not possible as per documentation about data drive access
You will need access to data drive.
But as a workaround you can move that data into a dataset on bigquery that will work like an authorized view. As per definition:
Giving a view access to a dataset is also known as creating an authorized view in BigQuery. An authorized view lets you share query results with particular users and groups without giving them access to the underlying tables. You can also use the view's SQL query to restrict the columns (fields) the users are able to query.
Still, your users will need have access to the dataset that stores the view.
For your data analysts to query the view, they need to be granted the bigquery.dataViewer role on the dataset containing the view.
On that way it would be possible to query data which have access restrictions. Even on google documentation there is a guide you can use to produce such query named Create an authorized view.
Related
In this they seem to be using a separate datasets for the views and underlying tables. And granting the whole views dataset to grantee.
Is it necessary to use separate datasets provided I'll only grant BigQuery Data Viewer on the view instead?
Authorized view in BigQuery are used to share the query results with the users and groups where they do not have access to the underlying source data. For implementing this principal, you need to create a new separate dataset which is used to store the authorized view that you share with other users. In this way the accounts will not be able to view the underlying source dataset.
For authorized view, a separate dataset needs to be created as mentioned in this documentation. Then the owners can grant access to the authorized view without giving them access to the underlying source dataset.
If you want the users or groups to run jobs including query job then you can grant bigquery.user role at project level and for querying the view they need to be given bigquery.dataViewer role on the dataset containing the view. For more information you can check this link.
For authorized views, there are 2 levels :
table or view
dataset
Example with dataset level :
- private_dataset
table1
table2
- public_dataset
view1 => authorized view on the entire private_dataset
view2 => authorized view on the entire private_dataset
Example with table level :
- private_dataset
table1
table2
- public_dataset
view1 => authorized view on the table1 in private_dataset
view2 => authorized view on the table2 in private_dataset
authorized view BigQuery
In the previous examples, a new dataset public_dataset is created to expose views to partnairs. Views apply the needed filters to control rows exposed to partnairs.
Then you can create a Google Group containing a set of identities and give a role BigQuery Data Viewer on the public_dataset.
Example : Google Group my_partnair#googlegroups.com is Bigquery Data Viewer on dataset public_dataset
For the decision between dataset and table level, it depends on you and your use case.
We have a bunch of BigQuery datasets and for some reason we need to give out an authorized dataset access to a dataset that's not owned by us or included in our project but the main concern here is that I need to have control over who he gives access to view our datasets from that authorized dataset. Any method or a best practice for this type of problem?
Basically, we did it this way. Gave that other project's dataset the "Authorized dataset" access because they need to build their own views and then open these views to other customers they have. It's now able to view our tables and run queries against our datasets but the problem is that we have no control over who they give access to their dataset that they're using against ours and we need to figure out a way to control this.
I have database with many tables. Users have full access to this database and tables to create various charts and dashboards. They use SQL Lab extensively to write custom queries.
However I added a sensitive data in a separate table that needs to be accessed only by few set of users. How can I achieve?
I tried ROW-LEVEL-SECURITY feature.
However, this affects only to Virtual Tables created by Superset. I want to restrict during direct SQL Lab access also.
Possible Solution:
Create ACL at database level and create a seperate connection in Superset.
Cons - This requires a duplicate connection to same database twice.
Ideal solution:
To restrict SQL Lab access to specific tables at superset level. e.g Superset should check User roles and ACLs and decide upon a table can be queried or not.
Is this possible?
Maybe consider implement proper access control to your data with Ranger and from superset impersonate login user.
Superset users want to add calculated fields to their datasets, but they run into an error:
Changing this dataset is forbidden
Users have the following roles:
Gamma
tables_modify: [can tables on Superset, can save on Datasource, can get on Datasource, can datasources on Superset, menu access on Tables, can fetch datasource metadata on Superset, can read on Dataset, can write on Dataset]
DB: [database access on [their TimeScale DB], datasource access on [the dataset they want to edit]]
sql_lab
I can't find the role missing for them to be able to edit their datasets. They have read and write permission on it, and are the ones creating the datasets in the first place.
I looked into the database properties but could not find any setting there either. Moreover with admin role I am able to edit datasets so I guess what's missing here is a user role, I just can't find which one.
As official documentation says, Gamma users are not able to alter data sources. Alpha users can add and alter data sources.
Additional information can be read further in that document:
If the user does not have the all_datasource_access permission
granted, the user will only be able to see Slices or explore the
data sources that are granted to them.
There are two databases configured on superset. I want to have a role that has access to all the dashboards/slices on one database, but not on the other one.
Let's say that I want to provide access to a db called main.
Is providing datasource access on [main].(id:1) supposed to grant access to all the dashboards and slices on main?
At the moment it doesn't work that way, so I'm wondering what am I doing wrong.
database access on [main].(id:1) will grant access to all the dashboards and slices on your main db.
So what you want is database access on [main].(id:1) rather than datasource access on [main].(id:1)
As of v. 0.20.0 granting such access means that users will be able to view Slices and Dashboards that are based on the granted DB when provided a direct link to those visualizations. However, they will not be able to view the list of these Slices and Dashboards.