Google BigQuery: grant service account permissions to create jobs in only some specific datasets - google-cloud-platform

Problem: I have a project in BigQuery where all my data is stored. Within this project I created multiple datasets containing different views. Now I want to use different service accounts to query the different datasets containing different views via grafana (if that matters). These users should only be able to query the views (and therefore a specific dataset) meant for them.
What I tried: I granted BigQuery User, Viewer or Editor permissions (I tried all of them) at a dataset level (and also BigQuery Metadata Viewer at a project level). When I query a view, I receive the error:
User does not have bigquery.jobs.create permission in project xy.
Questions: It is not clear to me if granting the bigquery.jobs.create permission at project level will allow the user to query all datasets instead of only the one I want him to have access to.
Is there any way to allow the user to create jobs only on a single dataset?

Update October 2021
I've just seen that this question did go unanswered for me back then but still gets a lot of views. I believe the possibilities changed a bit since I asked the question so here is how I'm handling it now:
I give the respective service account the role roles/bigquery.jobUser at project level. This allows it to create jobs in general; however, since I don't grant any other permissions yet, it cannot query data.
Then I give the role roles/bigquery.dataViewer at the dataset level. That makes it possible for the service account to query only the dataset I granted the permission on.
It is also possible to grant roles/bigquery.dataViewer at table level, which will restrict access to only the specific table.
In case you want the service account not only to query (view) the data, but also to insert or change it for example, replace roles/bigquery.dataViewer with the role having the necessary permissions (or assign that role in addition).
How to grant the permissions:
On dataset level
On table or view level
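As an added example (not code from the question or any of the answers), a small Python model of how the two grants in the update combine: bigquery.jobs.create is checked against the project the job runs in, while bigquery.tables.getData is checked against the table or view actually read, inherited from a dataset-level or table-level binding. The service-account names, dataset and table names are constructed, and the role-to-permission map is a labelled subset of the real role definitions.

```python
from dataclasses import dataclass

# Subset of the permissions carried by the roles named on this page;
# NOT the full IAM role definitions (assumption for the model).
ROLE_PERMISSIONS = {
    "roles/bigquery.jobUser": {"bigquery.jobs.create"},
    "roles/bigquery.dataViewer": {
        "bigquery.datasets.get", "bigquery.tables.get",
        "bigquery.tables.getData", "bigquery.tables.list",
    },
}

@dataclass(frozen=True)
class Binding:
    member: str   # e.g. "serviceAccount:sales-grafana@my-proj.iam.gserviceaccount.com"
    role: str     # a key of ROLE_PERMISSIONS
    scope: str    # "project", "dataset:<dataset>" or "table:<dataset>.<table>"

def permissions_on(member, bindings, scopes):
    """Union of the member's permissions over the given scopes (project -> dataset -> table inherit downwards)."""
    perms = set()
    for b in bindings:
        if b.member == member and b.scope in scopes:
            perms |= ROLE_PERMISSIONS.get(b.role, set())
    return perms

def check_query(member, bindings, project, dataset, table):
    """Model of a SELECT on dataset.table submitted as a job in `project`.
    Two independent checks: jobs.create on the project that runs the job, and
    tables.getData on the object read (granted at dataset or table level).
    Returns (allowed, reason)."""
    if "bigquery.jobs.create" not in permissions_on(member, bindings, {"project"}):
        return False, f"User does not have bigquery.jobs.create permission in project {project}."
    chain = {"project", f"dataset:{dataset}", f"table:{dataset}.{table}"}
    if "bigquery.tables.getData" not in permissions_on(member, bindings, chain):
        return False, f"Access Denied: {member} lacks bigquery.tables.getData on {dataset}.{table}"
    return True, "ok"

# Constructed scenario: one service account per Grafana team.
SALES = "serviceAccount:sales-grafana@my-proj.iam.gserviceaccount.com"
HR = "serviceAccount:hr-grafana@my-proj.iam.gserviceaccount.com"
BINDINGS = [
    Binding(SALES, "roles/bigquery.jobUser", "project"),                     # may run jobs, reads nothing by itself
    Binding(SALES, "roles/bigquery.dataViewer", "dataset:sales_views"),      # whole dataset
    Binding(SALES, "roles/bigquery.dataViewer", "table:hr_views.headcount"), # single view only
    Binding(HR, "roles/bigquery.dataViewer", "dataset:hr_views"),            # no jobUser: the error from the question
]

if __name__ == "__main__":
    for m, ds, tbl in [(SALES, "sales_views", "revenue"), (SALES, "hr_views", "headcount"),
                       (SALES, "hr_views", "salaries"), (HR, "hr_views", "salaries")]:
        print(ds, tbl, check_query(m, BINDINGS, "my-proj", ds, tbl))
```

The model shows why a dataset-level role alone produced the jobs.create error, and that adding jobUser at project level does not by itself widen which datasets the account can read.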

We had the same problem; we solved it by creating a custom role and assigning the custom role to the particular dataset.

You can grant bigquery.user role to a specific dataset as indicated in this guide. The bigquery.user role contains the bigquery.jobs.create permission as well as other basic permissions related to querying datasets. You can check the full list of permissions for this role in this list.
As suggested above, you can also create custom roles having only the exact permissions you want by following this piece of documentation.

Related

In GCP IAM what's the difference between "Viewer" and "BigQuery Data Viewer"?

I am trying to grant access to a table and cannot tell the difference between the "Viewer" and "BigQuery Data Viewer" roles. I do not want to give permissions to view other tables or datasets within the GCP Project or full access to BigQuery. Can someone tell me the difference between these two if the access is given through the Share option at the table level?
Screenshot of where Role is granted
At the moment I've assigned the user both roles and am not sure if I'm granting too much access. I want to follow the Principle of Least Privilege.
Viewer or roles/viewer is a top level, project level permission. Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
BigQuery Data Viewer is a resource-based permission. It can be applied to BigQuery itself, or even to individual tables or views. Read all about its usage.
It has the following BQ roles:
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list

How to limit Google Cloud Platform "BigQuery Metadata Viewer" permission?

I have 10 tables under my dataset. I need to create "BigQuery Metadata Viewer" permission but would like to neglect 2 tables under my dataset. So that BigQuery Metadata Viewer policy only will be able to access 8 tables.
I see that there is "condition" tab but could not figure out how to apply such a condition here.
IAM condition is a nice way to solve that issue, but it's not available for BigQuery resources.
The solution here is to have 2 datasets:
one with the 8 tables and the permission to view the metadata,
one with the 2 other tables without the permission to view the metadata.
You can use the GRANT statement with the role bigquery.metadataViewer or dataViewer. You can set this role at table level; the user will then have permission on a specific table and won't see the tables listed. In this case, you need to know the table names.
Take a look at this example:
GRANT `roles/bigquery.metadataViewer`
ON TABLE `my_dataset._my_table`
TO "user:user@domain.com"
Additionally, you can set this role at dataset level; this will grant access to read and list all the tables from the dataset.
Here's an example:
GRANT `roles/bigquery.metadataViewer`
ON SCHEMA `project_name.dataset_name`
TO "user:mail@mail.com"

Complex Role manager in ssas tabular cube?

I am puzzled about the Role Manager in Visual Studio when working with SSAS tabular cubes:
Is my understanding correct?
When a user logs in to the cube, the "security" will check each role and see if the user is in that role... if the user is in the role, it gives the said access.
If the user is in multiple roles, it will give some sort of UNION between all of them, so the user can see as much as possible, correct?
Is this documented anywhere?
PS: is there also documentation for cases where you force less access (like having a 'users' table and putting that filter in a .pbix only on a specific page)?
From https://learn.microsoft.com/en-us/analysis-services/tabular-models/roles-ssas-tabular?view=asallproducts-allversions#permissions
"A group or user can be a member of any number of roles, each role with a different permission. When a user is a member of multiple roles, the permissions defined for each role are cumulative. For example, if a user is a member of a role with the Read permission, and also a member of a role with None permission, that user will have Read permissions."
One important result of this in SSAS is that Server Admins can always read everything.
Also don't confuse access from filters. Access of "None" means I cannot ever access the data. Access of "Read" plus a page filter will not prevent me from accessing the data from Q+A or Analyze in Excel. Use filters in roles for security. A security table used in a filter in a role will prevent access. If the filter is just on the visual or page, the data is not secure, just not shown.

Is there any Power Bi api available for providing access to Dataset?

I have found an API for adding a user to a workspace (group) as well as Add Datasource User. I would like to know if there is any API available for adding a user to a dataset?
From the Power Bi Web portal, this is accessed by:
Workspace -> Datasets + Dataflows -> select the three dots menu icon near to the Dataset name and click Manage Permissions. Now, select Direct Access and Add/Remove users here with share/build permissions.
I couldn't find an api for this process. When I tracked the network calls, it is calling the url portion:
redirect.analysis.windows.net/metadata/access
Dataset permissions are part of item permissions, so you can't override the workspace permissions, and they can be granted only by someone who has at least the same level of permission. There are POST APIs where you can add a new permission to a dataset but not remove permissions, PUT APIs where you can update a user's permissions, and GET APIs where you can get the list of principals that have access to a dataset.
Coming to adding a user to a dataset, I can't find an API for that. But a user's role in a workspace implicitly grants the permission on the datasets in that workspace. So if you want to add a user, you can use the API you found. Then you can update the permissions for the specific user using these APIs.
Please refer to the link for detailed information.
References:
https://learn.microsoft.com/power-bi/developer/embedded/datasets-permissions#item-permissions
https://learn.microsoft.com/rest/api/power-bi/groups/add-group-user
https://learn.microsoft.com/power-bi/connect-data/service-datasets-permissions
We don't have the option of providing the access through an API.
But we can create a Distribution List; by adding users to the list, access will be granted accordingly.

BigQuery: Separate project for storing and project for querying

Is it possible to create a project in BigQuery to store data and another to query the data ? If yes, what rights should be given to the project querying the data to access the data stored by the other project ?
The idea would be to have a better control of costs.
Yes you can do that!
You have to give the roles/bigquery.dataViewer role (at least) to the user that will be querying the data. What that account will be depends on the use case. If you are going to query from the BigQuery UI, you have to give such permissions to the mail account with which you log in to the GCP UI, but you can also give such permissions to particular users or service accounts for programmatic access.
Here you have the documentation referring to BQ permissions and how to grant them.