Table of Contents
Google cloud policies (IAM)
Allowing a user access to only a specific table in dataset
Select the table in the dataset you want to share and click on “Share” in the toolbar and then on “Add principal”.
On next screen input gmail account of user and select role “BigQuery Data Viewer”. Note that the user will not see the dataset of the shared table if they are not given access on the dataset level.
When the user now logs into his BigQuery panel he won't be able to use the Explorer and drill down to the table, he will need to search for the table name and it will show then.
This is because we have not given access to dataset to which the table belongs. If want the user to be able to drill down to the table we need to give him access to the dataset as well at least the permission “BigQuery MetaData Viewer”. However this has a side effect of showing other tables under that dataset although she won't be able to look at content of the tables themselves.
Additionally, if the user needs to run query such as SELECT on the table, she will need a custom role. To do this go to hamburger menu on top left and select IAM & Admin>Roles>Create role.
Fill out the fields, and set Role launch stage to “General availability”.
Now click Add permissions and under Filter search for “bigquery.jobs.create” and assign this permission to the role. The user will be able to use SELECT now but will not be able to INSERT for example. This requires the permission “bigquery.tables.update” (and there are other permissions, such as delete also available).
After the custom role is created it needs to be added to the user. Go to IAM section and click Grant access and add the user's email here and for role use the custom role that you created.
Tested on
- Google cloud accessed 2023-02-01