Hello vv,
Starting September 15, 2025, we’ll be introducing more granular permission requirements for managing BigQuery dataset Access Control Lists (ACLs). This important update will allow you to manage permissions for dataset metadata and ACL updates independently, providing finer control and enhancing security by giving users only the necessary permissions.
We’re also introducing new parameters in dataset APIs to manage metadata and ACLs independently to align with the granular permissions. To prepare for these changes, we request that you review your custom roles and update them as needed to align with these revised permission requirements to avoid any user experience disruptions.
We understand that this change can require some planning, so we have provided additional information below to guide you.
What you need to know
Key changes:
Permission Updates
Currently, certain permissions grant broad access:
- bigquery.datasets.get: Allows viewing both metadata and ACLs
- bigquery.datasets.update: Allows updating both metadata and ACLs
- bigquery.datasets.create: Allows setting ACLs upon creation
Starting September 15, 2025, managing ACLs will require the following new, separate permissions:
- bigquery.datasets.getIamPolicy: Required to view dataset ACLs and query the Object_Privileges view
- bigquery.datasets.setIamPolicy: Required to update dataset ACLs
API Parameter Updates
Starting September 15, 2025, the Dataset APIs will include the following new parameters to manage metadata and ACLs independently:
- Dataset Get API: The dataset_view parameter will have options:
  - METADATA: View only metadata (requires bigquery.datasets.get)
  - ACL: View only ACLs (requires bigquery.datasets.getIamPolicy)
  - FULL (default): View both (requires both bigquery.datasets.get and bigquery.datasets.getIamPolicy)
- Dataset Patch and Update APIs: The update_mode parameter will have options:
  - UPDATE_METADATA: Update only metadata (requires bigquery.datasets.update)
  - UPDATE_ACL: Update only ACLs (requires bigquery.datasets.setIamPolicy)
  - UPDATE_FULL (default): Update both (requires both bigquery.datasets.update and bigquery.datasets.setIamPolicy)
Potential impact:
- Custom roles that include only bigquery.datasets.get, bigquery.datasets.create, or bigquery.datasets.update (and not the new permissions) will lose the ability to view or modify ACLs after September 15, 2025, unless updated.
- Predefined roles will not be affected, since they already incorporate the new permissions.
What you need to do
Required actions:
- Review Custom Roles: Identify all custom roles in your BigQuery projects
- Assess Current Permissions: Check if these roles include bigquery.datasets.get, bigquery.datasets.create, or bigquery.datasets.update
- Update Roles for ACL Management:
  - To retain the ability to view ACLs, add the bigquery.datasets.getIamPolicy permission
  - To retain the ability to update ACLs, add the bigquery.datasets.setIamPolicy permission
  - If you don’t want to add these permissions to the custom roles, ensure that the Dataset Get API is used with the “dataset_view=METADATA” parameter, and the Dataset Update and Patch APIs are used with the “update_mode=UPDATE_METADATA” parameter.
- Consider Early Testing: Test the updated APIs with the new permissions by following these instructions
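The following script is an added example, not part of the announcement and not Google's code. It turns the permission table above (the dataset_view and update_mode options) and the required-actions checklist into an offline audit: for each custom role it reports which of the new permissions must be added so the role keeps the ACL access it had under the old broad semantics, and it shows the per-call check that tells you whether a role can instead keep working unchanged by calling the Get API with dataset_view=METADATA or the Update/Patch APIs with update_mode=UPDATE_METADATA. The role definitions are constructed sample data in the shape of the includedPermissions list that gcloud iam roles describe returns; the project name and role names are placeholders.

```python
"""Audit custom-role permission sets against the BigQuery dataset
permission split (metadata vs. ACL) described in the announcement.

REQUIRED is transcribed from the announcement's dataset_view /
update_mode table. SAMPLE_ROLES is constructed data, not real
project output.
"""

GET = "bigquery.datasets.get"
UPDATE = "bigquery.datasets.update"
CREATE = "bigquery.datasets.create"
GET_IAM = "bigquery.datasets.getIamPolicy"
SET_IAM = "bigquery.datasets.setIamPolicy"

# Permissions each API call needs after September 15, 2025, keyed by
# (operation, mode). Modes are the dataset_view / update_mode options.
REQUIRED = {
    ("get", "METADATA"): {GET},
    ("get", "ACL"): {GET_IAM},
    ("get", "FULL"): {GET, GET_IAM},
    ("update", "UPDATE_METADATA"): {UPDATE},
    ("update", "UPDATE_ACL"): {SET_IAM},
    ("update", "UPDATE_FULL"): {UPDATE, SET_IAM},
}


def missing_for_call(role_permissions, operation, mode):
    """Return the permissions a role lacks for one API call.

    An empty set means the call succeeds with the role as-is; a role
    that lacks getIamPolicy can still use ("get", "METADATA")."""
    return REQUIRED[(operation, mode)] - set(role_permissions)


def acl_permissions_to_add(role_permissions):
    """Permissions to add so the role keeps the ACL access that
    get/update/create granted under the old, broad semantics."""
    perms = set(role_permissions)
    add = set()
    if GET in perms and GET_IAM not in perms:
        add.add(GET_IAM)  # keep viewing ACLs (and the Object_Privileges view)
    # create previously allowed setting ACLs on creation; the announcement's
    # guidance for retaining ACL updates is to add setIamPolicy.
    if (UPDATE in perms or CREATE in perms) and SET_IAM not in perms:
        add.add(SET_IAM)
    return add


def audit_roles(roles):
    """roles: list of dicts with 'name' and 'includedPermissions'
    (the shape gcloud iam roles describe --format=json returns).

    Returns {role name: sorted list of permissions to add}; an empty
    list means the role is unaffected by the change."""
    return {
        r["name"]: sorted(acl_permissions_to_add(r.get("includedPermissions", [])))
        for r in roles
    }


# Constructed sample roles (placeholder project, not real data).
SAMPLE_ROLES = [
    {"name": "projects/example-project/roles/datasetViewer",
     "includedPermissions": [GET, "bigquery.tables.list"]},
    {"name": "projects/example-project/roles/datasetAdmin",
     "includedPermissions": [GET, UPDATE, CREATE]},
    {"name": "projects/example-project/roles/alreadyGranular",
     "includedPermissions": [GET, UPDATE, GET_IAM, SET_IAM]},
    {"name": "projects/example-project/roles/tableOnly",
     "includedPermissions": ["bigquery.tables.get"]},
]

if __name__ == "__main__":
    for name, to_add in audit_roles(SAMPLE_ROLES).items():
        status = "add " + ", ".join(to_add) if to_add else "no change needed"
        print(f"{name}: {status}")
    # Per-call check: can the viewer role keep working without new
    # permissions if callers switch from the FULL default to METADATA?
    viewer = SAMPLE_ROLES[0]["includedPermissions"]
    print("FULL get lacks:", missing_for_call(viewer, "get", "FULL"))
    print("METADATA get lacks:", missing_for_call(viewer, "get", "METADATA"))
```

The audit output maps directly onto the role update step: each non-empty list is the set of permissions to grant to that custom role (for example with gcloud iam roles update and its --add-permissions flag) before the enforcement date, while roles with an empty list need no change. Roles you deliberately leave unchanged should have their callers pass dataset_view=METADATA or update_mode=UPDATE_METADATA, which missing_for_call confirms will succeed.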
Timelines:
- September 15, 2025: New permission requirements will be enforced. Update custom roles before this date.
We’re here to help
We’re committed to providing you with more secure and flexible data management. If you have questions or need assistance, please contact Google Cloud Support.
Projects for your review can be found in the attachment below.
Thanks for choosing BigQuery.