Hello vv,
We are writing to inform you that granular permissions for managing BigQuery dataset Access Control Lists (ACLs) are now available as an optional feature.
This updates our communication from August 19, 2025, which stated that migrating to this new model was required by March 17, 2026. This transition is no longer mandatory; the existing permission model will not be discontinued. We will continue to support both models simultaneously, allowing you to opt in to the granular model only if it aligns with your specific requirements.
What you need to know
Key changes:
This update lets you grant permission to view or update dataset metadata separately from permission to view or update the dataset's ACLs, giving finer control and improving security by granting users only the permissions they actually need.
We’re also introducing new parameters in dataset APIs to manage metadata and ACLs independently to align with these granular permissions.
Permission Updates
Currently, certain permissions grant broad access:
bigquery.datasets.get: Allows viewing both metadata and ACLs
bigquery.datasets.update: Allows updating both metadata and ACLs
bigquery.datasets.create: Allows setting ACLs upon creation
If you opt in to the new permission model, managing dataset ACLs will require the following new, separate permissions:
bigquery.datasets.getIamPolicy: Required to view dataset ACLs and query the Object_Privileges view
bigquery.datasets.setIamPolicy: Required to update dataset ACLs
API Parameter Updates
If you opt in, the Dataset APIs will include the following new parameters to manage metadata and ACLs independently:
- Dataset Get API: The dataset_view parameter will have the following new options:
METADATA: View only metadata (requires bigquery.datasets.get)
ACL: View only ACLs (requires bigquery.datasets.getIamPolicy)
FULL (default): View both (requires both bigquery.datasets.get and bigquery.datasets.getIamPolicy)
- Dataset Patch and Update APIs: The update_mode parameter will have the following new options:
UPDATE_METADATA: Update only metadata (requires bigquery.datasets.update).
UPDATE_ACL: Update only ACLs (requires bigquery.datasets.setIamPolicy)
UPDATE_FULL (default): Update both (requires both bigquery.datasets.update and bigquery.datasets.setIamPolicy)
Potential impact:
- There will be no disruption to the existing permissions or roles by default
- If you opt in to the new permission model, custom roles with only bigquery.datasets.get, bigquery.datasets.create, or bigquery.datasets.update permission will lose the ability to view or modify ACLs
- Predefined roles will not be affected, since they already incorporate the new permissions
- You can opt out of the new permission model anytime
What you need to do
No action is required if you choose not to opt in. The new permission model provides more granular control by allowing you to manage dataset metadata and ACL updates independently, ensuring users only receive necessary permissions.
Required actions if you want to opt in
- Review Custom Roles: Identify all custom roles in your BigQuery projects
- Assess Current Permissions: Check if these roles include bigquery.datasets.get, bigquery.datasets.create, or bigquery.datasets.update
- Update Roles for ACL Management:
- To retain the ability to view ACLs, add the bigquery.datasets.getIamPolicy permission
- To retain the ability to update ACLs, add the bigquery.datasets.setIamPolicy permission
- If you don't want to add these permissions to the custom roles, ensure that callers invoke the Dataset Get API with the dataset_view=METADATA parameter and the Dataset Patch and Update APIs with the update_mode=UPDATE_METADATA parameter, because the defaults (FULL and UPDATE_FULL) also require the new getIamPolicy and setIamPolicy permissions
- Consider Testing: Test the updated APIs with the new permissions by following these instructions
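The review steps above can be scripted. The following is an added example, not code from the notice or from Google Cloud: it audits custom roles for the legacy dataset permissions, lists which of the new permissions each role needs to keep its ACL access after opting in, and, for roles left unchanged, which explicit dataset_view and update_mode values their members can still use. It assumes the input is a JSON list of role objects in the shape printed by `gcloud iam roles describe ROLE --project PROJECT --format=json` (only `name` and `includedPermissions` are used); the role names and permission sets in SAMPLE_ROLES_JSON are constructed sample data, and the decision to require setIamPolicy only for roles that can create or update datasets is this example's choice.

```python
"""
Added example (not part of the Google Cloud notice): audit custom IAM roles
before opting in to the granular BigQuery dataset ACL permission model.

Input shape assumed: a JSON list of role objects as returned by
`gcloud iam roles describe ROLE --project PROJECT --format=json`
(only the `name` and `includedPermissions` fields are used).
The sample roles below are constructed; the permission names and the
dataset_view / update_mode requirements are taken from the notice.
"""
import json

LEGACY_PERMS = {
    "bigquery.datasets.get",
    "bigquery.datasets.create",
    "bigquery.datasets.update",
}
GET_IAM_POLICY = "bigquery.datasets.getIamPolicy"
SET_IAM_POLICY = "bigquery.datasets.setIamPolicy"

# Permissions each Dataset Get `dataset_view` value needs under the opt-in model.
DATASET_VIEW_REQUIRES = {
    "METADATA": {"bigquery.datasets.get"},
    "ACL": {GET_IAM_POLICY},
    "FULL": {"bigquery.datasets.get", GET_IAM_POLICY},  # the default
}
# Permissions each Dataset Patch/Update `update_mode` value needs.
UPDATE_MODE_REQUIRES = {
    "UPDATE_METADATA": {"bigquery.datasets.update"},
    "UPDATE_ACL": {SET_IAM_POLICY},
    "UPDATE_FULL": {"bigquery.datasets.update", SET_IAM_POLICY},  # the default
}

# Constructed sample: four custom roles as `gcloud iam roles describe` would print them.
SAMPLE_ROLES_JSON = """
[
  {"name": "projects/my-project/roles/bqDatasetViewer", "stage": "GA",
   "includedPermissions": ["bigquery.datasets.get", "bigquery.tables.list"]},
  {"name": "projects/my-project/roles/bqDatasetEditor", "stage": "GA",
   "includedPermissions": ["bigquery.datasets.get", "bigquery.datasets.update"]},
  {"name": "projects/my-project/roles/bqDatasetAdmin", "stage": "GA",
   "includedPermissions": ["bigquery.datasets.create", "bigquery.datasets.get",
                           "bigquery.datasets.update",
                           "bigquery.datasets.getIamPolicy",
                           "bigquery.datasets.setIamPolicy"]},
  {"name": "projects/my-project/roles/bqJobRunner", "stage": "GA",
   "includedPermissions": ["bigquery.jobs.create"]}
]
"""


def load_sample_roles():
    """Parse the constructed sample (stand-in for real gcloud output)."""
    return json.loads(SAMPLE_ROLES_JSON)


def audit_role(role):
    """Return a finding for one role, or None if the opt-in does not affect it.

    A role is affected when it carries any legacy dataset permission, because
    those stop implying ACL access once the project opts in.
    """
    perms = set(role.get("includedPermissions", []))
    if not perms & LEGACY_PERMS:
        return None

    to_add = []
    # Keeping ACL *viewing* needs getIamPolicy (notice: "to retain the ability to view ACLs").
    if GET_IAM_POLICY not in perms:
        to_add.append(GET_IAM_POLICY)
    # Keeping ACL *updates* needs setIamPolicy. Limiting this to roles that can
    # create or update datasets is this example's choice, not stated in the notice.
    can_write = bool(perms & {"bigquery.datasets.create", "bigquery.datasets.update"})
    if can_write and SET_IAM_POLICY not in perms:
        to_add.append(SET_IAM_POLICY)

    # Explicit modes that still succeed with the role's *current* permissions,
    # i.e. what callers must pass if the role is left unchanged.
    views_ok = sorted(v for v, need in DATASET_VIEW_REQUIRES.items() if need <= perms)
    modes_ok = sorted(m for m, need in UPDATE_MODE_REQUIRES.items() if need <= perms)

    return {
        "role": role["name"],
        "add": sorted(to_add),
        "dataset_view_ok": views_ok,
        "update_mode_ok": modes_ok,
    }


def audit_roles(roles):
    """Audit a list of role objects; returns findings for affected roles only."""
    return [f for f in (audit_role(r) for r in roles) if f is not None]


if __name__ == "__main__":
    for finding in audit_roles(load_sample_roles()):
        print(finding["role"])
        print("  add to keep ACL access:", ", ".join(finding["add"]) or "(nothing)")
        print("  dataset_view still OK :", ", ".join(finding["dataset_view_ok"]) or "(none)")
        print("  update_mode still OK  :", ", ".join(finding["update_mode_ok"]) or "(none)")
```

To run it against a real project, list the custom role names with `gcloud iam roles list --project PROJECT --format='value(name)'`, fetch each one with `gcloud iam roles describe ROLE --project PROJECT --format=json`, and feed the collected objects to `audit_roles` in place of the sample. A role that reports an empty `add` list already matches the behaviour of the predefined roles; a role with only `METADATA` and `UPDATE_METADATA` listed is one whose callers will be denied by the default FULL and UPDATE_FULL modes after opting in.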
We’re here to help
We understand that these changes might require you to make some adjustments. If you have questions or need assistance, please contact Google Cloud Support.
Projects for your review can be found in the attachment below.
Thanks for choosing BigQuery.