Data control language (DCL) statements in GoogleSQL
The BigQuery data control language (DCL) statements let you set up and control BigQuery resources using GoogleSQL query syntax.
Use these statements to give or remove access to BigQuery resources.
For more information on controlling access to specific BigQuery resources, see:
Permissions required
The following permissions are required to run GRANT and REVOKE statements.
| Resource Type | Permissions |
|---|---|
| Dataset | bigquery.datasets.update |
| Table | bigquery.tables.setIamPolicy |
| View | bigquery.tables.setIamPolicy |
GRANT statement
Grants roles to users on BigQuery resources.
Syntax
```
GRANT role_list ON resource_type resource_name TO user_list
```
Arguments
- role_list: A role or list of comma-separated roles that contains the permissions you want to grant. For more information on the types of roles available, see Roles and permissions.
- resource_type: The type of resource the role is applied to. Supported values include: SCHEMA (equivalent to dataset), TABLE, VIEW, EXTERNAL TABLE.
- resource_name: The name of the resource you want to grant the permission on.
- user_list: A comma-separated list of users that the role is granted to.
user_list
Specify users using the following formats:
| User Type | Syntax | Example |
|---|---|---|
| Google account | user:$user@$domain | user:first.last@example.com |
| Google group | group:$group@$domain | group:my-group@example.com |
| Service account | serviceAccount:$user@$project.iam.gserviceaccount.com | serviceAccount:robot@example.iam.gserviceaccount.com |
| Google domain | domain:$domain | domain:example.com |
| All Google accounts | specialGroup:allAuthenticatedUsers | specialGroup:allAuthenticatedUsers |
| All users | specialGroup:allUsers | specialGroup:allUsers |
For more information about each type of user in the table, see Concepts related to identity.
Example
The following example grants the bigquery.dataViewer role to the users raha@example-pet-store.com and sasha@example-pet-store.com on a dataset named myDataset:

```sql
GRANT `roles/bigquery.dataViewer`
ON SCHEMA `myProject`.myDataset
TO "user:raha@example-pet-store.com", "user:sasha@example-pet-store.com"
```

REVOKE statement
Removes roles from a list of users on BigQuery resources.
Syntax
```
REVOKE role_list ON resource_type resource_name FROM user_list
```
Arguments
- role_list: A role or list of comma-separated roles that contains the permissions you want to remove. For more information on the types of roles available, see Roles and permissions.
- resource_type: The type of resource that the role will be removed from. Supported values include: SCHEMA (equivalent to dataset), TABLE, VIEW, EXTERNAL TABLE.
- resource_name: The name of the resource you want to revoke the role on.
- user_list: A comma-separated list of users that the role is revoked from.
Example
The following example removes the bigquery.admin role on the myDataset dataset from the example-team@example-pet-store.com group and a service account:

```sql
REVOKE `roles/bigquery.admin`
ON SCHEMA `myProject`.myDataset
FROM "group:example-team@example-pet-store.com", "serviceAccount:user@test-project.iam.gserviceaccount.com"
```
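As an added example (not part of the original page and not Google's code), the following Python code parses a statement in the GRANT/REVOKE form documented above, checks each user_list entry against the formats in the user_list table, and flags grants to specialGroup or domain principals for review before the statement is run. The function name `audit_dcl`, the finding labels, the review policy, and the sample statement are assumptions made for illustration.

```python
import re

# Principal formats taken from the user_list table on this page.
PRINCIPALS = {
    "user": r"user:[^@\s]+@[^@\s]+",
    "group": r"group:[^@\s]+@[^@\s]+",
    "serviceAccount": r"serviceAccount:[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com",
    "domain": r"domain:[^@\s:]+",
    "specialGroup": r"specialGroup:(?:allAuthenticatedUsers|allUsers)",
}
# Assumed review policy: flag grants to principals broader than a named identity.
BROAD = {"specialGroup": "public", "domain": "domain-wide"}

# GRANT role_list ON resource_type resource_name TO user_list (REVOKE ... FROM).
STATEMENT = re.compile(
    r"\s*(?P<verb>GRANT|REVOKE)\s+(?P<roles>.+?)\s+ON\s+"
    r"(?P<rtype>SCHEMA|TABLE|VIEW|EXTERNAL\s+TABLE)\s+(?P<rname>\S+)\s+"
    r"(?P<kw>TO|FROM)\s+(?P<users>.+?)\s*;?\s*",
    re.IGNORECASE | re.DOTALL,
)

def audit_dcl(statement):
    """Parse one DCL statement and return (parsed, findings)."""
    m = STATEMENT.fullmatch(statement)
    if not m:
        raise ValueError("not in the documented GRANT/REVOKE form")
    verb, kw = m["verb"].upper(), m["kw"].upper()
    if (verb, kw) not in {("GRANT", "TO"), ("REVOKE", "FROM")}:
        raise ValueError(f"{verb} must not be followed by {kw}")
    findings = []
    principals = [u.strip().strip("\"'") for u in m["users"].split(",")]
    for p in principals:
        kind = p.split(":", 1)[0]
        if kind not in PRINCIPALS or not re.fullmatch(PRINCIPALS[kind], p):
            findings.append(("invalid-principal", p))  # e.g. missing "user:" prefix
        elif verb == "GRANT" and kind in BROAD:
            findings.append((BROAD[kind], p))  # only grants widen access
    roles = [r.strip().strip("`") for r in m["roles"].split(",")]
    rtype = " ".join(m["rtype"].upper().split())
    parsed = {"verb": verb, "roles": roles, "resource_type": rtype,
              "resource": m["rname"], "principals": principals}
    return parsed, findings

# Constructed sample input, modelled on the page's GRANT example.
SAMPLE = ('GRANT `roles/bigquery.dataViewer` ON TABLE `myProject`.myDataset.myTable '
          'TO "user:raha@example-pet-store.com", "specialGroup:allUsers", '
          '"domain:example.com", "sasha@example-pet-store.com"')
if __name__ == "__main__":
    print(audit_dcl(SAMPLE)[1])
```

Findings are returned only for GRANT statements and malformed principals; a REVOKE naming a broad principal narrows access and is not flagged.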
Last updated 2025-12-15 UTC.