Grant view access

Authorize and grant access to a view.

Code sample

Go

Before trying this sample, follow the Go setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Go API reference documentation.

To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

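import (
	"context"
	"fmt"

	"cloud.google.com/go/bigquery"
)

// updateViewDelegated demonstrates the setup of an authorized view, which allows access to a view's results
// without the caller having direct access to the underlying source data.
//
// It performs two ACL read-modify-write updates, in this order:
//  1. adds a group as READER on the dataset that contains the view;
//  2. adds the view itself as an authorized entity on the source dataset.
//
// The two updates are not atomic. If the second one fails, the group keeps the READER
// grant on the view dataset; the returned error names the step that failed so the caller
// can tell which state the ACLs were left in.
func updateViewDelegated(projectID, srcDatasetID, viewDatasetID, viewID string) error {
	// projectID := "my-project-id"
	// srcDatasetID := "sourcedata"
	// viewDatasetID := "views"
	// viewID := "myview"
	ctx := context.Background()
	client, err := bigquery.NewClient(ctx, projectID)
	if err != nil {
		return fmt.Errorf("bigquery.NewClient: %w", err)
	}
	defer client.Close()

	srcDataset := client.Dataset(srcDatasetID)
	viewDataset := client.Dataset(viewDatasetID)
	view := viewDataset.Table(viewID)

	// First, we'll add a group to the ACL for the dataset containing the view.  This will allow users within
	// that group to query the view, but they must have direct access to any tables referenced by the view.
	//
	// The grant is made on the dataset, not on the single view, so it covers everything stored in
	// viewDataset. Keep only objects the group is meant to read in that dataset.
	vMeta, err := viewDataset.Metadata(ctx)
	if err != nil {
		return fmt.Errorf("viewDataset.Metadata: %w", err)
	}
	vUpdateMeta := bigquery.DatasetMetadataToUpdate{
		Access: append(vMeta.Access, &bigquery.AccessEntry{
			Role:       bigquery.ReaderRole,
			EntityType: bigquery.GroupEmailEntity,
			Entity:     "example-analyst-group@google.com",
		}),
	}
	// Passing the ETag read above makes the update conditional on the metadata being unchanged,
	// so a concurrent ACL edit causes a failure here instead of being silently overwritten.
	if _, err := viewDataset.Update(ctx, vUpdateMeta, vMeta.ETag); err != nil {
		return fmt.Errorf("viewDataset.Update: %w", err)
	}

	// Now, we'll authorize a specific view against a source dataset, delegating access enforcement.
	// Once this has been completed, members of the group previously added to the view dataset's ACL
	// no longer require access to the source dataset to successfully query the view.
	//
	// NOTE(review): the authorization is recorded on the source dataset as a whole, so what is
	// exposed is decided by the view's query. Treat permission to edit views in viewDataset as
	// equivalent to read access on srcDataset, and review who holds it.
	srcMeta, err := srcDataset.Metadata(ctx)
	if err != nil {
		return fmt.Errorf("srcDataset.Metadata: %w", err)
	}
	srcUpdateMeta := bigquery.DatasetMetadataToUpdate{
		Access: append(srcMeta.Access, &bigquery.AccessEntry{
			EntityType: bigquery.ViewEntity,
			View:       view,
		}),
	}
	if _, err := srcDataset.Update(ctx, srcUpdateMeta, srcMeta.ETag); err != nil {
		return fmt.Errorf("srcDataset.Update: %w", err)
	}
	return nil
}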

Java

Before trying this sample, follow the Java setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Java API reference documentation.

To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

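import com.google.cloud.bigquery.Acl;
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQueryException;
import com.google.cloud.bigquery.BigQueryOptions;
import com.google.cloud.bigquery.Dataset;
import com.google.cloud.bigquery.Table;
import java.util.ArrayList;
import java.util.List;

// Sample to grant view access on dataset
public class GrantViewAccess {

  public static void main(String[] args) {
    // TODO(developer): Replace these variables before running the sample.
    String srcDatasetId = "MY_DATASET_ID";
    String viewDatasetId = "MY_VIEW_DATASET_ID";
    String viewId = "MY_VIEW_ID";
    grantViewAccess(srcDatasetId, viewDatasetId, viewId);
  }

  /**
   * Sets up an authorized view: grants a group READER on the dataset that holds the view, then
   * authorizes the view on the source dataset so that group members can query the view without
   * direct access to the source tables.
   *
   * <p>All three resources are resolved before any ACL is changed. A missing dataset or view is
   * reported and nothing is modified, so a mistyped view ID cannot leave the group with a grant
   * on the view dataset while the source authorization was never made.
   *
   * @param srcDatasetId ID of the dataset that contains the tables the view reads
   * @param viewDatasetId ID of the dataset that contains the view
   * @param viewId ID of the view to authorize
   */
  public static void grantViewAccess(String srcDatasetId, String viewDatasetId, String viewId) {
    try {
      // Initialize client that will be used to send requests. This client only needs to be created
      // once, and can be reused for multiple requests.
      BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService();

      // getDataset and Dataset.get return null when the resource does not exist; check before
      // touching any ACL instead of failing later with a NullPointerException.
      Dataset srcDataset = bigquery.getDataset(srcDatasetId);
      if (srcDataset == null) {
        System.out.println(
            "Grant view access was not success. \n" + "Dataset not found: " + srcDatasetId);
        return;
      }
      Dataset viewDataset = bigquery.getDataset(viewDatasetId);
      if (viewDataset == null) {
        System.out.println(
            "Grant view access was not success. \n" + "Dataset not found: " + viewDatasetId);
        return;
      }
      Table view = viewDataset.get(viewId);
      if (view == null) {
        System.out.println("Grant view access was not success. \n" + "View not found: " + viewId);
        return;
      }

      // First, we'll add a group to the ACL for the dataset containing the view. This will allow
      // users within that group to query the view, but they must have direct access to any tables
      // referenced by the view.
      //
      // The grant is made on the dataset, not on the single view, so it covers everything stored
      // in the view dataset. Keep only objects the group is meant to read in that dataset.
      List<Acl> viewAcl = new ArrayList<>(viewDataset.getAcl());
      viewAcl.add(Acl.of(new Acl.Group("example-analyst-group@google.com"), Acl.Role.READER));
      // NOTE(review): this is a read-modify-write of the whole ACL list; confirm how a concurrent
      // ACL change between getAcl() and update() is handled.
      viewDataset.toBuilder().setAcl(viewAcl).build().update();

      // Now, we'll authorize a specific view against a source dataset, delegating access
      // enforcement. Once this has been completed, members of the group previously added to the
      // view dataset's ACL no longer require access to the source dataset to successfully query
      // the view.
      //
      // NOTE(review): the authorization is recorded on the source dataset as a whole, so what is
      // exposed is decided by the view's query. Treat permission to edit views in the view dataset
      // as equivalent to read access on the source dataset, and review who holds it.
      List<Acl> srcAcl = new ArrayList<>(srcDataset.getAcl());
      srcAcl.add(Acl.of(new Acl.View(view.getTableId())));
      srcDataset.toBuilder().setAcl(srcAcl).build().update();
      System.out.println("Grant view access successfully");
    } catch (BigQueryException e) {
      // If the failure came from the second update, the group's READER grant on the view dataset
      // has already been applied.
      System.out.println("Grant view access was not success. \n" + e.toString());
    }
  }
}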

Python

Before trying this sample, follow the Python setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Python API reference documentation.

To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

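from google.cloud import bigquery

client = bigquery.Client()

# To use a view, the analyst requires ACLs to both the view and the source
# table. Create an authorized view to allow an analyst to use a view
# without direct access permissions to the source table.
view_dataset_id = "my-project.my_view_dataset"
# Make an API request to get the view dataset ACLs.
view_dataset = client.get_dataset(view_dataset_id)

analyst_group_email = "example-analyst-group@google.com"
# The READER entry is added to the dataset's ACL, not to the single view, so
# it covers everything stored in the view dataset. Keep only objects the
# group is meant to read in that dataset.
access_entries = view_dataset.access_entries
access_entries.append(
    bigquery.AccessEntry("READER", "groupByEmail", analyst_group_email)
)
view_dataset.access_entries = access_entries

# Make an API request to update the ACLs property of the view dataset.
view_dataset = client.update_dataset(view_dataset, ["access_entries"])
print(f"Access to view:{view_dataset.access_entries}")

# Members of the group in analyst_group_email now have access to the view,
# but they require access to the source table to use it. To remove this
# restriction, authorize the view to access the source dataset.
source_dataset_id = "my-project.my_source_dataset"
# Make an API request to set the source dataset ACLs.
source_dataset = client.get_dataset(source_dataset_id)

# Take the project and dataset from the view dataset fetched above rather
# than repeating them as literals: if view_dataset_id is edited, the view
# that gets authorized here stays the one in the dataset the group was
# granted access to.
view_reference = {
    "projectId": view_dataset.project,
    "datasetId": view_dataset.dataset_id,
    "tableId": "my_authorized_view",
}
# NOTE(review): the authorization is recorded on the source dataset as a
# whole, so what is exposed is decided by the view's query. Treat permission
# to edit views in the view dataset as equivalent to read access on the
# source dataset, and review who holds it.
access_entries = source_dataset.access_entries
access_entries.append(bigquery.AccessEntry(None, "view", view_reference))
source_dataset.access_entries = access_entries

# Make an API request to update the ACLs property of the source dataset.
# The two updates are separate requests: if this one fails, the group's
# READER grant on the view dataset has already been applied.
source_dataset = client.update_dataset(source_dataset, ["access_entries"])
print(f"Access to source:{source_dataset.access_entries}")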

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.