BigQuery IAM roles and permissions

This document provides a list of Identity and Access Management (IAM) predefined roles andpermissions for BigQuery. This page includes roles and permissions forthe following:

  • BigQuery: Roles and permissions that apply toBigQuery resources such as datasets, tables, views, androutines. Many of these roles and permissions can also be granted toResource Manager resources like projects, folders, and organizations.
  • BigQuery Connection API: Role that grants aservice agentaccess to a Cloud SQL connection.
  • BigQuery Continuous Query: Role that grants aservice account access to a continuousquery.
  • BigQuery Data Policy: Roles and permissions that apply toData Policies in BigQuery.
  • BigQuery Data Transfer Service: Role that grants aservice agentaccess to create jobs that transfer data.
  • BigQuery Engine for Apache Flink: Roles and permissions that apply toBigQuery Engine for Apache Flink resources.
  • BigQuery Migration Service API: Roles and permissions that apply toBigQuery Migration Service resources.
  • BigQuery Omni: Role that grants aservice agentaccess to tables.
  • BigQuery sharing: Roles and permissions that apply toBigQuery sharing resources.

BigQuery predefined IAM roles

The following tables list the predefined BigQuery IAMroles with a corresponding list of all thepermissions eachrole includes. Note that each permission is applicable to a particular resourcetype.

Note: When new capabilities are added to BigQuery, new permissionsmight be added to predefined IAM roles, and new predefinedIAM roles might be added to BigQuery. If yourorganization requires role definitions to remain unchanged, you should createcustom IAM roles.

BigQuery roles

This table lists the predefined IAM roles and permissions forBigQuery. To search through all roles and permissions, see therole and permission index.

For information on granting predefined roles on BigQueryresources like datasets, tables, and routines, seeControl access to resourceswith IAM.

RolePermissions

BigQuery Admin

(roles/bigquery.admin)

Provides permissions to manage all resources within the project. Can manageall data within the project, and can cancel jobs from other users runningwithin the project.

It is possible to grant this role to the following lowest-level resources, but it is notrecommended. Other predefined roles grant full permissions over these resources and are lesspermissive. BigQuery Admin is typically granted at the project level.

Lowest-level resources where you can grant this role:

  • Dataset
  • These resources within a dataset:
    • Table
    • View
    • Routine
  • Connection
  • Saved query
  • Data canvas
  • Pipeline
  • Data preparation
  • Repository

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.bireservations.*

  • bigquery.bireservations.get
  • bigquery.bireservations.update

bigquery.capacityCommitments.*

  • bigquery.capacityCommitments.create
  • bigquery.capacityCommitments.delete
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.capacityCommitments.update

bigquery.config.*

  • bigquery.config.get
  • bigquery.config.update

bigquery.connections.*

  • bigquery.connections.create
  • bigquery.connections.delegate
  • bigquery.connections.delete
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.setIamPolicy
  • bigquery.connections.update
  • bigquery.connections.updateTag
  • bigquery.connections.use

bigquery.dataPolicies.attach

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

  • bigquery.datasets.create
  • bigquery.datasets.createTagBinding
  • bigquery.datasets.delete
  • bigquery.datasets.deleteTagBinding
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.link
  • bigquery.datasets.listEffectiveTags
  • bigquery.datasets.listSharedDatasetUsage
  • bigquery.datasets.listTagBindings
  • bigquery.datasets.setIamPolicy
  • bigquery.datasets.update
  • bigquery.datasets.updateTag

bigquery.jobs.*

  • bigquery.jobs.create
  • bigquery.jobs.createGlobalQuery
  • bigquery.jobs.delete
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.jobs.update

bigquery.models.*

  • bigquery.models.create
  • bigquery.models.delete
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.models.updateData
  • bigquery.models.updateMetadata
  • bigquery.models.updateTag

bigquery.objectRefs.*

  • bigquery.objectRefs.read
  • bigquery.objectRefs.write

bigquery.readsessions.*

  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.readsessions.update

bigquery.reservationAssignments.*

  • bigquery.reservationAssignments.create
  • bigquery.reservationAssignments.delete
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search

bigquery.reservationGroups.*

  • bigquery.reservationGroups.create
  • bigquery.reservationGroups.delete
  • bigquery.reservationGroups.get
  • bigquery.reservationGroups.list

bigquery.reservations.*

  • bigquery.reservations.create
  • bigquery.reservations.delete
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.reservations.listFailoverDatasets
  • bigquery.reservations.update
  • bigquery.reservations.use

bigquery.routines.*

  • bigquery.routines.create
  • bigquery.routines.delete
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.routines.update
  • bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.get

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

  • bigquery.savedqueries.create
  • bigquery.savedqueries.delete
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.savedqueries.update

bigquery.tables.*

  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.createTagBinding
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.deleteSnapshot
  • bigquery.tables.deleteTagBinding
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.listEffectiveTags
  • bigquery.tables.listTagBindings
  • bigquery.tables.replicateData
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.setCategory
  • bigquery.tables.setColumnDataPolicy
  • bigquery.tables.setIamPolicy
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateIndex
  • bigquery.tables.updateTag

bigquery.transfers.*

  • bigquery.transfers.get
  • bigquery.transfers.update

bigquerymigration.translation.translate

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

dataform.*

  • dataform.commentThreads.create
  • dataform.commentThreads.delete
  • dataform.commentThreads.get
  • dataform.commentThreads.list
  • dataform.commentThreads.update
  • dataform.comments.create
  • dataform.comments.delete
  • dataform.comments.get
  • dataform.comments.list
  • dataform.comments.update
  • dataform.compilationResults.create
  • dataform.compilationResults.get
  • dataform.compilationResults.list
  • dataform.compilationResults.query
  • dataform.config.get
  • dataform.config.update
  • dataform.folders.addContents
  • dataform.folders.create
  • dataform.folders.delete
  • dataform.folders.get
  • dataform.folders.getIamPolicy
  • dataform.folders.move
  • dataform.folders.queryContents
  • dataform.folders.setIamPolicy
  • dataform.folders.update
  • dataform.locations.get
  • dataform.locations.list
  • dataform.operations.cancel
  • dataform.operations.delete
  • dataform.operations.get
  • dataform.operations.list
  • dataform.releaseConfigs.create
  • dataform.releaseConfigs.delete
  • dataform.releaseConfigs.get
  • dataform.releaseConfigs.list
  • dataform.releaseConfigs.update
  • dataform.repositories.commit
  • dataform.repositories.computeAccessTokenStatus
  • dataform.repositories.create
  • dataform.repositories.delete
  • dataform.repositories.fetchHistory
  • dataform.repositories.fetchRemoteBranches
  • dataform.repositories.get
  • dataform.repositories.getIamPolicy
  • dataform.repositories.list
  • dataform.repositories.move
  • dataform.repositories.queryDirectoryContents
  • dataform.repositories.readFile
  • dataform.repositories.scheduleRelease
  • dataform.repositories.scheduleWorkflow
  • dataform.repositories.setIamPolicy
  • dataform.repositories.update
  • dataform.teamFolders.create
  • dataform.teamFolders.delete
  • dataform.teamFolders.get
  • dataform.teamFolders.getIamPolicy
  • dataform.teamFolders.setIamPolicy
  • dataform.teamFolders.update
  • dataform.workflowConfigs.create
  • dataform.workflowConfigs.delete
  • dataform.workflowConfigs.get
  • dataform.workflowConfigs.list
  • dataform.workflowConfigs.update
  • dataform.workflowInvocations.cancel
  • dataform.workflowInvocations.create
  • dataform.workflowInvocations.delete
  • dataform.workflowInvocations.get
  • dataform.workflowInvocations.list
  • dataform.workflowInvocations.query
  • dataform.workspaces.commit
  • dataform.workspaces.create
  • dataform.workspaces.delete
  • dataform.workspaces.fetchFileDiff
  • dataform.workspaces.fetchFileGitStatuses
  • dataform.workspaces.fetchGitAheadBehind
  • dataform.workspaces.get
  • dataform.workspaces.getIamPolicy
  • dataform.workspaces.installNpmPackages
  • dataform.workspaces.list
  • dataform.workspaces.makeDirectory
  • dataform.workspaces.moveDirectory
  • dataform.workspaces.moveFile
  • dataform.workspaces.pull
  • dataform.workspaces.push
  • dataform.workspaces.queryDirectoryContents
  • dataform.workspaces.readFile
  • dataform.workspaces.removeDirectory
  • dataform.workspaces.removeFile
  • dataform.workspaces.reset
  • dataform.workspaces.searchFiles
  • dataform.workspaces.setIamPolicy
  • dataform.workspaces.writeFile

dataplex.datascans.*

  • dataplex.datascans.create
  • dataplex.datascans.delete
  • dataplex.datascans.get
  • dataplex.datascans.getData
  • dataplex.datascans.getIamPolicy
  • dataplex.datascans.list
  • dataplex.datascans.run
  • dataplex.datascans.setIamPolicy
  • dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

Connected Sheets Service Agent

(roles/bigquery.connectedSheetsServiceAgent)

Grants Connected Sheets Service Account access to create and manage BigQuery jobs on the customers resources.

Warning: Do not grant service agent roles to any principals exceptservice agents.

bigquery.datasets.get

bigquery.jobs.create

bigquery.tables.create

bigquery.tables.update

bigquery.tables.updateData

BigQuery Connection Admin

(roles/bigquery.connectionAdmin)

Lowest-level resources where you can grant this role:

  • Connection

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.connections.*

  • bigquery.connections.create
  • bigquery.connections.delegate
  • bigquery.connections.delete
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.setIamPolicy
  • bigquery.connections.update
  • bigquery.connections.updateTag
  • bigquery.connections.use

BigQuery Connection User

(roles/bigquery.connectionUser)

Lowest-level resources where you can grant this role:

  • Connection

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.connections.get

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.connections.use

BigQuery Data Editor

(roles/bigquery.dataEditor)

When granted on a dataset, this role grants these permissions:

  • Get metadata and permissions for the dataset.
  • For tables and views:
    • Create, update, get, list, and delete the dataset's tables andviews.
    • Read (query), export, replicate, and update table data.
    • Create, update, and delete indexes.
    • Create and restore snapshots.
  • All permissions for the dataset's routines and models.
Note: Principals that are granted the Data Editor role at the project level can also createnew datasets and list datasets in the project that they have access to.

When granted on a table or view, this role grants these permissions:

  • Get metadata, update metadata, get access controls, and delete thetable or view.
  • Get (query), export, replicate, and update table data.
  • Create, update, and delete indexes.
  • Create and restore snapshots.
  • All permissions for the routine.

The Data Editor role cannot be granted to individual models.

Note: The BigQuery Data Editor role is mapped to theWRITERBigQuery basic role. When you grant the BigQuery Data Editor role to a principal atthe dataset level, the principal is grantedWRITER access to the dataset.

Lowest-level resources where you can grant this role:

  • Dataset
  • These resources within a dataset:
    • Table
    • View
    • Routine

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.models.*

  • bigquery.models.create
  • bigquery.models.delete
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.models.updateData
  • bigquery.models.updateMetadata
  • bigquery.models.updateTag

bigquery.routines.*

  • bigquery.routines.create
  • bigquery.routines.delete
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.routines.update
  • bigquery.routines.updateTag

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateIndex

bigquery.tables.updateTag

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

dataplex.datascans.create

dataplex.datascans.delete

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.run

dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Data Owner

(roles/bigquery.dataOwner)

When granted on a dataset, this role grants these permissions:

  • All permissions for the dataset and for all of the resources withinthe dataset: tables and views, models, and routines.
Note: Principals that are granted the Data Owner role at the project level can also createnew datasets and list datasets in the project that they have access to.

When granted on a table or view, this role grants these permissions:

  • All permissions for the table or view.
  • All permissions for row access policies except permission tooverride time travel restrictions.
  • Set categories and column-level data policies.

When granted on a routine, this role grants these permissions:

  • All permissions for the routine.

You shouldn't grant the Data Owner role at the routinelevel. Data Editor also grants all permissions for the routine and is aless permissive role.

This role cannot be granted to individual models.

Note: The BigQuery Data Owner role is mapped to theOWNERBigQuery basic role. When you grant the BigQuery Data Owner role to a principal atthe dataset level, the principal is grantedOWNER access to the dataset.

Lowest-level resources where you can grant this role:

  • Dataset
  • These resources within a dataset:
    • Table
    • View
    • Routine

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.config.get

bigquery.dataPolicies.attach

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

  • bigquery.datasets.create
  • bigquery.datasets.createTagBinding
  • bigquery.datasets.delete
  • bigquery.datasets.deleteTagBinding
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.link
  • bigquery.datasets.listEffectiveTags
  • bigquery.datasets.listSharedDatasetUsage
  • bigquery.datasets.listTagBindings
  • bigquery.datasets.setIamPolicy
  • bigquery.datasets.update
  • bigquery.datasets.updateTag

bigquery.models.*

  • bigquery.models.create
  • bigquery.models.delete
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.models.updateData
  • bigquery.models.updateMetadata
  • bigquery.models.updateTag

bigquery.routines.*

  • bigquery.routines.create
  • bigquery.routines.delete
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.routines.update
  • bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.get

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.*

  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.createTagBinding
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.deleteSnapshot
  • bigquery.tables.deleteTagBinding
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.listEffectiveTags
  • bigquery.tables.listTagBindings
  • bigquery.tables.replicateData
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.setCategory
  • bigquery.tables.setColumnDataPolicy
  • bigquery.tables.setIamPolicy
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateIndex
  • bigquery.tables.updateTag

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

dataplex.datascans.*

  • dataplex.datascans.create
  • dataplex.datascans.delete
  • dataplex.datascans.get
  • dataplex.datascans.getData
  • dataplex.datascans.getIamPolicy
  • dataplex.datascans.list
  • dataplex.datascans.run
  • dataplex.datascans.setIamPolicy
  • dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Data Viewer

(roles/bigquery.dataViewer)

When granted on a dataset, this role grants these permissions:

  • Get metadata and permissions for the dataset.
  • List a dataset's tables, views, and models.
  • Get metadata and access controls for the dataset's tables and views.
  • Get (query), replicate, and export table data and create snapshots.
  • List and invoke the dataset's routines.

When granted on a table or view, this role provides these permissions:

  • Get metadata and access controls for the table or view.
  • Get (query), export, and replicate table data.
  • Create snapshots.

When granted on a routine, this role grants these permissions:

  • In a query, reference a routine created by someone else.

This role cannot be granted to individual models.

Note: The BigQuery Data Viewer role is mapped to theREADERBigQuery basic role. When you grant the BigQuery Data Viewer role to a principal atthe dataset level, the principal is grantedREADER access to the dataset.

Lowest-level resources where you can grant this role:

  • Dataset
  • These resources within a dataset:
    • Table
    • View
    • Routine

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.createSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Filtered Data Viewer

(roles/bigquery.filteredDataViewer)

Access to view filtered table data defined by a row access policy.bigquery.filteredDataViewer is a system-managed role. Grant the role by usingrow-level access policies. Don't apply the role directly to a resource throughIdentity and Access Management (IAM).

bigquery.rowAccessPolicies.getFilteredData

BigQuery Job User

(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

This role can only be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.config.get

bigquery.jobs.create

dataform.folders.create

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Metadata Viewer

(roles/bigquery.metadataViewer)

When granted on a dataset, this role grants these permissions:

  • Get metadata and access controls for the dataset.
  • Get metadata and access controls for tables and views.
  • Get metadata from the dataset's models and routines.
  • List tables, views, models, and routines in the dataset.

When granted on a table or view, this role provides these permissions:

  • Get metadata and access controls for the table or view.

When granted on a routine, this role grants these permissions:

  • In a query, reference a routine created by someone else.

This role cannot be granted to individual models.

Lowest-level resources where you can grant this role:

  • Dataset
  • These resources within a dataset:
    • Table
    • View
    • Routine

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.get

bigquery.tables.getIamPolicy

bigquery.tables.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery ObjectRef Admin

(roles/bigquery.objectRefAdmin)

Administer ObjectRef resources that includes read and write permissions

Lowest-level resources where you can grant this role:

  • Connection

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.objectRefs.*

  • bigquery.objectRefs.read
  • bigquery.objectRefs.write

BigQuery ObjectRef Reader

(roles/bigquery.objectRefReader)

Role for reading referenced objects via ObjectRefs in BigQuery

Lowest-level resources where you can grant this role:

  • Connection

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.objectRefs.read

BigQuery Read Session User

(roles/bigquery.readSessionUser)

Provides the ability to create and use read sessions.

This role can only be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.readsessions.*

  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.readsessions.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Admin

(roles/bigquery.resourceAdmin)

Administers BigQuery workloads, including slot assignments, commitments, and reservations.

This role can only be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.bireservations.*

  • bigquery.bireservations.get
  • bigquery.bireservations.update

bigquery.capacityCommitments.*

  • bigquery.capacityCommitments.create
  • bigquery.capacityCommitments.delete
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.capacityCommitments.update

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

  • bigquery.reservationAssignments.create
  • bigquery.reservationAssignments.delete
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search

bigquery.reservationGroups.*

  • bigquery.reservationGroups.create
  • bigquery.reservationGroups.delete
  • bigquery.reservationGroups.get
  • bigquery.reservationGroups.list

bigquery.reservations.*

  • bigquery.reservations.create
  • bigquery.reservations.delete
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.reservations.listFailoverDatasets
  • bigquery.reservations.update
  • bigquery.reservations.use

recommender.bigqueryCapacityCommitmentsInsights.*

  • recommender.bigqueryCapacityCommitmentsInsights.get
  • recommender.bigqueryCapacityCommitmentsInsights.list
  • recommender.bigqueryCapacityCommitmentsInsights.update

recommender.bigqueryCapacityCommitmentsRecommendations.*

  • recommender.bigqueryCapacityCommitmentsRecommendations.get
  • recommender.bigqueryCapacityCommitmentsRecommendations.list
  • recommender.bigqueryCapacityCommitmentsRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Editor

(roles/bigquery.resourceEditor)

Manages BigQuery workloads, but is unable to create or modify slot commitments.

This role can only be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

  • bigquery.reservationAssignments.create
  • bigquery.reservationAssignments.delete
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search

bigquery.reservationGroups.*

  • bigquery.reservationGroups.create
  • bigquery.reservationGroups.delete
  • bigquery.reservationGroups.get
  • bigquery.reservationGroups.list

bigquery.reservations.*

  • bigquery.reservations.create
  • bigquery.reservations.delete
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.reservations.listFailoverDatasets
  • bigquery.reservations.update
  • bigquery.reservations.use

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Viewer

(roles/bigquery.resourceViewer)

Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.

This role can only be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservationGroups.get

bigquery.reservationGroups.list

bigquery.reservations.get

bigquery.reservations.list

bigquery.reservations.listFailoverDatasets

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Authorized Routine AdminBeta

(roles/bigquery.routineAdmin)

Role for Authorized Routine to administer supported resources

bigquery.connections.use

bigquery.datasets.get

bigquery.models.getData

bigquery.models.getMetadata

bigquery.routines.get

bigquery.routines.list

bigquery.tables.create

bigquery.tables.delete

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.update

bigquery.tables.updateData

BigQuery Authorized Routine Data EditorBeta

(roles/bigquery.routineDataEditor)

Role for Authorized Routine to edit contents of supported resources

bigquery.datasets.get

bigquery.models.getData

bigquery.models.getMetadata

bigquery.routines.get

bigquery.routines.list

bigquery.tables.create

bigquery.tables.delete

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.update

bigquery.tables.updateData

BigQuery Authorized Routine Data ViewerBeta

(roles/bigquery.routineDataViewer)

Role for Authorized Routine to view data and contents of supported resources

bigquery.datasets.get

bigquery.models.getData

bigquery.models.getMetadata

bigquery.routines.get

bigquery.routines.list

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

BigQuery Authorized Routine Metadata ViewerBeta

(roles/bigquery.routineMetadataViewer)

Role for Authorized Routine to view metadata of supported resources

bigquery.datasets.get

bigquery.models.getMetadata

bigquery.routines.get

bigquery.routines.list

bigquery.tables.get

bigquery.tables.list

BigQuery Security AdminBeta

(roles/bigquery.securityAdmin)

Administer all BigQuery security controls

bigquery.dataPolicies.attach

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.createTagBinding

bigquery.datasets.deleteTagBinding

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.listEffectiveTags

bigquery.datasets.listSharedDatasetUsage

bigquery.datasets.listTagBindings

bigquery.datasets.setIamPolicy

bigquery.datasets.update

bigquery.datasets.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.get

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.createTagBinding

bigquery.tables.deleteTagBinding

bigquery.tables.get

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.listEffectiveTags

bigquery.tables.listTagBindings

bigquery.tables.setColumnDataPolicy

bigquery.tables.setIamPolicy

bigquery.tables.update

bigquery.tables.updateTag

dataplex.projects.search

BigQuery Studio Admin

(roles/bigquery.studioAdmin)

Combination role of BigQuery Admin, Dataform Admin, Notebook Runtime Admin and DataprocServerless Editor.

It is possible to grant this role to the following lowest-level resources, but it is notrecommended. Other predefined roles grant full permissions over these resources and are lesspermissive. BigQuery Studio Admin is typically granted at the project level.

Lowest-level resources where you can grant this role:

  • Dataset
  • These resources within a dataset:
    • Table
    • View
    • Routine
  • Connection
  • Saved query
  • Data canvas
  • Data preparation
  • Pipeline
  • Repository

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

aiplatform.locations.get

aiplatform.notebookRuntimeTemplates.*

  • aiplatform.notebookRuntimeTemplates.apply
  • aiplatform.notebookRuntimeTemplates.create
  • aiplatform.notebookRuntimeTemplates.delete
  • aiplatform.notebookRuntimeTemplates.get
  • aiplatform.notebookRuntimeTemplates.getIamPolicy
  • aiplatform.notebookRuntimeTemplates.list
  • aiplatform.notebookRuntimeTemplates.setIamPolicy
  • aiplatform.notebookRuntimeTemplates.update

aiplatform.notebookRuntimes.*

  • aiplatform.notebookRuntimes.assign
  • aiplatform.notebookRuntimes.delete
  • aiplatform.notebookRuntimes.get
  • aiplatform.notebookRuntimes.list
  • aiplatform.notebookRuntimes.start
  • aiplatform.notebookRuntimes.update
  • aiplatform.notebookRuntimes.upgrade

aiplatform.operations.list

bigquery.bireservations.*

  • bigquery.bireservations.get
  • bigquery.bireservations.update

bigquery.capacityCommitments.*

  • bigquery.capacityCommitments.create
  • bigquery.capacityCommitments.delete
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.capacityCommitments.update

bigquery.config.*

  • bigquery.config.get
  • bigquery.config.update

bigquery.connections.*

  • bigquery.connections.create
  • bigquery.connections.delegate
  • bigquery.connections.delete
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.setIamPolicy
  • bigquery.connections.update
  • bigquery.connections.updateTag
  • bigquery.connections.use

bigquery.dataPolicies.attach

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

  • bigquery.datasets.create
  • bigquery.datasets.createTagBinding
  • bigquery.datasets.delete
  • bigquery.datasets.deleteTagBinding
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.link
  • bigquery.datasets.listEffectiveTags
  • bigquery.datasets.listSharedDatasetUsage
  • bigquery.datasets.listTagBindings
  • bigquery.datasets.setIamPolicy
  • bigquery.datasets.update
  • bigquery.datasets.updateTag

bigquery.jobs.*

  • bigquery.jobs.create
  • bigquery.jobs.createGlobalQuery
  • bigquery.jobs.delete
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.jobs.update

bigquery.models.*

  • bigquery.models.create
  • bigquery.models.delete
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.models.updateData
  • bigquery.models.updateMetadata
  • bigquery.models.updateTag

bigquery.objectRefs.*

  • bigquery.objectRefs.read
  • bigquery.objectRefs.write

bigquery.readsessions.*

  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.readsessions.update

bigquery.reservationAssignments.*

  • bigquery.reservationAssignments.create
  • bigquery.reservationAssignments.delete
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search

bigquery.reservationGroups.*

  • bigquery.reservationGroups.create
  • bigquery.reservationGroups.delete
  • bigquery.reservationGroups.get
  • bigquery.reservationGroups.list

bigquery.reservations.*

  • bigquery.reservations.create
  • bigquery.reservations.delete
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.reservations.listFailoverDatasets
  • bigquery.reservations.update
  • bigquery.reservations.use

bigquery.routines.*

  • bigquery.routines.create
  • bigquery.routines.delete
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.routines.update
  • bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.get

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

  • bigquery.savedqueries.create
  • bigquery.savedqueries.delete
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.savedqueries.update

bigquery.tables.*

  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.createTagBinding
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.deleteSnapshot
  • bigquery.tables.deleteTagBinding
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.listEffectiveTags
  • bigquery.tables.listTagBindings
  • bigquery.tables.replicateData
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.setCategory
  • bigquery.tables.setColumnDataPolicy
  • bigquery.tables.setIamPolicy
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateIndex
  • bigquery.tables.updateTag

bigquery.transfers.*

  • bigquery.transfers.get
  • bigquery.transfers.update

bigquerymigration.translation.translate

cloudaicompanion.codeToolsSettings.*

  • cloudaicompanion.codeToolsSettings.create
  • cloudaicompanion.codeToolsSettings.delete
  • cloudaicompanion.codeToolsSettings.get
  • cloudaicompanion.codeToolsSettings.list
  • cloudaicompanion.codeToolsSettings.update

cloudaicompanion.companions.*

  • cloudaicompanion.companions.generateChat
  • cloudaicompanion.companions.generateCode

cloudaicompanion.dataSharingWithGoogleSettings.*

  • cloudaicompanion.dataSharingWithGoogleSettings.create
  • cloudaicompanion.dataSharingWithGoogleSettings.delete
  • cloudaicompanion.dataSharingWithGoogleSettings.get
  • cloudaicompanion.dataSharingWithGoogleSettings.list
  • cloudaicompanion.dataSharingWithGoogleSettings.update

cloudaicompanion.entitlements.get

cloudaicompanion.geminiGcpEnablementSettings.*

  • cloudaicompanion.geminiGcpEnablementSettings.create
  • cloudaicompanion.geminiGcpEnablementSettings.delete
  • cloudaicompanion.geminiGcpEnablementSettings.get
  • cloudaicompanion.geminiGcpEnablementSettings.list
  • cloudaicompanion.geminiGcpEnablementSettings.update

cloudaicompanion.instances.*

  • cloudaicompanion.instances.completeCode
  • cloudaicompanion.instances.completeTask
  • cloudaicompanion.instances.exportMetrics
  • cloudaicompanion.instances.generateCode
  • cloudaicompanion.instances.generateText
  • cloudaicompanion.instances.queryEffectiveSetting
  • cloudaicompanion.instances.queryEffectiveSettingBindings

cloudaicompanion.licenses.selfAssign

cloudaicompanion.loggingSettings.*

  • cloudaicompanion.loggingSettings.create
  • cloudaicompanion.loggingSettings.delete
  • cloudaicompanion.loggingSettings.get
  • cloudaicompanion.loggingSettings.list
  • cloudaicompanion.loggingSettings.update

cloudaicompanion.operations.get

cloudaicompanion.releaseChannelSettings.*

  • cloudaicompanion.releaseChannelSettings.create
  • cloudaicompanion.releaseChannelSettings.delete
  • cloudaicompanion.releaseChannelSettings.get
  • cloudaicompanion.releaseChannelSettings.list
  • cloudaicompanion.releaseChannelSettings.update

cloudaicompanion.settingBindings.*

  • cloudaicompanion.settingBindings.codeToolsSettingsCreate
  • cloudaicompanion.settingBindings.codeToolsSettingsDelete
  • cloudaicompanion.settingBindings.codeToolsSettingsGet
  • cloudaicompanion.settingBindings.codeToolsSettingsList
  • cloudaicompanion.settingBindings.codeToolsSettingsUpdate
  • cloudaicompanion.settingBindings.codeToolsSettingsUse
  • cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsCreate
  • cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsDelete
  • cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsGet
  • cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsList
  • cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsUpdate
  • cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsUse
  • cloudaicompanion.settingBindings.geminiGcpEnablementSettingsCreate
  • cloudaicompanion.settingBindings.geminiGcpEnablementSettingsDelete
  • cloudaicompanion.settingBindings.geminiGcpEnablementSettingsGet
  • cloudaicompanion.settingBindings.geminiGcpEnablementSettingsList
  • cloudaicompanion.settingBindings.geminiGcpEnablementSettingsUpdate
  • cloudaicompanion.settingBindings.geminiGcpEnablementSettingsUse
  • cloudaicompanion.settingBindings.loggingSettingsCreate
  • cloudaicompanion.settingBindings.loggingSettingsDelete
  • cloudaicompanion.settingBindings.loggingSettingsGet
  • cloudaicompanion.settingBindings.loggingSettingsList
  • cloudaicompanion.settingBindings.loggingSettingsUpdate
  • cloudaicompanion.settingBindings.loggingSettingsUse
  • cloudaicompanion.settingBindings.releaseChannelSettingsCreate
  • cloudaicompanion.settingBindings.releaseChannelSettingsDelete
  • cloudaicompanion.settingBindings.releaseChannelSettingsGet
  • cloudaicompanion.settingBindings.releaseChannelSettingsList
  • cloudaicompanion.settingBindings.releaseChannelSettingsUpdate
  • cloudaicompanion.settingBindings.releaseChannelSettingsUse

cloudaicompanion.topics.create

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.projects.get

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.reservations.get

compute.reservations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

dataform.*

  • dataform.commentThreads.create
  • dataform.commentThreads.delete
  • dataform.commentThreads.get
  • dataform.commentThreads.list
  • dataform.commentThreads.update
  • dataform.comments.create
  • dataform.comments.delete
  • dataform.comments.get
  • dataform.comments.list
  • dataform.comments.update
  • dataform.compilationResults.create
  • dataform.compilationResults.get
  • dataform.compilationResults.list
  • dataform.compilationResults.query
  • dataform.config.get
  • dataform.config.update
  • dataform.folders.addContents
  • dataform.folders.create
  • dataform.folders.delete
  • dataform.folders.get
  • dataform.folders.getIamPolicy
  • dataform.folders.move
  • dataform.folders.queryContents
  • dataform.folders.setIamPolicy
  • dataform.folders.update
  • dataform.locations.get
  • dataform.locations.list
  • dataform.operations.cancel
  • dataform.operations.delete
  • dataform.operations.get
  • dataform.operations.list
  • dataform.releaseConfigs.create
  • dataform.releaseConfigs.delete
  • dataform.releaseConfigs.get
  • dataform.releaseConfigs.list
  • dataform.releaseConfigs.update
  • dataform.repositories.commit
  • dataform.repositories.computeAccessTokenStatus
  • dataform.repositories.create
  • dataform.repositories.delete
  • dataform.repositories.fetchHistory
  • dataform.repositories.fetchRemoteBranches
  • dataform.repositories.get
  • dataform.repositories.getIamPolicy
  • dataform.repositories.list
  • dataform.repositories.move
  • dataform.repositories.queryDirectoryContents
  • dataform.repositories.readFile
  • dataform.repositories.scheduleRelease
  • dataform.repositories.scheduleWorkflow
  • dataform.repositories.setIamPolicy
  • dataform.repositories.update
  • dataform.teamFolders.create
  • dataform.teamFolders.delete
  • dataform.teamFolders.get
  • dataform.teamFolders.getIamPolicy
  • dataform.teamFolders.setIamPolicy
  • dataform.teamFolders.update
  • dataform.workflowConfigs.create
  • dataform.workflowConfigs.delete
  • dataform.workflowConfigs.get
  • dataform.workflowConfigs.list
  • dataform.workflowConfigs.update
  • dataform.workflowInvocations.cancel
  • dataform.workflowInvocations.create
  • dataform.workflowInvocations.delete
  • dataform.workflowInvocations.get
  • dataform.workflowInvocations.list
  • dataform.workflowInvocations.query
  • dataform.workspaces.commit
  • dataform.workspaces.create
  • dataform.workspaces.delete
  • dataform.workspaces.fetchFileDiff
  • dataform.workspaces.fetchFileGitStatuses
  • dataform.workspaces.fetchGitAheadBehind
  • dataform.workspaces.get
  • dataform.workspaces.getIamPolicy
  • dataform.workspaces.installNpmPackages
  • dataform.workspaces.list
  • dataform.workspaces.makeDirectory
  • dataform.workspaces.moveDirectory
  • dataform.workspaces.moveFile
  • dataform.workspaces.pull
  • dataform.workspaces.push
  • dataform.workspaces.queryDirectoryContents
  • dataform.workspaces.readFile
  • dataform.workspaces.removeDirectory
  • dataform.workspaces.removeFile
  • dataform.workspaces.reset
  • dataform.workspaces.searchFiles
  • dataform.workspaces.setIamPolicy
  • dataform.workspaces.writeFile

dataplex.datascans.*

  • dataplex.datascans.create
  • dataplex.datascans.delete
  • dataplex.datascans.get
  • dataplex.datascans.getData
  • dataplex.datascans.getIamPolicy
  • dataplex.datascans.list
  • dataplex.datascans.run
  • dataplex.datascans.setIamPolicy
  • dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

dataplex.projects.search

dataproc.batches.*

  • dataproc.batches.analyze
  • dataproc.batches.cancel
  • dataproc.batches.create
  • dataproc.batches.delete
  • dataproc.batches.get
  • dataproc.batches.list
  • dataproc.batches.sparkApplicationRead
  • dataproc.batches.sparkApplicationWrite

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

  • dataproc.sessionTemplates.create
  • dataproc.sessionTemplates.delete
  • dataproc.sessionTemplates.get
  • dataproc.sessionTemplates.list
  • dataproc.sessionTemplates.update

dataproc.sessions.*

  • dataproc.sessions.create
  • dataproc.sessions.delete
  • dataproc.sessions.get
  • dataproc.sessions.list
  • dataproc.sessions.sparkApplicationRead
  • dataproc.sessions.sparkApplicationWrite
  • dataproc.sessions.terminate

dataprocrm.nodePools.*

  • dataprocrm.nodePools.create
  • dataprocrm.nodePools.delete
  • dataprocrm.nodePools.deleteNodes
  • dataprocrm.nodePools.get
  • dataprocrm.nodePools.list
  • dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

  • dataprocrm.workloads.cancel
  • dataprocrm.workloads.create
  • dataprocrm.workloads.delete
  • dataprocrm.workloads.get
  • dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Studio User

(roles/bigquery.studioUser)

Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator,Notebook Runtime User and Dataproc Serverless Editor.

Lowest-level resources where you can grant this role:

  • Saved query
  • Data canvas
  • Data preparation
  • Pipeline
  • Repository

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

aiplatform.locations.get

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimes.assign

aiplatform.notebookRuntimes.get

aiplatform.notebookRuntimes.list

aiplatform.operations.list

bigquery.config.get

bigquery.jobs.create

bigquery.readsessions.*

  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.readsessions.update

cloudaicompanion.companions.*

  • cloudaicompanion.companions.generateChat
  • cloudaicompanion.companions.generateCode

cloudaicompanion.entitlements.get

cloudaicompanion.instances.*

  • cloudaicompanion.instances.completeCode
  • cloudaicompanion.instances.completeTask
  • cloudaicompanion.instances.exportMetrics
  • cloudaicompanion.instances.generateCode
  • cloudaicompanion.instances.generateText
  • cloudaicompanion.instances.queryEffectiveSetting
  • cloudaicompanion.instances.queryEffectiveSettingBindings

cloudaicompanion.licenses.selfAssign

cloudaicompanion.operations.get

cloudaicompanion.topics.create

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.projects.get

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

dataform.commentThreads.get

dataform.commentThreads.list

dataform.comments.get

dataform.comments.list

dataform.folders.create

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.repositories.create

dataform.repositories.list

dataplex.projects.search

dataproc.batches.*

  • dataproc.batches.analyze
  • dataproc.batches.cancel
  • dataproc.batches.create
  • dataproc.batches.delete
  • dataproc.batches.get
  • dataproc.batches.list
  • dataproc.batches.sparkApplicationRead
  • dataproc.batches.sparkApplicationWrite

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

  • dataproc.sessionTemplates.create
  • dataproc.sessionTemplates.delete
  • dataproc.sessionTemplates.get
  • dataproc.sessionTemplates.list
  • dataproc.sessionTemplates.update

dataproc.sessions.*

  • dataproc.sessions.create
  • dataproc.sessions.delete
  • dataproc.sessions.get
  • dataproc.sessions.list
  • dataproc.sessions.sparkApplicationRead
  • dataproc.sessions.sparkApplicationWrite
  • dataproc.sessions.terminate

dataprocrm.nodePools.*

  • dataprocrm.nodePools.create
  • dataprocrm.nodePools.delete
  • dataprocrm.nodePools.deleteNodes
  • dataprocrm.nodePools.get
  • dataprocrm.nodePools.list
  • dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

  • dataprocrm.workloads.cancel
  • dataprocrm.workloads.create
  • dataprocrm.workloads.delete
  • dataprocrm.workloads.get
  • dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery User

(roles/bigquery.user)

When granted on a dataset, this role provides the ability to read the dataset's metadata and listtables in the dataset.

When granted on a project, this role also provides the ability to run jobs, including queries,within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, andenumerate datasets within a project. Additionally, allows the creation of new datasets within theproject; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner)on these new datasets.

Lowest-level resources where you can grant this role:

  • Dataset
  • These resources within a dataset:
    • Routine

This role can also be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.jobs.create

bigquery.jobs.list

bigquery.models.list

bigquery.readsessions.*

  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.readsessions.update

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservationGroups.get

bigquery.reservationGroups.list

bigquery.reservations.get

bigquery.reservations.list

bigquery.reservations.listFailoverDatasets

bigquery.reservations.use

bigquery.routines.list

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.list

bigquery.transfers.get

bigquerymigration.translation.translate

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

dataform.folders.create

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.repositories.create

dataform.repositories.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Connection API roles

This table lists the predefined IAM roles and permissions forBigQuery Connection API. To search through all roles andpermissions, see therole and permission index.

RolePermissions

BigQuery Connection Service Agent

(roles/bigqueryconnection.serviceAgent)

Gives BigQuery Connection Service access to Cloud SQL instances in user projects.

Warning: Do not grant service agent roles to any principals exceptservice agents.

cloudsql.instances.connect

cloudsql.instances.get

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

telemetry.metrics.write

BigQuery Continuous Query roles

This table lists the predefined IAM roles and permissions forBigQuery Continuous Query. To search through all roles andpermissions, see therole and permission index.

RolePermissions

BigQuery Continuous Query Service Agent

(roles/bigquerycontinuousquery.serviceAgent)

Gives BigQuery Continuous Query access to the service accounts in the user project.

Warning: Do not grant service agent roles to any principals exceptservice agents.

iam.serviceAccounts.getAccessToken

BigQuery Data Policy roles

This table lists the predefined IAM roles and permissions forBigQuery Data Policy. To search through all roles andpermissions, see therole and permission index.

RolePermissions

BigQuery Data Policy Admin

(roles/bigquerydatapolicy.admin)

Role for managing Data Policies in BigQuery

This role can only be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.dataPolicies.attach

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

Masked Reader

(roles/bigquerydatapolicy.maskedReader)

Masked read access to sub-resources tagged by the policy tag associated with a data policy, forexample, BigQuery columns

This role can only be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.dataPolicies.maskedGet

Raw Data ReaderBeta

(roles/bigquerydatapolicy.rawDataReader)

Raw read access to sub-resources associated with a data policy, for example, BigQuery columns

This role can only be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.dataPolicies.getRawData

BigQuery Data Policy Viewer

(roles/bigquerydatapolicy.viewer)

Role for viewing Data Policies in BigQuery

This role can only be granted on Resource Manager resources (projects, folders, andorganizations).

bigquery.dataPolicies.get

bigquery.dataPolicies.list

BigQuery Data Transfer Service roles

This table lists the predefined IAM roles and permissions forBigQuery Data Transfer Service. To search through all roles and permissions, see therole and permission index.

RolePermissions

BigQuery Data Transfer Service Agent

(roles/bigquerydatatransfer.serviceAgent)

Gives BigQuery Data Transfer Service access to start BigQuery jobs in consumer project.

Warning: Do not grant service agent roles to any principals exceptservice agents.

bigquery.config.get

bigquery.connections.delegate

bigquery.jobs.create

compute.networkAttachments.get

compute.networkAttachments.update

compute.regionOperations.get

compute.subnetworks.use

dataform.folders.create

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.repositories.create

dataform.repositories.list

iam.serviceAccounts.getAccessToken

logging.logEntries.create

logging.logEntries.route

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

BigQuery Engine for Apache Flink roles

This table lists the predefined IAM roles and permissions forBigQuery Engine for Apache Flink. To search through all roles and permissions, see therole and permission index.

RolePermissions

Managed Flink AdminBeta

(roles/managedflink.admin)

Full access to Managed Flink resources.

managedflink.*

  • managedflink.deployments.create
  • managedflink.deployments.delete
  • managedflink.deployments.get
  • managedflink.deployments.list
  • managedflink.deployments.update
  • managedflink.jobs.create
  • managedflink.jobs.delete
  • managedflink.jobs.get
  • managedflink.jobs.list
  • managedflink.jobs.update
  • managedflink.locations.get
  • managedflink.locations.list
  • managedflink.operations.cancel
  • managedflink.operations.delete
  • managedflink.operations.get
  • managedflink.operations.list
  • managedflink.sessions.create
  • managedflink.sessions.delete
  • managedflink.sessions.get
  • managedflink.sessions.list
  • managedflink.sessions.update

resourcemanager.projects.get

resourcemanager.projects.list

Managed Flink DeveloperBeta

(roles/managedflink.developer)

Full access to Managed Flink Jobs and Sessions and read access to Deployments.

managedflink.deployments.get

managedflink.deployments.list

managedflink.jobs.*

  • managedflink.jobs.create
  • managedflink.jobs.delete
  • managedflink.jobs.get
  • managedflink.jobs.list
  • managedflink.jobs.update

managedflink.locations.*

  • managedflink.locations.get
  • managedflink.locations.list

managedflink.operations.get

managedflink.operations.list

managedflink.sessions.*

  • managedflink.sessions.create
  • managedflink.sessions.delete
  • managedflink.sessions.get
  • managedflink.sessions.list
  • managedflink.sessions.update

resourcemanager.projects.get

resourcemanager.projects.list

Managed Flink Service Agent

(roles/managedflink.serviceAgent)

Gives Managed Flink Service Agent access to Cloud Platform resources.

Warning: Do not grant service agent roles to any principals exceptservice agents.

compute.networkAttachments.create

compute.networkAttachments.delete

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkAttachments.update

compute.networks.get

compute.networks.list

compute.regionOperations.get

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

dns.networks.targetWithPeeringZone

managedkafka.clusters.get

managedkafka.clusters.list

managedkafka.clusters.update

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

serviceusage.services.use

storage.objects.get

Managed Flink ViewerBeta

(roles/managedflink.viewer)

Readonly access to Managed Flink resources.

managedflink.deployments.get

managedflink.deployments.list

managedflink.jobs.get

managedflink.jobs.list

managedflink.locations.*

  • managedflink.locations.get
  • managedflink.locations.list

managedflink.operations.get

managedflink.operations.list

managedflink.sessions.get

managedflink.sessions.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Migration Service roles

This table lists the predefined IAM roles and permissions forBigQuery Migration Service. To search through all roles and permissions, see therole and permission index.

RolePermissions

MigrationWorkflow Editor

(roles/bigquerymigration.editor)

Editor of EDW migration workflows.

bigquerymigration.subtasks.*

  • bigquerymigration.subtasks.get
  • bigquerymigration.subtasks.list

bigquerymigration.workflows.create

bigquerymigration.workflows.delete

bigquerymigration.workflows.enableAiOutputTypes

bigquerymigration.workflows.enableLineageOutputTypes

bigquerymigration.workflows.enableOutputTypePermissions

bigquerymigration.workflows.get

bigquerymigration.workflows.list

bigquerymigration.workflows.update

Task Orchestrator

(roles/bigquerymigration.orchestrator)

Orchestrator of EDW migration tasks.

bigquerymigration.workflows.orchestrateTask

storage.objects.list

Migration Translation User

(roles/bigquerymigration.translationUser)

User of EDW migration interactive SQL translation service.

bigquerymigration.translation.translate

MigrationWorkflow Viewer

(roles/bigquerymigration.viewer)

Viewer of EDW migration MigrationWorkflow.

bigquerymigration.subtasks.*

  • bigquerymigration.subtasks.get
  • bigquerymigration.subtasks.list

bigquerymigration.workflows.get

bigquerymigration.workflows.list

Task Worker

(roles/bigquerymigration.worker)

Worker that executes EDW migration subtasks.

storage.objects.create

storage.objects.get

storage.objects.list

BigQuery Omni roles

This table lists the predefined IAM roles and permissions forBigQuery Omni. To search through all roles and permissions, seetherole and permission index.

RolePermissions

BigQuery Omni Service Agent

(roles/bigqueryomni.serviceAgent)

Gives BigQuery Omni access to tables in user projects.

Warning: Do not grant service agent roles to any principals exceptservice agents.

bigquery.jobs.create

bigquery.tables.updateData

BigQuery sharing roles

This table lists the predefined IAM roles and permissions forBigQuery sharing. To search through all roles and permissions, see therole and permission index.

RolePermissions

Analytics Hub Admin

(roles/analyticshub.admin)

Administer Data Exchanges and Listings

analyticshub.dataExchanges.create

analyticshub.dataExchanges.delete

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.dataExchanges.setIamPolicy

analyticshub.dataExchanges.update

analyticshub.dataExchanges.viewSubscriptions

analyticshub.listings.create

analyticshub.listings.delete

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

analyticshub.listings.update

analyticshub.listings.viewSubscriptions

analyticshub.subscriptions.*

  • analyticshub.subscriptions.create
  • analyticshub.subscriptions.delete
  • analyticshub.subscriptions.get
  • analyticshub.subscriptions.list
  • analyticshub.subscriptions.update

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Listing Admin

(roles/analyticshub.listingAdmin)

Grants full control over the Listing, including updating, deleting and setting ACLs

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.delete

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

analyticshub.listings.update

analyticshub.listings.viewSubscriptions

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Publisher

(roles/analyticshub.publisher)

Can publish to Data Exchanges thus creating Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.create

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Subscriber

(roles/analyticshub.subscriber)

Can browse Data Exchanges and subscribe to Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.dataExchanges.subscribe

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.subscribe

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Subscription Owner

(roles/analyticshub.subscriptionOwner)

Grants full control over the Subscription, including updating and deleting

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.subscriptions.*

  • analyticshub.subscriptions.create
  • analyticshub.subscriptions.delete
  • analyticshub.subscriptions.get
  • analyticshub.subscriptions.list
  • analyticshub.subscriptions.update

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Viewer

(roles/analyticshub.viewer)

Can browse Data Exchanges and Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery permissions

The following tables list the permissions available inBigQuery. These are included in predefined roles and can be usedin custom role definitions. To search through all roles and permissions, see therole and permission index.

BigQuery permissions

This table lists the IAM permissions for BigQueryand the roles that include them. To search through all roles and permissions,see therole and permission index.

PermissionIncluded in roles

bigquery.bireservations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.bireservations.update

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.capacityCommitments.create

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.capacityCommitments.delete

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.capacityCommitments.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.capacityCommitments.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.capacityCommitments.update

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.config.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Job User (roles/bigquery.jobUser)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Studio User (roles/bigquery.studioUser)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.config.update

Owner (roles/owner)

Editor (roles/editor)

Assured Workloads Administrator (roles/assuredworkloads.admin)

Assured Workloads Editor (roles/assuredworkloads.editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.connections.create

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Connection Admin (roles/bigquery.connectionAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.connections.delegate

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Connection Admin (roles/bigquery.connectionAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.connections.delete

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Connection Admin (roles/bigquery.connectionAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.connections.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Connection Admin (roles/bigquery.connectionAdmin)

BigQuery Connection User (roles/bigquery.connectionUser)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Data Catalog Admin (roles/datacatalog.admin)

Data Catalog Viewer (roles/datacatalog.viewer)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.connections.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Connection Admin (roles/bigquery.connectionAdmin)

BigQuery Connection User (roles/bigquery.connectionUser)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.connections.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Connection Admin (roles/bigquery.connectionAdmin)

BigQuery Connection User (roles/bigquery.connectionUser)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.connections.setIamPolicy

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Connection Admin (roles/bigquery.connectionAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Security Admin (roles/iam.securityAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.connections.update

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Connection Admin (roles/bigquery.connectionAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.connections.updateTag

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Connection Admin (roles/bigquery.connectionAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Data Catalog Admin (roles/datacatalog.admin)

Data Catalog Tag Editor (roles/datacatalog.tagEditor)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.connections.use

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Connection Admin (roles/bigquery.connectionAdmin)

BigQuery Connection User (roles/bigquery.connectionUser)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.dataPolicies.attach

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Data Policy Admin (roles/bigquerydatapolicy.admin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.dataPolicies.create

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Data Policy Admin (roles/bigquerydatapolicy.admin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.dataPolicies.delete

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Data Policy Admin (roles/bigquerydatapolicy.admin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.dataPolicies.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Data Policy Admin (roles/bigquerydatapolicy.admin)

BigQuery Data Policy Viewer (roles/bigquerydatapolicy.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.dataPolicies.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Data Policy Admin (roles/bigquerydatapolicy.admin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.dataPolicies.getRawData

Raw Data Reader (roles/bigquerydatapolicy.rawDataReader)

bigquery.dataPolicies.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Data Policy Admin (roles/bigquerydatapolicy.admin)

BigQuery Data Policy Viewer (roles/bigquerydatapolicy.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.dataPolicies.maskedGet

Masked Reader (roles/bigquerydatapolicy.maskedReader)

bigquery.dataPolicies.setIamPolicy

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Data Policy Admin (roles/bigquerydatapolicy.admin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.dataPolicies.update

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Data Policy Admin (roles/bigquerydatapolicy.admin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.create

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Commerce Business Enablement Configuration Admin (roles/commercebusinessenablement.admin)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.createTagBinding

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Tag User (roles/resourcemanager.tagUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.delete

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.deleteTagBinding

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Tag User (roles/resourcemanager.tagUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Metadata Viewer (roles/bigquery.metadataViewer)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Authorized Routine Data Viewer (roles/bigquery.routineDataViewer)

BigQuery Authorized Routine Metadata Viewer (roles/bigquery.routineMetadataViewer)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Commerce Business Enablement Configuration Admin (roles/commercebusinessenablement.admin)

Data Catalog Admin (roles/datacatalog.admin)

Data Catalog Viewer (roles/datacatalog.viewer)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Reader (roles/dataplex.storageDataReader)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Metadata Viewer (roles/bigquery.metadataViewer)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.link

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.listEffectiveTags

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.listSharedDatasetUsage

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.listTagBindings

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.setIamPolicy

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.update

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Commerce Business Enablement Configuration Admin (roles/commercebusinessenablement.admin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.datasets.updateTag

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Data Catalog Admin (roles/datacatalog.admin)

Data Catalog Tag Editor (roles/datacatalog.tagEditor)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.jobs.create

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Job User (roles/bigquery.jobUser)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Studio User (roles/bigquery.studioUser)

BigQuery User (roles/bigquery.user)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.jobs.createGlobalQuery

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.jobs.delete

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.jobs.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.jobs.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.jobs.listAll

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.jobs.listExecutionMetadata

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.jobs.update

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.models.create

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.models.delete

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.models.export

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Reader (roles/dataplex.storageDataReader)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.models.getData

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Authorized Routine Data Viewer (roles/bigquery.routineDataViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Reader (roles/dataplex.storageDataReader)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.models.getMetadata

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Metadata Viewer (roles/bigquery.metadataViewer)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Authorized Routine Data Viewer (roles/bigquery.routineDataViewer)

BigQuery Authorized Routine Metadata Viewer (roles/bigquery.routineMetadataViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Data Catalog Admin (roles/datacatalog.admin)

Data Catalog Viewer (roles/datacatalog.viewer)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Reader (roles/dataplex.storageDataReader)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.models.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Metadata Viewer (roles/bigquery.metadataViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Reader (roles/dataplex.storageDataReader)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.models.updateData

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.models.updateMetadata

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.models.updateTag

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Data Catalog Admin (roles/datacatalog.admin)

Data Catalog Tag Editor (roles/datacatalog.tagEditor)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.objectRefs.read

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery ObjectRef Admin (roles/bigquery.objectRefAdmin)

BigQuery ObjectRef Reader (roles/bigquery.objectRefReader)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.objectRefs.write

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery ObjectRef Admin (roles/bigquery.objectRefAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.readsessions.create

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Read Session User (roles/bigquery.readSessionUser)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Studio User (roles/bigquery.studioUser)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.readsessions.getData

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Read Session User (roles/bigquery.readSessionUser)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Studio User (roles/bigquery.studioUser)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.readsessions.update

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Read Session User (roles/bigquery.readSessionUser)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Studio User (roles/bigquery.studioUser)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservationAssignments.create

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservationAssignments.delete

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservationAssignments.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservationAssignments.search

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservationGroups.create

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservationGroups.delete

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservationGroups.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservationGroups.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservations.create

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservations.delete

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservations.listFailoverDatasets

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Resource Viewer (roles/bigquery.resourceViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservations.update

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.reservations.use

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Resource Admin (roles/bigquery.resourceAdmin)

BigQuery Resource Editor (roles/bigquery.resourceEditor)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.routines.create

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.routines.delete

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.routines.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Metadata Viewer (roles/bigquery.metadataViewer)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Authorized Routine Data Viewer (roles/bigquery.routineDataViewer)

BigQuery Authorized Routine Metadata Viewer (roles/bigquery.routineMetadataViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Data Catalog Admin (roles/datacatalog.admin)

Data Catalog Viewer (roles/datacatalog.viewer)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Reader (roles/dataplex.storageDataReader)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.routines.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Metadata Viewer (roles/bigquery.metadataViewer)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Authorized Routine Data Viewer (roles/bigquery.routineDataViewer)

BigQuery Authorized Routine Metadata Viewer (roles/bigquery.routineMetadataViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Reader (roles/dataplex.storageDataReader)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.routines.update

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.routines.updateTag

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Data Catalog Admin (roles/datacatalog.admin)

Data Catalog Tag Editor (roles/datacatalog.tagEditor)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.rowAccessPolicies.create

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.rowAccessPolicies.delete

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.rowAccessPolicies.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.rowAccessPolicies.getFilteredData

BigQuery Filtered Data Viewer (roles/bigquery.filteredDataViewer)

bigquery.rowAccessPolicies.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.rowAccessPolicies.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.rowAccessPolicies.setIamPolicy

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.rowAccessPolicies.update

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.savedqueries.create

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.savedqueries.delete

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.savedqueries.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.savedqueries.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.savedqueries.update

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.create

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.createIndex

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.createSnapshot

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.createTagBinding

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Tag User (roles/resourcemanager.tagUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.delete

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.deleteIndex

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.deleteSnapshot

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.deleteTagBinding

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Tag User (roles/resourcemanager.tagUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.export

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Reader (roles/dataplex.storageDataReader)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.get

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Metadata Viewer (roles/bigquery.metadataViewer)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Authorized Routine Data Viewer (roles/bigquery.routineDataViewer)

BigQuery Authorized Routine Metadata Viewer (roles/bigquery.routineMetadataViewer)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Data Catalog Admin (roles/datacatalog.admin)

Data Catalog Viewer (roles/datacatalog.viewer)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Reader (roles/dataplex.storageDataReader)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.getData

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Authorized Routine Data Viewer (roles/bigquery.routineDataViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Reader (roles/dataplex.storageDataReader)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Metadata Viewer (roles/bigquery.metadataViewer)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.list

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Metadata Viewer (roles/bigquery.metadataViewer)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Authorized Routine Data Viewer (roles/bigquery.routineDataViewer)

BigQuery Authorized Routine Metadata Viewer (roles/bigquery.routineMetadataViewer)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Reader (roles/dataplex.storageDataReader)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.listEffectiveTags

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.listTagBindings

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.replicateData

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Data Viewer (roles/bigquery.dataViewer)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.restoreSnapshot

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.setCategory

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.setColumnDataPolicy

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.setIamPolicy

Owner (roles/owner)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.update

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.updateData

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Authorized Routine Admin (roles/bigquery.routineAdmin)

BigQuery Authorized Routine Data Editor (roles/bigquery.routineDataEditor)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Dataplex Storage Data Owner (roles/dataplex.storageDataOwner)

Dataplex Storage Data Writer (roles/dataplex.storageDataWriter)

Datastream Bigquery Writer (roles/datastream.bigqueryWriter)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.updateIndex

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.tables.updateTag

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Security Admin (roles/bigquery.securityAdmin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Data Catalog Admin (roles/datacatalog.admin)

Data Catalog Tag Editor (roles/datacatalog.tagEditor)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.transfers.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquery.transfers.update

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

BigQuery Connection API permissions

There are no IAM permissions for this service.

BigQuery Continuous Query permissions

There are no IAM permissions for this service.

BigQuery Data Policy permissions

There are no IAM permissions for this service.

BigQuery Data Transfer Service permissions

There are no IAM permissions for this service.

BigQuery Engine for Apache Flink permissions

This table lists the IAM permissions forBigQuery Engine for Apache Flink and the roles that include them. To search through allroles and permissions, see therole and permission index.

PermissionIncluded in roles

managedflink.deployments.create

Owner (roles/owner)

Editor (roles/editor)

Managed Flink Admin (roles/managedflink.admin)

managedflink.deployments.delete

Owner (roles/owner)

Editor (roles/editor)

Managed Flink Admin (roles/managedflink.admin)

managedflink.deployments.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

Managed Flink Viewer (roles/managedflink.viewer)

managedflink.deployments.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

Managed Flink Viewer (roles/managedflink.viewer)

managedflink.deployments.update

Owner (roles/owner)

Editor (roles/editor)

Managed Flink Admin (roles/managedflink.admin)

managedflink.jobs.create

Owner (roles/owner)

Editor (roles/editor)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

managedflink.jobs.delete

Owner (roles/owner)

Editor (roles/editor)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

managedflink.jobs.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

Managed Flink Viewer (roles/managedflink.viewer)

managedflink.jobs.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

Managed Flink Viewer (roles/managedflink.viewer)

managedflink.jobs.update

Owner (roles/owner)

Editor (roles/editor)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

managedflink.locations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

Managed Flink Viewer (roles/managedflink.viewer)

managedflink.locations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

Managed Flink Viewer (roles/managedflink.viewer)

managedflink.operations.cancel

Owner (roles/owner)

Editor (roles/editor)

Managed Flink Admin (roles/managedflink.admin)

managedflink.operations.delete

Owner (roles/owner)

Editor (roles/editor)

Managed Flink Admin (roles/managedflink.admin)

managedflink.operations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

Managed Flink Viewer (roles/managedflink.viewer)

managedflink.operations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

Managed Flink Viewer (roles/managedflink.viewer)

managedflink.sessions.create

Owner (roles/owner)

Editor (roles/editor)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

managedflink.sessions.delete

Owner (roles/owner)

Editor (roles/editor)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

managedflink.sessions.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

Managed Flink Viewer (roles/managedflink.viewer)

managedflink.sessions.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

Managed Flink Viewer (roles/managedflink.viewer)

managedflink.sessions.update

Owner (roles/owner)

Editor (roles/editor)

Managed Flink Admin (roles/managedflink.admin)

Managed Flink Developer (roles/managedflink.developer)

BigQuery Migration Service permissions

This table lists the IAM permissions forBigQuery Migration Service and the roles that include them. To search through allroles and permissions, see therole and permission index.

PermissionIncluded in roles

bigquerymigration.subtasks.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

MigrationWorkflow Editor (roles/bigquerymigration.editor)

MigrationWorkflow Viewer (roles/bigquerymigration.viewer)

Support User (roles/iam.supportUser)

bigquerymigration.subtasks.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

MigrationWorkflow Editor (roles/bigquerymigration.editor)

MigrationWorkflow Viewer (roles/bigquerymigration.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

bigquerymigration.translation.translate

Owner (roles/owner)

Editor (roles/editor)

BigQuery Admin (roles/bigquery.admin)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Migration Translation User (roles/bigquerymigration.translationUser)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Databases Admin (roles/iam.databasesAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

bigquerymigration.workflows.create

Owner (roles/owner)

Editor (roles/editor)

MigrationWorkflow Editor (roles/bigquerymigration.editor)

bigquerymigration.workflows.delete

Owner (roles/owner)

Editor (roles/editor)

MigrationWorkflow Editor (roles/bigquerymigration.editor)

bigquerymigration.workflows.enableAiOutputTypes

Owner (roles/owner)

Editor (roles/editor)

MigrationWorkflow Editor (roles/bigquerymigration.editor)

bigquerymigration.workflows.enableLineageOutputTypes

Owner (roles/owner)

Editor (roles/editor)

MigrationWorkflow Editor (roles/bigquerymigration.editor)

bigquerymigration.workflows.enableOutputTypePermissions

Owner (roles/owner)

Editor (roles/editor)

MigrationWorkflow Editor (roles/bigquerymigration.editor)

bigquerymigration.workflows.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

MigrationWorkflow Editor (roles/bigquerymigration.editor)

MigrationWorkflow Viewer (roles/bigquerymigration.viewer)

Support User (roles/iam.supportUser)

bigquerymigration.workflows.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

MigrationWorkflow Editor (roles/bigquerymigration.editor)

MigrationWorkflow Viewer (roles/bigquerymigration.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

bigquerymigration.workflows.orchestrateTask

Owner (roles/owner)

Task Orchestrator (roles/bigquerymigration.orchestrator)

bigquerymigration.workflows.update

Owner (roles/owner)

Editor (roles/editor)

MigrationWorkflow Editor (roles/bigquerymigration.editor)

BigQuery Omni permissions

There are no IAM permissions for this service.

BigQuery sharing permissions

This table lists the IAM permissions forBigQuery sharing and the roles that include them. To search through allroles and permissions, see therole and permission index.

PermissionIncluded in roles

analyticshub.dataExchanges.create

Owner (roles/owner)

Editor (roles/editor)

Analytics Hub Admin (roles/analyticshub.admin)

analyticshub.dataExchanges.delete

Owner (roles/owner)

Editor (roles/editor)

Analytics Hub Admin (roles/analyticshub.admin)

analyticshub.dataExchanges.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Listing Admin (roles/analyticshub.listingAdmin)

Analytics Hub Publisher (roles/analyticshub.publisher)

Analytics Hub Subscriber (roles/analyticshub.subscriber)

Analytics Hub Subscription Owner (roles/analyticshub.subscriptionOwner)

Analytics Hub Viewer (roles/analyticshub.viewer)

Support User (roles/iam.supportUser)

analyticshub.dataExchanges.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Listing Admin (roles/analyticshub.listingAdmin)

Analytics Hub Publisher (roles/analyticshub.publisher)

Analytics Hub Subscriber (roles/analyticshub.subscriber)

Analytics Hub Subscription Owner (roles/analyticshub.subscriptionOwner)

Analytics Hub Viewer (roles/analyticshub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

analyticshub.dataExchanges.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Listing Admin (roles/analyticshub.listingAdmin)

Analytics Hub Publisher (roles/analyticshub.publisher)

Analytics Hub Subscriber (roles/analyticshub.subscriber)

Analytics Hub Subscription Owner (roles/analyticshub.subscriptionOwner)

Analytics Hub Viewer (roles/analyticshub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

analyticshub.dataExchanges.setIamPolicy

Owner (roles/owner)

Analytics Hub Admin (roles/analyticshub.admin)

Security Admin (roles/iam.securityAdmin)

analyticshub.dataExchanges.subscribe

Owner (roles/owner)

Analytics Hub Subscriber (roles/analyticshub.subscriber)

analyticshub.dataExchanges.update

Owner (roles/owner)

Editor (roles/editor)

Analytics Hub Admin (roles/analyticshub.admin)

analyticshub.dataExchanges.viewSubscriptions

Owner (roles/owner)

Analytics Hub Admin (roles/analyticshub.admin)

analyticshub.listings.create

Owner (roles/owner)

Editor (roles/editor)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Publisher (roles/analyticshub.publisher)

analyticshub.listings.delete

Owner (roles/owner)

Editor (roles/editor)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Listing Admin (roles/analyticshub.listingAdmin)

analyticshub.listings.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Listing Admin (roles/analyticshub.listingAdmin)

Analytics Hub Publisher (roles/analyticshub.publisher)

Analytics Hub Subscriber (roles/analyticshub.subscriber)

Analytics Hub Subscription Owner (roles/analyticshub.subscriptionOwner)

Analytics Hub Viewer (roles/analyticshub.viewer)

Support User (roles/iam.supportUser)

analyticshub.listings.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Listing Admin (roles/analyticshub.listingAdmin)

Analytics Hub Publisher (roles/analyticshub.publisher)

Analytics Hub Subscriber (roles/analyticshub.subscriber)

Analytics Hub Subscription Owner (roles/analyticshub.subscriptionOwner)

Analytics Hub Viewer (roles/analyticshub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

analyticshub.listings.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Listing Admin (roles/analyticshub.listingAdmin)

Analytics Hub Publisher (roles/analyticshub.publisher)

Analytics Hub Subscriber (roles/analyticshub.subscriber)

Analytics Hub Subscription Owner (roles/analyticshub.subscriptionOwner)

Analytics Hub Viewer (roles/analyticshub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

analyticshub.listings.setIamPolicy

Owner (roles/owner)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Listing Admin (roles/analyticshub.listingAdmin)

Security Admin (roles/iam.securityAdmin)

analyticshub.listings.subscribe

Owner (roles/owner)

Analytics Hub Subscriber (roles/analyticshub.subscriber)

analyticshub.listings.update

Owner (roles/owner)

Editor (roles/editor)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Listing Admin (roles/analyticshub.listingAdmin)

analyticshub.listings.viewSubscriptions

Owner (roles/owner)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Listing Admin (roles/analyticshub.listingAdmin)

analyticshub.subscriptions.create

Owner (roles/owner)

Editor (roles/editor)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Subscription Owner (roles/analyticshub.subscriptionOwner)

analyticshub.subscriptions.delete

Owner (roles/owner)

Editor (roles/editor)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Subscription Owner (roles/analyticshub.subscriptionOwner)

analyticshub.subscriptions.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Subscription Owner (roles/analyticshub.subscriptionOwner)

Support User (roles/iam.supportUser)

analyticshub.subscriptions.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Subscription Owner (roles/analyticshub.subscriptionOwner)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

analyticshub.subscriptions.update

Owner (roles/owner)

Editor (roles/editor)

Analytics Hub Admin (roles/analyticshub.admin)

Analytics Hub Subscription Owner (roles/analyticshub.subscriptionOwner)

Permissions for BigQuery ML tasks

The following table describes the permissions needed for commonBigQuery ML tasks.

PermissionDescription
bigquery.jobs.create
bigquery.models.create
bigquery.models.getData
bigquery.models.updateData
Create a new model usingCREATE MODEL statement
bigquery.jobs.create
bigquery.models.create
bigquery.models.getData
bigquery.models.updateData
bigquery.models.updateMetadata
Replace an existing model usingCREATE OR REPLACE MODEL statement
bigquery.models.deleteDelete model usingmodels.delete API
bigquery.jobs.create
bigquery.models.delete
Delete model usingDROP MODEL statement
bigquery.models.getMetadataGet model metadata usingmodels.get API
bigquery.models.listList models and metadata on models usingmodels.list API
bigquery.models.updateMetadataUpdate model metadata usingmodels.delete API. If setting or updating a non-zero expiration time for Model,bigquery.models.delete permission is also needed
bigquery.jobs.create
bigquery.models.getData		Perform evaluation, prediction and model and feature inspections using functions such asML.EVALUATE,ML.PREDICT,ML.TRAINING_INFO, andML.WEIGHTS.
bigquery.jobs.create
bigquery.models.export		Export a model
bigquery.models.updateTagUpdateData Catalog tags for a model.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-16 UTC.