Basic roles and permissions

BigQuery supports IAM basic roles for project-level access.

Caution: Avoid using basic roles. They predate IAM and grant excessive and uneven access. Use predefined IAM roles instead.

Basic roles for projects

By default, granting access to a project also grants access to datasets within it. Default access can be overridden on a per-dataset basis. The following table describes what access is granted to members of the basic IAM roles.

Basic role | Capabilities
Viewer
  • Can start a job in the project. Additional dataset roles are required depending on the job type.
  • Can list and get all jobs, and update jobs that they started for the project
  • If you create a dataset in a project that contains any viewers, BigQuery grants those users the bigquery.dataViewer predefined role for the new dataset.
Editor
  • Same as Viewer, plus:
    • Can create a new dataset in the project
    • If you create a dataset in a project that contains any editors, BigQuery grants those users the bigquery.dataEditor predefined role for the new dataset.
Owner
  • Same as Editor, plus:
    • Can revoke or change any project role
    • Can list all datasets in the project
    • Can delete any dataset in the project
    • Can list and get all jobs run on the project, including jobs run by other project users
    • If you create a dataset, BigQuery grants all project owners the bigquery.dataOwner predefined role for the new dataset.

      Exception: When a user runs a query, an anonymous dataset is created to store the cached results table. Only the user that runs the query is given OWNER access to the anonymous dataset.

Don't confuse the OWNER basic role with the BigQuery Admin (roles/bigquery.admin) IAM role. BigQuery Admin provides a number of permissions that aren't granted by the OWNER basic role. If you're granting project-level access to BigQuery, use IAM roles instead of basic roles.

Basic roles for projects are granted or revoked through the Google Cloud console. When a project is created, the Owner role is granted to the user who created the project.

For more information about how to grant or revoke access for project roles, see Granting, changing, and revoking access to resources in the IAM documentation.

Basic roles for datasets

The following basic roles apply at the dataset level.

Dataset role | Capabilities
READER
  • Can read, query, copy or export tables in the dataset. Can read routines in the dataset
    • Can call get on the dataset
    • Can call get and list on tables in the dataset
    • Can call get and list on routines in the dataset
    • Can call list on table data for tables in the dataset
The BigQuery Data Viewer (roles/bigquery.dataViewer) predefined IAM role is mapped to the READER BigQuery basic role. When you grant BigQuery Data Viewer to a principal at the dataset level, the principal is granted READER access to the dataset.
WRITER
  • Same as READER, plus:
The BigQuery Data Editor (roles/bigquery.dataEditor) predefined IAM role is mapped to the WRITER BigQuery basic role. When you grant BigQuery Data Editor to a principal at the dataset level, the principal is granted WRITER access to the dataset.
OWNER
  • Same as WRITER, plus:

A dataset must have at least one entity with the OWNER role. A user with the OWNER role can't remove their own OWNER role.

The BigQuery Data Owner (roles/bigquery.dataOwner) predefined IAM role is mapped to the OWNER BigQuery basic role. When you grant BigQuery Data Owner to a principal at the dataset level, the principal is granted OWNER access to the dataset.

For more information on assigning roles at the dataset level, see Controlling access to datasets.

When you create a new dataset, BigQuery adds default dataset access for the following entities. Roles that you specify on dataset creation overwrite the default values.

Entity | Dataset role
All users with Viewer access to the project | READER
All users with Editor access to the project | WRITER
All users with Owner access to the project, and the dataset creator | OWNER

Exception: When a user runs a query, an anonymous dataset is created to store the cached results table. Only the user that runs the query is given OWNER access to the anonymous dataset.
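The following added example (not part of the original documentation and not Google's code) audits a dataset resource for the default entries described above, reports the predefined IAM role each basic role maps to, and checks that an OWNER would remain if the inherited entries were removed. It assumes the dataset resource shape returned by the BigQuery API, where these default entities appear in the `access` list as `specialGroup` values `projectReaders`, `projectWriters` and `projectOwners`; the sample dataset and e-mail address are constructed.

```python
import json

# Mapping stated on this page: dataset basic role -> predefined IAM role.
BASIC_TO_PREDEFINED = {
    "READER": "roles/bigquery.dataViewer",
    "WRITER": "roles/bigquery.dataEditor",
    "OWNER": "roles/bigquery.dataOwner",
}
# specialGroup values used by the BigQuery API for the default project entities.
PROJECT_GROUPS = {
    "projectReaders": "project Viewers",
    "projectWriters": "project Editors",
    "projectOwners": "project Owners",
}

def audit_dataset_access(dataset):
    """Return (findings, remaining) for one dataset resource dict.

    findings:  access entries inherited from project-level basic roles.
    remaining: the access list with those inherited entries dropped.
    """
    findings, remaining = [], []
    for entry in dataset.get("access", []):
        group = entry.get("specialGroup")
        if group in PROJECT_GROUPS:
            role = entry.get("role", "")
            findings.append({
                "dataset": dataset["datasetReference"]["datasetId"],
                "principal": PROJECT_GROUPS[group],
                "basic_role": role,
                "predefined_equivalent": BASIC_TO_PREDEFINED.get(role, role),
            })
        else:
            remaining.append(entry)
    return findings, remaining

def has_owner(access):
    """A dataset must keep at least one entity with the OWNER role."""
    return any(e.get("role") in ("OWNER", "roles/bigquery.dataOwner") for e in access)

# Constructed sample: a dataset created with default access plus its creator.
SAMPLE = json.loads("""
{"datasetReference": {"projectId": "example-project", "datasetId": "sales"},
 "access": [
  {"role": "READER", "specialGroup": "projectReaders"},
  {"role": "WRITER", "specialGroup": "projectWriters"},
  {"role": "OWNER",  "specialGroup": "projectOwners"},
  {"role": "OWNER",  "userByEmail": "creator@example.com"}
 ]}
""")
```

Run `audit_dataset_access` over each dataset's JSON and only replace the inherited entries with explicit predefined-role grants when `has_owner(remaining)` is true.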


Last updated 2025-12-15 UTC.