Control access with IAM
This document shows you how to do the following in Dataform:
- Grant Dataform required access.
- Control access to Dataform with IAM.
- Control access to individual tables with IAM.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
  Roles required to select or create a project:
  - Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the BigQuery and Dataform APIs.
  Roles required to enable APIs: To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Grant Dataform the required access
This section shows you how to grant the Identity and Access Management (IAM) roles that Dataform service agents and custom service accounts require to run workflows in BigQuery.
About custom service accounts and Dataform service agents
You can configure custom service accounts to run workflows on your behalf in the following ways:
- At the repository level, to run all the workflows in a given repository.
- Individually for each workflow configuration.
When you create a Dataform repository or workflow configuration, you can select any service account that you have act-as permissions on. You must configure the required permissions for all the service accounts associated with your Dataform resources.
Important: We recommend enabling strict act-as mode, as this helps to ensure a more secure and predictable permissions model for your Dataform projects.
When you create your first Dataform repository, Dataform automatically generates a default service agent. Dataform uses the default service agent to interact with BigQuery on your behalf.
Your default Dataform service agent ID is in the following format:
```
service-PROJECT_NUMBER@gcp-sa-dataform.iam.gserviceaccount.com
```
Replace PROJECT_NUMBER with the numeric ID of your Google Cloud project. You can find your Google Cloud project number in the Google Cloud console dashboard. For more information, see Identifying projects.
Required roles for Dataform service agents, custom service accounts, and Google Accounts
Default Dataform service agents, custom service accounts, and Google Account user credentials (Preview) used to authenticate in Dataform require the following BigQuery IAM roles to be able to run workflows in BigQuery:
- BigQuery Data Editor on projects to which Dataform needs both read and write access. These usually include the project hosting your Dataform repository.
- BigQuery Data Viewer on projects to which Dataform needs read-only access.
- BigQuery Job User on the project hosting your Dataform repository.
- BigQuery Data Owner if you want to query BigQuery datasets.
- BigQuery roles for column-level access control if you want to use BigQuery policy tags.
Additionally, grant the following roles to the default Dataform service agent on the effective service account for the workflow configuration:
- Service Account User (roles/iam.serviceAccountUser)
- Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
For automatic repository releases and automatic workflow runs, grant the default Dataform service agent the iam.serviceAccounts.actAs permission on the effective service account.
Security considerations
Granting the roles required by Dataform to a Dataform service agent, custom service account, or a user's Google Account (Preview) comes with the following security considerations:
- Any service agent or service account granted the required roles might gain access to BigQuery or Secret Manager in the project that the service agent or service account belongs to, regardless of VPC Service Controls. Requests originating from Dataform that use a service agent with the required roles are within the VPC Service Controls perimeter of the project that the Dataform repository belongs to. For more information, see Configure VPC Service Controls.
- Any user who has the dataform.repositories.create IAM permission can run code using the default Dataform service agent and all the permissions granted to that service agent or service account. For more information, see Security considerations for Dataform permissions.
- To restrict the data that a user, service agent, or service account can read or write in BigQuery, you can grant granular BigQuery IAM permissions to selected BigQuery datasets or tables. For more information, see Controlling access to datasets and Controlling access to tables and views.
- To prevent users from performing actions while using the Google Account user credentials of another user, the following restrictions are enforced:
  - To modify a workflow configuration with another Google Account user's credentials attached to it, you need to attach your own Google Account user credentials to the workflow configuration or change the workflow configuration to authenticate with a Dataform service agent or custom service account.
  - You can't modify a compilation result for a release configuration if there are workflow configurations referencing the release configuration that have another Google Account user's credentials attached.
- You can't set a workflow configuration to authenticate with Google Account user credentials and reference a release configuration with a schedule. This limitation has the following consequences:
  - You can't update a release configuration to use a schedule if there are workflow configurations referencing the release configuration that are set to authenticate with Google Account user credentials.
  - You can't create a workflow configuration that authenticates with Google Account user credentials and points to a release configuration with a schedule.
  - You can't create or update a workflow configuration to use Google Account user credentials and point to a release configuration with a schedule.
Grant the required BigQuery roles
To grant the required BigQuery IAM roles to your default Dataform service agent, a custom service account that you want to use in Dataform, or a user's Google Account that you want to use to authenticate in Dataform (Preview), follow these steps:
1. In the Google Cloud console, go to the Dataform page.
2. Select or create a repository.
3. In the Google Cloud console, go to the IAM page.
4. Click Grant Access.
5. In the New principals field, enter the service agent ID, service account ID, or the user's Google Account email (Preview).
6. In the Select a role list, select the BigQuery Job User role.
7. Click Add another role, and then in the Select a role list, select the BigQuery Data Editor role.
8. Click Add another role, and then in the Select a role list, select the BigQuery Data Viewer role.
9. Click Save.
Grant roles required for automatic workflows
To use a custom service account in Dataform, the default Dataform service agent must be able to access the custom service account. This lets Dataform run your workflows using the permissions defined on your custom service account instead of on the default service agent's account.
To grant this access, you need to grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to the default Dataform service agent as the principal. This lets the default Dataform service agent impersonate the service account by creating short-lived credentials known as tokens. These tokens are required for Dataform to run workflows using the custom service account's identity.
You also need to grant the Service Account User role (roles/iam.serviceAccountUser) to the default Dataform service agent. This lets the default Dataform service agent start new automatic workflow runs for workflow configurations that are run by the custom service account.
To grant the default Dataform service agent access to a custom service account, follow these steps:
1. In the Google Cloud console, go to IAM > Service accounts.
2. Select a project.
3. On the Service accounts for project "PROJECT_NAME" page, select your custom service account.
4. Go to Principals with access, and then click Grant Access.
5. In the New principals field, enter your default Dataform service agent ID. Your default Dataform service agent ID is in the following format: service-PROJECT_NUMBER@gcp-sa-dataform.iam.gserviceaccount.com
6. In the Select a role list, select the Service Account Token Creator role and the Service Account User role.
7. Click Save.
The custom service account is now ready to be configured within your Dataform repository.
Audit service account configurations
This section shows you how to audit your Dataform resources to ensure proper service account usage and permission grants. Auditing is especially important when using custom service accounts, as they require specific permissions for the default Dataform service agent to operate.
When using a custom service account for a Dataform repository or workflow configuration, you must verify that the default Dataform service agent has the Service Account User role (roles/iam.serviceAccountUser) on the custom service account. This role grants the iam.serviceAccounts.actAs permission, which lets scheduled runs, initiated by the default Dataform service agent, impersonate the custom service account. Additionally, verify that the default Dataform service agent has the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on the effective service account.
Verify repository service accounts
First, identify the dataform.Repository assets that are in scope for Dataform's own scheduling and execution. Then, verify the service account configurations for those in-scope repositories.
1. Use Cloud Asset Inventory to list all the resources of the dataform.Repository type. For more information, see View your assets.
2. For each repository in the Cloud Asset Inventory output, check the resource.data.labels field to determine if it's in scope. The exact path might vary slightly based on your export format.
3. Identify out-of-scope repositories by inspecting the labels map for the single-file-asset-type key. The presence of this key indicates that the repository is used by a BigQuery feature. If the value is sql or data_canvas, the repository can be excluded from the service account permission checks. The remaining repositories lacking this key or these values are in scope for the service account permission checks.
4. For each in-scope repository, check the resource.data.serviceAccount field in the Cloud Asset Inventory output to determine if a custom service account is configured:
   - If the resource.data.serviceAccount field is present and its value is different from the project's default Dataform service agent email address, then the repository uses a custom service account.
   - If the resource.data.serviceAccount field is absent, or if the field's value matches the project's default Dataform service agent, then the repository uses the default service agent.
   Note: If you expect a custom service account to be configured but the resource.data.serviceAccount field is absent, first double-check the repository's configuration in the Google Cloud console. If the service account is configured on the repository but not appearing in the Cloud Asset Inventory output, contact Cloud Customer Care.
5. If a custom service account is used, verify that the default Dataform service agent has both the Service Account User role (roles/iam.serviceAccountUser) and the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on that custom service account.
Verify workflow configuration service accounts
Using dedicated custom service accounts for Dataform workflow configurations is a security best practice, aligning with the principle of least privilege.
To verify service account usage for dataform.WorkflowConfig resources, do the following:
1. Use Cloud Asset Inventory to list all resources of the dataform.WorkflowConfig type.
2. For each workflow configuration, examine the Cloud Asset Inventory output to determine the effective service account:
   - If the resource.data.serviceAccount field is present, this value is the email address of the service account explicitly set on the workflow configuration.
   - If the resource.data.serviceAccount field is absent, the workflow configuration inherits the service account from its parent repository. Check the parent repository's configuration to find the effective service account.
3. Identify if a custom service account is being used by comparing the email address of the effective service account with the email address of the project's default Dataform service agent. If they are different, a custom service account is in use.
4. If a custom service account is in use, ensure that the default Dataform service agent has both the Service Account User role (roles/iam.serviceAccountUser) and the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) granted on that custom service account. These permissions let the default Dataform service agent initiate workflow executions impersonating the custom service account.
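The repository and workflow-configuration checks above are mechanical enough to script. The following added example (not Dataform's own tooling, and not code from this page) applies both procedures to a Cloud Asset Inventory export: it excludes repositories labelled single-file-asset-type with a value of sql or data_canvas, resolves each workflow configuration's effective service account by falling back to its parent repository, and lists every custom service account on which the default Dataform service agent must hold the Service Account User and Service Account Token Creator roles. The asset-type strings, the asset-name layout, and the JSON-lines export format are assumptions of this example; the sample records are constructed.

```python
"""Audit Dataform service account usage from a Cloud Asset Inventory export.

Added example (not Dataform's own code). Assumptions: asset types are
"dataform.googleapis.com/Repository" and "dataform.googleapis.com/WorkflowConfig";
asset names end in /repositories/REPO or /repositories/REPO/workflowConfigs/NAME;
the export holds one JSON object per line.
"""
import json

SERVICE_AGENT_FORMAT = "service-{project_number}@gcp-sa-dataform.iam.gserviceaccount.com"
REPO_ASSET_TYPE = "dataform.googleapis.com/Repository"          # assumed asset type
WORKFLOW_ASSET_TYPE = "dataform.googleapis.com/WorkflowConfig"  # assumed asset type
SCOPE_LABEL = "single-file-asset-type"
EXCLUDED_LABEL_VALUES = {"sql", "data_canvas"}

# Constructed sample export (not a real project): one asset record per line.
SAMPLE_EXPORT = """
{"name": "//dataform.googleapis.com/projects/example-project/locations/us-central1/repositories/analytics", "assetType": "dataform.googleapis.com/Repository", "resource": {"data": {"serviceAccount": "dataform-runner@example-project.iam.gserviceaccount.com"}}}
{"name": "//dataform.googleapis.com/projects/example-project/locations/us-central1/repositories/adhoc-sql", "assetType": "dataform.googleapis.com/Repository", "resource": {"data": {"labels": {"single-file-asset-type": "sql"}}}}
{"name": "//dataform.googleapis.com/projects/example-project/locations/us-central1/repositories/marketing", "assetType": "dataform.googleapis.com/Repository", "resource": {"data": {"serviceAccount": "service-123456789012@gcp-sa-dataform.iam.gserviceaccount.com"}}}
{"name": "//dataform.googleapis.com/projects/example-project/locations/us-central1/repositories/marketing/workflowConfigs/nightly", "assetType": "dataform.googleapis.com/WorkflowConfig", "resource": {"data": {"serviceAccount": "marketing-wf@example-project.iam.gserviceaccount.com"}}}
{"name": "//dataform.googleapis.com/projects/example-project/locations/us-central1/repositories/analytics/workflowConfigs/hourly", "assetType": "dataform.googleapis.com/WorkflowConfig", "resource": {"data": {}}}
{"name": "//dataform.googleapis.com/projects/example-project/locations/us-central1/repositories/marketing/workflowConfigs/weekly", "assetType": "dataform.googleapis.com/WorkflowConfig", "resource": {"data": {}}}
"""


def load_assets(text):
    """Parse a JSON-lines export into a list of asset dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def resource_data(asset):
    return (asset.get("resource") or {}).get("data") or {}


def repository_in_scope(asset):
    """A repository labelled single-file-asset-type=sql or data_canvas backs a
    BigQuery feature and is excluded; every other repository is in scope."""
    value = (resource_data(asset).get("labels") or {}).get(SCOPE_LABEL)
    return value is None or value not in EXCLUDED_LABEL_VALUES


def repository_service_account(asset, service_agent):
    """Return (effective email, is_custom). An absent field, or one equal to
    the default service agent, means the repository runs as the agent."""
    configured = resource_data(asset).get("serviceAccount")
    if not configured or configured == service_agent:
        return service_agent, False
    return configured, True


def parent_repository(workflow_asset):
    """Workflow configs inherit from the repository named in their asset name."""
    return workflow_asset["name"].rsplit("/workflowConfigs/", 1)[0]


def audit(assets, project_number):
    """Map each custom service account to the resources that run as it."""
    service_agent = SERVICE_AGENT_FORMAT.format(project_number=project_number)
    report = {"service_agent": service_agent, "excluded_repositories": [],
              "custom_service_accounts": {}, "unresolved_workflow_configs": []}

    def needs_check(email, resource_name):
        report["custom_service_accounts"].setdefault(email, []).append(resource_name)

    repos = {a["name"]: a for a in assets if a.get("assetType") == REPO_ASSET_TYPE}
    for name, repo in repos.items():
        if not repository_in_scope(repo):
            report["excluded_repositories"].append(name)
            continue
        email, is_custom = repository_service_account(repo, service_agent)
        if is_custom:
            needs_check(email, name)

    for wf in (a for a in assets if a.get("assetType") == WORKFLOW_ASSET_TYPE):
        email = resource_data(wf).get("serviceAccount")
        if not email:  # inherit from the parent repository
            parent = repos.get(parent_repository(wf))
            if parent is None:
                report["unresolved_workflow_configs"].append(wf["name"])
                continue
            email, _ = repository_service_account(parent, service_agent)
        if email != service_agent:
            needs_check(email, wf["name"])
    return report


if __name__ == "__main__":
    result = audit(load_assets(SAMPLE_EXPORT), "123456789012")
    for email, resources in result["custom_service_accounts"].items():
        print(f"verify {result['service_agent']} holds roles/iam.serviceAccountUser and "
              f"roles/iam.serviceAccountTokenCreator on {email} (used by: {', '.join(resources)})")
    print("excluded repositories:", result["excluded_repositories"])
```

The report is the worklist for the IAM checks in steps 4 and 5: each key in `custom_service_accounts` is a service account whose IAM policy must contain the two role bindings for the default service agent, and `unresolved_workflow_configs` flags configurations whose parent repository was missing from the export and must be checked in the console.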
Control access to Dataform with IAM
This section describes the access control options for Dataform and shows you how to view and grant Dataform roles. Dataform uses Identity and Access Management (IAM) for access control. For more information about roles and permissions in IAM, see IAM roles and permissions index.
Predefined Dataform roles
The following table lists the predefined roles that give you access to Dataform resources:
| Role | Permissions |
|---|---|
| Dataform Admin | Full access to all Dataform resources. |
| Code Commenter (Beta) | Permissions to comment, at the repository level. Grants CRUD access over commentThread and comment resources. |
| Code Creator | Access only to private and shared code resources. The permissions in the Code Creator role let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you. |
| Code Editor | Edit access to code resources. |
| Code Owner | Full access to code resources. |
| Code Scheduler (Beta) | Access for scheduling workflows and releases. |
| Code Viewer | Read-only access to all code resources. |
| Dataform Editor | Edit access to workspaces and read-only access to repositories. |
| Dataform Service Agent | Gives permission for the Dataform API to access a secret from Secret Manager. Warning: Do not grant service agent roles to any principals except service agents. |
| Team Folder Commenter (Beta) | View and comment access to a team folder and its contents. |
| Team Folder Contributor (Beta) | Edit access to a team folder and its contents. |
| Team Folder Creator (Beta) | Access to create new team folders. |
| Team Folder Owner (Beta) | Full access to a team folder and its contents. Can share the team folder and its contents. |
| Team Folder Viewer (Beta) | View access to a team folder and its contents. |
| Dataform Viewer | Read-only access to all Dataform resources. |
Custom Dataform roles
Custom roles can include any permissions that you specify. You can create custom roles that include permissions to perform specific administrative operations, like creating development workspaces or creating files and directories within a development workspace. To create custom roles, see Creating and managing custom roles.
Security considerations for Dataform permissions
Any user who has the dataform.repositories.create permission can run code in BigQuery using the default Dataform service agent and all permissions granted to that service agent. This includes execution of Dataform workflows.
The dataform.repositories.create permission is included in the following IAM roles:
- BigQuery Admin (roles/bigquery.admin)
- BigQuery Job User (roles/bigquery.jobUser)
- BigQuery Studio User (roles/bigquery.studioUser)
- BigQuery User (roles/bigquery.user)
- Code Creator (roles/dataform.codeCreator)
- Code Editor (roles/dataform.codeEditor)
- Code Owner (roles/dataform.codeOwner)
- Colab Enterprise User (roles/aiplatform.colabEnterpriseUser)
- Dataform Admin (roles/dataform.admin)
To restrict the data that a user, service agent, or service account can read or write in BigQuery, you can grant granular BigQuery IAM permissions to selected BigQuery datasets or tables. For more information, see Controlling access to datasets and Controlling access to tables and views.
For more information about the default Dataform service agent and the roles and permissions it requires, see Grant Dataform required access.
View Dataform roles
Within the Google Cloud console, perform the following steps:
1. Go to the IAM & Admin > Roles page.
2. In the Filter field, select Used in, type Dataform, and then press Enter.
3. Click one of the listed roles to view the permissions of the role in the right pane.
For example, the Dataform Admin role has full access to all Dataform resources.
For more information about granting a role on a project, see Grant a role. You can grant predefined or custom roles in this way.
Control access to an individual repository
To control access to Dataform with granular permissions, you can set Dataform IAM roles on individual repositories by using the Dataform API repositories.setIamPolicy request.
To set Dataform IAM roles on an individual Dataform repository, follow these steps:
1. In the terminal, pass the Dataform API repositories.setIamPolicy request with an access policy. In the policy, bind a user, group, domain, service agent, or service account to a selected role in the following format:
```json
{
  "policy": {
    "bindings": [
      {
        "role": "roles/ROLE",
        "members": [
          "TYPE:IDENTIFIER"
        ]
      }
    ]
  }
}
```
   Replace the following:
   - ROLE: the Dataform IAM role that you want to grant on the repository.
   - TYPE: user, group, domain, or serviceAccount.
   - IDENTIFIER: the user, group, domain, or service account that you want to grant the role to.
2. In the IAM page, ensure that all users can view the full list of Dataform repositories through a Dataform role with the dataform.repositories.list permission.
3. In IAM, ensure that only users who require full access to all Dataform repositories are granted the Dataform Admin role on all repositories.
The following command passes the repositories.setIamPolicy Dataform API request that grants the Dataform Editor role on the sales repository to a single user (the request must carry an OAuth access token, here obtained from gcloud):
```shell
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" -X POST \
  -d '{ "policy": { "bindings": [{ "role": "roles/dataform.editor", "members": ["user:sasha@examplepetstore.com"]}] }}' \
  "https://dataform.googleapis.com/v1/projects/examplepetstore/locations/us-central1/repositories/sales:setIamPolicy"
```
Grant public access to a repository
You can grant public access to a Dataform repository by granting IAM roles on the repository to the allAuthenticatedUsers principal.
When you assign an IAM role to the allAuthenticatedUsers principal, service agents, service accounts, and all users on the internet who have authenticated with a Google Account are granted that role. This includes accounts that aren't connected to a Google Workspace account or Cloud Identity domain, such as personal Gmail accounts. Users who aren't authenticated, such as anonymous visitors, aren't included. For more information, see All authenticated users.
For example, when you grant the Dataform Viewer role to allAuthenticatedUsers on the sales repository, all service agents, service accounts, and users on the internet who have authenticated with a Google Account have read-only access to all sales code resources.
Warning: allAuthenticatedUsers can allow bad actors to access your data and run code. Grant only the minimal required permissions.
To grant public access to a Dataform repository, follow these steps:
1. In the terminal, pass the Dataform API repositories.setIamPolicy request with an access policy. In the policy, bind the allAuthenticatedUsers principal to a selected role in the following format:
```json
{
  "policy": {
    "bindings": [
      {
        "role": "roles/ROLE",
        "members": [
          "allAuthenticatedUsers"
        ]
      }
    ]
  }
}
```
   Replace ROLE with a Dataform IAM role that you want to grant to all authenticated users.
The following command passes the repositories.setIamPolicy Dataform API request that grants the Dataform Viewer role on the sales repository to allAuthenticatedUsers:
```shell
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" -X POST \
  -d '{ "policy": { "bindings": [{ "role": "roles/dataform.viewer", "members": ["allAuthenticatedUsers"]}] }}' \
  "https://dataform.googleapis.com/v1/projects/examplepetstore/locations/us-central1/repositories/sales:setIamPolicy"
```
Prevent public access to repositories
To ensure that no access is granted to the public on any Dataform repository, you can restrict the allAuthenticatedUsers principal in your project.
To restrict allAuthenticatedUsers in your project, you can set the iam.allowedPolicyMemberDomains policy, and remove allAuthenticatedUsers from the list of allowed_values.
When you restrict allAuthenticatedUsers in the iam.allowedPolicyMemberDomains policy, the allAuthenticatedUsers principal can't be used in any IAM policy in your project, which prevents granting public access to all resources, including Dataform repositories.
For more information about the iam.allowedPolicyMemberDomains policy and also instructions to set it, see Restricting identities by domain.
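A repository policy is easy to get wrong by hand, and the setIamPolicy request replaces the whole policy, so it is worth building and checking the body in code before sending it. The following added example (not part of the Dataform API or of this page's commands) assembles the request body and URL shown above and lints a policy the way the preceding sections recommend: it rejects the public principals unless explicitly allowed, flags members that lack the user:, group:, domain:, or serviceAccount: prefix, and flags the Dataform Admin role when it is granted to a whole domain. The public-principal list and the member prefixes come from the page; treating a domain-wide admin grant as a finding is this example's own choice.

```python
"""Build and lint a Dataform repositories.setIamPolicy request body.

Added example (not Dataform's own code). The lint rules beyond "no public
principals" are this example's own policy and can be tuned.
"""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
MEMBER_PREFIXES = ("user:", "group:", "domain:", "serviceAccount:")
FULL_ACCESS_ROLES = {"roles/dataform.admin"}


def binding(role, members):
    """One IAM binding: a role and the principals that receive it."""
    if not role.startswith("roles/"):
        raise ValueError(f"role must start with 'roles/': {role!r}")
    if not members:
        raise ValueError("a binding needs at least one member")
    return {"role": role, "members": list(members)}


def set_iam_policy_body(bindings):
    """Request body in the shape the page shows: {"policy": {"bindings": [...]}}."""
    return {"policy": {"bindings": list(bindings)}}


def set_iam_policy_url(project, location, repository):
    """The repositories.setIamPolicy endpoint for one repository."""
    return (f"https://dataform.googleapis.com/v1/projects/{project}/locations/"
            f"{location}/repositories/{repository}:setIamPolicy")


def lint_policy(policy, allow_public=False):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    for b in policy.get("bindings", []):
        role = b.get("role", "<missing role>")
        for member in b.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                if not allow_public:
                    findings.append(f"{role} granted to public principal {member}")
            elif not member.startswith(MEMBER_PREFIXES):
                findings.append(f"unrecognised member format {member!r} in {role}")
            elif role in FULL_ACCESS_ROLES and member.startswith("domain:"):
                findings.append(f"full-access role {role} granted to entire {member}")
    return findings


if __name__ == "__main__":
    # Constructed example mirroring the page's single-user grant.
    body = set_iam_policy_body([binding("roles/dataform.editor", ["user:sasha@examplepetstore.com"])])
    problems = lint_policy(body["policy"])
    print("POST", set_iam_policy_url("examplepetstore", "us-central1", "sales"))
    print(json.dumps(body, indent=2))
    print("lint findings:", problems or "none")
```

Run the lint before every setIamPolicy call in a deployment pipeline; a non-empty findings list should block the request. The `allow_public` switch exists only for the deliberate public-access case described above, and when the iam.allowedPolicyMemberDomains policy is in force the API itself rejects allAuthenticatedUsers regardless of what the lint allows.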
Workforce Identity Federation in Dataform
Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize users to Google Cloud services with IAM.
Dataform supports Workforce Identity Federation with no known limitations.
Control access to individual tables with IAM
This section shows you how to grant and revoke BigQuery IAM roles for individual Dataform tables and views.
When Dataform runs a table or view, it creates the resource in BigQuery. During development in Dataform, you can grant BigQuery roles to individual tables and views to control their access in BigQuery after execution.
For more information about granting and revoking access to resources, see Grant access to a resource.
Grant BigQuery roles to a table or view
You can grant BigQuery roles to a table or view in Dataform by adding a post_operations block with the GRANT DCL statement to the .sqlx definition file of the selected table or view.
To grant BigQuery roles to a selected table or view, follow these steps:
1. In the Google Cloud console, go to the Dataform page.
2. Select a repository, and then select a workspace.
3. In the Files pane, expand the definitions/ directory.
4. Select the .sqlx definition file of the table or view that you want to grant access to.
5. In the file, enter the following code snippet:
```
post_operations {
  GRANT "ROLE_LIST" ON RESOURCE_TYPE ${self()} TO "USER_LIST"
}
```
   Replace the following:
   - ROLE_LIST: the BigQuery role or list of comma-separated BigQuery roles that you want to grant.
   - RESOURCE_TYPE: TABLE or VIEW.
   - USER_LIST: the comma-separated list of users that the role is granted to. For a list of valid formats, see user_list.
6. Optional: Click Format.
7. Run the table or view.
8. If you granted access on an incremental table, remove the GRANT statement from the table definition file after the first execution.
The following code sample shows the BigQuery Viewer role granted on a table to a user:
```
config { type: "table" }
SELECT ...
post_operations {
  GRANT `roles/bigquery.dataViewer` ON TABLE ${self()} TO "user:222larabrown@gmail.com"
}
```
Revoke BigQuery roles from a table or view
You can revoke BigQuery roles from a table or view by adding a post_operations block with the REVOKE DCL statement to the .sqlx definition file of the selected table or view.
To revoke BigQuery roles from a selected table or view, follow these steps:
1. In the Google Cloud console, go to the Dataform page.
2. Select a repository, and then select a workspace.
3. In the Files pane, expand the definitions/ directory.
4. Select the .sqlx definition file of the table or view that you want to revoke access to.
5. In the post_operations block, enter the following REVOKE statement:
```
REVOKE "ROLE_LIST" ON RESOURCE_TYPE ${self()} FROM "USER_LIST"
```
   Replace the following:
   - ROLE_LIST: the BigQuery role or list of comma-separated BigQuery roles that you want to revoke.
   - RESOURCE_TYPE: TABLE or VIEW.
   - USER_LIST: the comma-separated list of users that the role is revoked from. For a list of valid formats, see user_list.
   To revoke the access granted in a GRANT statement in the file, replace the GRANT statement with a REVOKE statement.
   Warning: Removing the GRANT statement without adding the REVOKE statement does not revoke access.
6. Optional: Click Format.
7. Run the table or view.
8. If you revoked access to an incremental table, remove the REVOKE statement from the table definition file after the first execution.
The following code sample shows the BigQuery Viewer role revoked from a user on a table:
```
config { type: "table" }
SELECT ...
post_operations {
  REVOKE `roles/bigquery.dataViewer` ON TABLE ${self()} FROM "user:222larabrown@gmail.com"
}
```
Collectively manage BigQuery roles for tables and views
To control BigQuery access to individual tables and views in a single location, you can create a dedicated type: "operations" file with GRANT and REVOKE DCL statements.
To manage BigQuery table access in a single type: "operations" file, follow these steps:
1. In the Google Cloud console, go to the Dataform page.
2. Select a repository, and then select a workspace.
3. In the Files pane, next to definitions/, click the More menu.
4. Click Create file.
5. In the Add a file path field, enter the name of the file followed by .sqlx after definitions/. For example, definitions/table-access.sqlx. Filenames can only include numbers, letters, hyphens, and underscores.
6. Click Create file.
7. In the Files pane, expand the definitions/ directory, and select the newly created file.
8. In the file, enter the following code snippet:
```
config { type: "operations" }
GRANT "ROLE_LIST" ON RESOURCE_TYPE RESOURCE_NAME TO "USER_LIST"
REVOKE "ROLE_LIST" ON RESOURCE_TYPE RESOURCE_NAME FROM "USER_LIST"
```
   Replace the following:
   - ROLE_LIST: the BigQuery role or list of comma-separated BigQuery roles that you want to grant or revoke.
   - RESOURCE_TYPE: TABLE or VIEW.
   - RESOURCE_NAME: the name of the table or view.
   - USER_LIST: the comma-separated list of users that the role is granted to or revoked from. For a list of valid formats, see user_list.
9. Add GRANT and REVOKE statements as needed. To revoke access granted in a GRANT statement in the file, replace the GRANT statement with a REVOKE statement. Removing the GRANT statement without adding the REVOKE statement does not revoke access.
10. Optional: Click Format.
11. Run the file after each update.
12. If you granted or revoked access on an incremental table, remove the GRANT or REVOKE statement from the file after the first execution of the statement.
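The caveat that runs through all three procedures is that deleting a GRANT line leaves the grant in place in BigQuery; only a REVOKE removes it. The following added example (not Dataform's own tooling, and not code from this page) generates the `type: "operations"` file from a desired-state table of grants: it compares the previous and desired states, emits a REVOKE for every (resource, role, member) that disappeared and a GRANT for every one that appeared, and validates resource types and member prefixes before rendering. It assumes fully qualified `project.dataset.name` resource identifiers and separates statements with `---`, which this example takes to be Dataform's separator for several statements in one .sqlx file (verify against your Dataform version); the sample states are constructed.

```python
"""Render a Dataform operations file that reconciles BigQuery DCL grants.

Added example (not Dataform's own code). Assumes fully qualified resource
names, user:/group:/serviceAccount:/domain: member prefixes, and `---` as the
multi-statement separator in a .sqlx file.
"""

MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")
RESOURCE_TYPES = {"TABLE", "VIEW"}

# Constructed states: {(resource_type, resource_name): {role: {member, ...}}}
PREVIOUS_ACCESS = {
    ("TABLE", "example-project.sales.orders"): {
        "roles/bigquery.dataViewer": {"user:analyst@example.com", "user:former@example.com"},
    },
}
DESIRED_ACCESS = {
    ("TABLE", "example-project.sales.orders"): {
        "roles/bigquery.dataViewer": {"user:analyst@example.com", "group:finance@example.com"},
    },
    ("VIEW", "example-project.sales.orders_summary"): {
        "roles/bigquery.dataViewer": {"group:finance@example.com"},
    },
}


def validate(resource_type, role, member):
    """Reject anything BigQuery DCL would not accept before it reaches a file."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"resource type must be TABLE or VIEW: {resource_type!r}")
    if not role.startswith("roles/"):
        raise ValueError(f"role must start with 'roles/': {role!r}")
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member must carry a principal prefix: {member!r}")


def _flatten(state):
    """Turn the nested state into {(type, name, role): set(members)}."""
    flat = {}
    for (rtype, rname), roles in state.items():
        for role, members in roles.items():
            for member in members:
                validate(rtype, role, member)
            flat[(rtype, rname, role)] = set(members)
    return flat


def diff_access(previous, desired):
    """Members to GRANT (in desired only) and to REVOKE (in previous only)."""
    before, after = _flatten(previous), _flatten(desired)
    grant, revoke = {}, {}
    for key in sorted(set(before) | set(after)):
        added = sorted(after.get(key, set()) - before.get(key, set()))
        removed = sorted(before.get(key, set()) - after.get(key, set()))
        if added:
            grant[key] = added
        if removed:
            revoke[key] = removed
    return {"grant": grant, "revoke": revoke}


def dcl(verb, key, members):
    """One GRANT ... TO / REVOKE ... FROM statement for a resource and role."""
    rtype, rname, role = key
    keyword = "TO" if verb == "GRANT" else "FROM"
    members_sql = ", ".join(f'"{m}"' for m in members)
    return f"{verb} `{role}` ON {rtype} `{rname}` {keyword} {members_sql}"


def render_operations_file(previous, desired):
    """Full .sqlx text: config header, then REVOKEs first, then GRANTs."""
    changes = diff_access(previous, desired)
    statements = [dcl("REVOKE", k, m) for k, m in changes["revoke"].items()]
    statements += [dcl("GRANT", k, m) for k, m in changes["grant"].items()]
    return 'config { type: "operations" }\n\n' + "\n---\n".join(statements) + "\n"


if __name__ == "__main__":
    print(render_operations_file(PREVIOUS_ACCESS, DESIRED_ACCESS))
```

Keep the previous state under version control next to the desired state, so each regeneration revokes exactly what was removed. For incremental tables the page's own caveat still applies: once the generated statements have run, drop them from the file so they are not re-executed on every incremental run.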
Use theConfig API to customize IAM behavior
You can use the projects.locations.updateConfig Dataform API method to customize IAM behavior and enhance security.
Grant a specific role upon resource creation
When you set the setAuthenticatedUserAdmin field to true in the projects.locations.repositories resource, Dataform automatically grants the user who creates the repository the Dataform Admin role (roles/dataform.admin) on that repository. In addition, Dataform grants any user who creates a workspace in that repository the Dataform Admin role on the new workspace.
You can use the creator_role field (Preview) in the projects.locations.updateConfig method to override this behavior. If setAuthenticatedUserAdmin is true and you configure the creator_role field with a custom role, Dataform grants the custom role instead of the default dataform.admin role.
Implement enhanced scheduling permissions
Preview: This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Note: To provide feedback or request support, contact dataform-preview-support@google.com.
To require that users need explicit permissions to schedule Dataform workflows, set the enable_project_checks_for_scheduling field to true in the projects.locations.updateConfig method.
When you enable these checks for scheduling, the user needs the following permissions:
To create a workflow configuration:
- The dataform.workflowConfigs.create permission on the project, granted by the Code Scheduler role (roles/dataform.codeScheduler).
- The dataform.repositories.scheduleWorkflow permission on the repository, granted by the Dataform Admin role (roles/dataform.admin).
To create a release configuration:
- The dataform.releaseConfigs.create permission on the project, granted by the Code Scheduler role (roles/dataform.codeScheduler).
- The dataform.repositories.scheduleRelease permission on the repository, granted by the Dataform Admin role (roles/dataform.admin).
Enable private workspaces
Preview: This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Note: To provide feedback or request support, contact dataform-preview-support@google.com.
To restrict Dataform workspace access so that only the workspace creator can read and write code in that workspace, set the enable_private_workspace field to true in the projects.locations.updateConfig method.
This restriction also applies to viewing generated artifacts, such as compiled SQL, compilation errors, and run logs for the workspace's compilations or workflow invocations.
This setting overrides standard IAM roles that grant workspace access to other repository users.
What's next
- To learn more about IAM, see IAM overview.
- To learn more about managing access to resources, see Manage access to projects, folders, and organizations.
- To learn more about the key concepts of Workforce Identity Federation, see Workforce Identity Federation.
- To learn more about BigQuery IAM roles and permissions, see Access control with IAM.
- To learn more about granting granular permissions to BigQuery datasets, see Controlling access to datasets.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-16 UTC.