How to Manage Users in BigQuery

How do I manage users in BigQuery with GRANT and REVOKE?

GRANT and REVOKE statements assign or remove roles so users can query, create, or administer datasets, tables, and views in BigQuery.

Welcome to the Galaxy, Guardian!

Oops! Something went wrong while submitting the form.

Description

Example H2

Example H3

Why use GRANT/REVOKE for user management?

GRANT and REVOKE let you control who can read, write, or administer data without exposing full project access. Use them to follow the principle of least privilege and simplify audits.

What roles can I grant?

BigQuery supplies predefined roles (bigquery.dataViewer, bigquery.dataEditor, bigquery.dataOwner, bigquery.user). You can also grant custom IAM roles that bundle granular permissions like bigquery.tables.create.

How do I grant dataset-level access?

Run a GRANT ON SCHEMA statement targeting the dataset. The principal can be a Google account, Google group, service account, or domain. Example:

GRANT `bigquery.dataViewer` ON SCHEMA `ecommerce.sales` TO "user:analyst@acme.com";

How do I grant table-level access?

Use GRANT ON TABLE to allow fine-grained control. Table roles are the same as dataset roles but affect only the specified table.

GRANT `bigquery.dataViewer` ON TABLE `ecommerce.sales.Customers` TO "user:intern@acme.com";

How do I remove permissions?

Run REVOKE with the same syntax. Always revoke unneeded privileges when users change teams or leave the organization.

REVOKE `bigquery.dataViewer` ON SCHEMA `ecommerce.sales` FROM "user:intern@acme.com";

Can I see existing grants?

List dataset or table metadata withSELECT * FROM `ecommerce.sales.INFORMATION_SCHEMA.SCHEMA_PRIVILEGES`;This reveals who has which roles.

Best practices for user management

• Grant roles to Google groups, not individuals—team membership then controls data access.
• Prefer predefined roles unless you need custom combinations.
• Audit INFORMATION_SCHEMA monthly.
• Automate revocation via Cloud Functions triggered by Cloud IAM events.

How does this work with row-level security?

GRANT/REVOKE control object access. Combine with row-level security policies when you need to filter data per user. The policy runs only if the user first has table access.

Why How to Manage Users in BigQuery is important

How to Manage Users in BigQuery Example Usage


-- Give a finance analyst read access to Orders and Customers tables only
GRANT `bigquery.dataViewer` ON TABLE `ecommerce.sales.Orders` TO "user:finance_analyst@acme.com";
GRANT `bigquery.dataViewer` ON TABLE `ecommerce.sales.Customers` TO "user:finance_analyst@acme.com";

How to Manage Users in BigQuery Syntax


-- Grant a predefined role on a dataset
GRANT `bigquery.dataViewer`
ON SCHEMA `ecommerce.sales`
TO "user:analyst@acme.com";

-- Grant a custom IAM role on a table
GRANT `roles/bqLimitedEditor`
ON TABLE `ecommerce.sales.Orders`
TO "group:data-ops@acme.com";

-- Revoke a role
REVOKE `bigquery.dataViewer`
ON SCHEMA `ecommerce.sales`
FROM "user:intern@acme.com";

Common Mistakes

Granting project-level Owner. This gives excessive control, including billing and deletion rights. Fix by granting dataset-specific roles like bigquery.dataViewer.
Granting roles to individual emails. This causes sprawl and manual overhead. Fix by creating Google groups per team and granting roles to the group.