Is it possible to list all the columns a user can access in a BigQuery table?

Is it possible to list all the columns a user has access (read, write, update) to in a BigQuery table? For example, if Table A has 5 columns (1-5):

User abc@gmail.com has access to Table A for column1, column2, column3.

User xyz@gmail.com has access to column1, column4, column5.

Is it possible to get the column-level access policy for each user in BigQuery?
Or is it possible to check, for each column in a table, whether a user has access to it?


Welcome back to the Google Cloud Community.

I understand that you are getting a lot of errors for your application.

I would like to have some more information so that I can investigate your issue further.

1.) Can you provide me the configuration files (app.yaml, queue.yaml) and a snippet of the code which is causing the error?
2.) What is your application doing?
3.) Was the same code working fine before? If yes, did you make any changes in your code?

Once I have the above information in hand, I will be in a better position to help you further. Let me know if you have any other questions or concerns.

I believe this question has been answered in this discussion: https://www.googlecloudcommunity.com/gc/Data-Analytics/How-to-get-all-the-users-groups-who-have-acce.... Did this work for you? I recommend you provide feedback on your original post to prevent duplicate threads. Thanks!

It looks like the OP's original question was "Can I determine which tables, views and columns a user can access". In the other post, I saw answers to "tables and views" but not columns. This current question seems to ask "Can I determine which columns a user can access". It's subtle but definitely distinct. Google Cloud mostly uses IAM for access control, and that is also true for table and view access. To determine if a user can access a table, we examine what permissions (as granted by roles) the user possesses for a given table/view. However, for columns the story changes. Whether a user can access a column is governed in an indirect manner:

1. A policy tag is created.
2. Some set of users is granted the Fine-Grained Reader role on that tag.
3. For some set of columns in some set of tables, the policy tag is associated with the column.

So ... now, in order to determine if a user can access the data in the column, we need to look at the given column, find out what (if any) policy tag is associated with it, and then ask "For this policy tag, does the user have Fine-Grained Reader?"

Sadly, I am simply not aware of any tool that could be pointed at a table, given a user name, and say:

1. The user has these IAM Table permissions and hence can/can't query the table
2. If the user can query the table, the user can/can't see the data in which columns

Taking it further, there are two more permutations that we have not yet discussed:

1. Row-level access - Can the user see all rows or just a subset?
2. Column-level masking - WHAT (not if) a user sees when looking at a column (it isn't just allow/deny ... the value can also be masked, meaning that a value is returned, just not the actual value as stored in the database).
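The decision procedure the reply above describes (table IAM first, then the column's policy tag, then Fine-Grained Reader on that tag or one of its ancestors, since a grant on a parent tag is inherited by its child tags), written out as an added Python example. This is not code from the thread or from Google; it works on constructed sample data (a hypothetical project `example-project`, made-up taxonomy and tag names, the two users from the question plus a third with no table access). The IAM role names are the real ones. It also covers two caveats the reply hints at: a taxonomy whose access control is not enforced (tags then restrict nothing), and Masked Reader on a data policy attached to the tag, which returns a masked value rather than denying the query. In a real project the inputs come from `Table.schema` (each `SchemaField.policy_tags.names`), a `testIamPermissions` check for `bigquery.tables.getData` on the table, and `PolicyTagManagerClient.get_iam_policy()` on each tag; group membership is not expanded here.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set

# IAM role names as they appear in bindings on a policy tag / data policy.
FINE_GRAINED_READER = "roles/datacatalog.categoryFineGrainedReader"
MASKED_READER = "roles/bigquerydatapolicy.maskedReader"


@dataclass
class PolicyTag:
    name: str                        # full Data Catalog resource name
    parent: Optional[str] = None     # None for a root tag of the taxonomy
    # role -> principals bound directly on this tag (for Masked Reader: on a
    # data policy attached to this tag). Group expansion is not modelled.
    bindings: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Taxonomy:
    tags: Dict[str, PolicyTag]
    # True only when FINE_GRAINED_ACCESS_CONTROL is activated on the taxonomy;
    # otherwise policy tags are just labels and restrict nothing.
    enforced: bool = True


@dataclass
class Column:
    name: str
    policy_tag: Optional[str] = None  # a column carries at most one policy tag


def tag_chain(tag_name: str, taxonomy: Taxonomy) -> Iterator[PolicyTag]:
    """Yield the tag and each of its ancestors up to the root. A grant on a
    parent tag is inherited by all of its descendants."""
    tag = taxonomy.tags.get(tag_name)
    while tag is not None:
        yield tag
        tag = taxonomy.tags.get(tag.parent) if tag.parent else None


def column_access(principal: str, column: Column, taxonomy: Taxonomy,
                  can_read_table: bool) -> str:
    """Classify one column as NO_TABLE_ACCESS, READ, MASKED or DENIED."""
    if not can_read_table:
        return "NO_TABLE_ACCESS"      # no bigquery.tables.getData on the table
    if column.policy_tag is None or not taxonomy.enforced:
        return "READ"                 # nothing column-level applies
    chain = list(tag_chain(column.policy_tag, taxonomy))
    # Fine-Grained Reader anywhere up the hierarchy grants the raw value and
    # takes precedence over Masked Reader.
    if any(principal in t.bindings.get(FINE_GRAINED_READER, ()) for t in chain):
        return "READ"
    own = taxonomy.tags.get(column.policy_tag)
    if own is not None and principal in own.bindings.get(MASKED_READER, ()):
        return "MASKED"               # query succeeds, masked value returned
    return "DENIED"                   # tagged, enforced, no grant (or unknown tag)


def access_report(principal: str, columns: List[Column], taxonomy: Taxonomy,
                  table_readers: Set[str]) -> Dict[str, str]:
    """Per-column access for one principal; table_readers is the set of
    principals holding bigquery.tables.getData on the table."""
    can_read = principal in table_readers
    return {c.name: column_access(principal, c, taxonomy, can_read) for c in columns}


# --- constructed sample data: hypothetical project, taxonomy and bindings ---
_TAX = "projects/example-project/locations/us/taxonomies/1/policyTags/"
CONFIDENTIAL, CONTACT, FINANCIAL, INTERNAL = (_TAX + n for n in ("100", "101", "102", "200"))
ABC, XYZ, NOBODY = "user:abc@gmail.com", "user:xyz@gmail.com", "user:nobody@gmail.com"


def sample_taxonomy(enforced: bool = True) -> Taxonomy:
    return Taxonomy(enforced=enforced, tags={
        CONFIDENTIAL: PolicyTag(CONFIDENTIAL, None, {FINE_GRAINED_READER: {ABC}}),
        CONTACT: PolicyTag(CONTACT, CONFIDENTIAL, {MASKED_READER: {XYZ}}),
        FINANCIAL: PolicyTag(FINANCIAL, CONFIDENTIAL),
        INTERNAL: PolicyTag(INTERNAL, None, {FINE_GRAINED_READER: {XYZ}}),
    })


TABLE_A = [Column("column1"), Column("column2", CONTACT), Column("column3", FINANCIAL),
           Column("column4", INTERNAL), Column("column5", INTERNAL)]
TABLE_A_READERS = {ABC, XYZ}   # NOBODY has no table-level access at all

if __name__ == "__main__":
    for who in (ABC, XYZ, NOBODY):
        print(who, access_report(who, TABLE_A, sample_taxonomy(), TABLE_A_READERS))
```

With this data abc@gmail.com reads column1-3 (the grant on the root tag is inherited by the contact and financial child tags) and is denied column4-5; xyz@gmail.com reads column1, 4 and 5, gets a masked column2 and is denied column3; a user without table access gets nothing regardless of tags. Flipping `enforced` to False shows why the taxonomy's enforcement setting must be part of any such audit: every tagged column becomes readable by anyone with table access.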