Stay organized with collections Save and categorize content based on your preferences.
OBJECT_PRIVILEGES viewPreview
This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
The INFORMATION_SCHEMA.OBJECT_PRIVILEGES view contains metadata about access control bindings that are explicitly set on BigQuery objects. This view does not contain metadata about the inherited access control bindings.
To query the INFORMATION_SCHEMA.OBJECT_PRIVILEGES view, you need following Identity and Access Management (IAM) permissions:
bigquery.datasets.get for datasets.bigquery.tables.getIamPolicy for tables and views.For more information about BigQuery permissions, see Access control with IAM.
SchemaWhen you query the INFORMATION_SCHEMA.OBJECT_PRIVILEGES view, the query results contain one row for each access control binding for a resource.
The INFORMATION_SCHEMA.OBJECT_PRIVILEGES view has the following schema:
OBJECT_CATALOG STRING The project ID of the project that contains the resource. OBJECT_SCHEMA STRING The name of the dataset that contains the resource. This is NULL if the resource itself is a dataset. OBJECT_NAME STRING The name of the table, view, or dataset the policy applies to. OBJECT_TYPE STRING The resource type, such as SCHEMA (dataset), TABLE, VIEW, and EXTERNAL. PRIVILEGE_TYPE STRING The role ID, such as roles/bigquery.dataEditor. GRANTEE STRING The user type and user that the role is granted to. Scope and syntax
Queries against this view must include a region qualifier. A project ID is optional. If no project ID is specified, then the project that the query runs in is used. The following table explains the region scope for this view:
View name Resource scope Region scope[PROJECT_ID.]`region-REGION`.INFORMATION_SCHEMA.OBJECT_PRIVILEGES Project level REGION
Replace the following:
PROJECT_ID: the ID of your Google Cloud project. If not specified, the default project is used.REGION: any dataset region name. For example, `region-us`. Note: You must use a region qualifier to query INFORMATION_SCHEMA views. The location of the query execution must match the region of the INFORMATION_SCHEMA view.Example
-- Returns metadata for the access control bindings for mydataset.
SELECT * FROM myproject.`region-us`.INFORMATION_SCHEMA.OBJECT_PRIVILEGES
WHERE object_name = "mydataset";
OBJECT_PRIVILEGES queries must contain a WHERE clause limiting queries to a single dataset, table, or view.object_name.object_name AND object_schema.The following example retrieves all columns from the INFORMATION_SCHEMA.OBJECT_PRIVILEGES view.
To run the query against a project other than the project that the query is running in, add the project ID to the region in the following format: `project_id`.`region_id`.INFORMATION_SCHEMA.OBJECT_PRIVILEGES.
The following example gets all access control metadata for the mydataset dataset in the mycompany project:
SELECT *
FROM mycompany.`region-us`.INFORMATION_SCHEMA.OBJECT_PRIVILEGES
WHERE object_name = "mydataset"
The results should look like the following:
+----------------+---------------+-------------+-------------+---------------------------+-----------------------------------+ | object_catalog | object_schema | object_name | object_type | privilege_type | grantee | +----------------+---------------+-------------+-------------+---------------------------+-----------------------------------+ | mycompany | NULL | mydataset | SCHEMA | roles/bigquery.dataEditor | projectEditor:mycompany | +----------------+---------------+-------------+-------------+---------------------------+-----------------------------------+ | mycompany | NULL | mydataset | SCHEMA | roles/bigquery.dataOwner | projectOwner:mycompany | +----------------+---------------+-------------+-------------+---------------------------+-----------------------------------+ | mycompany | NULL | mydataset | SCHEMA | roles/bigquery.dataOwner | user:cloudysanfrancisco@gmail.com | +----------------+---------------+-------------+-------------+---------------------------+-----------------------------------+ | mycompany | NULL | mydataset | SCHEMA | roles/bigquery.dataViwer | projectViewer:mycompany | +----------------+---------------+-------------+-------------+---------------------------+-----------------------------------+
The following example gets all access control information for the testdata table in the mydataset dataset:
SELECT *
FROM mycompany.`region-us`.INFORMATION_SCHEMA.OBJECT_PRIVILEGES
WHERE object_schema = "mydataset" AND object_name = "testdata"
The results should look like the following:
+----------------+---------------+--------------+-------------+----------------------+------------------------------------+ | object_catalog | object_schema | object_name | object_type | privilege_type | grantee | +----------------+---------------+--------------+-------------+----------------------+------------------------------------+ | mycompany | mydataset | testdata | TABLE | roles/bigquery.admin | user:baklavainthebalkans@gmail.com | +----------------+---------------+--------------+-------------+----------------------+------------------------------------+
The INFORMATION_SCHEMA.OBJECT_PRIVILEGES view only shows access control bindings that are explicitly set. The first example shows that the user cloudysanfrancisco@gmail.com has the bigquery.dataOwner role on the mydataset dataset. The user cloudysanfrancisco@gmail.com inherits permissions to create, update, and delete tables in mydataset, including the testdata table. However, since those permissions were not explicitly granted on the testdata table, they don't appear in the results of the second example.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["The `INFORMATION_SCHEMA.OBJECT_PRIVILEGES` view provides metadata about explicitly set access control bindings on BigQuery objects, excluding inherited bindings."],["Querying this view requires specific IAM permissions, including `bigquery.datasets.get` for datasets and `bigquery.tables.getIamPolicy` for tables and views."],["Queries must include a region qualifier and are limited to a single dataset, table, or view, using a `WHERE` clause."],["The view's schema includes columns like `OBJECT_CATALOG`, `OBJECT_SCHEMA`, `OBJECT_NAME`, `OBJECT_TYPE`, `PRIVILEGE_TYPE`, and `GRANTEE`, which detail the project, dataset, object, type, role, and user granted the role, respectively."],["Pre-GA status means this feature is available \"as is\" with potential limitations in support, and is subject to the Pre-GA Offerings Terms."]]],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4