row_access_policies
Creates, updates, deletes, gets or lists a row_access_policies resource.
Overview
Name | row_access_policies |
Type | Resource |
Id | google.bigquery.row_access_policies |
Fields
The following fields are returned by SELECT queries:
- get
- list
Successful response
Name | Datatype | Description |
---|---|---|
creationTime | string (google-datetime) | Output only. The time when this row access policy was created, in milliseconds since the epoch. |
etag | string | Output only. A hash of this resource. |
filterPredicate | string | Required. A SQL boolean expression that represents the rows defined by this row access policy, similar to the boolean expression in a WHERE clause of a SELECT query on a table. References to other tables, routines, and temporary functions are not supported. Examples: region="EU"; date_field = CAST('2019-9-27' as DATE); nullable_field is not NULL; numeric_field BETWEEN 1.0 AND 5.0 |
grantees | array | Optional. Input only. The optional list of iam_member users or groups that specifies the initial members that the row-level access policy should be created with. Grantee types: - "user:alice@example.com": An email address that represents a specific Google account. - "serviceAccount:my-other-app@appspot.gserviceaccount.com": An email address that represents a service account. - "group:admins@example.com": An email address that represents a Google group. - "domain:example.com": The Google Workspace domain (primary) that represents all the users of that domain. - "allAuthenticatedUsers": A special identifier that represents all service accounts and all users on the internet who have authenticated with a Google Account. This identifier includes accounts that aren't connected to a Google Workspace or Cloud Identity domain, such as personal Gmail accounts. Users who aren't authenticated, such as anonymous visitors, aren't included. - "allUsers": A special identifier that represents anyone who is on the internet, including authenticated and unauthenticated users. Because BigQuery requires authentication before a user can access the service, allUsers includes only authenticated users. |
lastModifiedTime | string (google-datetime) | Output only. The time when this row access policy was last modified, in milliseconds since the epoch. |
rowAccessPolicyReference | object | Required. Reference describing the ID of this row access policy. (id: RowAccessPolicyReference) |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | projectId, +datasetId, +tableId, +policyId | | Gets the specified row access policy by policy ID. |
list | select | projectId, +datasetId, +tableId | pageSize, pageToken | Lists all row access policies on the specified table. |
insert | insert | projectId, +datasetId, +tableId | | Creates a row access policy. |
update | replace | projectId, +datasetId, +tableId, +policyId | | Updates a row access policy. |
delete | delete | projectId, +datasetId, +tableId, +policyId | force | Deletes a row access policy. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
+datasetId | string | |
+policyId | string | |
+tableId | string | |
projectId | string | |
force | boolean | |
pageSize | integer (int32) | |
pageToken | string | |
SELECT examples
- get
- list
Gets the specified row access policy by policy ID.
```sql
SELECT
  creationTime,
  etag,
  filterPredicate,
  grantees,
  lastModifiedTime,
  rowAccessPolicyReference
FROM google.bigquery.row_access_policies
WHERE projectId = '{{ projectId }}' -- required
  AND +datasetId = '{{ +datasetId }}' -- required
  AND +tableId = '{{ +tableId }}' -- required
  AND +policyId = '{{ +policyId }}'; -- required
```
Lists all row access policies on the specified table.
```sql
SELECT
  creationTime,
  etag,
  filterPredicate,
  grantees,
  lastModifiedTime,
  rowAccessPolicyReference
FROM google.bigquery.row_access_policies
WHERE projectId = '{{ projectId }}' -- required
  AND +datasetId = '{{ +datasetId }}' -- required
  AND +tableId = '{{ +tableId }}' -- required
  AND pageSize = '{{ pageSize }}'
  AND pageToken = '{{ pageToken }}';
```
INSERT examples
- insert
- Manifest
Creates a row access policy.
```sql
INSERT INTO google.bigquery.row_access_policies (
  data__filterPredicate,
  data__grantees,
  data__rowAccessPolicyReference,
  projectId,
  +datasetId,
  +tableId
)
SELECT
  '{{ filterPredicate }}',
  '{{ grantees }}',
  '{{ rowAccessPolicyReference }}',
  '{{ projectId }}',
  '{{ +datasetId }}',
  '{{ +tableId }}'
RETURNING
  creationTime,
  etag,
  filterPredicate,
  grantees,
  lastModifiedTime,
  rowAccessPolicyReference
;
```
```yaml
# Description fields are for documentation purposes
- name: row_access_policies
  props:
    - name: projectId
      value: string
      description: Required parameter for the row_access_policies resource.
    - name: +datasetId
      value: string
      description: Required parameter for the row_access_policies resource.
    - name: +tableId
      value: string
      description: Required parameter for the row_access_policies resource.
    - name: filterPredicate
      value: string
      description: >
        Required. A SQL boolean expression that represents the rows defined by this row access policy, similar to the boolean expression in a WHERE clause of a SELECT query on a table. References to other tables, routines, and temporary functions are not supported. Examples: region="EU"; date_field = CAST('2019-9-27' as DATE); nullable_field is not NULL; numeric_field BETWEEN 1.0 AND 5.0
    - name: grantees
      value: array
      description: >
        Optional. Input only. The optional list of iam_member users or groups that specifies the initial members that the row-level access policy should be created with. Grantee types: - "user:alice@example.com": An email address that represents a specific Google account. - "serviceAccount:my-other-app@appspot.gserviceaccount.com": An email address that represents a service account. - "group:admins@example.com": An email address that represents a Google group. - "domain:example.com": The Google Workspace domain (primary) that represents all the users of that domain. - "allAuthenticatedUsers": A special identifier that represents all service accounts and all users on the internet who have authenticated with a Google Account. This identifier includes accounts that aren't connected to a Google Workspace or Cloud Identity domain, such as personal Gmail accounts. Users who aren't authenticated, such as anonymous visitors, aren't included. - "allUsers": A special identifier that represents anyone who is on the internet, including authenticated and unauthenticated users. Because BigQuery requires authentication before a user can access the service, allUsers includes only authenticated users.
    - name: rowAccessPolicyReference
      value: object
      description: >
        Required. Reference describing the ID of this row access policy.
```
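A pre-flight check for the grantees array described above, as an added example (not part of the StackQL provider or the original page): it validates each member against the documented grantee types and flags the identifiers that open a policy to a whole domain or to every authenticated account. The function name lint_grantees, the severity labels and the sample list are assumptions of this example.

```python
# Added example: lint a row access policy's grantees before INSERT/REPLACE.
# Member formats come from the grantees description on this page; the function
# name, severity labels and sample values are assumptions of this example.
import re

EMAIL = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")
DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)
PUBLIC = {"allUsers", "allAuthenticatedUsers"}  # special identifiers, no value
EMAIL_KINDS = {"user", "serviceAccount", "group"}


def lint_grantees(grantees):
    """Return [(member, severity, reason)]; an empty list means no findings."""
    if not isinstance(grantees, list):
        return [(repr(grantees), "error", "grantees must be an array")]
    findings = []
    for member in grantees:
        if not isinstance(member, str):
            findings.append((repr(member), "error", "member is not a string"))
            continue
        if member in PUBLIC:
            findings.append((member, "high", "any authenticated Google account"))
            continue
        kind, sep, value = member.partition(":")
        if kind in EMAIL_KINDS and sep:
            if not EMAIL.match(value):
                findings.append((member, "error", "expected an email address"))
        elif kind == "domain" and sep:
            if DOMAIN.match(value):
                findings.append((member, "medium", "every user of the domain"))
            else:
                findings.append((member, "error", "expected a domain name"))
        else:
            findings.append((member, "error", "unknown grantee type"))
    return findings


# Constructed sample payload, not taken from a real project.
SAMPLE = [
    "user:alice@example.com",
    "group:admins@example.com",
    "domain:example.com",
    "allAuthenticatedUsers",
    "user:bob",
    "team:ops@example.com",
]

if __name__ == "__main__":
    for member, severity, reason in lint_grantees(SAMPLE):
        print(f"{severity:6} {member}: {reason}")
```

Running the check on the payload before it is passed as data__grantees keeps a malformed or overly broad member from reaching the table.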
REPLACE examples
- update
Updates a row access policy.
```sql
REPLACE google.bigquery.row_access_policies
SET
  data__filterPredicate = '{{ filterPredicate }}',
  data__grantees = '{{ grantees }}',
  data__rowAccessPolicyReference = '{{ rowAccessPolicyReference }}'
WHERE
  projectId = '{{ projectId }}' -- required
  AND +datasetId = '{{ +datasetId }}' -- required
  AND +tableId = '{{ +tableId }}' -- required
  AND +policyId = '{{ +policyId }}' -- required
RETURNING
  creationTime,
  etag,
  filterPredicate,
  grantees,
  lastModifiedTime,
  rowAccessPolicyReference;
```
DELETE examples
- delete
Deletes a row access policy.
```sql
DELETE FROM google.bigquery.row_access_policies
WHERE projectId = '{{ projectId }}' -- required
  AND +datasetId = '{{ +datasetId }}' -- required
  AND +tableId = '{{ +tableId }}' -- required
  AND +policyId = '{{ +policyId }}' -- required
  AND force = '{{ force }}';
```