Using row-level security with other BigQuery features
This document describes how to use row-level access security with other BigQuery features.
Before you read this document, familiarize yourself with row-level security by reading Introduction to BigQuery row-level security and Working with row-level security.
The TRUE filter
Row-level access policies can filter the result data that you see when running
queries. To run non-query operations, such as DML, you need full
access to all rows in the table. Full access is granted
by using a row access policy with the filter expression set to TRUE. This
row-level access policy is called the TRUE filter.
Any user can be granted TRUE filter access, including a service account.
Examples of non-query operations are:
- Other BigQuery APIs, such as the BigQuery Storage Read API.
- Some
bqcommand-line tool commands, such as thebq headcommand. - Copying a table
TRUE filter example
CREATE ROW ACCESS POLICY all_access ON project.dataset.table1
GRANT TO ("group:all-rows-access@example.com")
FILTER USING (TRUE);
Features that work with the TRUE filter
When you use a DML operation
on a table protected by row access policies, you must use a TRUE filter which
implies access to the whole table. Any operations that don't alter the table
schema maintain any row access policies on the table.
For example, the ALTER TABLE RENAME
TO
statement copies row access policies from the original table to the new table.
As another example, the TRUNCATE
TABLE
statement removes all of the rows from a table but maintains the table schema as
well as any row access policies.
Copy jobs
To copy a table with one or more
row-level access policies on it, you must first be granted TRUE filter access
on
the source table. All row-level access policies on the source table are also
copied to the new destination table. If you copy a source table without
row-level access policies onto a destination table that does have row-level
access policies,
then the row-level access policies are removed from the destination table,
unless the --append_table flag is used or "writeDisposition": "WRITE_APPEND"
is set.
Cross-region copies are allowed and all policies are copied. Subsequent queries might be broken after the copy is complete if the queries contain invalid table references in subquery policies.
Row-level access policies on a table must have unique names. A collision in row-level access policy names during the copy results in an invalid input error.
Required permissions to copy a table with a row-level access policy
To copy a table with one or more row-level access policies, you must have the following permissions, in addition to the roles to copy tables and partitions.
| Permission | Resource |
|---|---|
bigquery.rowAccessPolicies.list
|
The source table. |
bigquery.rowAccessPolicies.getIamPolicy
|
The source table. |
The TRUE filter
|
The source table. |
bigquery.rowAccessPolicies.create
|
The destination table. |
bigquery.rowAccessPolicies.setIamPolicy
|
The destination table. |
Tabledata.list in BigQuery API
You need TRUE filter access in order to use the tabledata.list method in the
BigQuery API on a table with row-level access policies.
DML
To execute a DML statement that updates a table that has row-level access
policies, you need TRUE filter access for the table.
In particular, MERGE statements interact with row-level access policies as
follows:
- If a target table contains row-level access policies, then you need
TRUEfilter access to the target table. - If a source table contains row-level access policies, then the
MERGEstatement only acts on the rows that are visible to the user.
Table snapshots
Table snapshots support row-level security. The permissions that you need for the base table (source table) and the table snapshot (destination table) are described in Required permissions to copy a table with a row-level access policy.
BigQuery table with JSON columns
Row-level access policies cannot be applied on JSON columns. To learn more about the limitations for row-level security, see Limitations.
Execution graph
You can't use the query execution graph for jobs with row-level access policies.
Extract jobs
If a table has row-level access policies, then only the data that you can view is exported to Cloud Storage when you run an extract job.
Partitioned and clustered tables
Row-level security does not participate in query pruning, which is a feature of partitioned tables.
While row-level security is compatible with partitioned and clustered
tables, the row-level access policies that filter row data aren't applied
during partition pruning. You can still use partition pruning on a table
that uses row-level security by specifying a WHERE clause that operates
on the partition column. Similarly, row-level access policies themselves
don't create any performance benefits for queries against clustered tables,
but they don't interfere with other filtering that you apply.
Query pruning is performed during the execution of row-level access policies using the filters with the policies.
Rename a table
You don't need TRUE filter access to rename a table with one or more row access
policies on it. You can
rename a table with a DDL statement.
As an alternative, you can also copy a table and give the destination table a different name. If the source table has a row-level access policy on it, see table copy jobs on this page for more information.
Streaming updates
To perform streaming table UPDATE or DELETE operations with change data capture, you must have TRUE filter access.
Time travel
Only a table administrator can access historical data for a table that has, or
has previously had, row-level access policies. Other users get an access
denied error if they use a time travel decorator on a table that has had
row-level access. For more information, see Time travel and row-level
access.
Logical, materialized, and authorized views
This section describes different types of BigQuery views and how they interact with row-level security.
Logical or materialized views
Logical or materialized views are built from queries against tables. The query results are usually a subset of the table data.
The data displayed in either type of view is filtered according to the underlying source table's row-level access policies. However, you can't reference views or materialized views in row-level access policies.
Performance for materialized views
In addition, when a materialized view is derived from an underlying table that has row-level access policies, then the query performance is the same as when you query the source table directly. In other words, if the source table has row-level security, you don't see the typical performance benefits of querying a materialized view versus querying the source table.
Authorized views
You can also authorize a logical or materialized view, which means sharing the view with specific users or groups (principals). Principals can then query a view, but don't have access to the underlying table. For more information, see Authorized views.
Wildcard queries
Wildcard queries against
tables with row-level access policies fail with an INVALID_INPUT error.
What's next
- For information about best practices for row-level access policies, see Best practices for row-level security in BigQuery.