The following permissions are required to runGRANTandREVOKEstatements.
Resource Type
Permissions
Dataset
bigquery.datasets.update
Table
bigquery.tables.setIamPolicy
View
bigquery.tables.setIamPolicy
GRANTstatement
Grants roles to users on BigQuery resources.
Syntax
GRANT role_list
ON resource_type resource_name
TOuser_list
Arguments
role_list: A role or list of comma separated roles that contains the
permissions you want to grant. For more information on the types of roles available,
seeUnderstanding roles.
resource_type: The type of resource the role is applied to. Supported values include:SCHEMA(equivalent to dataset),TABLE,VIEW,EXTERNAL TABLE.
resource_name: The name of the resource you want to grant the permission on.
user_list: A comma separated list of users that the role is granted to.
The following example grants thebigquery.dataViewerrole to the usersraha@example-pet-store.comandsasha@example-pet-store.comon a dataset namedmyDataset:
Removes roles from a list of users on BigQuery resources.
Syntax
REVOKE role_list
ON resource_type resource_name
FROMuser_list
Arguments
role_list: A role or list of comma separated roles that contains the
permissions you want to remove. For more information on the types of roles available,
seeUnderstanding roles.
resource_type: The type of resource that the role will be removed from. Supported values include:SCHEMA(equivalent to dataset),TABLE,VIEW,EXTERNAL TABLE.
resource_name: The name of the resource you want to revoke the role on.
user_list: A comma separated list of users that the role is revoked from.
Example
The following example removes thebigquery.adminrole on themyDatasetdataset from theexample-team@example-pet-store.comgroup and a service
account:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eData control language (DCL) statements in GoogleSQL are used to manage access to BigQuery resources using SQL query syntax.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eGRANT\u003c/code\u003e statement assigns specified roles to users on resources such as datasets, tables, views, and external tables.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eREVOKE\u003c/code\u003e statement removes specified roles from users, allowing administrators to control permissions on BigQuery resources.\u003c/p\u003e\n"],["\u003cp\u003ePermissions required to execute \u003ccode\u003eGRANT\u003c/code\u003e and \u003ccode\u003eREVOKE\u003c/code\u003e statements include \u003ccode\u003ebigquery.datasets.update\u003c/code\u003e for datasets and \u003ccode\u003ebigquery.tables.setIamPolicy\u003c/code\u003e for tables and views.\u003c/p\u003e\n"],["\u003cp\u003eUsers can be specified in \u003ccode\u003eGRANT\u003c/code\u003e and \u003ccode\u003eREVOKE\u003c/code\u003e statements using formats for Google accounts, groups, service accounts, domains, and special groups like \u003ccode\u003eallAuthenticatedUsers\u003c/code\u003e and \u003ccode\u003eallUsers\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Data control language (DCL) statements in GoogleSQL\n===================================================\n\nThe BigQuery data control language (DCL) statements let you set up\nand control BigQuery resources using\n[GoogleSQL](/bigquery/docs/reference/standard-sql) query syntax.\n\nUse these statements to give or remove access to BigQuery resources.\n\nFor more information on controlling access to specific BigQuery resources,\nsee:\n\n- [Controlling access to datasets](/bigquery/docs/dataset-access-controls)\n- [Controlling access to tables](/bigquery/docs/table-access-controls)\n- [Controlling access to views](/bigquery/docs/authorized-views)\n\nPermissions required\n--------------------\n\nThe following permissions are required to run `GRANT` and `REVOKE` statements.\n\n`GRANT` statement\n-----------------\n\nGrants roles to users on BigQuery resources.\n\n### Syntax\n\n```\nGRANT role_list\n ON resource_type resource_name\n TO user_list\n```\n\n### Arguments\n\n- `role_list`: A role or list of comma separated roles that contains the\n permissions you want to grant. For more information on the types of roles available,\n see [Understanding roles](/iam/docs/understanding-roles).\n\n- `resource_type`: The type of resource the role is applied to. Supported values include:\n `SCHEMA` (equivalent to dataset), `TABLE`, `VIEW`,\n `EXTERNAL TABLE`.\n\n- `resource_name`: The name of the resource you want to grant the permission on.\n\n- [`user_list`](#user_list): A comma separated list of users that the role is granted to.\n\n### `user_list`\n\nSpecify users using the following formats:\n\nFor more information about each type of user in the table, see\n[Concepts related to identity](/iam/docs/overview#concepts_related_identity).\n\n### Example\n\nThe following example grants the `bigquery.dataViewer` role to the users\n`raha@example-pet-store.com` and `sasha@example-pet-store.com` on a dataset named\n`myDataset`: \n\n GRANT `roles/bigquery.dataViewer` ON SCHEMA `myProject`.myDataset\n TO \"user:raha@example-pet-store.com\", \"user:sasha@example-pet-store.com\"\n\n`REVOKE` statement\n------------------\n\nRemoves roles from a list of users on BigQuery resources.\n\n### Syntax\n\n```\nREVOKE role_list\n ON resource_type resource_name\n FROM user_list\n```\n\n### Arguments\n\n- `role_list`: A role or list of comma separated roles that contains the\n permissions you want to remove. For more information on the types of roles available,\n see [Understanding roles](/iam/docs/understanding-roles).\n\n- `resource_type`: The type of resource that the role will be removed from. Supported values include:\n `SCHEMA` (equivalent to dataset), `TABLE`, `VIEW`,\n `EXTERNAL TABLE`.\n\n- `resource_name`: The name of the resource you want to revoke the role on.\n\n- [`user_list`](#user_list): A comma separated list of users that the role is revoked from.\n\n### Example\n\nThe following example removes the `bigquery.admin` role on the `myDataset`\ndataset from the `example-team@example-pet-store.com` group and a service\naccount: \n\n REVOKE `roles/bigquery.admin` ON SCHEMA `myProject`.myDataset\n FROM \"group:example-team@example-pet-store.com\", \"serviceAccount:user@test-project.iam.gserviceaccount.com\""]]
