This document is intended for Knowledge Catalog (formerly Dataplex Universal Catalog) data product consumers who want to discover and use data products for their use cases.
For more information about the architecture and key concepts of data products, see About data products.
Before you begin
- Enable the Dataplex, BigQuery APIs.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Required roles
To get the permissions that you need to search for, access, and use data products, ask your administrator to grant you the following IAM roles on the data product or the project:
- Search for data products: Dataplex Catalog Viewer (roles/dataplex.catalogViewer)
- Search for data assets and request access: Dataplex Data Products Consumer (roles/dataplex.dataProductsConsumer)
- Read-only access to view data product definitions and metadata: Dataplex Data Products Viewer (roles/dataplex.dataProductsViewer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
As a data product consumer, to view the metadata of an asset, you must have the viewer permission to access the corresponding asset in the source system. For example, to search for metadata for a dataset or a table in a data product, you need the BigQuery Metadata Viewer role (roles/bigquery.metadataViewer).
For more information, see Required roles for accessing search results.
Search for data products
Console
- In the Google Cloud console, go to the Knowledge Catalog Search page.
- Search using keywords or natural language. For more information, see Search for resources.
- In the search results, click the data product for which you want to view details. You can review the description, assets, contract, aspects, contact details, and other documentation associated with the data product.
REST
To search for a data product, use the searchEntries method.
For example, send the following POST request:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "ADDITIONAL_KEYWORDS (type=(DATA_PRODUCT))",
    "pageSize": 10
  }' \
  "https://dataplex.googleapis.com/v1/projects/PROJECT_ID/locations/global:searchEntries"
Replace the following:
- ADDITIONAL_KEYWORDS (optional): any additional keywords or search criteria to narrow down the results (for example, displayName:'My Data Product' or description:'sales')
- PROJECT_ID: the ID of your Google Cloud project in which the data product is created
Request access to data products
As a data product consumer, if you don't have IAM permissions to access a data product, you can request access using the integrated access approval workflows.
Submit an access request
Console
- In the Google Cloud console, go to the Knowledge Catalog Data products page.
- Click the data product that you want to access.
- Click Request access.
- In the Request details pane, specify the following parameters:
  - Access groups: Select the functional access group you want to join.
  - Self or Service account: Select the principal type:
    - If you're requesting access for yourself, select Self.
    - If you're requesting access for a programmatic identity, select Service account. This option is only available if the data product supports service accounts.
  - Justification: Enter a business justification for your request.
- Click Submit.
A new change request is generated for the data product owner to review. You will receive an email notification detailing the final status as soon as the request is approved or rejected.
REST
Data product consumers who have the dataplex.dataProducts.get permission can request access by creating a ChangeRequest resource. Send a POST request to the data product resource endpoint using the custom method :requestAccess:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  -d '{
    "parent": "projects/PROJECT_ID/locations/LOCATION/dataProducts/DATA_PRODUCT_ID",
    "change_request": {
      "justification": "JUSTIFICATION_TEXT",
      "data_product_access_request": {
        "parent": "projects/PROJECT_ID/locations/LOCATION/dataProducts/DATA_PRODUCT_ID",
        "access_group_id": "DATA_PRODUCT_ACCESS_GROUP_ID"
      }
    }
  }' \
  "https://dataplex.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/dataProducts/DATA_PRODUCT_ID:requestAccess"
Replace the following:
- PROJECT_ID: the ID of your Google Cloud project
- LOCATION: the region where the data product exists (for example, us-central1)
- DATA_PRODUCT_ID: the unique identifier of the target data product
- JUSTIFICATION_TEXT: the business reason explaining why access is required
- DATA_PRODUCT_ACCESS_GROUP_ID: the ID of the specific access group you are requesting to join
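The inline JSON in the curl command breaks as soon as the justification contains an apostrophe or a double quote. The following added example (not part of the original documentation) builds the same :requestAccess URL and body with proper JSON escaping and rejects IDs that could alter the resource path; the function name, the ID character set, and the sample values are assumptions of this example.

```python
import json
import re

API_ROOT = "https://dataplex.googleapis.com/v1"
# Assumption: a conservative character set picked for this example, not the
# documented constraint for these IDs. It rejects "/", ":", "?" and whitespace,
# so a value cannot change the resource path or the custom method.
_SAFE_ID = re.compile(r"[A-Za-z0-9_-]+")


def build_access_request(project_id, location, data_product_id,
                         access_group_id, justification):
    """Return (url, json_body) for the :requestAccess call shown above."""
    ids = {
        "project_id": project_id,
        "location": location,
        "data_product_id": data_product_id,
        "access_group_id": access_group_id,
    }
    for name, value in ids.items():
        if not _SAFE_ID.fullmatch(value):
            raise ValueError(f"{name} has characters outside [A-Za-z0-9_-]: {value!r}")
    justification = justification.strip()
    if not justification:
        raise ValueError("justification must not be empty")

    parent = (f"projects/{project_id}/locations/{location}"
              f"/dataProducts/{data_product_id}")
    body = {
        "parent": parent,
        "change_request": {
            "justification": justification,
            "data_product_access_request": {
                "parent": parent,
                "access_group_id": access_group_id,
            },
        },
    }
    # json.dumps escapes quotes, backslashes and newlines in the justification.
    return f"{API_ROOT}/{parent}:requestAccess", json.dumps(body, indent=2)


if __name__ == "__main__":
    # Constructed sample values (hypothetical project, product and group IDs).
    url, body = build_access_request(
        "my-project", "us-central1", "sales-dp", "analysts",
        'Don\'t have access yet; need the "sales" tables for Q3 reporting')
    print(url)
    print(body)
```

Write the printed body to a file and pass it to curl with -d @request.json so that the shell never parses the justification text.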
View the status of access requests
As a data product consumer, you can monitor the progress and lifecycle of your submitted access requests. Knowledge Catalog tracks and displays these requests using distinct status states depending on whether you are viewing a unified workflow list or a specific product's access summary.
View a unified list of your access requests
To view a comprehensive list of all your submitted access requests across all data products, follow these steps:
Console
- In the Google Cloud console, go to the Knowledge Catalog Governance workflows page.
- Click the My requests tab.
- Review the unified list displaying your past and pending requests, along with their current workflow statuses:
  - New: The access request has been created and is pending review by the approver.
  - Approved: The request has been approved, but backend systems are still provisioning access.
  - Rejected: The request was denied. Review the approver's comments to see the rationale for the rejection.
REST
Send a GET request using the custom collection method :listMine:
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  "https://dataplex.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/changeRequests:listMine"
View the access summary for a specific data product
In addition to the global workflow list, you can check your access posture for an individual data product. This lets you verify if you already possess inherited access to an asset group without needing to submit a new request.
To view the access summary for a data product, follow these steps:
Console
- In the Google Cloud console, go to the Knowledge Catalog Data products page.
- Click the specific data product you want to inspect.
- Click the Access summary tab. Review your status across all access groups for that data product.
The Access summary tab uses the following status states:

| Status | Description |
| --- | --- |
| No Access | You don't have access to the access group and haven't yet requested access. |
| Under review | You have submitted an access request, and the request is pending review by an approver. |
| Approved | Your access request has been approved, but membership propagation to the underlying Google Group is still processing. |
| Access granted | Access is fully active. You are a member of the access group and can interact with the data product's assets. |
| Rejected | Your access request for this access group was rejected. |

REST
Send a GET request using the unique ID returned when the request was originally created:
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  "https://dataplex.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/changeRequests/CHANGE_REQUEST_ID"
Replace the following:
- PROJECT_ID: the ID of your Google Cloud project
- LOCATION: the region where the data product exists (for example, us-central1)
- CHANGE_REQUEST_ID: the unique ID of your submitted change request
Delete an access request
- In the Google Cloud console, go to the Knowledge Catalog Governance workflows page.
- Click the My requests tab.
- Locate the row containing your target data product request. If necessary, apply a filter to isolate the entry.
- Click Actions and then click Delete.
Consume data products
To use a data product, ensure that you are granted the necessary permissions. See Request access to data products.
After the data product owner grants you permission, you can access the data product and its assets. For example, if you're granted permissions to access a BigQuery table, you can query it directly in BigQuery to generate insights.
Access assets using user credentials
If your access request was approved for your user credentials, follow these steps to access the assets:
- Search for the data product.
- In the search results, click the data product that you want to use.
- Click the Assets tab.
- Click the asset for which you want to view details. This opens the entry details page.
You can access details such as schema, insights, and lineage. If the asset is a BigQuery table or view, you can click Open in BigQuery to navigate to the BigQuery studio and query the results.
Access assets using a service account
If your access request was approved for a service account, you are granted the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) IAM role on the data producer service account. This lets you create an impersonation chain to access the underlying assets.
To access assets using a service account, follow these steps:
- Identify the configured service accounts for the data product by navigating to the Data Assets tab of the data product details page.
- To impersonate the data producer service account, create an impersonation chain for your service account using the following Google Cloud CLI command:
  gcloud config set auth/impersonate_service_account CONSUMER_SERVICE_ACCOUNT,PRODUCER_SERVICE_ACCOUNT
  Replace the following:
  - CONSUMER_SERVICE_ACCOUNT: the fully qualified email address of the service account belonging to the data product consumer
  - PRODUCER_SERVICE_ACCOUNT: the fully qualified email address of the service account mapped to the data product access group
  For more information, see Use service account impersonation.
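Because approval for a service account results in a Service Account Token Creator grant on the data producer service account, the producer side can periodically review who holds that role. The following added example (not part of the original documentation) classifies the Token Creator members in the JSON printed by `gcloud iam service-accounts get-iam-policy PRODUCER_SERVICE_ACCOUNT --format=json`; the function name, verdict labels, and sample policy are assumptions of this example.

```python
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"


def audit_token_creators(policy, approved_members):
    """Classify each principal bound to Token Creator on the producer service account.

    policy: parsed IAM policy of the producer service account.
    approved_members: IAM members (for example "serviceAccount:x@...") that have
    an approved access request on record.
    """
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue
        for member in binding.get("members", []):
            if member.startswith("deleted:"):
                verdict = "stale"        # principal was deleted; remove the binding
            elif member in approved_members:
                verdict = "approved"
            elif member.startswith("serviceAccount:"):
                verdict = "unapproved"   # can impersonate, but no approved request
            else:
                verdict = "review"       # user, group or domain; check membership
            findings.append({
                "member": member,
                "verdict": verdict,
                "conditional": "condition" in binding,
            })
    return findings


# Constructed sample policy (not real output); all emails are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "PLACEHOLDER_ETAG",
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:consumer-etl@consumer-proj.iam.gserviceaccount.com",
                 "serviceAccount:legacy-job@other-proj.iam.gserviceaccount.com",
                 "deleted:serviceAccount:old-etl@consumer-proj.iam.gserviceaccount.com?uid=123456789",
                 "group:analysts@example.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["user:admin@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    approved = {"serviceAccount:consumer-etl@consumer-proj.iam.gserviceaccount.com"}
    for f in audit_token_creators(SAMPLE_POLICY, approved):
        print(f'{f["verdict"]:<11}{f["member"]}')
```

The policy returned for a service account lists only bindings set on that service account; Token Creator granted at the project, folder, or organization level is inherited and has to be reviewed at that level.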
Access data products using remote MCP server
For client applications and development tools that interact with your data products outside of the Google Cloud ecosystem, you can use a remote Model Context Protocol (MCP) server. This architectural pattern allows external developer clients to safely query and discover cataloged data assets while maintaining unified governance boundaries.
To learn how to deploy and connect to an external server, see Use the Knowledge Catalog remote MCP server.
What's next
- Learn more about data products.
- Learn how to create a data product.
- Learn more about managing data products.

