Stay organized with collectionsSave and categorize content based on your preferences.
TheIAM role recommenderuses aggregated
IAM access data, collected during the usage of services in
Google Cloud, to provide recommendations. This data is primarily used for
compliance purposes.
BigQuery Admin(roles/bigquery.admin)
on the project that you will export data to
To publish notifications for your transfer to an existing Pub/Sub topic:Pub/Sub Viewer(roles/pubsub.viewer)
on the project that you will export data to
To publish notifications for your topic to a new Pub/Sub topic:Pub/Sub Editor(roles/pubsub.editor)
on the project that you will export data to
Select your organization from the drop-down list, then clickSelect.
ClickTransparency & control.
In theData processing grouptable, clickIAM.
In theData sourcessection of the page, clickaddCreate transfer.
In theProjectfield, clickBrowse, then select the project that
you want to export data to. If the project does not have the
BigQuery Data Transfer Service API enabled, clickEnable APIand wait until the API is
enabled.
ClickNext.
Configure the data transfer:
In theDisplay namefield, enter a display name for your data
transfer.
InSchedule optionssection, choose when the data transfer will start
and how often it will run.
To choose when to start the transfer, you can leave the default value
ofStart now, or clickStart at a set time.
In theRepeatsfield, choose an option for how often to run the
transfer. If you choose an option other than Daily, additional options
are available. For example, if you chooseWeekly, an option appears
for you to select the day of the week.
ForStart date and run time, enter the date and time to start the
transfer. If you chooseStart now, this option is disabled.
In theDataset IDfield, choose a BigQuery dataset
to export the data to.
You can export data to an existing dataset, or create a new dataset:
To export data to an existing dataset, click theDataset IDfield,
then select a dataset from the drop-down list.
To export data to a new dataset, click theDataset IDfield, clickCreate new dataset, and fill out the fields in theCreate
datasetpane:
In theDataset IDfield, enter an ID for the dataset. Letters,
numbers, and underscores are allowed.
From theData locationdrop-down list, select eitherUnited
States (US)orEuropean Union (EU).
Optional: Select an encryption method. The default encryption
method isGoogle-managed encryption key. If you selectCustomer-managed encryption key (CMEK), you must also select acustomer-managed key.
The transfer you set up will be in the same region as the dataset, and
cannot be moved.
In theproject_numbersfield, enter the project numbers for the
projects whose aggregated IAM access data you want to
export. If you list multiple project numbers, separate the project
numbers with commas. You can export data for up to 10 projects at a time.
To find a project's number, do the following:
In the Google Cloud console, go to theSettingspage.
To enable notifications for failed transfer runs, click theEmail notificationstoggle.
When you enable this option, the transfer administrator
receives an email notification when a transfer run fails.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Export data for role recommendations\n\nThe [IAM role recommender](/policy-intelligence/docs/role-recommendations-overview) uses aggregated\nIAM access data, collected during the usage of services in\nGoogle Cloud, to provide recommendations. This data is primarily used for\ncompliance purposes.\n\nThis page explains how to export that access data to BigQuery using the\n[BigQuery Data Transfer Service](/bigquery-transfer/docs/introduction).\n\nIf you want to export a snapshot of your insights and recommendations, see\n[Export recommendations to\nBigQuery](/policy-intelligence/docs/export-recommendations).\n\nBefore you begin\n----------------\n\n-\n\n\n Enable the IAM, Resource Manager, Recommender, BigQuery, BigQuery Data Transfer Service, and Pub/Sub APIs.\n\n\n [Enable the APIs](https://console.cloud.google.com/flows/enableapi?apiid=iam.googleapis.com,cloudresourcemanager.googleapis.com,recommender.googleapis.com,bigquery.googleapis.com,bigquerydatatransfer.googleapis.com,pubsub.googleapis.com&redirect=https://console.cloud.google.com)\n\n \u003cbr /\u003e\n\n- Read about [role recommendations](/policy-intelligence/docs/role-recommendations-overview).\n\n### Required permissions\n\n\nTo get the permissions that\nyou need to create a data transfer,\n\nask your administrator to grant you the\nfollowing IAM roles:\n\n- [Data Processing Controls Resource Admin](/iam/docs/roles-permissions/dataprocessing#dataprocessing.admin) (`roles/dataprocessing.admin`) on your organization\n- [BigQuery Admin](/iam/docs/roles-permissions/bigquery#bigquery.admin) (`roles/bigquery.admin`) on the project that you will export data to\n- To publish notifications for your transfer to an existing Pub/Sub topic: [Pub/Sub Viewer](/iam/docs/roles-permissions/pubsub#pubsub.viewer) (`roles/pubsub.viewer`) on the project that you will export data to\n- To publish notifications for your topic to a new Pub/Sub topic: [Pub/Sub Editor](/iam/docs/roles-permissions/pubsub#pubsub.editor) (`roles/pubsub.editor`) on the project that you will export data to\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\nExport aggregated IAM access data\n---------------------------------\n\nTo export your projects' aggregated IAM access history to\nBigQuery, use the Transparency and Control Center to set up a data\ntransfer:\n\n1. In the Google Cloud console, go to the **Privacy \\& Security** page.\n\n [Go to Privacy \\& Security](https://console.cloud.google.com/projectselector/iam-admin/privacy?supportedpurview=organizationId)\n2. Select your organization from the drop-down list, then click **Select**.\n\n3. Click **Transparency \\& control**.\n\n4. In the **Data processing group** table, click **IAM**.\n\n5. In the **Data sources** section of the page, click\n add **Create transfer**.\n\n6. In the **Project** field, click **Browse** , then select the project that\n you want to export data to. If the project does not have the\n BigQuery Data Transfer Service API enabled, click **Enable API** and wait until the API is\n enabled.\n\n7. Click **Next**.\n\n8. Configure the data transfer:\n\n 1. In the **Display name** field, enter a display name for your data transfer.\n 2. In **Schedule options** section, choose when the data transfer will start\n and how often it will run.\n\n - To choose when to start the transfer, you can leave the default value of **Start now** , or click **Start at a set time**.\n - In the **Repeats** field, choose an option for how often to run the transfer. If you choose an option other than Daily, additional options are available. For example, if you choose **Weekly**, an option appears for you to select the day of the week.\n - For **Start date and run time** , enter the date and time to start the transfer. If you choose **Start now**, this option is disabled.\n 3. In the **Dataset ID** field, choose a BigQuery dataset\n to export the data to.\n\n | **Important:** This dataset must have a location of **United States (US)** or **European Union (EU)**. No other regions are supported.\n\n You can export data to an existing dataset, or create a new dataset:\n - To export data to an existing dataset, click the **Dataset ID** field, then select a dataset from the drop-down list.\n - To export data to a new dataset, click the **Dataset ID** field, click\n **Create new dataset** , and fill out the fields in the **Create\n dataset** pane:\n\n 1. In the **Dataset ID** field, enter an ID for the dataset. Letters, numbers, and underscores are allowed.\n 2. From the **Data location** drop-down list, select either **United\n States (US)** or **European Union (EU)**.\n 3. Optional: Enable [table expiration](/bigquery/docs/managing-tables#updating_a_tables_expiration_time) by selecting **Enable table expiration**.\n 4. Optional: Select an encryption method. The default encryption method is **Google-managed encryption key** . If you select **Customer-managed encryption key (CMEK)** , you must also select a [customer-managed key](/kms/docs/cmek).\n\n The transfer you set up will be in the same region as the dataset, and\n cannot be moved.\n 4. In the **project_numbers** field, enter the project numbers for the\n projects whose aggregated IAM access data you want to\n export. If you list multiple project numbers, separate the project\n numbers with commas. You can export data for up to 10 projects at a time.\n\n To find a project's number, do the following:\n 1. In the Google Cloud console, go to the **Settings** page.\n\n [Go to Settings](https://console.cloud.google.com/projectselector/iam-admin/settings?supportedpurview=project)\n 2. Select your project.\n\n 3. Copy the project ID from the **Project number** field.\n\n 5. Optional: Enable notifications for your transfer:\n\n - To enable notifications for failed transfer runs, click the **Email notifications** toggle. When you enable this option, the transfer administrator receives an email notification when a transfer run fails.\n - To enable [Pub/Sub notifications for your\n transfer](/bigquery-transfer/docs/transfer-run-notifications), click **Select a Pub/Sub\n topic**, then select or create a topic.\n9. Click **Done**.\n\n10. If prompted, allow **IAM Recommender Aggregated Access Transfers** access\n to your Google account.\n\nManage existing data transfers\n------------------------------\n\nYou can view and manage your transfers in the Transparency and Control Center, or\nin BigQuery:\n\n- To view all aggregated IAM access data transfers for your\n organization, use the Transparency and Control Center:\n\n 1. In the Google Cloud console, go to the **Privacy \\& Security** page.\n\n [Go to Privacy \\& Security](https://console.cloud.google.com/projectselector/iam-admin/privacy?supportedpurview=organizationId)\n 2. Select your organization from the drop-down list, then click **Select**.\n\n 3. Click **Transparency \\& control**.\n\n 4. In the **Data processing group** table, click **IAM** . The **Data\n transfers** section of the page lists all aggregated IAM\n access data transfers for your organization.\n\n 5. To manage an individual transfer, click the transfer's display name.\n\n- To view all data transfers in a project, including aggregated\n IAM access data transfers, use BigQuery:\n\n 1. In the Google Cloud console, go to the **Data transfers** page.\n\n [Go to Data transfers](https://console.cloud.google.com/projectselector/bigquery/transfers?supportedpurview=project)\n 2. Select the project that you exported data to.\n\n 3. The **Data transfers** page shows all data transfers for your project,\n including aggregated IAM access data transfers.\n\n 4. To manage an individual transfer, click the transfer's display name.\n\nWhat's next\n-----------\n\n- Learn how to [export a snapshot of your recommendations and\n insights](/policy-intelligence/docs/export-recommendations).\n- Understand [best practices for using role recommendations](/policy-intelligence/docs/role-recommendations-best-practices).\n- Find out how to [review and apply recommendations](/policy-intelligence/docs/review-apply-role-recommendations).\n- Learn how to [disable role recommendations](/recommender/docs/opting-out)."]]
