Authorized routines

Authorized routines let you share query results with specific users or groups without giving them access to the underlying tables that generated the results. For example, an authorized routine can compute an aggregation over data or look up a table value and use that value in a computation.

By default, if a user invokes a routine, the user must have access to read the data in the table. As an alternative, you can authorize the routine to access the dataset that contains the referenced table. An authorized routine can query the tables in the dataset, even if the user who calls the routine can't query those tables directly.

The following types of routines can be authorized:

Authorize routines

To authorize a routine, use the Google Cloud console, the bq command-line tool, or the REST API:

Console

Go to the BigQuery page in the Google Cloud console.

Go to BigQuery
In the left pane, click Explorer:

If you don't see the left pane, click Expand left paneto open the pane.
In the Explorerpane, expand your project, click Datasets, and then select a dataset.
In the details pane, click Share > Authorize Routines.
In the Authorized routinespage, in the Authorize routinesection, select the Project, Dataset, and Routinefor the routine that you want to authorize.
Click Add authorization.

bq

Use the bq show command to get the JSON representation of the dataset that you want the routine to access. The output from the command is a JSON representation of the Dataset resource. Save the result to a local file.
```
bq  
show  
--format = 
prettyjson  
 TARGET_DATASET 
 > 
dataset.json
```
Replace TARGET_DATASET with the name of the dataset that the routine can access.

Edit the file to add the following JSON object to the access array in the Dataset resource:

 { 
  
 "routine" 
 : 
  
 { 
  
 "datasetId" 
 : 
  
 " DATASET_NAME 
" 
 , 
  
 "projectId" 
 : 
  
 " PROJECT_ID 
" 
 , 
  
 "routineId" 
 : 
  
 " ROUTINE_NAME 
" 
  
 } 
 }

Where:

DATASET_NAME is the name of the dataset that contains the routine.
PROJECT_ID is the project ID of the project that contains the routine.
ROUTINE_NAME is the name of the routine.

Use the bq update command to update the dataset.

 bq 
  
 upda 
 te 
  
 -- 
 source 
  
 da 
 taset 
 .jso 
 n 
  
  TARGET_DATASET

API

Call the datasets.get method to fetch the dataset that you want the routine to access. The response body contains a representation of the Dataset resource.

Add the following JSON object to the access array in the Dataset resource:

 { 
  
 "routine" 
 : 
  
 { 
  
 "datasetId" 
 : 
  
 " DATASET_NAME 
" 
 , 
  
 "projectId" 
 : 
  
 " PROJECT_ID 
" 
 , 
  
 "routineId" 
 : 
  
 " ROUTINE_NAME 
" 
  
 } 
 }

Where:

DATASET_NAME is the name of the dataset that contains the UDF.
PROJECT_ID is the project ID of the project that contains the UDF.
ROUTINE_NAME is the name of the routine.

Call the dataset.update method with the modified Dataset representation.

Quotas and limits

Authorized routines are subject to dataset limits. For more information, see Dataset limits .

Authorized routine example

The following is an end-to-end example of creating and using an authorized UDF.

Create two datasets named private_dataset and public_dataset . For more information about creating a dataset, see Creating a dataset .

Run the following statement to create a table named private_table in private_dataset :

  CREATE 
  
 OR 
  
 REPLACE 
  
 TABLE 
  
 private_dataset 
 . 
 private_table 
 AS 
  
 SELECT 
  
 key 
  
 FROM 
  
 UNNEST 
 ( 
 [ 
 'key1' 
 , 
  
 'key1' 
 , 
 'key2' 
 , 
 'key3' 
 ] 
 ) 
  
 key 
 ;

Run the following statement to create a UDF named count_key in public_dataset . The UDF includes a SELECT statement on private_table .

  CREATE 
  
 OR 
  
 REPLACE 
  
 FUNCTION 
  
 public_dataset 
 . 
 count_key 
 ( 
 input_key 
  
 STRING 
 ) 
 RETURNS 
  
 INT64 
 AS 
 (( 
 SELECT 
  
 COUNT 
 ( 
 1 
 ) 
  
 FROM 
  
 private_dataset 
 . 
 private_table 
  
 t 
  
 WHERE 
  
 t 
 . 
 key 
  
 = 
  
 input_key 
 ));

Grant the bigquery.dataViewer role to a user on the public_dataset dataset. This role includes the bigquery.routines.get permission, which lets the user call the routine. For information about how to assign access controls to a dataset, see Controlling access to datasets .

Note: Instead of using a built-in role, consider creating a custom role with minimal permissions. For more information, see Creating and managing custom roles .
At this point, the user has permission to call the count_key routine but cannot access the table in private_dataset . If the user tries to call the routine, they get an error message similar to the following:
```
Access Denied: Table myproject:private_dataset.private_table: User does
not have permission to query table myproject:private_dataset.private_table.
```
Using the bq command-line tool, run the show command as follows:
```
bq  
show  
--format = 
prettyjson  
private_dataset > 
dataset.json
```
The output is saved to a local file named dataset.json .

Edit dataset.json to add the following JSON object to the access array:

 { 
  
 "routine" 
 : 
  
 { 
  
 "datasetId" 
 : 
  
 "public_dataset" 
 , 
  
 "projectId" 
 : 
  
 " PROJECT_ID 
" 
 , 
  
 "routineId" 
 : 
  
 "count_key" 
  
 } 
 }

Replace PROJECT_ID with the project ID for public_dataset .

Using the bq command-line tool, run the update command as follows:

 bq 
  
 upda 
 te 
  
 -- 
 source 
  
 da 
 taset 
 .jso 
 n 
  
 priva 
 te 
 _da 
 taset

To verify that the UDF has access to private_dataset , the user can run the following query:

  SELECT 
  
 public_dataset 
 . 
 count_key 
 ( 
 'key1' 
 );