This document shows you how to grant OWOX BI service account the Identity and Access Management (IAM) roles required for OWOX BI to access datasets in BigQuery. All actions from the instructions must be performed in the Google Console interface.
NoteYou can now share datasets with OWOX BI service accounts in just a few clicks by using the 'Shared datasets' link in the project menu. Read more in this article.
About the OWOX BI service account and required permissions
When you create your first OWOX BI project, OWOX BI automatically generates a service account. OWOX BI uses the service account to interact with BigQuery on your behalf for all data collection and data processing scenarios where the OWOX BI user isn't directly involved.
You may grant an IAM role on the Google Cloud project level to avoid repetitive setting processes on multiple datasets, but it's not necessarily required. The OWOX BI service account requires the BigQuery Data Editor role only on specific BigQuery datasets you use in OWOX BI.
NoteTo get your OWOX BI service account email, please go to the 'Shared datasets' page and copy it.
Granting access on a GCP Project level
ImportantYou must have a Project IAM admin, Security Admin, or Owner role in the respective Google Cloud project to proceed with the following instructions.
To grant the service account the required permissions on the project level follow these steps:
1. In the Google Cloud console, go to the IAM page.
2. Click Grant Access.
3. In the New principals field, enter the OWOX BI service account email.
4. In the Select a role drop-down list, select the BigQuery Data Editor role.
5. Click Save.
If all is done correctly, Service Account will appear in the list of Principals on the IAM & Admin page.
For more information about how to control access to datasets, go to Manage access to projects.
Granting access on a BigQuery datasets' level
To grant access to a dataset, follow this instruction.