Associate Data Practitioner
Unlock the power of your data in the cloud! Get hands-on with Google Cloud's core data services like BigQuery and Looker to validate your practical skills in data ingestion, analysis, and management, and earn your Associate Data Practitioner certification!
Differentiate between basic roles, predefined roles, and permissions for data services (e.g., BigQuery, Cloud Storage)
Identify and Describe Basic Roles and Predefined Roles
Identity and Access Management (IAM) uses roles to grant users and service accounts specific permissions. There are two main categories of roles: basic roles and predefined roles, each with a different scope. A role is a set of permissions that map to actions on resources such as BigQuery datasets or Cloud Storage buckets. Follow the principle of least privilege to keep your data secure: grant only the access needed for a specific task.
Basic roles include Owner, Editor, and Viewer, and they apply broadly across all Google Cloud services. The Owner role gives full control over resources, including billing and IAM policies. The Editor role allows modifying resources but does not permit managing roles or billing. The Viewer role grants read-only access so users can look at resources without making changes. Avoid using basic roles in production environments unless absolutely required.
Predefined roles provide granular permissions tailored to specific data services. For example, BigQuery Data Viewer lets users read table data and metadata, while BigQuery Data Editor allows reading and modifying table contents. Another example is Storage Object Admin, which grants full control over objects in Cloud Storage buckets. Predefined roles have fewer permissions than basic roles, lowering security risks. They help you follow the principle of least privilege by granting only the actions needed for a job.
Each permission usually matches an API method, making it easy to predict what actions a role allows. For instance, the permission bigquery.jobs.create lets a user run new query jobs, while bigquery.tables.get allows reading table metadata. In Cloud Storage, storage.objects.get permits downloading objects from a bucket. If a user or service account lacks the required permission, the API call will fail. This clear mapping helps you design precise access controls.
To maintain a secure environment, grant users the minimum access required and regularly review and adjust role bindings. Choose predefined roles over basic roles whenever possible, and create custom roles for specialized cases. Combine roles thoughtfully to avoid giving too much or too little access. Using the principle of least privilege reduces the risk of accidental or malicious changes to your data. Consistent monitoring and auditing keep your project compliant and secure.
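The following script is an added example, not part of the original page or of any Google Cloud tooling. It shows the permission-to-role mapping and the least-privilege review described above on a constructed IAM policy in the shape `gcloud projects get-iam-policy --format=json` returns. The `ROLE_PERMISSIONS` table is a constructed subset of the real role definitions (real roles carry many more permissions), and the basic-role entries are an approximation built from that subset; `SAMPLE_POLICY`, the member names and the helper function names are all assumptions made for the demonstration. Group membership is not expanded, so a user is only checked against bindings that name them directly.

```python
import json

# Constructed subset of role -> permission mappings (assumption for this
# example; consult the role reference for the full lists). Note that
# bigquery.jobs.create is not in roles/bigquery.dataViewer: that role reads
# tables but cannot run query jobs, which is a common least-privilege surprise.
ROLE_PERMISSIONS = {
    "roles/bigquery.dataViewer": {
        "bigquery.datasets.get", "bigquery.tables.get",
        "bigquery.tables.getData", "bigquery.tables.list",
    },
    "roles/bigquery.dataEditor": {
        "bigquery.datasets.get", "bigquery.tables.get",
        "bigquery.tables.getData", "bigquery.tables.list",
        "bigquery.tables.create", "bigquery.tables.update",
        "bigquery.tables.updateData", "bigquery.tables.delete",
    },
    "roles/bigquery.jobUser": {"bigquery.jobs.create"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete",
    },
}

# Approximate the basic roles from the subset above (assumption): Viewer gets
# the read-style permissions, Editor gets everything in the subset, Owner adds
# the ability to change the IAM policy itself.
ALL_PERMS = set().union(*ROLE_PERMISSIONS.values())
READ_PERMS = {p for p in ALL_PERMS if p.rsplit(".", 1)[1] in ("get", "list", "getData")}
ROLE_PERMISSIONS["roles/viewer"] = READ_PERMS
ROLE_PERMISSIONS["roles/editor"] = ALL_PERMS
ROLE_PERMISSIONS["roles/owner"] = ALL_PERMS | {"resourcemanager.projects.setIamPolicy"}

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy (assumption), shaped like the JSON output of
# `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:legacy-analyst@example.com"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["user:analyst@example.com", "group:data-readers@example.com"]},
    {"role": "roles/bigquery.jobUser",
     "members": ["group:data-readers@example.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]}
  ]
}
""")


def roles_for(policy, member):
    """Return the set of roles the policy binds directly to the member."""
    return {b["role"] for b in policy["bindings"] if member in b["members"]}


def has_permission(policy, member, permission):
    """True if any role bound to the member grants the permission.

    Mirrors the API behaviour described in the text: a call succeeds only if
    some bound role contains the permission that backs the API method.
    """
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in roles_for(policy, member))


def basic_role_bindings(policy):
    """List (role, member) pairs bound to Owner/Editor/Viewer.

    These are the bindings a least-privilege review should replace with
    predefined roles (or custom roles) scoped to the job actually performed.
    """
    return [(b["role"], m) for b in policy["bindings"]
            if b["role"] in BASIC_ROLES for m in b["members"]]


def permissions_for(policy, member):
    """Union of all permissions the member's bound roles grant (from the subset)."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set())
                         for r in roles_for(policy, member)))


if __name__ == "__main__":
    for role, member in basic_role_bindings(SAMPLE_POLICY):
        print(f"REVIEW: {member} holds basic role {role}")
    print("analyst can read tables:",
          has_permission(SAMPLE_POLICY, "user:analyst@example.com", "bigquery.tables.get"))
    print("analyst can run query jobs:",
          has_permission(SAMPLE_POLICY, "user:analyst@example.com", "bigquery.jobs.create"))
```

Running the script flags the legacy Editor binding for review and shows that the analyst holding only BigQuery Data Viewer can read table data but would get a permission error when submitting a query job, because `bigquery.jobs.create` comes from a different role. That is the kind of precise, per-method reasoning the permission-to-API mapping makes possible.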
Conclusion
In summary, GCP IAM roles let you control who can do what with data services like BigQuery and Cloud Storage. Knowing the difference between basic roles and predefined roles helps you grant the right level of access. Permissions map directly to API methods, making role behaviors transparent. By following the principle of least privilege and regularly reviewing roles, you keep your data safe and well-managed.