Associate Data Practitioner
Unlock the power of your data in the cloud! Get hands-on with Google Cloud's core data services like BigQuery and Looker to validate your practical skills in data ingestion, analysis, and management, and earn your Associate Data Practitioner certification!
Establish the principles of least privileged access by using Identity and Access Management (IAM)
Differentiate between basic roles, predefined roles, and permissions for data services (e.g., BigQuery, Cloud Storage)
In Google Cloud, Identity and Access Management (IAM) lets you set who can access and manage resources. It uses basic roles, predefined roles, and permissions as building blocks. Basic roles grant broad levels of access and consist of Owner, Editor, and Viewer. They are simple but may violate the principle of least privilege if used too freely. Always choose the most restrictive role that still allows tasks to be completed.
Predefined roles are more fine-grained and service-specific, such as BigQuery Data Viewer or Storage Object Admin. They bundle only the permissions needed for specific tasks. Using predefined roles helps enforce least privileged access by limiting capabilities to what is necessary. Google updates them to include new permissions as services evolve, which reduces management overhead for administrators.
In IAM, permissions are the atomic units that define what actions can be performed on resources. Roles are simply collections of permissions. When no predefined role fits exactly, you can create a custom role by selecting only the permissions you need. Custom roles help achieve fine-grained security but require careful planning to avoid missing essential permissions or granting extras. Administrators should monitor and adjust custom roles as requirements change.
When working with data services such as BigQuery and Cloud Storage, always apply the principle of least privilege. Start by identifying the tasks users need to perform and then assign the most specific predefined or custom roles that cover those tasks. For example, use BigQuery Data Viewer for read-only SQL queries or Storage Object Admin for managing objects in a bucket. Regularly review IAM policies and use tools such as IAM Policy Analyzer to audit and refine permissions. This practice reduces security risks and simplifies compliance.
IAM supports assigning roles at different levels of the resource hierarchy, such as organization, folder, project, and resource levels. This inheritance model means roles granted at a higher level automatically apply to contained resources. You can use this feature to simplify policy management when multiple projects or buckets share the same access requirements. However, take care to avoid overly broad permissions flowing down where they are not needed. Clear documentation of your IAM structure helps prevent misconfigurations.
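The points above (roles as bundles of permissions, custom roles that must be checked for gaps and extras, basic roles as a least-privilege red flag, and inheritance down the resource hierarchy) can be made concrete with a small analyzer. The code below is an added example written for this guide; it is not the IAM API, not Policy Analyzer, and not Google's code. The organization, folder, project, bucket and dataset names, the members and the policy bindings are all constructed. The permission lists are a small illustrative subset of the real role contents, and the basic roles are deliberately simplified: Owner and Editor are modelled as every permission in the catalog and Viewer as its read-only subset.

```python
"""Toy model of IAM role inheritance plus two least-privilege checks (added example)."""
from __future__ import annotations

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Illustrative subset of real permission names; the real roles bundle many more.
PREDEFINED_ROLES: dict[str, set[str]] = {
    "roles/bigquery.dataViewer": {
        "bigquery.datasets.get", "bigquery.tables.get",
        "bigquery.tables.list", "bigquery.tables.getData",
    },
    "roles/bigquery.jobUser": {"bigquery.jobs.create"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete", "storage.objects.get",
        "storage.objects.list", "storage.objects.update",
    },
}
ALL_KNOWN: set[str] = set().union(*PREDEFINED_ROLES.values())

# Constructed hierarchy: child resource -> parent resource.
PARENT = {
    "folders/111": "organizations/999",
    "projects/data-prod": "folders/111",
    "buckets/raw-events": "projects/data-prod",
    "datasets/analytics": "projects/data-prod",
}

# Constructed policy: resource -> list of (role, member) bindings.
POLICY = {
    "organizations/999": [("roles/viewer", "user:auditor@example.com")],
    "projects/data-prod": [
        ("roles/editor", "group:data-eng@example.com"),
        ("roles/bigquery.dataViewer", "user:analyst@example.com"),
    ],
    "buckets/raw-events": [
        ("roles/storage.objectAdmin",
         "serviceAccount:loader@data-prod.iam.gserviceaccount.com"),
    ],
}

CUSTOM_ROLES: dict[str, set[str]] = {}


def role_permissions(role: str, custom_roles=CUSTOM_ROLES) -> set[str]:
    """Expand a role into permissions (basic roles simplified, see lead-in)."""
    if role in ("roles/owner", "roles/editor"):
        return set(ALL_KNOWN)
    if role == "roles/viewer":
        return {p for p in ALL_KNOWN if p.rsplit(".", 1)[1] in ("get", "list", "getData")}
    if role in PREDEFINED_ROLES:
        return set(PREDEFINED_ROLES[role])
    if role in custom_roles:
        return set(custom_roles[role])
    raise KeyError(f"unknown role {role}")


def ancestors(resource: str) -> list[str]:
    """Resource followed by its parents up to the organization."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def effective_roles(member: str, resource: str, policy=POLICY) -> set[str]:
    """Roles a member holds on a resource, including those inherited from above."""
    return {role for anc in ancestors(resource)
            for role, m in policy.get(anc, []) if m == member}


def effective_permissions(member: str, resource: str, policy=POLICY) -> set[str]:
    perms: set[str] = set()
    for role in effective_roles(member, resource, policy):
        perms |= role_permissions(role)
    return perms


def basic_role_grants(policy=POLICY) -> list[tuple[str, str, str]]:
    """Audit: every binding of a basic role, the first thing to review."""
    return sorted((res, m, role) for res, bindings in policy.items()
                  for role, m in bindings if role in BASIC_ROLES)


def check_custom_role(permissions: set[str], required: set[str]) -> dict[str, set[str]]:
    """Compare a proposed custom role with the permissions a task actually needs."""
    return {
        "unknown": set(permissions) - ALL_KNOWN,      # typos / nonexistent names
        "missing": set(required) - set(permissions),  # task would fail
        "extra": set(permissions) - set(required),    # more than least privilege
    }


if __name__ == "__main__":
    print(effective_permissions("user:auditor@example.com", "datasets/analytics"))
    print(basic_role_grants())
    print(check_custom_role(
        {"bigquery.tables.getData", "bigquery.tabels.get"},
        {"bigquery.tables.getData", "bigquery.tables.get", "bigquery.jobs.create"}))
```

Two things the run makes visible. The auditor's Viewer binding at the organization flows down to every dataset and bucket, and the group's Editor binding at the project reaches the bucket, which is why `basic_role_grants` lists both for review. The `check_custom_role` call shows the kind of gap the text warns about: the proposed role has a misspelled permission and lacks `bigquery.jobs.create`, without which a user holding only read permissions cannot run a query job (in real IAM that permission comes with BigQuery Job User, so read-only analysts typically need it alongside Data Viewer).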
Conclusion
In this section, we learned how to use IAM roles and permissions to apply least privileged access. We reviewed basic roles for broad assignments, predefined roles for fine-grained control in data services, and how to create custom roles with specific permissions. We also discussed best practices like assigning roles at the correct level of the resource hierarchy, regularly auditing IAM policies, and using tools to monitor access. Applying these principles helps maintain security and ensures users only have the access needed to do their jobs. By following these guidelines, administrators can protect data, reduce risk, and simplify permission management in GCP.
Study Guides for Sub-Sections
Identity and Access Management (IAM) uses roles to grant users exact permissions. There are two main categories of roles: basic roles and