The following permissions are required to run GRANT and REVOKE statements.
Resource Type
Permissions
Dataset
bigquery.datasets.update
Table
bigquery.tables.setIamPolicy
View
bigquery.tables.setIamPolicy
GRANT statement
Grants roles to users on BigQuery resources.
Syntax
GRANT role_list
ON resource_type resource_name
TO user_list
Arguments
role_list: A role or list of comma separated roles that contains the
permissions you want to grant. For more information on the types of roles available,
see Understanding roles.
resource_type: The type of resource the role is applied to. Supported values include:
SCHEMA (equivalent to dataset), TABLE, VIEW,
EXTERNAL TABLE.
resource_name: The name of the resource you want to grant the permission on.
user_list: A comma separated list of users that the role is granted to.
The following example grants the bigquery.dataViewer role to the users
raha@example-pet-store.com and sasha@example-pet-store.com on a dataset named
myDataset:
Removes roles from a list of users on BigQuery resources.
Syntax
REVOKE role_list
ON resource_type resource_name
FROM user_list
Arguments
role_list: A role or list of comma separated roles that contains the
permissions you want to remove. For more information on the types of roles available,
see Understanding roles.
resource_type: The type of resource that the role will be removed from. Supported values include:
SCHEMA (equivalent to dataset), TABLE, VIEW,
EXTERNAL TABLE.
resource_name: The name of the resource you want to revoke the role on.
user_list: A comma separated list of users that the role is revoked from.
Example
The following example removes the bigquery.admin role on the myDataset
dataset from the example-team@example-pet-store.com group and a service
account:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eData control language (DCL) statements in GoogleSQL are used to manage access to BigQuery resources using SQL query syntax.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eGRANT\u003c/code\u003e statement assigns specified roles to users on resources such as datasets, tables, views, and external tables.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eREVOKE\u003c/code\u003e statement removes specified roles from users, allowing administrators to control permissions on BigQuery resources.\u003c/p\u003e\n"],["\u003cp\u003ePermissions required to execute \u003ccode\u003eGRANT\u003c/code\u003e and \u003ccode\u003eREVOKE\u003c/code\u003e statements include \u003ccode\u003ebigquery.datasets.update\u003c/code\u003e for datasets and \u003ccode\u003ebigquery.tables.setIamPolicy\u003c/code\u003e for tables and views.\u003c/p\u003e\n"],["\u003cp\u003eUsers can be specified in \u003ccode\u003eGRANT\u003c/code\u003e and \u003ccode\u003eREVOKE\u003c/code\u003e statements using formats for Google accounts, groups, service accounts, domains, and special groups like \u003ccode\u003eallAuthenticatedUsers\u003c/code\u003e and \u003ccode\u003eallUsers\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Data control language (DCL) statements in GoogleSQL\n===================================================\n\nThe BigQuery data control language (DCL) statements let you set up\nand control BigQuery resources using\n[GoogleSQL](/bigquery/docs/reference/standard-sql) query syntax.\n\nUse these statements to give or remove access to BigQuery resources.\n\nFor more information on controlling access to specific BigQuery resources,\nsee:\n\n- [Controlling access to datasets](/bigquery/docs/dataset-access-controls)\n- [Controlling access to tables](/bigquery/docs/table-access-controls)\n- [Controlling access to views](/bigquery/docs/authorized-views)\n\nPermissions required\n--------------------\n\nThe following permissions are required to run `GRANT` and `REVOKE` statements.\n\n`GRANT` statement\n-----------------\n\nGrants roles to users on BigQuery resources.\n\n### Syntax\n\n```\nGRANT role_list\n ON resource_type resource_name\n TO user_list\n```\n\n### Arguments\n\n- `role_list`: A role or list of comma separated roles that contains the\n permissions you want to grant. For more information on the types of roles available,\n see [Understanding roles](/iam/docs/understanding-roles).\n\n- `resource_type`: The type of resource the role is applied to. Supported values include:\n `SCHEMA` (equivalent to dataset), `TABLE`, `VIEW`,\n `EXTERNAL TABLE`.\n\n- `resource_name`: The name of the resource you want to grant the permission on.\n\n- [`user_list`](#user_list): A comma separated list of users that the role is granted to.\n\n### `user_list`\n\nSpecify users using the following formats:\n\nFor more information about each type of user in the table, see\n[Concepts related to identity](/iam/docs/overview#concepts_related_identity).\n\n### Example\n\nThe following example grants the `bigquery.dataViewer` role to the users\n`raha@example-pet-store.com` and `sasha@example-pet-store.com` on a dataset named\n`myDataset`: \n\n GRANT `roles/bigquery.dataViewer` ON SCHEMA `myProject`.myDataset\n TO \"user:raha@example-pet-store.com\", \"user:sasha@example-pet-store.com\"\n\n`REVOKE` statement\n------------------\n\nRemoves roles from a list of users on BigQuery resources.\n\n### Syntax\n\n```\nREVOKE role_list\n ON resource_type resource_name\n FROM user_list\n```\n\n### Arguments\n\n- `role_list`: A role or list of comma separated roles that contains the\n permissions you want to remove. For more information on the types of roles available,\n see [Understanding roles](/iam/docs/understanding-roles).\n\n- `resource_type`: The type of resource that the role will be removed from. Supported values include:\n `SCHEMA` (equivalent to dataset), `TABLE`, `VIEW`,\n `EXTERNAL TABLE`.\n\n- `resource_name`: The name of the resource you want to revoke the role on.\n\n- [`user_list`](#user_list): A comma separated list of users that the role is revoked from.\n\n### Example\n\nThe following example removes the `bigquery.admin` role on the `myDataset`\ndataset from the `example-team@example-pet-store.com` group and a service\naccount: \n\n REVOKE `roles/bigquery.admin` ON SCHEMA `myProject`.myDataset\n FROM \"group:example-team@example-pet-store.com\", \"serviceAccount:user@test-project.iam.gserviceaccount.com\""]]
