PAD User Levels and Permissions

PAD user levels and permissions

Permissions in PAD are handled via Google Groups. This means all users in a Google Group will have the same permissions for a dataset and project. When onboarded to PAD, users are assigned a designated level according to the organization admin’s request. If your PAD has a parent and child project setup, see the FAQ for additional permissions information. 

What are the user levels and permissions?

• Administrators can create, edit, and delete datasets in your partner project and have this access automatically to all datasets in the partner project. They can also control access for the Contributor and Viewer groups to datasets. Administrators can also view, download from/upload to, and make changes to Google Cloud buckets. Additionally, they can run and administer Google workflows. The number of admins should be limited.
  
  
• Editors can create and edit datasets in your partner projects but cannot delete them. They have this access automatically to all datasets in the partner project. Editors can also view, download from/upload to, and make changes to Google Cloud buckets. Additionally, they can run and administer Google workflows.
  
  
• Viewers can only read (query) datasets in your partner project. The viewers group needs to be explicitly added to datasets in your partner project to be able to see and query them. Viewers also need to be explicitly added to Google Cloud buckets to be able to view and download from them. We generally do not recommend the viewer role without a clearly defined use case.
  
  
• Contributors can query and create datasets, and they can also run Google workflows. The contributors group needs to be explicitly added to datasets in your partner project to be able to see, query, and edit them. Contributors also need to be explicitly added to Google Cloud buckets to be able to view and download from them. We generally do not recommend the contributor role without a clearly defined use case.
  
  

These user levels and permissions are standard across PAD. For quick reference:

As an admin, can I add users to the Google Groups?

The answer here is yes and no. Admins can add users to Contributor and Viewer groups as needed. Once they are added, users in these two groups will have access to the datasets you would like them to access. To add users, log in to groups.google.com via your PAD account to view group access.

If you’d like to add a user as an Administrator or Editor, you must submit a help ticket to CTA via help@techallies.org.

How do I add a group/user to a dataset?

To add a group to a dataset in BigQuery, follow these steps:

1. Navigate to the BigQuery home page.
2. In the Explorer pane, expand your project and select the dataset to which you want to add a group.
3. Click "Sharing" in the pane on the far right side, and then select "Permissions" from the dropdown menu.
4. Click "Add principal."
5. In the "New principals" field, enter the user account or group.
6. From the "Select a role" list, choose a role to grant the principal. In most cases, CTA recommends using either "BigQuery Data Editor" or "BigQuery Data Viewer."
7. Click "Save."
8. To return to the dataset info, click "Close."
   
   

Please note that only administrators have the ability to add groups or users to a dataset. If you encounter an error message saying you do not have permission to edit permissions, you can submit a help ticket to CTA via help@techallies.org or speak to your organization’s administrator to have the group added.

My users are getting an error message when they try to access a dataset - what do I do?

Several issues can cause an access error. If the users receiving an error message are contributors or viewers, it is likely they have not been added to the dataset. To add them to the dataset, see the instructions above. If the users getting an error message are editors or admins, or adding the group does not resolve the issue, reach out to help@techallies.org for further troubleshooting.

How do I add a group to a bucket?

See instructions here.

What if my PAD has parent and child projects? How do permissions transfer?

If your PAD has parent and child projects, administrators and editors in the parent project will have administrator or editor access (based on their parent project role) in each child project. To see the child projects, they can pin each child project from the Explorer pane in BigQuery. Contributors and viewers in the parent project will not have access to child projects. Users permissioned on child projects will not be able to access other child projects or the parent project regardless of role (unless explicitly permissioned on them).