Exam Professional Data Engineer topic 1 question 118 discussion

Old question. It's done using IAM nowadays: bigquery.dataEditor and bigquery.dataViewer

B. Create a dataset for each department. Assign the department leads the role of WRITER, and assign the data analysts the role of READER on their dataset.

No writer, reader role

WRITER role is not there in roles of BigQuery table/dataset

Answer : D. There is no role called WRITER or READER as preliminary role.

both C & D violate the principle of least privilege. A talks about OWNER and WRITER roles, and the analyst doesn't need a writer role. So we're left with B.

https://cloud.google.com/bigquery/docs/access-control#bigquery

B - Lead needs to have the role to create tables and also Analyst only need to read

Answer B: Why not D, mentioned in question: Data lead will create tables in dataset. Imagine, other department leads are creating unnecessory tables in shared dataset and you are struggling to find your tables as everyday there are some new tables. Headache right ? better to give them seperate dataset and do whatever you want in that dataset.

Vote B, both BD can fullfill the job requirement but B is on dataset level and D on project level. "By default, granting access to a project also grants access to datasets within it." D may issue unnecessary accesses to other content in the project.

Interestingly enough - I know believe the answer is A... Deleting is not the same as modify...

Answer is B: https://cloud.google.com/bigquery/docs/access-control The question ask for the lead to be able to: CREATE, UPDATE, and SHARE with the team... BigQuery Data Owner can do that (roles/bigquery.dataOwner) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. Editor cannot do that. Thoughts?

It's D, because this is an outdated question, before IAM you cannot set Editor to a dataset; but the best practice is: Create a dataset for each department. Assign the department leads the role of EDITOR(NOT OWNER), and assign the data analysts the role of READER on their dataset.

Wow B is an answer https://cloud.google.com/bigquery/docs/access-control-basic-roles#dataset-basic-roles

It CANNOT BE B BECAUSE OF : Caution: BigQuery's dataset-level basic roles existed prior to the introduction of IAM. We recommend that you minimize the use of basic roles. In production environments, don't grant basic roles unless there is no alternative. Instead, use predefined IAM roles. https://cloud.google.com/bigquery/docs/access-control-basic-roles

I vote B because C and D says that the role is on the project that the table is in, this mean that the role is at the project level that implies that: If you create a dataset in a project that contains any editors, BigQuery grants those users the bigquery.dataEditor predefined role for the new dataset. (from https://cloud.google.com/bigquery/docs/access-control-basic-roles#project-basic-roles) A can't not be because the analysts, in this case, can access the data. B grant to the leads update their datasets, that's mean create tables, and the analysts only read their datasets.

https://cloud.google.com/bigquery/docs/access-control-basic-roles Caution: BigQuery's dataset-level basic roles existed prior to the introduction of IAM. We recommend that you minimize the use of basic roles. In production environments, don't grant basic roles unless there is no alternative. Instead, use predefined IAM roles.