PolicySync Role Permission Details

| Permission | Why it is needed |
|---|---|
| resourcemanager.projects.get | Required to list the projects available in the GCP console. |
| resourcemanager.projects.getIamPolicy<br>resourcemanager.projects.setIamPolicy | Required to make permission changes at the project level based on Privacera policies. |
| iam.roles.list<br>iam.roles.get<br>iam.roles.create<br>iam.roles.update | PolicySync creates and uses custom IAM roles for fine-grained access control: PrivaceraGBQDatasetCreateRole, PrivaceraGBQDatasetGetMetadataRole, PrivaceraGBQDatasetUpdateRole, PrivaceraGBQDatasetDeleteRole, PrivaceraGBQTableListRole, PrivaceraGBQTableCreateRole, PrivaceraGBQTableGetMetadataRole. These permissions are needed only if you want PolicySync to create those custom IAM roles for you automatically; they also cover updates when the permissions in a custom role are modified. If you create all the required custom roles manually, you can skip these permissions. |
| bigquery.jobs.create | Required to execute SQL queries within a BigQuery project. PolicySync needs this permission because it creates views to apply masking and row filtering; it is also necessary to establish a JDBC connection. |
| bigquery.datasets.get | Required to list all available datasets within a BigQuery project. |
| bigquery.datasets.getIamPolicy<br>bigquery.datasets.setIamPolicy | Required to make permission changes at the dataset level based on Privacera policies. |
| bigquery.tables.list<br>bigquery.tables.get | Required to list all available tables and their columns within a BigQuery project. |
| bigquery.tables.getIamPolicy<br>bigquery.tables.setIamPolicy | Required to make permission changes at the table/view level based on Privacera policies. |
| bigquery.datasets.create<br>bigquery.datasets.update<br>bigquery.datasets.delete<br>bigquery.tables.getData<br>bigquery.tables.create<br>bigquery.tables.update<br>bigquery.tables.delete | Required to create, update, or delete secure views and their datasets. |
| bigquery.rowAccessPolicies.list<br>bigquery.rowAccessPolicies.create<br>bigquery.rowAccessPolicies.update<br>bigquery.rowAccessPolicies.delete<br>bigquery.rowAccessPolicies.getIamPolicy<br>bigquery.rowAccessPolicies.setIamPolicy | Required only if you are using a native row filter in BigQuery. These permissions are necessary to create, update, or delete row filters on tables for users and groups based on Privacera policies. |
| datacatalog.categories.getIamPolicy<br>datacatalog.categories.setIamPolicy<br>datacatalog.taxonomies.get<br>datacatalog.taxonomies.getIamPolicy<br>datacatalog.taxonomies.list<br>datacatalog.taxonomies.setIamPolicy<br>datacatalog.taxonomies.update<br>bigquery.dataPolicies.create<br>bigquery.dataPolicies.delete<br>bigquery.dataPolicies.get<br>bigquery.dataPolicies.getIamPolicy<br>bigquery.dataPolicies.list<br>bigquery.dataPolicies.setIamPolicy<br>bigquery.dataPolicies.update<br>bigquery.tables.setCategory | Required for the Tag-Based Masking feature. |
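Because several groups in the table are only needed for optional features, the custom role granted to the PolicySync service account should contain exactly the groups for the features in use. The following audit script is an added example, not Privacera's code: it encodes the table's groups, computes the minimal set for a given feature selection, and diffs it against a role definition of the shape printed by `gcloud iam roles describe ROLE --project PROJECT --format=json` (the sample role below is constructed).

```python
import json
# Permissions PolicySync always needs for BigQuery (from the table above).
BASE = {
    "resourcemanager.projects.get", "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.setIamPolicy", "bigquery.jobs.create",
    "bigquery.datasets.get", "bigquery.datasets.getIamPolicy",
    "bigquery.datasets.setIamPolicy", "bigquery.tables.list",
    "bigquery.tables.get", "bigquery.tables.getIamPolicy",
    "bigquery.tables.setIamPolicy", "bigquery.datasets.create",
    "bigquery.datasets.update", "bigquery.datasets.delete",
    "bigquery.tables.getData", "bigquery.tables.create",
    "bigquery.tables.update", "bigquery.tables.delete",
}
# Optional groups, each tied to one feature described in the table.
OPTIONAL = {
    "auto_create_roles": {"iam.roles.list", "iam.roles.get",
                          "iam.roles.create", "iam.roles.update"},
    "native_row_filter": {"bigquery.rowAccessPolicies." + a for a in (
        "list", "create", "update", "delete", "getIamPolicy", "setIamPolicy")},
    "tag_based_masking": {
        "datacatalog.categories.getIamPolicy", "datacatalog.categories.setIamPolicy",
        "datacatalog.taxonomies.get", "datacatalog.taxonomies.getIamPolicy",
        "datacatalog.taxonomies.list", "datacatalog.taxonomies.setIamPolicy",
        "datacatalog.taxonomies.update", "bigquery.tables.setCategory",
    } | {"bigquery.dataPolicies." + a for a in (
        "create", "delete", "get", "getIamPolicy", "list", "setIamPolicy", "update")},
}

def required_permissions(**features):
    """Minimal permission set for the enabled features (e.g. native_row_filter=True)."""
    needed = set(BASE)
    for name, perms in OPTIONAL.items():
        if features.get(name, False):
            needed |= perms
    return needed

def audit_role(role_json, **features):
    """Diff a role's includedPermissions (as printed by `gcloud iam roles describe
    --format=json`) against the required set. Returns (missing, excess)."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    needed = required_permissions(**features)
    return sorted(needed - granted), sorted(granted - needed)

# Constructed sample: a role missing one table permission that also kept the
# row-access-policy group although the native row filter is not in use.
SAMPLE_ROLE = json.dumps({"includedPermissions": sorted(
    (BASE - {"bigquery.tables.setIamPolicy"}) | OPTIONAL["native_row_filter"])})

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
```

Anything reported as missing will break PolicySync; anything reported as excess is a least-privilege finding to remove from the custom role.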
