Access levels and ingress rules for Google BigQuery

Basic access level

Administrators define an access policy, which is a container for Access Context Manager resources such as access levels and service perimeters. An access level defines tiers of who can access what; for example, an access level called High_Level lets a small group of highly privileged users make requests. Service perimeters are created by VPC Service Controls and protect the resources and data that you specify. Clients within the perimeter can access the data it contains, but cannot reach unauthorized resources outside the perimeter. To exchange data across perimeters, you need to use ingress and egress rules.

Create an access policy

To create an access policy, follow the steps described in Create an access policy.

Example

The following is an example of an access level schema in JSON format. The placeholder values must be JSON strings; ipSubnetworks entries are CIDR ranges.

{
  "name": "AccessLevelName",
  "title": "AccessLevelName",
  "description": "Description",
  "basic": {
    "conditions": [
      {
        "ipSubnetworks": [
          "{{ THOUGHTSPOT IP }}"
        ]
      }
    ],
    "combiningFunction": "AND"
  }
}

For more information about the access level fields, see the REST resource accessPolicies.accessLevels.

Ingress and egress rules

Ingress and egress rules allow access to and from the resources and clients protected by service perimeters. An ingress rule governs access by an API client outside the service perimeter to resources inside it, while an egress rule governs access by an API client or resource inside the service perimeter to resources outside it. To grant ThoughtSpot access to data within a service perimeter, you need an ingress rule.

Set ingress policies during perimeter creation

  1. In the Google Cloud console navigation menu, click Security, then select VPC Service Controls.

  2. Click New perimeter.

  3. In the left menu, click Ingress policy.

  4. Select Add rule.

  5. Designate the required From attributes of the API client and To attributes of Google Cloud resources/services that you want.

  6. Click Create perimeter.

Update ingress policies for a service perimeter

  1. In the Google Cloud console navigation menu, click Security, then select VPC Service Controls.

  2. Select an existing service perimeter.

  3. Click Edit perimeter.

  4. In the left menu, click Ingress policy.

  5. Designate the required From attributes of the API client and To attributes of Google Cloud resources/services that you want.

  6. Click Save.

Example

The following is an example of an ingress rule in YAML format. The accessLevel source must be the full resource name of the access level created above; {{ POLICY_ID }} is a placeholder for your access policy number.

- ingressFrom:
    identityType: ANY_IDENTITY
    sources:
    - accessLevel: accessPolicies/{{ POLICY_ID }}/accessLevels/AccessLevelName
  ingressTo:
    operations:
    - serviceName: bigquery.googleapis.com
      methodSelectors:
      - method: "{{ READ_METHOD_1 }}"
      - method: "{{ READ_METHOD_2 }}"
      # Add one methodSelectors entry per BigQuery read method that ThoughtSpot needs.
    resources:
    - projects/{{ PROJECT_ID }}
# PROJECT_ID is the unique project number of the project that you give ThoughtSpot access to.

For more information about ingress rule fields, see Ingress rules reference.
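As an added check (example code, not part of the ThoughtSpot or Google documentation) that covers both the access level JSON above and the ingress rule YAML: the access level is the only thing that restricts ANY_IDENTITY, so the linter rejects broad or malformed CIDRs, an ingress rule whose source is not a known access level, wildcard methods, and resources that are not a single project number. The policy and project numbers, the 203.0.113.0/24 range and the bigquery.tables.get permission are constructed sample values, and the YAML is assumed to have already been loaded with yaml.safe_load.

```python
import ipaddress
import json
import re

# Constructed sample: placeholder policy/project numbers and a documentation CIDR.
LEVEL_NAME = "accessPolicies/123456789/accessLevels/thoughtspot_ips"
ACCESS_LEVEL_JSON = json.dumps({
    "name": LEVEL_NAME, "title": "thoughtspot_ips",
    "basic": {"conditions": [{"ipSubnetworks": ["203.0.113.0/24"]}],
              "combiningFunction": "AND"}})
# The ingress rule as yaml.safe_load would return it (assumed already parsed).
INGRESS_RULE = {
    "ingressFrom": {"identityType": "ANY_IDENTITY",
                    "sources": [{"accessLevel": LEVEL_NAME}]},
    "ingressTo": {"operations": [{"serviceName": "bigquery.googleapis.com",
                                  "methodSelectors": [{"permission": "bigquery.tables.get"}]}],
                  "resources": ["projects/987654321"]}}

def lint_access_level(level_json):
    """Every ipSubnetworks entry must be a valid, narrow CIDR: it is all that pins ANY_IDENTITY."""
    findings = []
    for cond in json.loads(level_json).get("basic", {}).get("conditions", []):
        for cidr in cond.get("ipSubnetworks", []):
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                findings.append(f"invalid CIDR {cidr!r}")
                continue
            if net.prefixlen < 16:  # whole /8s or 0.0.0.0/0 are not an allow-list
                findings.append(f"{cidr} is too broad for an allow-list")
    return findings

def lint_ingress_rule(rule, known_levels):
    """ANY_IDENTITY must be tied to a known access level; methods and resources must be explicit."""
    findings = []
    src = rule["ingressFrom"]
    levels = [s.get("accessLevel") for s in src.get("sources", [])]
    if src.get("identityType") == "ANY_IDENTITY":
        if not levels or any(lvl not in known_levels for lvl in levels):
            findings.append("ANY_IDENTITY without a specific, known source access level")
    for op in rule["ingressTo"].get("operations", []):
        selectors = op.get("methodSelectors") or []  # empty selector list means all methods
        if not selectors or any("*" in (s.get("method") or s.get("permission") or "")
                                for s in selectors):
            findings.append(f"{op.get('serviceName')}: all methods allowed; list read methods")
    for res in rule["ingressTo"].get("resources", []):
        if not re.fullmatch(r"projects/\d+", res):  # "*" or a project ID string fails here
            findings.append(f"resource {res!r} is not a single project number")
    return findings
```

Run both linters before applying the files with gcloud; an empty findings list means the rule is scoped to the ThoughtSpot access level and to explicit read methods on one project.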