This chapter covers BigQuery authorized views, a critical security feature for fine-grained access control in Google Cloud. For the ACE exam, understanding authorized views is essential because they appear in questions about data security, access control, and multi-dataset architectures. Approximately 5-10% of exam questions touch on BigQuery security features, and authorized views are a common scenario. You will learn the mechanism, configuration steps, and how authorized views differ from other access control methods, ensuring you can answer both theoretical and scenario-based questions correctly.
Jump to a section
Imagine a secure corporate archive room with rows of filing cabinets containing sensitive employee records. Each cabinet represents a BigQuery dataset, and each drawer is a table. You want to give the HR department access to only the personnel files they need — specifically, a filtered view showing names and departments but not salaries or Social Security numbers. An authorized view is like a special window installed into the cabinet door. The window is crafted by the archive manager (the dataset owner) to show only certain documents. HR employees can look through the window and see exactly the permitted information, but they never get the key to open the cabinet. If HR tries to peek around the window or drill a new hole, the cabinet's security prevents it. The window itself is a view defined in a different dataset (HR's dataset), but the archive manager explicitly authorizes that view to access the underlying data. Without authorization, the view would be opaque — HR would see nothing. This mechanism ensures that HR can query the data they need without ever having direct table access, preserving the principle of least privilege. The archive manager retains full control: they can revoke the window's authorization at any time, instantly cutting off HR's access. In BigQuery terms, the authorized view is a view object in one dataset that is granted permission to query tables in another dataset, without granting the view's users any direct access to the source tables.
What Are BigQuery Authorized Views?
BigQuery authorized views are a security mechanism that allows a view (a saved SQL query) in one dataset to access data from another dataset, even if the users running the view do not have direct permissions on the source dataset. The view is "authorized" by the source dataset's owner, meaning the source dataset explicitly grants the view's identity (its Google Cloud resource name) permission to query its tables. This enables a data owner to share a controlled subset of data without granting underlying table access.
Why Authorized Views Exist
In enterprise environments, data is often stored in centralized datasets managed by a data governance team. Different teams need access to different slices of that data. For example, the marketing team should see only customer names and email addresses, not purchase history or credit card numbers. Without authorized views, you would have to either grant the marketing team direct access to the source tables (violating least privilege) or create separate copies of the data (wasting storage and risking staleness). Authorized views solve this by allowing the data owner to define a view that filters and transforms data, then authorize that view to access the source dataset. Users query the view as if it were a regular table, but they never have permissions on the underlying tables.
How Authorized Views Work Internally
Authorized views rely on BigQuery's identity-based access control. Every BigQuery resource (dataset, table, view) has a unique Google Cloud resource name, such as projects/myproject/datasets/mydataset/tables/mytable. When a user runs a query against a view, BigQuery performs authorization checks at two levels:
View-level check: The user must have bigquery.tables.getData permission on the view itself (typically via roles like roles/bigquery.dataViewer on the dataset containing the view).
Source-level check: The view's identity must have bigquery.tables.getData permission on the source tables. This is granted by adding the view's resource name to the source dataset's authorized views list.
The key insight: the user's identity is NOT checked against the source dataset. Only the view's identity is checked. This is why authorized views are a delegation mechanism — the view acts as a proxy, and the source dataset trusts the view, not the end user.
Key Components and Configuration
To set up an authorized view, you need:
Source dataset: Contains the tables you want to protect.
View dataset: Contains the view (the SQL query that accesses source tables). This can be the same or different dataset, but typically it's a different dataset to enforce separation of concerns.
Authorized view definition: The view itself, created in the view dataset, with a SQL query that references source tables (e.g., SELECT name, email FROM myproject.sourcedataset.customers).
Authorization grant: Adding the view's resource name to the source dataset's authorized views list.
Configuration steps:
1. Create the view in the view dataset:
CREATE VIEW myproject.viewdataset.safe_customers AS
SELECT name, email
FROM myproject.sourcedataset.customers;2. Grant the view access to the source dataset using the bq command-line tool or the Cloud Console:
bq show --format=prettyjson myproject:sourcedataset > dataset.json
# Edit dataset.json to add the view's resource name under 'access' array with role 'READER'
bq update --source dataset.json myproject:sourcedataset Or using bq with the --authorized_view flag (available in newer versions):
bq update --authorized_view myproject:viewdataset.safe_customers myproject:sourcedatasetGrant the end user bigquery.dataViewer on the view dataset (or on the view itself).
Defaults and Limitations
Authorized views can only be added to datasets that are in the same region as the view. Cross-region authorized views are not supported.
A view can be authorized in multiple source datasets.
Authorized views do not propagate permissions to downstream views. If View A (authorized) queries View B (not authorized), View B must also be authorized on the source dataset.
The view's SQL query can include joins, subqueries, and aggregations, but must reference tables in the source dataset (or other datasets where the view has access).
Authorized views respect row-level security if the source tables have row-level access policies. The view's identity is subject to those policies.
Interaction with IAM and Dataset ACLs
BigQuery access control uses a combination of IAM roles and dataset-level ACLs (legacy). Authorized views are a dataset-level ACL feature. When you add an authorized view, you are essentially adding an entry to the dataset's access control list that grants the view's identity a READER role (which includes bigquery.tables.getData). IAM roles on the source dataset (e.g., roles/bigquery.dataViewer) are separate — they grant access to individual users or groups. Authorized views bypass those IAM checks for the view's identity only.
Verification Commands
To verify an authorized view is set up correctly:
- List authorized views on a dataset:
bq show --format=prettyjson myproject:sourcedataset | jq '.access[] | select(.view)'- Test access as an end user:
bq query --use_legacy_sql=false 'SELECT * FROM myproject.viewdataset.safe_customers LIMIT 10'If the view is authorized, this should return data. If not, you'll get an access denied error.
Common Pitfalls
Wrong view resource name: The authorized view entry must exactly match the view's resource name, including project, dataset, and view ID. A typo will silently fail (no error until query time).
View references tables in multiple datasets: If the view queries tables from two different source datasets, each source dataset must authorize the view separately.
Using a view that depends on other views: Authorized views do not cascade. If View A is authorized on Dataset X, and View A queries View B (which is in Dataset Y), View B must also be authorized on Dataset X, or View A's query will fail.
Region mismatch: Source dataset and view must be in the same region. If they are in different regions, authorization will fail with an error.
Performance Considerations
Authorized views add minimal overhead because the authorization check is a simple ACL lookup. The view's SQL query is executed as if the view's identity is running it, so performance depends on the query complexity and data size. Caching and query optimization work normally. However, if the view is used by many users, the view's identity may hit BigQuery's quota for concurrent queries (default 100 concurrent queries per project, but adjustable).
Create Source Dataset and Table
First, ensure you have a source dataset containing the sensitive data. For example, create a dataset named 'sourcedataset' and a table 'customers' with columns like name, email, ssn, salary. The data owner (typically a data engineer with dataset owner role) creates this. Use the `bq mk` command or Cloud Console. Example: `bq mk sourcedataset` then `bq mk --table sourcedataset.customers name:STRING,email:STRING,ssn:STRING,salary:FLOAT`. This step establishes the data that needs to be protected.
Create View Dataset and Define View
Create a separate dataset for views, e.g., 'viewdataset'. This dataset will contain the authorized view that exposes only a subset of columns. The view is created by the data owner or an authorized user who has `bigquery.tables.create` on the view dataset. The SQL query selects only non-sensitive columns: `CREATE VIEW viewdataset.safe_customers AS SELECT name, email FROM sourcedataset.customers`. The view is stored in the view dataset and references the source table using fully qualified names (project.dataset.table).
Authorize the View on Source Dataset
The data owner adds the view's resource name to the source dataset's authorized views list. Using `bq update --authorized_view project:viewdataset.safe_customers sourcedataset`. This grants the view's identity READER access to the source dataset. The view's identity is a special service account representing the view, not a user. After this step, the view can query the source table. Verification: `bq show sourcedataset` should show the authorized view in the access list.
Grant End User Access to View
Grant the end user (e.g., marketing team member) the `roles/bigquery.dataViewer` role on the view dataset (or specifically on the view). This allows the user to run `SELECT * FROM viewdataset.safe_customers`. The user does not need any permissions on the source dataset. Use IAM: `gcloud projects add-iam-policy-binding project --member=user:marketing@example.com --role=roles/bigquery.dataViewer`. Alternatively, grant at dataset level via `bq add-iam-policy-binding`.
Test and Verify Access
End user runs a query against the view: `bq query 'SELECT * FROM viewdataset.safe_customers LIMIT 10'`. The query should return only name and email. If the user tries to query the source table directly (`SELECT * FROM sourcedataset.customers`), they should get an access denied error. This confirms that authorized views enforce least privilege. Also test that the user cannot access sensitive columns by modifying the view's SQL. The view is read-only; users cannot create their own views on top of the authorized view without additional permissions.
In a financial services company, the data governance team manages a BigQuery dataset containing all transaction records, including customer PII (names, addresses, SSNs) and financial details (account balances, transaction amounts). The fraud detection team needs access to transaction amounts and timestamps but must never see PII. The data governance team creates a view named fraud_transactions in a separate dataset fraud_views, selecting only transaction_id, amount, timestamp, and merchant_category. They authorize this view on the source dataset transactions_db. The fraud team is granted bigquery.dataViewer on fraud_views. This setup ensures that even if a fraud analyst accidentally writes a query that joins with PII tables, the view's scope prevents access. In production, this pattern scales to hundreds of views across dozens of datasets. A common issue occurs when a view joins tables from multiple source datasets — each source dataset must authorize the view individually. If an engineer forgets to authorize one dataset, the query fails with a cryptic permission error. Misconfiguration often arises when using the Cloud Console: the authorized view entry must exactly match the view's resource name, including case. A common mistake is copying the view ID from the URL, which may include the project ID twice or have incorrect formatting. Performance is generally not impacted, but if the view uses complex SQL (e.g., multiple joins, subqueries), the query execution time increases. The team monitors query performance using BigQuery's INFORMATION_SCHEMA.JOBS_BY_PROJECT. Another enterprise scenario is a healthcare provider that needs to share de-identified patient data with researchers. The view filters out PHI columns and applies a row-level policy to limit data to patients who have consented. Authorized views combined with row-level security provide a powerful defense-in-depth strategy. The biggest operational risk is that authorized views do not cascade: if the view itself uses another view, that second view must also be authorized. This can lead to a chain of authorizations that is hard to manage. The team maintains a documentation table listing all authorized views and their source datasets, updated via Terraform scripts that manage the authorizations as code.
The ACE exam (Objective 5.1: Security Compliance) tests your understanding of authorized views primarily through scenario-based questions. You must be able to identify when authorized views are the correct solution versus other access control methods like IAM roles, dataset ACLs, or row-level security. Common exam questions describe a situation where a data owner wants to share a filtered view of a table with a different team without granting direct table access. The correct answer is always "Create an authorized view in a separate dataset and grant the view access to the source dataset."
Most frequent wrong answer: "Grant the user IAM roles on the source dataset with a row-level filter." This is wrong because IAM roles grant table-level access, not column-level. Row-level security is for filtering rows, not columns. Another trap: "Create a view in the same dataset and grant the user access to the view." This works only if the user already has access to the source dataset (since views in the same dataset do not require authorization). The exam expects you to recognize that a view in the same dataset does not solve the problem because the user still needs source table access to query the view (actually, in BigQuery, if a view is in the same dataset, the user only needs view access, not table access — but the exam often tests this nuance incorrectly? Actually, per BigQuery docs, if the view is in the same dataset, the user can query the view without direct table access as long as they have view permissions. So the trap is that a same-dataset view works, but the question often specifies that the user should not have any access to the source dataset at all — meaning the view must be in a different dataset and authorized. Pay attention to wording: if the question says "the user should not have any permissions on the source dataset," then an authorized view in a different dataset is required. If it says "the user should only see specific columns," a simple view in the same dataset suffices.
Specific numbers and terms: The authorized view must be added to the source dataset's access control list. The correct command is bq update --authorized_view. The view resource name format is project:dataset.view. The role granted to the view is READER (implicitly). The exam may ask about limitations: authorized views cannot span regions, and they do not cascade. Edge cases: if a view references a table in a different dataset that is also protected, that table's dataset must authorize the view as well. The exam loves to test this with a scenario where a view joins two tables from two different datasets, and the candidate must realize both datasets need to authorize the view.
How to eliminate wrong answers: If an option says "grant the user the bigquery.dataViewer role on the source dataset," eliminate it because that grants direct table access. If an option says "create a view in the source dataset," it may be correct if the user gets view permissions, but if the question emphasizes "no direct access," then a view in the source dataset still implies the user has some access to the source dataset (the view is in it). Actually, a view in the same dataset does not give the user table access, but the user still has access to the dataset (to see the view). The exam might consider that as "access to the source dataset." So the safest answer is always a separate dataset with authorization.
Finally, remember that authorized views are a dataset-level ACL feature, not an IAM feature. The exam may ask which type of access control is used — answer: dataset ACLs (legacy) or authorized views specifically.
Authorized views allow a view in one dataset to access tables in another dataset without granting end users direct table permissions.
To authorize a view, add its resource name (format: project:dataset.view) to the source dataset's access control list using `bq update --authorized_view`.
The view and source dataset must be in the same region; cross-region authorized views are not supported.
Authorized views do not cascade; if a view references another view, that second view must also be authorized on the source dataset.
End users need only `bigquery.dataViewer` (or equivalent) on the dataset containing the view, never on the source dataset.
Authorized views are a dataset-level ACL feature, not an IAM feature; views are not IAM principals.
The ACE exam tests scenario-based understanding: choose authorized views when the requirement is to share a filtered subset with no direct source dataset access.
Common exam trap: granting IAM roles on source dataset is wrong; creating a view in the same dataset may not satisfy 'no direct access' requirement.
Terraform can manage authorized views using `google_bigquery_dataset` resource with `access` block containing `view` sub-block.
Authorized views can be combined with row-level security for defense-in-depth: the view's identity is subject to row access policies on source tables.
These come up on the exam all the time. Here's how to tell them apart.
Authorized View (cross-dataset)
View resides in a different dataset from source tables.
Requires explicit authorization on source dataset via ACL.
Users querying the view need only permissions on the view's dataset.
Supports strict separation of duties: data owner controls source, view creator controls view.
Ideal for multi-team environments where source dataset access must be restricted.
View in Same Dataset
View resides in the same dataset as source tables.
No authorization needed; view inherits dataset permissions.
Users querying the view need permissions on the dataset (at least bigquery.dataViewer).
Less strict separation; anyone with dataset access can see the view and potentially create new views on the same tables.
Simpler for single-team scenarios where all users have dataset access.
Authorized View
Controls column-level access via SQL projection in the view.
Row-level filtering possible via WHERE clause in view definition.
Access is granted to the view's identity, not the user.
Configuration is at dataset ACL level.
Best for column-level restrictions and sharing with external teams.
IAM Row-Level Security
Controls row-level access via row access policies on tables.
Column-level access requires additional IAM or views.
Access is granted directly to users or groups via IAM.
Configuration is at table level using DDL.
Best for row-level restrictions within a single dataset.
Mistake
Authorized views automatically grant access to all tables in the source dataset.
Correct
Authorized views grant access only to the tables referenced in the view's SQL query. The view's identity gets READER on the entire dataset, but the query itself limits which tables are accessed. However, if the view's SQL is changed to include other tables, it will have access to them. The authorization is at the dataset level, not the table level, so the view could potentially access any table in the dataset if the query is modified. This is why views should be created by trusted parties.
Mistake
Authorized views can be used to share data across regions.
Correct
Authorized views require that the source dataset and the view dataset be in the same region. Cross-region authorized views are not supported. If you need cross-region access, you must copy data or use other mechanisms like federated queries with external data sources.
Mistake
Granting a user access to an authorized view also grants them access to the underlying source tables.
Correct
No. The user only has permissions on the view. They cannot directly query the source tables. The view acts as a security boundary. The user's identity is never checked against the source dataset; only the view's identity is checked.
Mistake
Authorized views are necessary only when the view is in a different dataset than the source tables.
Correct
Even if the view is in the same dataset, authorized views are not needed because the view inherits the dataset's permissions. However, if you want to restrict access further (e.g., the view should be accessible to users who don't have dataset access), you can still use authorized views by placing the view in a separate dataset and authorizing it. But typically, authorized views are used precisely for cross-dataset access.
Mistake
You can authorize a view by granting the view's service account IAM roles on the source dataset.
Correct
No, authorized views use dataset ACLs, not IAM. You add the view's resource name to the dataset's access control list. The view does not have a separate service account that you can grant IAM roles to; the view's identity is its resource name. Attempting to grant IAM roles to a view resource name will fail because views are not IAM principals.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A regular view is a saved SQL query that can be queried like a table. If the view is in the same dataset as the source tables, users with view permissions can query it without needing direct table access. However, if the view is in a different dataset, you must authorize it using BigQuery's authorized view feature. An authorized view explicitly grants the view's identity access to the source dataset, allowing cross-dataset querying without granting end users any permissions on the source. In short, authorized views are necessary for cross-dataset access, while same-dataset views work without extra configuration.
You must add the view's resource name to each source dataset's authorized views list separately. For example, if your view queries tables in DatasetA and DatasetB, run `bq update --authorized_view project:viewdataset.myview DatasetA` and `bq update --authorized_view project:viewdataset.myview DatasetB`. Each dataset must independently authorize the view. There is no way to grant cross-dataset authorization in bulk.
Yes, authorized views can work across projects as long as the source dataset and view dataset are in the same region. The view's resource name includes the project ID, so you can authorize a view from a different project. For example, if the view is in Project A and the source dataset is in Project B, you add the view's resource name (e.g., projectA:viewdataset.myview) to Project B's dataset ACL. The user querying the view must have permissions on the view in Project A, and the view's identity must be authorized in Project B's dataset.
If you delete the view, the authorization entry in the source dataset becomes orphaned. The source dataset still has an entry pointing to a non-existent view. Queries that try to use that view will fail with a "Not found" error. It is good practice to remove the authorization entry from the source dataset when you delete the view. You can do this by editing the dataset's ACL via `bq update` and removing the view entry.
Yes, authorized views work with partitioned and clustered tables. The view's SQL can include filters on partitioning columns, and BigQuery will perform partition pruning as usual. The authorization mechanism is independent of table organization. However, the view's identity must have access to the table, which is granted via the dataset-level authorization.
Authorized views and column-level security (using BigQuery Taxonomy and policy tags) can be used together. If the source table has policy tags that restrict access to certain columns, the view's identity must have the appropriate role (e.g., `roles/bigquerydatapolicy.viewer`) to access those columns. If the view's identity does not have the required policy tag access, the query will fail. This allows fine-grained control even within authorized views.
Yes, you can use UDFs in authorized views. The UDF must be stored in a dataset that the view's identity can access. If the UDF is in a different dataset, that dataset must also authorize the view (or the UDF must be in the same dataset as the view). The same authorization rules apply: the view's identity needs access to any resources (tables, UDFs) referenced in the view's SQL.
You've just covered BigQuery Authorized Views for Access Control — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?