BigQuery Data Viewer allows querying but not viewing table data directly? Actually, BigQuery Data Viewer allows reading table data. However, the scenario is tricky: to prevent viewing data directly, you might need to use authorized views. But among roles, BigQuery Job User allows running jobs (queries) without reading data, and BigQuery Data Viewer allows reading data but not exporting.
The combination of Job User and Data Viewer would allow querying and reading data. But the requirement is to prevent viewing data directly, so perhaps they should not have Data Viewer. A better approach is to grant BigQuery Job User and BigQuery Data Viewer? Actually, without Data Viewer, they cannot query tables.
So the correct combination is BigQuery Job User (to submit queries) and BigQuery Data Viewer (to read the table). However, Data Viewer allows viewing data. To prevent direct viewing, you could use column-level security or authorized views.
But the question asks for IAM roles. The standard answer for allowing querying but not direct access is to grant BigQuery Job User and BigQuery Data Viewer on the dataset. I'll go with that.