{"id":19582951,"url":"https://github.com/tomgorb/row-access-policies","last_synced_at":"2026-05-16T05:38:47.098Z","repository":{"id":252067770,"uuid":"836314364","full_name":"tomgorb/row-access-policies","owner":"tomgorb","description":"Implementing row-level security in BigQuery to restrict data visibility for individual users.","archived":false,"fork":false,"pushed_at":"2024-08-07T11:57:09.000Z","size":828,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-26T12:23:58.857Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tomgorb.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-31T15:27:12.000Z","updated_at":"2024-08-07T11:57:12.000Z","dependencies_parsed_at":"2024-08-07T14:31:41.061Z","dependency_job_id":"11faa3bd-45bd-4797-92cd-bc4caa55c30f","html_url":"https://github.com/tomgorb/row-access-policies","commit_stats":null,"previous_names":["tomgorb/row-access-policies"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/tomgorb/row-access-policies","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomgorb%2Frow-access-policies","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomgorb%2Frow-access-policies/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomgorb%2Frow-access-policies/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomgorb%2Frow-access-policies/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tomgorb","download_url":"https://codeload.github.com/tomgorb/row-access-policies/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomgorb%2Frow-access-policies/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33091937,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-16T04:41:52.686Z","status":"ssl_error","status_checked_at":"2026-05-16T04:41:52.009Z","response_time":115,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-11T07:38:46.357Z","updated_at":"2026-05-16T05:38:47.075Z","avatar_url":"https://github.com/tomgorb.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# (Proof of Concept) Row Access Policies \n\n\u003e Implementing row-level security in BigQuery to restrict data visibility for individual users.\n\n## CODE\n\n### Environments Variables\n\n```shell\nsource env.sh\n```\nIt will cause your variables to be set in the current shell otherwise bash will open a non-interactive shell.\n\nContent of *env.sh*\n- ```export GCP_PROJECT_ID='myProject'```\n- ```export GCP_PROJECT_ID_VIEW='myProjectForViews'```\n- ```export GCP_SA=$(cat myServiceAccount.json)```\n- ```export GCP_USER='firstname.lastname@gmail.com'```\n- ```export POC_PWD='myPassword'```\n\n#### **GCP_SA**\n\nGCP Service Account Role(s):\n- **GCP_PROJECT_ID**\n  - BigQuery Admin\n- **GCP_PROJECT_ID_VIEW**\n  - BigQuery Data Editor \n  - Security Admin\n\n#### **GCP_USER** \n\n\u003e Email addresses and domains must be associated with an active **Google Account**, **Google Workspace account**, or **Cloud Identity account**.\n\n\n### DATA\n\nIn the example data, there is a field **identifier** (a numerical string) which will be used for partitioning.\n\n***main.py*** will load these data and prepare it:\n\n  - copy data with an integer-based partitioning (max 10,000 partitions) on **index** using *farm fingerprinting* on **identifier** ;\n  - split data into **n** parts (*params.yaml*) to somehow bypass the 100-row access policy limit per table ;\n  - add a default row access policy on 0=1 so that by default no one can see the data.\n\n\n### Web App \n\n***app.py*** is a Streamlit application to:\n- grant, revoke and check accesses for a specific user (email) ;\n\n![Grant Access](screenshots/streamlit%20-%20Grant%20Access.png)\n\n- check IAM policies ;\n\n![IAM Policies](screenshots/streamlit%20-%20IAM%20Policies.png)\n\n- (de)authorize view.\n\n![View Authorization](screenshots/streamlit%20-%20View%20Authorization.png)\n\nThe code is using a BigQuery *user defined function* **atoz** available [here](https://github.com/tomgorb/gcp-terraform-examples/blob/main/bigquery_udf/sql/atoz.sql).\n\n### Dashboard\n\nCreate a dashboard in **Looker Studio** using the view *insights* as source.\n\n**DO NOT FORGET** to change Data Credentials to ```Viewer```. Otherwise your (```Owner```) credentials will be used (potential data leak). \n\nNevertheless if **you** $\\Leftrightarrow$ **GCP_USER**, in principle, you should not see any data since there is a policy on 0=1 (kind of built-in security).\n\nYou should share the report as follow\n```\nUnlisted\nAnyone on the internet with the link can view          Viewer \n```\n\n- After granting access, you should see the effects almost immediately.\n- After revoking access, you should wait a couple of minutes or wait for data refreshening.\n\n\n![Authorized](screenshots/Looker%20Studio%20-%20view%20authorized%20AND%20access.png)\n\n![Unauthorized](screenshots/Looker%20Studio%20-%20view%20unauthorized%20OR%20no%20access.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftomgorb%2Frow-access-policies","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftomgorb%2Frow-access-policies","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftomgorb%2Frow-access-policies/lists"}