BigQuery has its own set of predefined IAM roles, separate from the generic IAM roles you use elsewhere in GCP. The Associate Cloud Engineer exam tests whether you can match the right role to the right scenario. This article covers the roles you need to know, what each one permits, and the dataset-level versus project-level distinction that the exam sometimes tests directly.
It does not cover custom roles, conditional IAM, or every fine-grained permission inside BigQuery. The goal here is the predefined roles you actually see on the ACE exam.
BigQuery Admin (roles/bigquery.admin) is full control. Create datasets, delete datasets, manage IAM on those datasets, run any job. Assigned at the project level. This is what a BigQuery platform owner gets.
BigQuery User (roles/bigquery.user) lets someone create datasets and run jobs at the project level. They cannot manage other people's datasets unless they are also given access to those specifically. This is the everyday role for analysts who need to do their own work in BigQuery without admin rights.
BigQuery Data Owner (roles/bigquery.dataOwner) is for managing a specific dataset. Owners can read and write the dataset's data, manage its tables and views, and grant access to other users. This is granted at the dataset level, not the project level. That distinction matters and the exam tests it.
BigQuery Data Editor (roles/bigquery.dataEditor) lets someone modify table data and definitions within a dataset. Insert, update, delete, create new tables. They cannot grant access to others. Granted at dataset or table level.
BigQuery Data Viewer (roles/bigquery.dataViewer) is read-only access to tables and views. The user can run queries that read data but cannot modify anything. Can be granted at the project, dataset, or table level, which makes it the most flexible scope of the data roles.
BigQuery Job User (roles/bigquery.jobUser) lets someone run jobs (queries, loads, exports) within a project. Crucially, this role does not grant data access. Someone with Job User but no data access can submit jobs but cannot actually read any data. Granted at the project level.
BigQuery Metadata Viewer (roles/bigquery.metadataViewer) is read access to dataset and table metadata, like schemas, but not the underlying data. Useful for users who need to understand structure without seeing the contents.
The dataset-level versus project-level distinction is what the ACE exam tests most often, and it is also what trips people up if they have not seen it before.
BigQuery Admin and BigQuery User are project-level roles. They apply across every dataset in a project. If you make someone a BigQuery User on project alpha, they can create datasets, run jobs, and (depending on data-level grants) work with data across that project.
BigQuery Data Owner and Data Editor are typically assigned at the dataset level. You grant Data Owner on a specific dataset to a specific person, and they get authority over just that dataset. This lets you have multiple teams sharing a project where each team owns their own datasets.
Data Viewer is the most flexible, assignable at project, dataset, or table level. Use that flexibility. If a team only needs to read one table, grant Data Viewer at the table level instead of giving them everything.
One pattern is worth flagging because it shows up on the exam. Sometimes you want someone to be able to run queries against data they have access to, but you do not want to give them broader rights to create datasets or load data. The combination is BigQuery Job User at the project level (so they can submit jobs) plus BigQuery Data Viewer or Data Editor at the dataset level (so they can read or write specific data).
Job User without data access does nothing useful on its own. It is a building block, not a complete grant.
The Associate Cloud Engineer exam usually presents a scenario like "an analyst needs to be able to query the sales dataset but should not be able to modify the data or grant access to others. What roles should they be assigned?" The answer is BigQuery Job User at the project level (to run queries) and BigQuery Data Viewer at the dataset level (to read the sales dataset).
Another pattern. "A team owns a dataset and needs to manage access to it themselves." That is BigQuery Data Owner at the dataset level. They get the authority to grant other people access without you needing to do it.
A third pattern. "A platform team manages BigQuery for the whole company." That is BigQuery Admin at the project level (or organization level if it spans projects).
If you see "read-only" plus a specific dataset or table, think Data Viewer at that scope. If you see "manage their own dataset", think Data Owner at the dataset level. If you see "run queries but not modify data", think Job User plus Data Viewer.
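The three rules above, and the Job User building-block point, can be checked mechanically. The script below is an added example (not from this article or from Google's tooling) that audits constructed grants: it flags Data Owner or Data Viewer bound at project level and a Job User with no data grant anywhere. It assumes the JSON shapes produced by `gcloud projects get-iam-policy --format=json` (bindings) and `bq show --format=prettyjson DATASET` (access list), where dataset entries may use the legacy names READER/WRITER/OWNER.

```python
# Added example (not from the article). Input shapes follow
# `gcloud projects get-iam-policy --format=json` and `bq show --format=prettyjson`.
LEGACY = {"READER": "roles/bigquery.dataViewer",   # legacy dataset access names
          "WRITER": "roles/bigquery.dataEditor",   # mapped to the predefined
          "OWNER": "roles/bigquery.dataOwner"}     # BigQuery roles

def dataset_grants(access):
    """Yield (member, role) pairs from one dataset's access list."""
    for entry in access:
        member = (entry.get("userByEmail") or entry.get("groupByEmail")
                  or entry.get("specialGroup"))
        if member:  # skip authorized-view/routine entries, which have no principal
            yield member, LEGACY.get(entry["role"], entry["role"])

def audit(project_policy, datasets):
    """Return sorted findings for grants that are too broad or do nothing alone."""
    project_roles = {}  # member email -> set of project-level roles
    for binding in project_policy["bindings"]:
        for m in binding["members"]:
            email = m.split(":", 1)[-1]  # "user:a@x.com" -> "a@x.com"
            project_roles.setdefault(email, set()).add(binding["role"])
    data_members = {m for access in datasets.values()
                    for m, _ in dataset_grants(access)}
    findings = []
    for member, roles in project_roles.items():
        if "roles/bigquery.dataOwner" in roles:
            findings.append(f"{member}: dataOwner at project level; grant it per dataset")
        if "roles/bigquery.dataViewer" in roles:
            findings.append(f"{member}: dataViewer at project level; scope to dataset or table")
        if roles == {"roles/bigquery.jobUser"} and member not in data_members:
            findings.append(f"{member}: jobUser with no data grant; can run jobs, read nothing")
    return sorted(findings)

# Constructed sample: an analyst set up per the exam pattern, an ETL account
# with only Job User, and a group holding Data Viewer on the whole project.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/bigquery.jobUser",
     "members": ["user:analyst@example.com", "serviceAccount:etl@example.com"]},
    {"role": "roles/bigquery.dataViewer", "members": ["group:everyone@example.com"]},
]}
SAMPLE_DATASETS = {"sales": [
    {"role": "READER", "userByEmail": "analyst@example.com"},
    {"role": "OWNER", "groupByEmail": "sales-team@example.com"},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, SAMPLE_DATASETS):
        print(finding)
```

Running it reports the ETL account and the project-wide viewer group, while the analyst (Job User at project plus Data Viewer on the sales dataset) passes clean.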
BigQuery has its own predefined roles because the generic IAM roles do not capture the project-vs-dataset structure of how BigQuery actually works. The roles to know for the Associate Cloud Engineer exam are Admin, User, Data Owner, Data Editor, Data Viewer, Job User, and Metadata Viewer. The most important thing to remember is that some roles are project-level (Admin, User, Job User) and some are typically dataset-level (Data Owner, Data Editor), and Data Viewer can go anywhere.
My Associate Cloud Engineer course covers BigQuery IAM in the BigQuery section alongside the other admin tools, so you can match each scenario to the correct combination of roles without overthinking it.