Data Catalog IAM Roles for the PDE Exam

GCP Study Hub
April 3, 2026

If you are preparing for the Professional Data Engineer exam, Data Catalog IAM is one of those topics that looks small on paper and then turns into three or four scenario questions on test day. The exam loves to ask which role a specific persona should get when they need to tag a BigQuery table, build a tag template for the data governance team, or simply look up a metadata entry without being able to edit anything. Getting these roles straight saves you from second-guessing during the test, and it saves you from over-granting permissions when you build real catalogs in production.

In this article I want to walk through the Data Catalog roles that show up most often on the Professional Data Engineer exam, explain what each one actually lets a user do, and connect them to the least-privilege patterns Google expects you to apply.

Why Data Catalog IAM matters on the exam

Data Catalog is the metadata service that indexes assets across BigQuery, Pub/Sub, Cloud Storage, and other sources, and it lets you attach tags and tag templates so you can describe sensitivity, ownership, retention, and other governance attributes. Because catalog entries describe data that lives elsewhere, the IAM model is split. You have roles that control who can see and edit the metadata, and you have roles that control who can manage the structure of the tags themselves. The exam tests whether you can pick the right role for each persona without leaking access to the underlying data.

The pattern I keep coming back to is this. A user who only needs to read metadata should never get an Editor or Admin role. A user who only applies existing tags should not be able to create new tag templates. A user who designs governance schemas should manage templates without being able to delete metadata entries. Every Data Catalog question on the Professional Data Engineer exam can be answered if you internalize that split.

The seven Data Catalog roles you need to know

There are seven roles that show up in exam scenarios. I will go from narrowest to broadest, because that is how Google structures least-privilege thinking.

  • Data Catalog Tag Template Viewer lets a user view tag templates and the metadata associated with them. This is read-only on the template structure. Use this for an analyst who needs to understand what governance attributes exist but should not apply or change anything.
  • Data Catalog Tag Template User lets a user apply existing tag templates to data assets. The key word is apply. This persona can take a template the governance team already defined and attach it to a BigQuery table or a Pub/Sub topic. They cannot create new templates and they cannot delete existing ones.
  • Data Catalog Tag Template Editor lets a user create, update, and delete tag templates. This is the role for the data governance team that owns the schema of your tagging system. If the exam describes someone who designs the company's metadata model, this is your answer.
  • Data Catalog Entry Viewer lets a user view metadata entries inside Data Catalog. No editing. This is useful for an auditor or a downstream consumer who needs to discover assets but should not modify the catalog itself.
  • Data Catalog Entry Editor lets a user create, update, and delete metadata entries. This persona manages the entries themselves rather than the tags applied to them. Think of an ingestion service or a data steward who is registering new assets into the catalog.
  • Data Catalog Viewer lets a user view all metadata and tag templates across Data Catalog in a read-only capacity. This is the broad read role. If the scenario says someone needs comprehensive discovery across the whole catalog without any write access, this is the role.
  • Data Catalog Admin is full access. The Admin can manage entries, tags, and tag templates without restriction. This role is reserved for the small group of people who own Data Catalog itself. The exam will almost never want you to assign this role to a typical user, and if an answer choice gives Admin to a single-purpose persona, it is usually a distractor.

Policy tags and BigQuery column-level security

Policy tags are a related concept that often shows up next to Data Catalog questions, and they have their own narrower set of roles. Policy tags are how you implement column-level security in BigQuery. You define a taxonomy of policy tags, attach them to specific columns, and then grant the Fine-Grained Reader role on a tag to the users who are allowed to query that column. Users without the role see a permission error when they touch the protected column.

For the Professional Data Engineer exam, remember that policy tags are the supported pattern for restricting access to sensitive columns like email, SSN, or revenue figures. You should not try to solve column-level security with authorized views unless the question specifically rules out policy tags.

Applying least-privilege to metadata access

The principle of least privilege is the through-line for every Data Catalog IAM question. A few patterns that tend to be correct answers:

  • Give analysts Tag Template Viewer or Entry Viewer when they only need to discover metadata.
  • Give data stewards Tag Template User when they need to apply existing tags but not change the schema.
  • Give the governance team Tag Template Editor for managing the tag schema itself, and pair it with Entry Editor only if they also need to register assets.
  • Reserve Data Catalog Admin for the platform owners who run the catalog.
  • Use policy tags with the Fine-Grained Reader role for column-level access to sensitive BigQuery data.

One more thing the exam likes to test: Data Catalog roles control access to the metadata, not to the underlying asset. A user with Data Catalog Viewer can see that a BigQuery table exists and can read its tags, but they still need BigQuery Data Viewer on the table itself to actually query it. Keep those two layers separate in your head and the scenario questions become much easier.
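The two-layer model above (metadata access through Data Catalog roles, data access through BigQuery roles, and column access through the Fine-Grained Reader role on a policy tag) is easy to get wrong when reading a long IAM policy. The following script is an added example written for this article, not code from Google Cloud or from the course; it models a small set of IAM bindings as plain Python data and answers, for a given principal, whether they can discover a table's catalog entry and whether a query touching given columns would pass. The role IDs are the real Google Cloud identifiers; the project, table, member addresses and policy-tag resource name are constructed sample values, and the access rules are a simplified model of the behaviour the article describes rather than a call to the real IAM API.

```python
"""Model the metadata / data / column access layers for Data Catalog and BigQuery.

Added example. Bindings below are constructed for illustration; role IDs are real.
"""
from dataclasses import dataclass

# Real Google Cloud role IDs (the article refers to them by display name)
DC_VIEWER = "roles/datacatalog.viewer"
DC_ENTRY_VIEWER = "roles/datacatalog.entryViewer"
DC_ADMIN = "roles/datacatalog.admin"
FINE_GRAINED_READER = "roles/datacatalog.categoryFineGrainedReader"
BQ_DATA_VIEWER = "roles/bigquery.dataViewer"

# Roles that let a principal see catalog entries (metadata layer only)
METADATA_READ_ROLES = {DC_VIEWER, DC_ENTRY_VIEWER, DC_ADMIN}


@dataclass(frozen=True)
class Binding:
    resource: str  # "project", a table id, or a policy tag resource name
    role: str
    member: str


# Constructed sample environment: one project, one table, one tagged column
PROJECT = "project"
TABLE = "acme-prod.sales.customers"
PII_TAG = "projects/acme-prod/locations/us/taxonomies/1/policyTags/2"  # placeholder
COLUMN_TAGS = {"email": PII_TAG}  # column -> policy tag; untagged columns are absent

BINDINGS = [
    # analyst: can discover and query, but holds no policy-tag reader role
    Binding(PROJECT, DC_VIEWER, "user:analyst@example.com"),
    Binding(TABLE, BQ_DATA_VIEWER, "user:analyst@example.com"),
    # auditor: metadata discovery only, no data access
    Binding(PROJECT, DC_VIEWER, "user:auditor@example.com"),
    # support: may read the PII column, but cannot see the catalog entry
    Binding(TABLE, BQ_DATA_VIEWER, "user:support@example.com"),
    Binding(PII_TAG, FINE_GRAINED_READER, "user:support@example.com"),
    # catalog owners group holds Admin; one individual was over-granted
    Binding(PROJECT, DC_ADMIN, "group:catalog-owners@example.com"),
    Binding(PROJECT, DC_ADMIN, "user:steward@example.com"),
]


def roles_on(bindings, member, resource):
    """Roles a member holds directly on one resource."""
    return {b.role for b in bindings if b.member == member and b.resource == resource}


def can_see_entry(bindings, member):
    """Layer 1: metadata visibility requires a Data Catalog read role on the project."""
    return bool(roles_on(bindings, member, PROJECT) & METADATA_READ_ROLES)


def check_query(bindings, member, columns, column_tags=COLUMN_TAGS):
    """Layers 2 and 3: table access via BigQuery Data Viewer (table or project level),
    then Fine-Grained Reader on the policy tag of every tagged column selected.
    Returns (allowed, reason)."""
    table_roles = roles_on(bindings, member, TABLE) | roles_on(bindings, member, PROJECT)
    if BQ_DATA_VIEWER not in table_roles:
        return False, "no bigquery.dataViewer on table"
    for col in columns:
        tag = column_tags.get(col)
        if tag and FINE_GRAINED_READER not in roles_on(bindings, member, tag):
            return False, f"missing fine-grained reader on policy tag for column {col}"
    return True, "ok"


def admin_findings(bindings):
    """Least-privilege check from the article: Admin belongs to the small group that
    owns the catalog, so any Admin binding to an individual user is flagged."""
    return sorted(b.member for b in bindings
                  if b.role == DC_ADMIN and b.member.startswith("user:"))


if __name__ == "__main__":
    for member in ("user:analyst@example.com", "user:auditor@example.com",
                   "user:support@example.com", "user:steward@example.com"):
        print(member, "sees entry:", can_see_entry(BINDINGS, member),
              "| select email:", check_query(BINDINGS, member, ["email"]))
    print("over-granted Admin:", admin_findings(BINDINGS))
```

Run it and note that the steward, despite holding Data Catalog Admin, cannot query the table at all, while the support user can read the tagged column yet cannot discover the entry: the metadata and data layers are independent, which is exactly the distinction the scenario questions probe.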

My Professional Data Engineer course covers Data Catalog, policy tags, and the rest of the GCP data governance surface in the depth the exam expects, with practice scenarios that map directly to the role-selection questions you will see on test day.
