I’ve got a sample table in BigQuery. In the same project, I gave only one role to my test user: Discovery Engine User, so that he can access the Gemini Enterprise application.
From BigQuery, he cannot access the table. From the app, he can get the full content. Is there no way to propagate my user permissions to the Gemini App Service Account? Also, it seems that Row and Column Access policies are not possible from Gemini Enterprise?
This is highly inconvenient. I thought Gemini Enterprise was more like a plug-and-play experience. I need to amend all my existing tables with a new column and handle those permissions manually whenever a new user comes in? How about tables that are continuously replicated from other databases?
Gemini Enterprise accesses BigQuery through its own service account, which is granted permissions independently of the end user’s IAM roles. This means your test user’s limited BigQuery access doesn’t apply when data is fetched by Gemini—the app’s service account needs to be restricted directly in BigQuery using IAM roles or authorized views. Row and column-level security in BigQuery isn’t automatically enforced in Gemini unless you design your data source to include those policies, and the “access control column” approach in the docs is currently the supported method for per-user filtering. For continuously replicated tables, you can implement authorized views or intermediary tables with the required column, so replication remains untouched while Gemini queries the restricted view instead. You can check which service account Gemini Enterprise uses in the documentation and adjust its BigQuery dataset permissions accordingly in IAM & Admin > IAM.
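The answer above suggests leaving replicated tables untouched and putting the per-user filtering into an authorized view that carries the access control column. The following BigQuery SQL is an added illustration of that pattern, not code from the thread or from Google's documentation. Every project, dataset, table and column name is an assumption, as is the service account address; the exact name and format the Gemini Enterprise data source expects for the access control column must be taken from the product docs, not from this example.

```sql
-- Constructed example: keep per-row entitlements in a small mapping table
-- that lives beside the replicated source, so the replication job never
-- has to write the access control column itself.
-- All names below (my-project, governance, raw, curated, ...) are assumptions.
CREATE TABLE IF NOT EXISTS `my-project.governance.row_entitlements` (
  customer_region STRING NOT NULL,  -- key that already exists in the replicated table
  principal       STRING NOT NULL   -- e.g. "user:alice@example.com" or "group:hr@example.com"
);

-- Constructed seed data for the mapping table.
INSERT INTO `my-project.governance.row_entitlements` (customer_region, principal) VALUES
  ('EMEA', 'user:alice@example.com'),
  ('EMEA', 'group:hr-emea@example.com'),
  ('APAC', 'user:bob@example.com');

-- The replicated table `my-project.raw.customers` is read only.
-- The view derives the access control column (column name assumed) by
-- collecting every principal entitled to a row into one array. An INNER JOIN
-- means a row with no entitlement is dropped, i.e. deny by default.
CREATE OR REPLACE VIEW `my-project.curated.customers_acl` AS
SELECT
  c.customer_id,
  c.customer_region,
  c.name,
  ARRAY_AGG(DISTINCT e.principal IGNORE NULLS) AS acl_principals
FROM `my-project.raw.customers` AS c
JOIN `my-project.governance.row_entitlements` AS e
  ON e.customer_region = c.customer_region
GROUP BY c.customer_id, c.customer_region, c.name;

-- Grant the Gemini Enterprise service account (placeholder address) read
-- access to the view only; it gets no role on the raw dataset.
GRANT `roles/bigquery.dataViewer`
ON VIEW `my-project.curated.customers_acl`
TO 'serviceAccount:GEMINI_ENTERPRISE_SA@PLACEHOLDER.iam.gserviceaccount.com';
```

Two things the SQL alone does not do: the view still has to be registered as an authorized view on the `raw` dataset (dataset sharing settings, not a DCL statement) so it can read `raw.customers` on behalf of readers who have no access to that dataset, and the Gemini Enterprise data source must be pointed at `curated.customers_acl` rather than the raw table. Onboarding a new user then becomes one `INSERT` into the entitlement table instead of a change to every replicated table, and the view can be spot-checked by running it as that user and confirming only rows whose `acl_principals` contain the user or one of their groups come back.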
So, to make it simpler, and to prevent hallucinations, it’s probably best to create a Gemini Enterprise app for each domain? One for HR, one for Analytics, etc. with their respective data sources.
Is there a limit on the number of applications we can create? Does that influence quota?
I also wonder if there are already some architectures guides and best practices available on the setup of Gemini Enterprise.