Hello Team, as per the documentation given here, we are trying to opt in to the early enforcement and ran this DDL statement with the correct PROJECT_ID and REGION. This statement returned the result that the enforcement got applied.
ALTER PROJECT PROJECT_ID
SET OPTIONS (
`region-REGION.enable_fine_grained_dataset_acls_option` = TRUE);
So, we are doing a POC to check which custom roles may fail after the enforcement is applied. We tested with one custom role which has the following permissions:
“bigquery.datasets.create”,
“bigquery.datasets.delete”,
“bigquery.datasets.get”,
“bigquery.datasets.update”,
Now, a user with this role should not be able to access BQ dataset ACLs since the role doesn’t have the bigquery.dataset.getIamPolicy permission. But users with this role are able to get the ACLs and are also able to update the ACLs.
Here are some suggestions that may help resolve the issue:
Ensure that you have properly configured the enable_fine_grained_dataset_acls_option configuration setting at the project level when opting into early enforcement.
Another possible reason for the issue could be the propagation delay, which may cause the enforcement to take some time to apply.
Verify and confirm that the enforcement has actually been applied and is active on the project. You can try this by using the bq command-line tool commands, as some bq tool commands are also affected when opting into early enforcement.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
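For the POC described in the question, an offline audit of custom role definitions can list which roles would lose dataset ACL access once enforcement is active. This is an added example, not code from the thread or from Google; it assumes role JSON in the shape returned by `gcloud iam roles describe --format=json`, and it assumes (from the BigQuery documentation, not this page) that viewing ACLs then needs `bigquery.datasets.getIamPolicy` and changing them needs `bigquery.datasets.setIamPolicy`. The sample roles are constructed.

```python
import json

# Legacy permission -> permission assumed to be required for the same ACL
# operation after enforcement (assumption from BigQuery docs, not this thread).
REQUIRED_AFTER = {
    "bigquery.datasets.get": "bigquery.datasets.getIamPolicy",     # view ACLs
    "bigquery.datasets.update": "bigquery.datasets.setIamPolicy",  # change ACLs
}

# Constructed sample input; role names and project are hypothetical.
SAMPLE_ROLES = json.loads("""
[
  {"name": "projects/example/roles/datasetAdminPoc",
   "includedPermissions": ["bigquery.datasets.create", "bigquery.datasets.delete",
                           "bigquery.datasets.get", "bigquery.datasets.update"]},
  {"name": "projects/example/roles/aclViewer",
   "includedPermissions": ["bigquery.datasets.get",
                           "bigquery.datasets.getIamPolicy"]},
  {"name": "projects/example/roles/metadataEditor",
   "includedPermissions": ["bigquery.datasets.get", "bigquery.datasets.update",
                           "bigquery.datasets.getIamPolicy"]},
  {"name": "projects/example/roles/oldRole", "deleted": true,
   "includedPermissions": ["bigquery.datasets.get"]}
]
""")


def missing_acl_permissions(role):
    """Return the ACL permissions a role lacks for operations it relied on."""
    perms = set(role.get("includedPermissions", []))
    return sorted(required for legacy, required in REQUIRED_AFTER.items()
                  if legacy in perms and required not in perms)


def audit(roles):
    """Map role name -> missing permissions, skipping deleted and clean roles."""
    report = {}
    for role in roles:
        if role.get("deleted"):
            continue  # deleted custom roles cannot be granted, so ignore them
        gaps = missing_acl_permissions(role)
        if gaps:
            report[role["name"]] = gaps
    return report


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_ROLES).items():
        print(f"{name}: add {', '.join(gaps)} if ACL access is intended")
```

A role that appears in this report but can still read or change dataset ACLs in testing indicates that enforcement is not yet active for that region.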