The following is the list of permissions required and used by reOptimize:
Important: The following permissions DO NOT grant us the ability to read your table data, read query job results, run or update jobs, or perform any operations on a table or a dataset.
They DO grant us permission to list and get table and dataset metadata, such as bytes stored and time created, and job metadata, such as the query itself, start and end time, bytes processed, and other job statistics and configuration. Read more on BigQuery permissions.
- bigquery.jobs.list, bigquery.jobs.listAll:
Used to give you insights into your BigQuery jobs in the BigQuery optimizations page. You will be able to view information such as top users by query job cost, the most expensive queries and the longest queries (by duration). You can also view statistics such as the percentage of cache usage and the percentage of errors.
- bigquery.datasets.get, bigquery.tables.get, bigquery.tables.list:
Used to build a BigQuery disk usage treemap which you can interact with in the BigQuery optimizations page. The treemap shows your BigQuery bytes stored for each project, dataset and table.
Will allow us to view the permissions granted to the custom role. This is used to present the "state" of your role. If the permissions required by reOptimize are set correctly, the state will be "healthy". If there are any missing permissions or redundant permissions, a warning message will be shown to you in reOptimize.
Used to get your organization details (name, display name).
Used to list and get a folder's information (name, parent, etc.). This allows us to construct the full path of a project in your OU.
- resourcemanager.projects.get, resourcemanager.projects.list:
Used to list and get projects in your OU. This allows us to see the parent folder (if any) for every project.
You may take a look at the Resource Manager API to see which fields are returned when listing/getting folders/projects.
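The role "state" check described above can be reproduced on your side before granting the role. The following is an added example, not reOptimize's own code: it reads the JSON printed by `gcloud iam roles describe --format=json`, reports missing and redundant permissions against the names listed on this page, and separately flags any permission that would contradict the metadata-only statement. The `extra_required` parameter is hypothetical and exists for the role, organization and folder permissions this page describes but does not name; the sample role is constructed.

```python
import json

# Permissions named on this page as required by the custom role.
REQUIRED = {
    "bigquery.jobs.list", "bigquery.jobs.listAll",
    "bigquery.datasets.get", "bigquery.tables.get", "bigquery.tables.list",
    "resourcemanager.projects.get", "resourcemanager.projects.list",
}

# BigQuery permissions that would allow reading table data, running or
# changing jobs, or modifying tables and datasets. Not an exhaustive list.
DATA_ACCESS = {
    "bigquery.tables.getData", "bigquery.tables.export",
    "bigquery.tables.update", "bigquery.tables.updateData",
    "bigquery.tables.delete", "bigquery.tables.create",
    "bigquery.datasets.update", "bigquery.datasets.delete",
    "bigquery.jobs.create", "bigquery.jobs.update",
}


def audit_role(role_json, extra_required=()):
    """Classify a custom role from its JSON description.

    The state is "healthy" only when the granted permissions match the
    required set exactly; otherwise it is "warning".
    """
    role = json.loads(role_json)
    granted = set(role.get("includedPermissions", []))
    required = REQUIRED | set(extra_required)
    missing = sorted(required - granted)
    redundant = sorted(granted - required)
    data_access = sorted(granted & DATA_ACCESS)
    state = "healthy" if not (missing or redundant) else "warning"
    return {"state": state, "missing": missing,
            "redundant": redundant, "data_access": data_access}


# Constructed sample: one required permission missing, one data-read
# permission added. The role name is a placeholder.
SAMPLE_ROLE = json.dumps({
    "name": "organizations/000000000000/roles/exampleRole",
    "includedPermissions": sorted(REQUIRED - {"bigquery.jobs.listAll"})
    + ["bigquery.tables.getData"],
})

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

Any entry under `data_access` means the role grants more than metadata access and should be removed before the role is bound.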