You are designing a data mesh on Google Cloud by using Dataplex to manage data in BigQuery and Cloud Storage. You want to simplify data asset permissions. You are creating a customer virtual lake with two user groups:
• Data engineers, which require full data lake access
• Analytic users, which require access to curated data
You need to assign access rights to these two groups. What should you do?
For designing a data mesh on Google Cloud using Dataplex, it is important to utilize the roles provided by Dataplex to manage access for data engineers and analytic users. The data engineers need full access to the data lake, which necessitates the dataplex.dataOwner role, granting them full control including managing access. The analytic users, who require access only to curated data, should be granted the dataplex.dataReader role, which permits them to read data without altering it. This approach aligns with the specific requirements and simplifies the management of data asset permissions effectively.
- dataplex.dataOwner: Grants full control over data assets, including reading, writing, managing, and granting access to others. - dataplex.dataReader: Allows users to read data but not modify it.
Yes, https://cloud.google.com/dataplex/docs/lake-security#data-roles Dataplex maps its roles to the data roles for each underlying storage resource (Cloud Storage, BigQuery). ^ simplify the permissions.
A correct answer
Option A clearly correct
A. 1. Grant the dataplex.dataOwner role to the data engineer group on the customer data lake. 2. Grant the dataplex.dataReader role to the analytic user group on the customer curated zone.
Option A
The quetion is for BigQuery AND Cloud Storage for a Data Lake, so you should assign IAM permissions for both of them. C is correct.
Dataplex roles are mapped to roles for the underlying resources, like BQ and GCS. So A and C are functionally (almost) equivalent, but A is simpler (2 roles rather than 4). See https://cloud.google.com/dataplex/docs/lake-security#data-roles