To ensure that users can only access the data in a BigQuery table during working hours, you can assign the BigQuery Data Viewer role with an IAM condition that specifies the allowed access times. This method leverages IAM Conditions, which let you define and enforce time-based access policies. Here's how to do it:
Identify the BigQuery Table: Determine which BigQuery table(s) require restricted access.
Create an IAM Policy with Conditions: Define an IAM policy that includes a condition for time-based access. You can do this using the Google Cloud Console, gcloud command-line tool, or directly editing the IAM policy JSON.
Specify Working Hours: In the IAM condition, specify the time frame during which access is allowed. For example, you can set access to be allowed from 9 AM to 5 PM on weekdays.
Assign the Role with Conditions: Apply the policy to the users or groups who need access. Ensure that the condition is correctly attached to the BigQuery Data Viewer role.
Example using gcloud (note: getHours() and getDayOfWeek() evaluate in UTC unless you pass an IANA time zone such as "America/New_York" as an argument; getDayOfWeek() numbers Sunday as 0, so 1 to 5 is Monday to Friday; range comparisons are used instead of a list because gcloud splits the --condition value on commas):
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member=user:[USER_EMAIL] \
  --role=roles/bigquery.dataViewer \
  --condition='expression=request.time.getFullYear() == 2024 && request.time.getDayOfWeek() >= 1 && request.time.getDayOfWeek() <= 5 && request.time.getHours() >= 9 && request.time.getHours() < 17,title=Working hours condition,description=Access limited to working hours'
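As an added example (not code from the page or from Google's tooling), the following Python builds the same conditional binding as it appears in the IAM policy JSON and mirrors the condition offline to show the UTC-versus-local pitfall; the member, role holder and time-zone values are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone, tzinfo

# Hypothetical values (assumptions, not from the page): replace before use.
MEMBER = "user:analyst@example.com"
ROLE = "roles/bigquery.dataViewer"
TZ_NAME = "America/New_York"  # IANA name passed to the CEL time functions

def working_hours_expression(tz_name: str) -> str:
    """CEL condition: Monday-Friday, 09:00-16:59 in tz_name.
    getDayOfWeek() is 0-based with Sunday = 0, so 1..5 is Mon..Fri.
    Range comparisons avoid commas, which gcloud's --condition parser
    would otherwise treat as key=value separators."""
    t = "request.time"
    return (f'{t}.getDayOfWeek("{tz_name}") >= 1 && {t}.getDayOfWeek("{tz_name}") <= 5'
            f' && {t}.getHours("{tz_name}") >= 9 && {t}.getHours("{tz_name}") < 17')

def conditional_binding(member: str, role: str, tz_name: str) -> dict:
    """One binding entry as it appears in the IAM policy JSON."""
    return {"role": role, "members": [member],
            "condition": {"title": "Working hours condition",
                          "description": "Access limited to working hours",
                          "expression": working_hours_expression(tz_name)}}

def add_binding(policy: dict, binding: dict) -> dict:
    """Append the binding; conditional bindings require policy version 3."""
    updated = dict(policy)
    updated["version"] = 3
    updated["bindings"] = list(policy.get("bindings", [])) + [binding]
    return updated

def allowed(request_time: datetime, tz: tzinfo) -> bool:
    """Offline mirror of the condition: is this instant inside working hours?"""
    local = request_time.astimezone(tz)
    return 1 <= local.isoweekday() <= 5 and 9 <= local.hour < 17

def demo() -> dict:
    """Constructed check: Monday 2024-03-04 13:00 UTC, judged in UTC and in a
    fixed UTC-5 stand-in for New York (no DST; use zoneinfo in real checks)."""
    t = datetime(2024, 3, 4, 13, 0, tzinfo=timezone.utc)
    policy = add_binding({"version": 1, "bindings": []},
                         conditional_binding(MEMBER, ROLE, TZ_NAME))
    return {"policy": policy,
            "allowed_utc": allowed(t, timezone.utc),                      # True
            "allowed_eastern": allowed(t, timezone(timedelta(hours=-5)))}  # False

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same instant passes the condition when evaluated in UTC and fails when evaluated in Eastern time, which is why the time zone belongs in the expression rather than in the reader's head.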