When we enable Open Data for you, we also automatically create a Google group for your organization. The Google account you provided at the beginning has the Manager role in the group by default, which allows you to manage user access to your BigQuery datasets.
A group may not be the manager of another group.
Anyone you add to this Open Data access-group will be able to log in to Google Cloud to run queries and export data.
Your users must have a Google account to log in to BigQuery. So make sure to use email addresses associated with a Google account when you add people to your Google group.
This way, you can grant access to your datasets either to people in your organization or to external consultants.
For security reasons, you won’t have access to the Google Cloud Platform Identity and Access Manager pages other than the Service account administrator page.
Granting access
To add people to your Open Data access-group, proceed as follows:
- Sign in to Google Groups.
- Click All groups or My groups if you are a group admin.
- Under the name of the Open Data access-group you want to manage, click Members.
If you are responsible for the marketing of several different brands or subsidiaries, you may see more groups associated with your organization on this page.
- Click Add members in the menu on the left side.
- Fill in the form and click the Add members button.
Group invitations sometimes fail to be sent out, so you should use the Add member functionality only. If you accidentally added a user in a different way, go to the Pending members menu, choose the user and click the Revoke invitation button. You should be able to add the member directly after you have removed the pending invite.
All users added to your Open Data access-group will inherit the following permissions:
- bigquery.jobs.create
- iam.serviceAccountKeys.create
- iam.serviceAccountKeys.delete
- iam.serviceAccountKeys.get
- iam.serviceAccountKeys.list
- iam.serviceAccounts.create
- iam.serviceAccounts.delete
- iam.serviceAccounts.get
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.list
- iam.serviceAccounts.setIamPolicy
- iam.serviceAccounts.update
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.list
- storage.buckets.list
- bigquery.readsessions.*
- bigquery.savedqueries.get
- bigquery.savedqueries.list
- pubsub.subscriptions.consume
- pubsub.subscriptions.create
- pubsub.subscriptions.delete
- pubsub.subscriptions.get
- pubsub.subscriptions.list
- pubsub.subscriptions.update
To learn more about Google Cloud Platform roles, visit Google’s support pages.
Revoking access
To remove anyone from your Open Data access-group, proceed as follows:
- Sign in to Google Groups.
- Click My Groups.
- Select Switch organization view to: emarsys.com.
- Under the name of the Open Data access-group you want to manage, click Manage members.
- Choose the member you want to remove.
- Click Actions > Remove from group.
To learn more about how you can manage your Google group, visit Google’s support pages.
Granting manager access
In certain cases, you might need to give another user the group Manager role, so they can manage access to your Open Data access-group too. To grant the Manager role to someone, proceed as follows:
- Sign in to Google Groups with a Google account that has the Manager role already.
- Click My Groups.
- Select Switch organization view to: emarsys.com.
- Under the name of the Open Data access-group you want to manage, click Manage members.
- Choose the member you want to give the Manager role to.
- Click Actions > Add to role > Manager.
A group may not be the manager of another group.
Revoking manager access
- Sign in to Google Groups with a Google account that has the Manager role already.
- Click My Groups.
- Select Switch organization view to: emarsys.com.
- Under the name of the Open Data access-group you want to manage, click Manage members.
- Choose the member you want to revoke the Manager role from.
- Click Actions > Remove from role > Manager.
Creating an API key
You can access your Open Data project via API by using a Service account we prepare during the Open Data project setup. To create an access key, proceed as follows:
- Open Google Cloud Console. Make sure you use an account that was previously added to your Open Data access-group. You can double-check the active account in the top right corner.
- Select your Open Data project. The name of your project always follows the ems-od-<customer> naming convention.
- Open the menu, hover over Identity and select Service accounts.
For security reasons, you don’t have access to the Google Cloud Identity and Access Manager pages other than the Service account administrator page.
- Find the Service account that has a name like this: client-service-account@ems-od-<customer>.iam.gserviceaccount.com
- Click Actions > Create key.
- Choose the desired Key type and click the Create button.
Creating a Service Account
In case you want to separate the programmatic access to your Google Cloud Platform project, you might want to create multiple Service Accounts. To create a new Service Account, proceed as follows:
- Open Google Cloud Console. Make sure you use an account that was previously added to your Open Data access-group. You can double-check the active account in the top right corner.
- Select your Open Data project. The name of your project always follows the ems-od-<customer> naming convention.
- Open the menu, hover over IAM & Admin and select Service accounts.
For security reasons, you don’t have access to the Google Cloud IAM pages other than the Service account administrator page.
- Click the Create Service Account button.
- Fill in the form and click the Create button.
- To provide the necessary access for this freshly created Service Account, you must add it to your Open Data access-group: copy its address and follow the steps in the Granting access section.
Rotating your Service Account keys
You need to rotate your Service Account keys every 90 days to keep your access as secure as possible.
If your Open Data Service Account credentials need changing, for example because they are more than 90 days old, the Notification Center sends you a message. This message includes a link that takes you to the Service Account dashboard.
Follow these steps to update your credentials:
- Click your Service Account.
- In the Keys tab, click Add Key.
- Select your format (JSON or p12) and click Create to download the new key.
- Replace the old key with the new one wherever you are using it.
- Test the new key to verify it works correctly.
- Delete the old key from the Keys tab of the Service Account.
The name of the file contains the beginning of the key ID. It makes it easier for you to know when the key was created and allows you to manage the service key updates without relying on notifications.
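A check for the rotation procedure above, as an added example that is not part of the original documentation: it reads the JSON printed by `gcloud iam service-accounts keys list --iam-account=<address> --managed-by=user --format=json` and reports keys older than 90 days, plus old keys that were left in place after a newer key was created. The `acme` customer name, key IDs and timestamps are constructed sample values.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # rotation interval stated on this page

# Constructed sample of the gcloud JSON output; the "acme" customer name,
# key IDs and timestamps are placeholders, not real values.
SA = "client-service-account@ems-od-acme.iam.gserviceaccount.com"
PREFIX = f"projects/ems-od-acme/serviceAccounts/{SA}/keys/"
SAMPLE_KEYS_JSON = json.dumps([
    {"name": PREFIX + "0a1b2c3d", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-10T08:00:00Z"},
    {"name": PREFIX + "4e5f6a7b", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-20T08:00:00Z"},
    {"name": PREFIX + "9c8d7e6f", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-05-30T00:00:00Z"},
])


def audit_keys(keys_json, now):
    """Return (overdue, leftover) key IDs for one service account.

    overdue:  user-managed keys created more than 90 days before `now`.
    leftover: user-managed keys older than the newest one, i.e. old keys
              that were not deleted after a replacement was created.
    """
    user_keys = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue  # system-managed keys are rotated by Google
        created = datetime.fromisoformat(
            key["validAfterTime"].replace("Z", "+00:00"))
        user_keys.append((created, key["name"].rsplit("/", 1)[-1]))
    user_keys.sort()  # oldest first
    overdue = [kid for created, kid in user_keys if now - created > MAX_KEY_AGE]
    leftover = [kid for _, kid in user_keys[:-1]]
    return overdue, leftover


if __name__ == "__main__":
    # Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc)
    # when auditing real output.
    overdue, leftover = audit_keys(
        SAMPLE_KEYS_JSON, datetime(2024, 6, 1, tzinfo=timezone.utc))
    print("older than 90 days:", overdue)
    print("old keys still present:", leftover)
```

A non-empty second list after a completed rotation means the last step, deleting the old key, was skipped.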
Accessing an Open Data project from an external project
If you already have an existing Google Cloud Platform project for using a tool such as Looker Studio and want to work in that project rather than the one we provide, you can connect your external project to Open Data.
To secure your data, we use Google VPC Service Controls, which means enabling an external project has to go through a two-step process:
- Get the project added to our security perimeter.
- Add the project in Google.
By adding an external project, you can then execute your queries, or work natively in your own project or tool rather than having to use the one provided by Emarsys.
External Google Cloud Platform projects and tools are owned and maintained by you, the customer, which means that you are responsible for providing and managing access to these external resources. As these tools and projects exist outside of the Emarsys Data Protection features, you have to own all security-related topics for your project or tools. Because of this, Emarsys shall not be liable for any incident originating from a tool or project that you request to have added to our VPC Service Controls perimeter. If malicious traffic is detected from a (possibly compromised) external project, then Emarsys will suspend this project’s access without prior notification.
1. Adding a project to the Emarsys security perimeter
To add a project to our security perimeter, you will need to get the project number and then provide that to either our Technical Support teams or your Implementation Consultant, if you have one.
They will then arrange for this project to be associated with your Open Data account, and then confirm when you are able to add the project in Google.
2. Granting access from your Google Cloud Platform project
To grant access to your Open Data project from your Google Cloud Platform project, proceed as follows:
- Open the Google Cloud Console and open the project you want to grant access to.
- Navigate to Identity/IAM and select Service accounts.
- Copy the address of the Service account you want to grant access to.
- Add this account’s address to your Open Data access-group in the same way you grant access to a regular user.
Once you have completed these steps, you will be able to programmatically access your Open Data account from your own project. If you want to run queries via the browser, you will also need to make sure that your user account has been set up with permission to access the Open Data account. This is required because the browser authenticates as the logged-in user account, rather than using the service account.
Open Data datasets store data in the EU. If your data is stored in a different location, you might need to copy the dataset to a different region. To learn more about BigQuery locations, visit Google’s Support pages.