
BigQuery models allow users to build machine-learning pipelines within BigQuery.

Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.


bigquery.models.updateMetadata

From Google: "Update model metadata." Allows users to update a model's description and labels and to change its expiration time. Allows users to destroy a model by setting its expiration to 0.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://cloud.google.com/bigquery/docs/access-control
  • https://cloud.google.com/bigquery/docs/updating-model-metadata
  • https://cloud.google.com/bigquery/docs/reference/rest/v2/models/patch
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog