https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/Recent content in BigQuery onHugoenhttps://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/overview/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/overview/<ol id="toc"></ol> <script> // JavaScript to generate the table of contents from H2 headings document.addEventListener("DOMContentLoaded", function () { //get all h2 headings within the 'main' element and generate a toc with links to them //excluding h2 heading 'Feedback' if it exists const toc = document.getElementById("toc"); const headings = document.querySelectorAll("main h2"); headings.forEach(heading => { if (heading.textContent === "Feedback") { return; // Skip the 'Feedback' heading } const li = document.createElement("li"); const a = document.createElement("a"); const id = heading.textContent.toLowerCase().replace(/\s+/g, '-'); heading.id = id; // Set the id for the heading a.href = `#${id}`; a.textContent = heading.textContent; li.appendChild(a); toc.appendChild(li); }); }); </script> <h2 id="solution-overview">Solution Overview</h2> <p>The GCP (Google Cloud Platform) BigQuery Protector is a cloud-native, serverless product for fine-grained data protection. This enables the invocation of Protegrity data protection cryptographic methods in cloud-native serverless technology. The benefits of serverless include rapid auto-scaling, performance, low administrative overhead, and reduced infrastructure costs compared to a server-based solution.</p>https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/architecture/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/architecture/<ol id="toc"></ol> <script> // JavaScript to generate the table of contents from H2 headings document.addEventListener("DOMContentLoaded", function () { //get all h2 headings within the 'main' element and generate a toc with links to them //excluding h2 heading 'Feedback' if it exists const toc = document.getElementById("toc"); const headings = document.querySelectorAll("main h2"); headings.forEach(heading => { if (heading.textContent === "Feedback") { return; // Skip the 'Feedback' heading } const li = document.createElement("li"); const a = document.createElement("a"); const id = heading.textContent.toLowerCase().replace(/\s+/g, '-'); heading.id = id; // Set the id for the heading a.href = `#${id}`; a.textContent = heading.textContent; li.appendChild(a); toc.appendChild(li); }); }); </script> <p> <h2 id="deployment-architecture">Deployment Architecture</h2> <p>The Protegrity product should be deployed in the customer’s Cloud account within the same Google Cloud region as the BigQuery dataset. The product incorporates Protegrity’s vaultless tokenization engine within Google Cloud Functions. The encrypted data security policy from an ESA is deployed periodically as a static resource together with Cloud Function binaries. The policy is decrypted in memory at runtime within the Cloud Function. This architecture allows Protegrity to be highly available and scale very quickly without direct dependency on any other Protegrity services.</p>https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/configuration/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/configuration/<ol id="toc"></ol> <script> // JavaScript to generate the table of contents from H2 headings document.addEventListener("DOMContentLoaded", function () { //get all h2 headings within the 'main' element and generate a toc with links to them //excluding h2 heading 'Feedback' if it exists const toc = document.getElementById("toc"); const headings = document.querySelectorAll("main h2"); headings.forEach(heading => { if (heading.textContent === "Feedback") { return; // Skip the 'Feedback' heading } const li = document.createElement("li"); const a = document.createElement("a"); const id = heading.textContent.toLowerCase().replace(/\s+/g, '-'); heading.id = id; // Set the id for the heading a.href = `#${id}`; a.textContent = heading.textContent; li.appendChild(a); toc.appendChild(li); }); }); </script> <p> <h2 id="gcp-project-bigquery-required-permissions">GCP Project BigQuery required permissions</h2> <p>Configuring BigQuery connection requires permissions included in the following predefined IAM roles:</p>https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/no-access-behavior/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/no-access-behavior/<h1 id="no-access-behavior">No Access Behavior</h1> <p>The security policy maintains a <strong>No Access Operation</strong>, configured in an ESA, which determines the response for unauthorized unprotect requests.</p> <p><img src="https://docs.protegrity.com/cloud-protect/4.0.0/docs/common/protector/no_access_behaviour_border.png" alt="" title="no access settings"></p> <p>The following table describes the result returned in the response for the various no access unprotect permissions.</p> <table> <thead> <tr> <th>No Access Operation</th> <th>Data Returned</th> </tr> </thead> <tbody> <tr> <td>Null</td> <td>null</td> </tr> <tr> <td>Protected</td> <td>(protected value)</td> </tr> <tr> <td>Exception</td> <td>Query will fail with an exception</td> </tr> </tbody> </table> <div class="alert alert-info" role="alert"> <h4 class="alert-heading">Note</h4> An unauthorized protect will throw an exception. </div>https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/upgrading/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/upgrading/<div class="alert alert-warning" role="alert"> <h4 class="alert-heading">Important</h4> <ul> <li>Upgrading the Policy Agent component to version <strong>4</strong> from any previous major version requires a new installation</li> <li>Upgrading the Protector component to version <strong>4</strong> from any previous major version requires a new installation</li> <li>Upgrading the Log Forwarder component to version <strong>4</strong> from any previous major version requires a new installation</li> </ul> </div> <!-- Disabled for this release; re-enable in a future release: readfile /docs/gcp/common/upgrading/index.txt -->https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/known-limitations/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/big_query/known-limitations/<ul> <li> <p>Only protect and unprotect operations are supported. The re-protect operation is not supported.</p> </li> <li> <p>The Semi-structured (JSON) data type is not supported in the product.</p> </li> </ul> <ul> <li> <p><strong>Cloud Function (Gen2) labels must not be updated from the Cloud Run Services console.</strong> When updating labels for a GCP Cloud Function (Gen2) through the <strong>Cloud Run Services</strong> console, GCP creates a new Cloud Run revision with the updated labels, but the underlying Cloud Function retains the old labels. Because the policy agent reads labels from the Cloud Function definition (not the Cloud Run revision), it will not detect the label change and will not trigger a policy update.</p>