bigquery/ERR/2023_006

An organization’s policy doesn’t block the BigQuery user domain

Product: BigQuery Rule class: ERR - Something that is very likely to be wrong

Description

There can be domain restriction policies applied to customer’s organization. The domain of the user (the part after ‘@’ in the user’s email) that you are trying to share the BigQuery dataset with should be present in the list of “Allowed” fields for the constraint constraints/iam.allowedPolicyMemberDomains.

Using the below logs filter, you can see the IAM policy bindings for the dataset. Please go through the list of bindings to identify the user whose domain is not allowed within your organization policies:

resource.type="bigquery_dataset"
protoPayload.methodName="google.iam.v1.IAMPolicy.SetIamPolicy"
severity=ERROR
protoPayload.status.message:"One or more users named in the policy do not belong
to a permitted customer."

Remediation

If the domain of the user is not present in the “Allowed” fields for the constraint constraints/iam.allowedPolicyMemberDomains, please add it to resolve the error.

Further information

Restricting Domains - Setting the Organization Policy