Census reads data from one or more tables (possibly across different schemata) in your data warehouse and publishes it to the corresponding objects in external systems, such as Salesforce. To limit the load on your database as well as external APIs, Census computes a “diff” to determine changes between each update. In order to compute these diffs, Census creates and writes to a number of tables in the
census dataset ('dataset' is what Google calls their equivalent of a 'schema' in standard database terminology).In order for the Census connection to work correctly, the account you provide to Census must have these permissions:
Permission to create a new
census dataset or an existing
census dataset, and full admin access to all schema/tables within that dataset (including creating and deleting tables, and reading and writing to all tables).
Read-only access to any tables and views in any schemata that you would like Census to publish to Salesforce.
BigQuery manages these permissions through their IAM Policy mechanism. Specifically, Census uses two BigQuery policies by default:
bigquery.dataViewer - Allows Census read-only access to list the datasets and tables in the BigQuery instance, and to get data from the tables.
bigquery.user - Allows Census to create new datasets which we use to create the
census dataset. This then grants Census the
bigquery.dataOwner role on the contents of this dataset.
Because permissions are a bit unique on BigQuery so the process of creating a new connection to Census requires a few extra steps.
Visit the Connections section on Census, and press Add Data Warehouse Connection, selecting BigQuery from the list.
Census will ask you to provide the Google Cloud Project ID that contains your BigQuery instance. You can find that on the Google Cloud Console in the Project Info section. If you have multiple Google Cloud projects, you'll need to first select the correct one with the project picker in the top right.
Once you've provided Census with your Project ID, Census will automatically generate a new Role Account we'll use to communicate with your BigQuery and provide you with two copy and paste-able commands you can use to grant permissions for this account on this project. The easiest way to execute these commands is within the Google Cloud Shell in the Google Cloud Console.
Once you've run both commands, press the Test button in Census. This will validate that you've granted the appropriate credentials. Once you've got a checkmark for all four steps, you're good to go!
BigQuery supports External Tables which allows Google Sheets and tabular data in Google Drive to appear as tables in BigQuery. In order for Census to access these resources, it must be given explicit access to the Google Sheet or Google Drive document.
First, you'll need Census service account's email address for your specific connection. You can see that in the Connections Tab. It's of the form census-[LONG ID]@sutrolabs-giza-production.iam.gserviceaccount.com
Next, in Google Drive, click Share and give that email address permission to View the contents of the document.
If Census does not have view access to the document, you will see an error indicating that Census does not have permission to access the underlying data for that table.
BigQuery does things a bit differently from other data warehouses. Unfortunately, as of this moment, BigQuery does not support limiting access to specific IP addresses.