For Agents
Manage column-level masking and access policies attached to BigQuery policy tags. Agents can create, rename, and IAM-bind data policies that protect sensitive columns at query time.
Get started with BigQuery Data Policy API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"create a BigQuery column masking policy"
# → Jentic returns the create dataPolicy tool with its parameter schema; the agent executes.
What an agent can do with the BigQuery Data Policy API.
Create data policies that apply masking rules to columns tagged with a policy tag
List all data policies in a project and location for inventory and audit
Patch a data policy to change its data-masking expression
Rename a data policy resource without re-tagging columns
Use for: I need to create a data policy that masks customer email columns, List all BigQuery data policies under a project and location, Get the masking rule attached to a specific data policy, Update the masking expression on an existing data policy
Not supported: Does not run queries, manage encryption keys, or transfer data — use for column-level masking policy management only.
The BigQuery Data Policy API manages column-level masking policies that BigQuery enforces at query time. You attach a data policy to a policy tag in Data Catalog, and any column tagged with it is masked, hashed, or nulled out for callers who lack the unmask role. The API exposes create, list, patch, rename, and delete operations on data policies plus IAM policy management on each resource. Together with policy tags, this lets data platform teams enforce GDPR/HIPAA-style column controls without writing per-query views.
Delete data policies that are no longer enforced
Read and set IAM policies that grant the unmask role on sensitive columns
Test caller permissions on a data policy before delegating access
Patterns agents use the BigQuery Data Policy API for, with concrete tasks.
★ PII Masking at Query Time
Apply masking policies to columns tagged with sensitivity labels so PII is hashed or nulled for callers without the unmask role. Data policies are managed at /v1/{parent}/dataPolicies and bound via setIamPolicy. This avoids creating per-team views and keeps a single source of truth for the underlying table.
Create a data policy named mask_email_sha256 that applies SHA256 to columns tagged with the pii.email policy tag in project myproj location US.
Tiered Access Across Analyst Groups
Grant the roles/bigquerydatapolicy.maskedReader role to broad analyst groups and roles/datacatalog.categoryFineGrainedReader to a small unmask group. Use setIamPolicy on the data policy resource to control which principals see the raw values. The whole tiering can be expressed as a few API calls, avoiding hand-managed BigQuery views.
Bind roles/bigquerydatapolicy.maskedReader to group analysts@example.com on data policy projects/myproj/locations/US/dataPolicies/mask_email_sha256.
Compliance Audit and Inventory
Periodically list all data policies in each project and location and verify that critical policy tags have a policy attached. The list endpoint at /v1/{parent}/dataPolicies returns the policy expression and bound resources, which can be exported into a compliance system.
List all data policies in project myproj location US and return any that have an empty data masking expression.
Agent-Driven Policy Provisioning
An AI agent can take a request like 'mask credit card numbers everywhere they appear' and create the matching data policy via Jentic. The agent loads the create operation, generates the masking expression, and binds the right IAM role to a reviewer group. Sensitive credentials never leave the Jentic vault.
From the request 'redact CCN columns for everyone except finance', create the data policy and grant unmask role to finance-readers@example.com.
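The three patterns above (masking at query time, tiered access via maskedReader, and the compliance audit for policies with an empty masking expression) all reduce to building a small number of REST request bodies. The following Python is an added example, not Jentic's or Google's own client code: it builds the create and setIamPolicy payloads for the v1 API shape (dataPolicyId, dataPolicyType, policyTag, dataMaskingPolicy.predefinedExpression) and runs the audit check over a constructed list response. The project, taxonomy, policy tag and group names are placeholders; no network call is made.

```python
import json
from typing import Any

# Real API host for the BigQuery Data Policy API v1.
API_ROOT = "https://bigquerydatapolicy.googleapis.com/v1"
MASKED_READER_ROLE = "roles/bigquerydatapolicy.maskedReader"

# Predefined expressions accepted in dataMaskingPolicy.predefinedExpression.
PREDEFINED_EXPRESSIONS = {
    "SHA256", "ALWAYS_NULL", "DEFAULT_MASKING_VALUE",
    "LAST_FOUR_CHARACTERS", "FIRST_FOUR_CHARACTERS",
    "EMAIL_MASK", "DATE_YEAR_MASK",
}


def data_policy_name(project: str, location: str, policy_id: str) -> str:
    """Full resource name used by get/patch/rename/delete/setIamPolicy."""
    return f"projects/{project}/locations/{location}/dataPolicies/{policy_id}"


def build_create_request(project: str, location: str, policy_id: str,
                         policy_tag: str, expression: str) -> tuple[str, str, dict[str, Any]]:
    """Return (method, url, body) for POST /v1/{parent}/dataPolicies.

    policy_tag is the Data Catalog policy tag resource name; the data policy
    masks every column tagged with it for callers lacking the unmask role.
    """
    if expression not in PREDEFINED_EXPRESSIONS:
        raise ValueError(f"unknown predefined masking expression: {expression}")
    parent = f"projects/{project}/locations/{location}"
    body = {
        "dataPolicyId": policy_id,
        "dataPolicyType": "DATA_MASKING_POLICY",
        "policyTag": policy_tag,
        "dataMaskingPolicy": {"predefinedExpression": expression},
    }
    return "POST", f"{API_ROOT}/{parent}/dataPolicies", body


def build_set_iam_request(policy_name: str, masked_readers: list[str]) -> tuple[str, str, dict[str, Any]]:
    """Return (method, url, body) for POST /v1/{resource}:setIamPolicy.

    Binds maskedReader so the listed principals (IAM member strings such as
    "group:analysts@example.com") see masked values rather than a denied query.
    """
    body = {"policy": {"bindings": [
        {"role": MASKED_READER_ROLE, "members": sorted(masked_readers)},
    ]}}
    return "POST", f"{API_ROOT}/{policy_name}:setIamPolicy", body


def find_unmasked_policies(list_response: dict[str, Any]) -> list[str]:
    """Audit: ids of DATA_MASKING_POLICY entries whose masking expression is empty.

    A policy with neither a predefinedExpression nor a routine (custom UDF)
    masks nothing, so a tagged column it covers is effectively unprotected.
    """
    gaps = []
    for policy in list_response.get("dataPolicies", []):
        if policy.get("dataPolicyType") != "DATA_MASKING_POLICY":
            continue
        masking = policy.get("dataMaskingPolicy") or {}
        if not (masking.get("predefinedExpression") or masking.get("routine")):
            gaps.append(policy.get("dataPolicyId") or policy["name"].rsplit("/", 1)[-1])
    return gaps


# Constructed sample of a dataPolicies.list response (placeholder ids).
SAMPLE_LIST_RESPONSE = {
    "dataPolicies": [
        {"name": data_policy_name("myproj", "US", "mask_email_sha256"),
         "dataPolicyId": "mask_email_sha256",
         "dataPolicyType": "DATA_MASKING_POLICY",
         "policyTag": "projects/myproj/locations/US/taxonomies/1/policyTags/2",
         "dataMaskingPolicy": {"predefinedExpression": "SHA256"}},
        {"name": data_policy_name("myproj", "US", "pii_ssn_unconfigured"),
         "dataPolicyId": "pii_ssn_unconfigured",
         "dataPolicyType": "DATA_MASKING_POLICY",
         "policyTag": "projects/myproj/locations/US/taxonomies/1/policyTags/3",
         "dataMaskingPolicy": {}},
    ]
}


if __name__ == "__main__":
    tag = "projects/myproj/locations/US/taxonomies/1/policyTags/2"  # placeholder
    method, url, body = build_create_request("myproj", "US", "mask_email_sha256", tag, "SHA256")
    print(method, url)
    print(json.dumps(body, indent=2))
    name = data_policy_name("myproj", "US", "mask_email_sha256")
    print(*build_set_iam_request(name, ["group:analysts@example.com"])[:2])
    print("policies with no masking expression:", find_unmasked_policies(SAMPLE_LIST_RESPONSE))
```

The audit treats a missing dataMaskingPolicy as a finding rather than silently skipping it, which is the case an inventory job most needs to surface: a policy exists and looks configured in a listing, but enforces nothing.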
9 endpoints. The BigQuery Data Policy API manages column-level masking policies that BigQuery enforces at query time.
METHOD   PATH                            DESCRIPTION
POST     /v1/{+parent}/dataPolicies      Create a new data policy under a project and location
GET      /v1/{+parent}/dataPolicies      List data policies under a project and location
GET      /v1/{+name}                     Get a single data policy
PATCH    /v1/{+name}                     Update a data policy's masking expression
POST     /v1/{+name}:rename              Rename a data policy resource
DELETE   /v1/{+name}                     Delete a data policy
POST     /v1/{+resource}:setIamPolicy    Set the IAM policy on a data policy
Three things that make agents converge on Jentic-routed access.
Credential isolation
Google OAuth 2.0 client credentials and refresh tokens are stored encrypted in the Jentic vault (MAXsystem). The agent only ever sees a scoped, short-lived access token, so it cannot persist or exfiltrate the refresh token.
Intent-based discovery
Agents search Jentic with intents like 'mask a BigQuery column' and Jentic returns the create dataPolicy operation with its dataMaskingPolicy schema, so the agent can call the right endpoint without reading the Discovery doc.
Time to first call
Direct integration: half a day for OAuth and learning the policyTag/maskingPolicy shape. Through Jentic: under 30 minutes — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
BigQuery API
Runs the queries that the data policies mask at execution time.
Choose BigQuery when the agent needs to query data; choose Data Policy when it needs to set up the masking that BigQuery applies.
Cloud KMS API
Manages encryption keys that protect the underlying data at rest.
Use Cloud KMS for at-rest encryption of the table; use Data Policy for query-time masking of specific columns.
BigQuery Connection API
Provides a different control plane for federated source access.
Use Connection to control access to whole external sources; use Data Policy for column-level masking inside BigQuery.
Specific to using the BigQuery Data Policy API through Jentic.
What authentication does the BigQuery Data Policy API use?
The BigQuery Data Policy API uses Google OAuth 2.0 with the cloud-platform and bigquery scopes. Jentic stores the OAuth refresh token encrypted and provides the agent only a scoped access token at execution time.
Can I attach a masking expression to a Data Catalog policy tag?
Yes. Create the data policy via POST /v1/{parent}/dataPolicies with a policyTag field referencing the Data Catalog tag and a dataMaskingPolicy expression (for example SHA256, DEFAULT_MASKING_VALUE, or a custom UDF). BigQuery enforces it on every query.
What are the rate limits for the BigQuery Data Policy API?
Project-level quotas apply: typically a small write QPS for create/patch/rename/delete on the same data policy and a few hundred QPS for reads. Specific per-project values are visible in the Google Cloud quotas console.
How do I rename a data policy through Jentic?
Search Jentic for 'rename a BigQuery data policy', load the schema for POST /v1/{name}:rename, and execute with newDataPolicyId set to the new identifier. Jentic forwards the OAuth token; the policyTag binding stays intact.
Does this API mask data in tables that have no policy tag?
No. Data policies only take effect on columns whose schema includes a policyTag that this policy is attached to. Untagged columns are returned in cleartext regardless of how many data policies exist.