Problem
Enterprise customers using BigQuery with Google SSO need data rights propagation - when a user signs into nao via their Google account, the agent should inherit their BigQuery permissions. This ensures users can only query tables they have access to in BigQuery, without admins having to duplicate permission management in nao.
Redshift impersonation already exists. BigQuery needs the same.
Expected behavior
- When a user authenticates via Google SSO, nao reads their BigQuery IAM permissions
- The agent enforces the same table/dataset-level access the user has in BigQuery
- No extra permission configuration needed in nao - it mirrors what's already set in GCP