BigQuery Access-Grant Expiry Sweep with Slack Revoke Notice

Each morning, finds row-level and dataset IAM grants past their expiry date in BigQuery, revokes them, and DMs each affected user on Slack with what was removed and how…

Category: Data Ops
Engine: sim
Difficulty: intermediate
Trigger: schedule
Steps: 6
Setup: ~15 min

How it runs

The automated pipeline, trigger to output.

  • Trigger: Daily schedule fires the expiry sweep
  • Action: Query expired active grants from the ledger (Postgres)
  • Logic: Filter out already-revoked or extended grants
  • Action: Revoke the BigQuery IAM binding for each grant (BigQuery)
  • Action: Mark the grant revoked in the ledger (Postgres)
  • Output: DM the affected user the revocation notice (Slack)

What it does

This workflow keeps temporary BigQuery access from silently becoming permanent. It scans your grant ledger for any access whose expiry timestamp has passed, revokes the underlying BigQuery IAM binding, records the revocation, and notifies the person who lost access on Slack so there are no surprises.

When to use it

Run it when you grant time-boxed access to datasets, tables, or row-level policies (for incidents, audits, contractor work) and need expiry enforced automatically instead of relying on someone to remember. Ideal for data platform and security teams with compliance retention windows.

How it works

  1. A daily schedule fires the sweep.
  2. Postgres is queried for grants whose `expires_at` is in the past and `status = 'active'`.
  3. A logic step filters out grants already marked revoked or extended past today.
  4. For each expired grant, BigQuery removes the IAM binding (dataset, table, or row-access policy).
  5. Postgres is updated to mark the grant revoked with a timestamp and actor.
  6. A Slack DM tells each user exactly what was revoked and links the self-serve extension request form.
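Steps 2 to 6 as an added, stand-alone example (not the workflow's own code): the selection, filter, revoke, ledger update and notice text run over a constructed in-memory ledger and dataset access list. The `Grant` fields, the `access` dict (shaped like BigQuery dataset access entries) and `EXTENSION_FORM_URL` are assumptions for illustration; the ledger row is marked revoked only after the binding is gone, so a failed revoke leaves the grant active and it is retried on the next run.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import Optional

EXTENSION_FORM_URL = "https://example.invalid/extension-request"  # placeholder

@dataclass
class Grant:  # assumed ledger row shape
    id: int
    user: str                      # principal e-mail
    resource: str                  # dataset id, e.g. "proj.analytics"
    role: str                      # e.g. "roles/bigquery.dataViewer"
    expires_at: datetime
    status: str = "active"         # active | revoked | extended
    extended_until: Optional[datetime] = None
    revoked_at: Optional[datetime] = None
    revoked_by: Optional[str] = None

def select_expired(ledger, now):
    """Step 2: expires_at in the past and status = 'active'."""
    return [g for g in ledger if g.status == "active" and g.expires_at < now]

def still_due(g, now):
    """Step 3: skip grants already revoked or extended past today."""
    return g.status == "active" and not (g.extended_until and g.extended_until >= now)

def revoke_dataset_binding(entries, g):
    """Step 4: drop the user's role from a dataset access list. Idempotent:
    an entry that is already absent is treated as already revoked."""
    return [e for e in entries if not (e["role"] == g.role and e.get("userByEmail") == g.user)]

def sweep(ledger, access, now, actor="expiry-sweep"):
    """Steps 2-6; returns (slack_notices, failures). Ledger rows change only after revoke."""
    notices, failures = [], []
    for g in select_expired(ledger, now):
        if not still_due(g, now):
            continue
        if g.resource not in access:          # cannot revoke -> stays active, retried tomorrow
            failures.append((g.id, "unknown dataset"))
            continue
        access[g.resource] = revoke_dataset_binding(access[g.resource], g)
        g.status, g.revoked_at, g.revoked_by = "revoked", now, actor   # step 5
        notices.append((g.user, f"Your {g.role} on {g.resource} expired "       # step 6
                                f"{g.expires_at:%Y-%m-%d} and was revoked. "
                                f"Request an extension: {EXTENSION_FORM_URL}"))
    return notices, failures

# Constructed sample data: one overdue grant, one overdue-but-extended, one not yet expired.
NOW = datetime(2024, 6, 1, 7, 0, tzinfo=timezone.utc)
LEDGER = [
    Grant(1, "ana@example.com", "proj.analytics", "roles/bigquery.dataViewer", NOW - timedelta(days=1)),
    Grant(2, "bo@example.com", "proj.analytics", "roles/bigquery.dataViewer", NOW - timedelta(days=3),
          extended_until=NOW + timedelta(days=7)),
    Grant(3, "cy@example.com", "proj.finance", "roles/bigquery.dataEditor", NOW + timedelta(days=2)),
]
ACCESS = {"proj.analytics": [{"role": "roles/bigquery.dataViewer", "userByEmail": "ana@example.com"},
                             {"role": "roles/bigquery.dataViewer", "userByEmail": "bo@example.com"}]}
```

Running `sweep(LEDGER, ACCESS, NOW)` twice shows the idempotency the daily schedule relies on: the second run finds nothing left to revoke.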

Set it up

What you configure once, before turning it on.

  1. Connect BigQuery: datasets, queries, schemas.
  2. Connect Postgres: any Postgres URL — query, write, migrate.
  3. Connect Slack: channels, DMs, threads, mentions.
  4. Set each agent's model: we leave models unset so you pick the tier, fast and cheap or top-quality.
  5. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
  6. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.