DATA OPS
Agentic BigQuery Grant Lifecycle Reviewer with Linear Tickets
An agent reviews grants nearing expiry, decides per-grant whether to auto-extend low-risk access, revoke unused access, or open a Linear ticket for human review.
How it runs
The automated pipeline, trigger to output.
- Trigger: Daily schedule starts grant review
- Action: Pull grant metadata and recent usage (BigQuery)
- Logic: Agent decides extend, revoke, or escalate
- Action: Apply extend/revoke to IAM bindings (BigQuery)
- Action: Open Linear ticket for escalations (Linear)
- Output: Notify holder of decision on Slack (Slack)
What it does
This workflow uses an agent to make a judgment call on each BigQuery grant approaching expiry instead of applying one blanket rule. It weighs recent query activity, the dataset's sensitivity, and the holder's role to choose an action: auto-extend trusted low-risk access, revoke access that has gone unused, or escalate ambiguous cases to humans via a Linear ticket. Every decision is explained and the holder is told what happened.
When to use it
Use it when a fixed expiry policy is too blunt — high-traffic platforms where some grants clearly should renew and others clearly should lapse, but a meaningful middle needs human eyes. Best for teams that want to cut manual grant-review toil while keeping an auditable rationale.
How it works
1. A daily schedule starts the review for grants expiring within 48 hours.
2. The agent pulls each grant's metadata and recent query usage from BigQuery and the ledger.
3. Per grant it decides: auto-extend, revoke, or escalate, with a written rationale.
4. Extend and revoke actions are applied directly to BigQuery IAM bindings.
5. Escalations open a Linear ticket assigned to the dataset owner with the agent's reasoning.
6. The holder is notified on Slack of the decision and next steps.
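Because steps 3 and 4 let an agent's output change IAM bindings directly, a deterministic check between the two steps keeps auto-extend and revoke inside fixed bounds and sends everything else to a human. The following is an added example, not part of this workflow's own code; the sensitivity labels, role names, 30-day idle threshold and sample grants are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

REVIEW_WINDOW = timedelta(hours=48)    # from the page: grants expiring within 48 hours
UNUSED_AFTER = timedelta(days=30)      # assumption: idle this long counts as unused
LOW_RISK = {"public", "internal"}      # assumption: hypothetical sensitivity labels
TRUSTED_ROLES = {"analyst", "data-engineer"}  # assumption: hypothetical role names
ACTIONS = {"extend", "revoke", "escalate"}

@dataclass
class Grant:
    holder: str
    role: str
    dataset: str
    sensitivity: str
    expires_at: datetime
    last_query_at: Optional[datetime]  # None means the grant was never used

def enforce(grant: Grant, proposed: str, now: datetime) -> tuple[str, str]:
    """Return (final_action, rationale); anything unverifiable becomes 'escalate'."""
    if not (now <= grant.expires_at <= now + REVIEW_WINDOW):
        return "skip", "not expiring within the 48-hour review window"
    if proposed not in ACTIONS:
        return "escalate", f"unrecognised agent output {proposed!r}"
    idle = grant.last_query_at is None or now - grant.last_query_at > UNUSED_AFTER
    if proposed == "extend":
        if grant.sensitivity not in LOW_RISK:
            return "escalate", "auto-extend refused: dataset is not low-risk"
        if grant.role not in TRUSTED_ROLES:
            return "escalate", "auto-extend refused: holder role is not trusted"
        if idle:
            return "escalate", "auto-extend refused: no recent query activity"
        return "extend", "low-risk dataset, trusted role, recent usage"
    if proposed == "revoke" and not idle:
        return "escalate", "revoke refused: grant was used recently"
    return proposed, "agent decision accepted"

NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed sample data below
SAMPLE = [
    (Grant("ana", "analyst", "sales_public", "internal", NOW + timedelta(hours=20), NOW - timedelta(days=2)), "extend"),
    (Grant("bo", "analyst", "payroll", "restricted", NOW + timedelta(hours=20), NOW - timedelta(days=1)), "extend"),
    (Grant("cy", "contractor", "logs", "internal", NOW + timedelta(hours=30), None), "revoke"),
]

def run(sample=SAMPLE, now=NOW):
    return [(g.holder, *enforce(g, p, now)) for g, p in sample]

if __name__ == "__main__":
    for row in run():
        print(row)
```

The check only ever narrows the agent's proposal toward escalation, so a malformed or manipulated agent output cannot widen access on its own.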
Set it up
What you configure once, before turning it on.
1. Connect BigQuery: Datasets, queries, schemas.
2. Connect Postgres: Any Postgres URL (query, write, migrate).
3. Connect Linear: Issues, projects, cycles, triage.
4. Connect Slack: Channels, DMs, threads, mentions.
5. Set each agent's model: We leave models unset so you pick the tier: fast and cheap, or top-quality.
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
