DATA OPS
BigQuery Orphaned & Overdue Grant Audit with PagerDuty Escalation
Daily, cross-checks live BigQuery IAM bindings against the grant ledger to find untracked or long-overdue access, posts an audit summary to Slack.
How it runs
The automated pipeline, trigger to output.
- Trigger: Daily schedule triggers audit
- Action: Read live BigQuery IAM bindings (BigQuery)
- Action: Read expected grant ledger (Postgres)
- Logic: Diff sets, classify orphaned/overdue, score risk
- Action: Post audit summary to Slack (Slack)
- Output: Page on-call for high-risk findings (PagerDuty)
What it does
This workflow audits the gap between what BigQuery actually grants and what your ledger says should exist. It reads live IAM bindings, compares them to the ledger, and flags two problems: orphaned grants (present in BigQuery but untracked) and overdue grants (long past expiry but never revoked). It reports findings to Slack and escalates genuinely risky cases to PagerDuty.
When to use it
Use it as a compliance and drift-detection backstop when your revocation automation can fail silently or when bindings get added out-of-band. Ideal for SOC2/audit-driven data teams that must prove access matches policy.
How it works
1. A daily schedule triggers the audit.
2. BigQuery returns the current IAM bindings across audited datasets.
3. Postgres returns the expected active grant ledger.
4. A logic step diffs the two sets to classify orphaned and overdue grants and assign risk.
5. Slack receives a summary of all findings.
6. If any high-risk grant is detected, PagerDuty opens an incident for on-call.
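The diff-and-classify step (step 4) carried through as an added Python example; this is not the workflow's own logic, and the bindings, ledger rows, grace period and risk weighting below are constructed assumptions. A grant counts as overdue only while its binding is still live in BigQuery, which is the "never revoked" case the audit is after.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample inputs, not real data: live BigQuery IAM bindings as
# (dataset, role, member); ledger maps the same key to an expiry, or None.
LIVE_BINDINGS = {
    ("analytics", "roles/bigquery.dataViewer", "user:ana@example.com"),
    ("analytics", "roles/bigquery.dataEditor", "user:bob@example.com"),
    ("finance", "roles/bigquery.dataOwner", "user:eve@example.com"),
    ("finance", "roles/bigquery.dataViewer", "allAuthenticatedUsers"),
}
JAN1 = datetime(2024, 1, 1, tzinfo=timezone.utc)
LEDGER = {
    ("analytics", "roles/bigquery.dataViewer", "user:ana@example.com"): None,
    ("analytics", "roles/bigquery.dataEditor", "user:bob@example.com"): JAN1,
}
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed audit time

# Assumed risk weighting: public principals and owner/admin roles are always
# high; any orphan, an editor role, or more than 30 days overdue is medium.
HIGH_ROLES = {"roles/bigquery.dataOwner", "roles/bigquery.admin"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
GRACE = timedelta(days=7)  # assumed tolerance for a slow revocation job

def score(role, member, kind, overdue_days):
    if member in PUBLIC_MEMBERS or role in HIGH_ROLES:
        return "high"
    if (kind == "orphaned" or role == "roles/bigquery.dataEditor"
            or (overdue_days or 0) > 30):
        return "medium"
    return "low"

def classify(bindings, ledger, now):
    """Diff live bindings against the ledger and return the findings."""
    findings = []
    for key in sorted(bindings):
        dataset, role, member = key
        if key not in ledger:
            kind, overdue_days = "orphaned", None      # live but untracked
        else:
            expires = ledger[key]
            if expires is None or now - expires <= GRACE:
                continue                               # tracked and in-date
            kind, overdue_days = "overdue", (now - expires).days
        findings.append({"dataset": dataset, "role": role, "member": member,
                         "kind": kind, "overdue_days": overdue_days,
                         "risk": score(role, member, kind, overdue_days)})
    return findings

def needs_page(findings):
    # Any high-risk finding is what opens the PagerDuty incident (step 6).
    return any(f["risk"] == "high" for f in findings)
```

Ledger rows whose binding is already gone from BigQuery produce no finding, so an expired-and-revoked grant stays quiet while an expired-but-live one is reported with its days overdue.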
Set it up
What you configure once, before turning it on.
1. Connect BigQuery: datasets, queries, schemas.
2. Connect Postgres: any Postgres URL — query, write, migrate.
3. Connect Slack: channels, DMs, threads, mentions.
4. Connect PagerDuty: incidents, on-call, escalations.
5. Set each agent's model: we leave models unset so you pick the tier, fast and cheap or top-quality.
6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More Data Ops workflows
Snowflake column type-drift sentinel with Linear fix ticket
Snapshots the data types of every column in your tracked Snowflake schemas on a schedule, diffs against the last snapshot.
Daily BigQuery Scheduled-Query Cost Attribution to Owners
Each morning, totals the prior day's on-demand bytes-billed per scheduled query, maps each query to its owner from a label, and posts a per-owner cost leaderboard to Slack.
BigQuery dropped/renamed column sentinel with PagerDuty incident
Detects when a column is dropped or renamed in your governed BigQuery datasets and, because that breaks downstream queries hard, pages the on-call via PagerDuty and posts…
PR-time Snowflake schema contract check on dbt model changes
When a pull request changes a dbt model, it compares the model's declared output columns against the live Snowflake table it will replace and blocks the merge with a GitHub check…
Agent-triaged warehouse drift with impact analysis and runbook update
On a webhook from your warehouse audit log, an agent investigates the changed column, traces which downstream models and dashboards depend on it.
Cross-warehouse replication schema mismatch reconciler
Compares the column shape of mirrored tables between BigQuery and Snowflake and, when a replicated table has drifted out of sync between the two, opens an Asana task for the data…
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.
