Your organization is migrating its internal employee performance analytics application to Google Cloud. The HR department needs access to aggregated employee data stored in BigQuery for analytics but should not have permissions to modify the data or access detailed personal information. As the project lead, you need a solution that ensures the least privilege access with minimal maintenance. What should you do?