Your company is deploying a new service on Google Cloud that will handle proprietary analytics. You need to set up access controls so that data analysts can access and query data in BigQuery but cannot view or manage resources in GCP. Your solution should minimize future access management overhead. How should you proceed?