We are building a microservice system with the majority of the data stored in Bigtable. Currently, each microservice must be given access at the instance level, which means each microservice could potentially read/write directly from another service's datastore.

For better data isolation, (leading to better data integrity, non-repudiation, security, etc.) There should be a way to add permission at a finer-grained level than the full instance.

A middle level in the hierarchy (some kind of collection of tables) would be nice, much like spanner has, but directly table-level permissions would also work.