Access, Security and Feature Sets

Question 1

What are the three main concepts Looker uses for security and access?

Answer 1

1. Content Access
2. Feature Access
3. Data Access

Question 2

Using this main access feature, an admin can enable users or user groups to see looks and dashboards in a folder, move and create looks and dashboards in that folder or rename and delete dashboards or looks

Answer 2

Content Access

Question 3

How does an admin set Content Access

Answer 3

Navigate to the parent folder, select the gear icon then choose “manage access”

Question 4

How does an admin create and manage a user group

Answer 4

Navigate to groups - Admin > Users > Groups
Create a new group
Assign users

Question 5

How does an admin set Feature Access

Answer 5

create a new permission set by naming it and adding permissions. If one already exists the admin wants to use assign this to a role.

Question 6

What are the 6 default permission sets

Answer 6

Admin: All permissions
Developer: access_data, create and deploy look_ml, unlimited explore access, download, and schedule reports
User: access_data, explores, table_calcs, see look_ml, see_dashboards, see_looks, schedule reports
Viewer: access_data, download data, see reports, see looks, schedule reports
LookML dashboard user: see dashboards, access data
User who can’t view LookML: everything except develop and view lookML

Question 7

How does Looker classify users (permission types) into licenses?

Answer 7

Developer (Admin)
Standard (Creator): (can create anything from LookML to looks)
Viewer

Question 8

How does an Admin manage data Access

Answer 8

Through model sets
- Reminder models have the file name .model.lkml

Also a model file must have

• Connection
• Include:

Question 9

How do developers limit access to data that a user has access to with model permissions?

Answer 9

Access grants
Access Filters
Row Level Security with Liquid HTML

Question 10

What are access grants and how should they be used?

Answer 10

Access grants allow users to see dimensions, measures, views or explores. If you do not have access this content will not appear in an explore, look or dashboard

How do you use them? Create the grant then apply it as a parameter to the dimension, measure or view.

access_grant: can_view_financial_data {
user_attribute: department
allowed_values: [ “finance”, “executive” ]
}

– Applied to dimension
dimension: financial_data_field
…
required_access_grants: [can_view_financial_data]
}

Notes: Must have specific user attribute to see data with required_access_grants parameter applied
Values listed in allowed_values must match user attribute values exactly

Question 11

What are access filters and how should they be used?

Answer 11

Access filters are filters that are applied to all queries in an explore.

They are based on a user attribute and are similar to requiring the user enter a specific value for a filter on everything they are looking at. For example CSM Territory = Amer High Touch

explore: customer {
  access_filter: {
    field: customer.name
    user_attribute: allowed_customers
  }
}

Note: Filed must be fully scoped with view.field naming convention
Even admins must have a value for the user attribute or they cannot view all of the data.

Question 12

What is Row Level Security with Liquid HTML

Answer 12

This is similar to access filters only it is applied with manual liquid HTML. This can be a bit confusing and is a non Looker standard application and only applies to dimension names

add the HTML to a dimension

html: {% if _user_attributes['marketing_accessrole'] ==1  %}
{{ rendered_value }}
{% else %}
[Insufficient Permissions]
{% endif %};;

Question 13

How does looker suggest you design and configure a system of access and security?

Answer 13

Choose if you are going to have an open or closed system of access

Open: Default is trusting the org with all data and hiding only very specific things
Closed: Users cannot access anything without admin providing access

Next determine how your organization is structured and how data will be used. Often this is set up around Business Function (Finance, Sales, Marketing, Production / Engineering etc.)

Map out databases, data warehouses, systems of record and end users

Define who will be maintaining Looker (connections) Data governance, who will be building content and end users.

Define who will be using the dashboards (Executives? Managers, front line te`am)

Configure user groups to give granular access to data / explores

Configure permissions for teams who will be building, maintaining and using dashboards

Document, Document, Document!!!