May 17, 2024

Looker Permissions: Groups, Roles, and Access Grants

Amy Sheldrake
Spectacles Writer

Every organization has its own distinct needs and challenges when it comes to permissions and security. There's no one-size-fits-all solution. This guide aims to give you the tools that you need to decide what works best for you and your teams.

Before we begin, why are permissions important?

Firstly, the obvious one, security. From a data protection perspective, it is important to ensure that each user only has access to the data that they need, and that it is appropriate for them to see. Permissions allow control and oversight within your organization. 

Secondly, but no less importantly, Looker permissions allow you to simplify the user experience for users entering a Looker instance for the first time. Keeping the UX clean, and giving people the option of requesting access to further Explores, if they need to, prevents Looker overwhelm (!) and ensures that everyone gets the most out of Looker across your organization. 

Understanding Looker's Permission Structure

Before we begin, here is a reminder of Looker Objects. If we start with ‘Models’ as the umbrella, beneath that level we have ‘Explores’, ‘Views’, and ‘Fields’ (such as ‘Dimensions’ and ‘Measures’) nested beneath them. The highest level that you can set permissions for is at the ‘Model’ level.

Within these levels, Looker operates a flexible and scalable permission structure made up of Groups and Roles.

1. Groups:

Groups in Looker are collections of users organized based on shared characteristics, such as departmental affiliation, job role, or access level. By grouping users together, administrators can efficiently manage permissions and access controls, making it easier to assign roles and define user attributes. For example, a company may create groups for departments like Sales, Marketing, Finance, and Engineering, each with its own set of permissions tailored to the specific needs of the users within that group.

2. Roles:

Roles in Looker define what users can and cannot do within the platform. Essentially, they are a combination of a permission set and a model set, i.e. what you can do on what models. Looker comes with four default roles: admin, developer, viewer, and user, each with its own set of predefined permissions and access levels.

  • Admin: An admin in Looker has full control over the platform, including user management, permission settings, system configurations, and overall account management. They can create and manage spaces, access roles, and schedules, and have the highest level of access and control within the Looker environment.
  • Developer: Developers in Looker have the ability to create and modify content within the Looker environment, such as building and maintaining LookML models, creating dashboards, and designing reports. They can also manage data connections, explore data, design data models, and work on data visualization.
  • User: Users in Looker have the ability to access and interact with content created by developers, such as viewing dashboards, reports, and exploring data sets. They can also create and save their own reports and dashboards, share content with colleagues, and schedule and receive data alerts and notifications.
  • Viewer: Viewers in Looker have limited access compared to other roles. They can view dashboards, reports, and explore data, but they have restricted abilities to create or modify content within the Looker platform. Viewers are typically used for stakeholders or team members who need access to data insights without the need for creating or managing content.

When these default roles aren’t the right fit for your teams, you can create custom roles tailored to their specific needs. Custom roles enable administrators to define granular permissions and access controls based on the requirements of different user groups.

Assigning roles to users

Groups and roles in Looker work together to establish a comprehensive and customizable security framework that meets the unique needs of each organization. 

Once you have all the roles your organization needs, you’re ready to assign them to users. While you can assign roles to users on an individual basis, most organizations benefit from assigning roles via groups. This results in far fewer Looker admin headaches and makes it easier to track what is happening in your growing Looker instance!

Most often, the process of assigning roles looks like this:

  1. Create the roles your organization needs.
  2. Divide your user base across the groups that need different permissions and access. N.B.: users can be in multiple groups!
  3. Assign the roles to those groups.
  4. Take a break and have a coffee. You deserve it.

User attributes and access grants

User attributes can be used to further customize access controls to Explores, fields and data in Looker. For example, administrators can define user attributes based on job title, department, or geographic location and use them to restrict access to specific datasets or reports.

For when you want to get (way) more granular, there are a few options available to you.

  1. Access grants allow you to control what fields and Explores a user can see at a level more granular than just the “Model”. You can use them in your LookML code to assign different levels of access in Looker in a way that roles can’t.
  2. Access filters allow you to control what data a user can actually see within the Explores that they have access to. If a user should only see data for their region or division, you can use access filters to achieve this.
  3. Custom filters allow you to go beyond access filters and control access to data at an even more granular level. You can write custom filters using Liquid within LookML parameters like sql_always_where and derived tables.
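
The three mechanisms above, combined in one LookML sketch. This is an added example, not code from the original post or the webinar; the view, field and user attribute names (orders, department, region, tenant_id) and the table name are hypothetical.

```lookml
# Added example. All names below are hypothetical.
# ---------- model file ----------

# Access grant: passes only when the user's "department" user attribute
# matches one of the allowed values.
access_grant: can_view_finance {
  user_attribute: department
  allowed_values: ["finance", "executive"]
}

explore: orders {
  view_name: orders   # stated explicitly so the Explore can be extended safely

  # Access filter: row-level restriction. Queries are filtered on
  # orders.region by the value of the user's "region" user attribute.
  access_filter: {
    field: orders.region
    user_attribute: region
  }

  # Custom filter: Liquid inside sql_always_where. Applied to every query
  # on this Explore; users cannot remove it in the UI.
  sql_always_where: ${orders.tenant_id} = '{{ _user_attributes['tenant_id'] }}' ;;
}

# Explore-level grant: hidden from anyone who fails can_view_finance.
# Extending "orders" keeps the row filters defined above.
explore: finance_orders {
  extends: [orders]
  required_access_grants: [can_view_finance]
}

# ---------- view file ----------
view: orders {
  sql_table_name: analytics.orders ;;

  dimension: region { type: string  sql: ${TABLE}.region ;; }
  dimension: tenant_id { type: string  sql: ${TABLE}.tenant_id ;; }
  measure: total_revenue { type: sum  sql: ${TABLE}.revenue ;; }

  # Field-level grant: everyone with the Explore sees revenue,
  # only finance/executive see margin.
  measure: total_margin {
    type: sum
    sql: ${TABLE}.margin ;;
    required_access_grants: [can_view_finance]
  }
}
```

These controls are only as strong as the user attributes behind them: attributes used in grants and filters should be set by admins or the identity provider and not be editable by the users they restrict.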

To see examples of these in action, head to our webinar “Robust Access Control And Permission Management”.

Let us demonstrate - Spectacles’s free webinar

For a comprehensive walkthrough of how you can use each of these tools, take a look at our webinar. Our Co-Founder, Dylan Atlas-Baker, has a wealth of experience developing Looker instances, including security and permissions infrastructure for businesses across a broad range of industries. In this webinar he shares his top recommendations and answers questions from our Looker dev community via Slack.

Our Recommendations

  1. Groups are your best friend:

    Groups can play a crucial role in simplifying the management of permissions and access controls. By organizing users into groups based on shared characteristics, administrators can streamline the assignment of roles and permissions, making it easier to manage access for large numbers of users. If you can leverage groups from an identity provider that's going to auto update, then that is going to make your life easier too. We’re all about working smarter, not harder!
  2. Use user roles for broad access and then user attribute based solutions for more granular access:

    This stops you from going down the path of multiple user attributes for each user, which can become cumbersome to manage. Defining user roles within your organization ahead of time, likely working alongside your IT and/or HR teams, will make the onboarding process and maintenance of users easier.
     
  3. Leverage SSO/SAML if you can:

    If your organization uses a central user directory (Okta or equivalent) then you can use SSO/SAML to define your groups and permissions there, and push those directly to Looker. This will streamline your onboarding process for new users, and reduce duplication of efforts across multiple platforms.

So there you have it - our comprehensive guide to Looker permissions and security. If you have questions or comments on anything we have shared here, please hop over to our Slack channel and join our community.

Spectacles runs webinars every two weeks, designed for the Looker community, that enable you to up-level your Looker instances and leverage the power of Looker across your organization. To sign up to future webinars, visit our website: https://www.spectacles.dev/webinars.