Content Access in Looker 4.10 and Looker 4.14+


(Carter Moar) #1

Summary

The way Looker displays content is changing in Looker 4.10 and Looker 4.14. Users won’t be able to query more information; however, they may see previously hidden Look and Dashboard titles. Instance administrators should exclude users from any Space that contains Look and Dashboard titles to which they should not be exposed.

If your Looker instance is configured to use a single model file you will most likely not be impacted. Users who can view all Looks and Dashboards in a Space or sub-Space will not be impacted by these changes.

The way Looker handles data access and display is changing to make things more streamlined and make it easier to manage what users can see (it’ll also set us up better for some of the new things we’re cooking up).

We are working toward a world in which content access controls just manage access to content and data access manages what queries can actually be run. In other words, users with the ability to see something in a Space will be able to see it, independent of their ability to successfully run a query against it.

This will result in users being able to see all Looks and Dashboards in any Space to which they have access. If they do not have access to the model on which the Look or Dashboard Element is based, they will not be able to run or get data from the piece of content. Instance administrators should exclude users from any Space that contains Look and Dashboard titles to which they should not be exposed. Administrators should continue to set users’ data access using models.

Table of Contents

  • What we mean by “Content Access” and “Data Access”
  • Who should pay extra attention to these changes
  • What to do if you don’t know
  • What to do if your users are affected
  • How things are changing

What we mean by “Content Access” and “Data Access”

Content access governs what saved Looks and User Defined Dashboards (UDDs) a user can see and data access governs what queries and results a user can see.

If a user has access to a Look or Dashboard, but not the ability to query it, they will still be able to see its title as well as any information that comes from “Explore from here” links or API responses.

Data Access

  • Governs a user’s ability to run a query
  • against certain models
  • and get an unfiltered result set
  • Configured by setting Model Sets

Content Access

Who should pay extra attention to these changes

If your entire Looker instance is based off of a single model file it is unlikely that this will affect your users’ experience. The breadth and depth of impact (if any) will depend on your current Space and model file configurations and your organization’s taste for report visibility.

Deeper consideration is strongly recommended if you can answer “yes” to either of the following questions. Regardless of your answers, you should probably take a few minutes to review the “How things are changing” section below to assess.

  1. Do I have external users logging in to my system?
  2. Do I have any users who should not be able to see all content in a Space?

What to do if you don’t know

Looker 4.12 and 4.14 will have three new tiles added to the end of the Usage Panel dashboard (Admin->Usage): “Activated User Email Domains”, “Looks and Users by Model”, and “Spaces with Content from Multiple Models”. These Looks will help you identify the answers to the above questions.

To answer question 1:

Head to the “Activated User Email Domains” tile. This Element lists every email domain tied to a user that can log in to your instance as well as all of the model sets associated with those users. If you have email domains that are not your own, the answer is probably “yes”.

To answer question 2:

Head to “Looks and Users by Model” and see if you have models that are not accessible to all of your users. If you do, you can check out the Spaces that make use of that model with the “Spaces with Content from Multiple Models” Element. You can also go right to “Spaces with Content from Multiple Models” and check out the Spaces with Looks and/or Dashboards based on several models.

Answer “yes” if any of these Spaces has users that should not know about all of the Looks and Dashboards. For example, a Space with both the “finance” and “users_who_cant_see_finance” models might be a cause for concern.

What to do if your users are affected

Assuming that you do not want to run with a completely open system, you will want to configure an access scheme following the best practices for either an open system with restrictions or a closed system.

At a high level, what you’re going to be doing is limiting Group access to your highest-level Spaces, increasing access as you go down the chain. The best practice tutorials and reference guides linked below are well worth reviewing.

How things are changing (in detail)

The pre-Looker 4.10 system had a bunch of exceptions to the rules, which can make things confusing. The best way to understand visibility is to check out the below matrices. Permissions are on the vertical axis and content visibility is on the horizontal. Bold cell borders indicate changes from the prior release.

The new world (Looker 4.14+) will be pretty simple: users with the ability to see something will be able to see it, independent of their ability to successfully run a query against it.

In both worlds, users will not be able to run a Look or Dashboard element if they do not have access_data on the model on which the query is based.

Pre-Looker 4.10

Notes

  • Assumes user has access to a given Space
  • Space access rules are not applied to the access_data, see_user_dashboards and see_user_dashboards cases
  • Assumes that access_data comes with access to at least one model used by a Look or UDD
  • If a user has access to any one model referenced by a UDD they will be able to see the Dashboard. If they do not have access to a model used by an element they will see the tile but will not receive query results.

Looker 4.10

Notes

  • Assumes user has access to a given Space
  • Assumes that access_data comes with access to at least one model used by a Look or UDD
  • If a user has access to any one model referenced by a UDD they will be able to see the Dashboard. If they do not have access to a model used by an element they will see the tile but will not receive query results.
  • In the access_data, see_user_dashboards case, the Look page will be visible only when Looks can be seen due to content access, are on a dashboard, AND the user has to have see_user_dashboards on the model of the Look.

Looker 4.14

Notes

  • Assumes user has access to a given Space
  • All Looks and Dashboards in a Space will be visible if the Space is visible to a user.

Looker 4.10 Release Notes
Looker 4.14 Release Notes
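
The Looker 4.14+ rule described in this post (a title is visible whenever its Space is visible, while running the query still requires access to the model) can be checked against an inventory of Spaces, content and users. The following is an added example, not part of the original post and not Looker code: the inventory is constructed sample data, Space access is simplified to Group membership without sub-Space inheritance, and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample inventory (not exported from a real Looker instance).
SPACES = {
    "Finance": {"groups": {"finance_team", "executives"}},
    "Shared": {"groups": {"finance_team", "support", "partners"}},
}
CONTENT = [  # (space, title, model the Look or Dashboard element is based on)
    ("Finance", "Quarterly Revenue", "finance"),
    ("Shared", "Open Tickets", "support"),
    ("Shared", "Acquisition Runway", "finance"),
]
USERS = {
    "ana@example.com": {"groups": {"finance_team"}, "models": {"finance", "support"}},
    "bo@example.com": {"groups": {"support"}, "models": {"support"}},
    "cy@partner.example": {"groups": {"partners"}, "models": set()},
}

def can_see_title(user, space):
    """4.14+ content access: a title is visible if its Space is visible."""
    return bool(USERS[user]["groups"] & SPACES[space]["groups"])

def can_run(user, space, model):
    """Data access: running the query also needs the model in the user's model set."""
    return can_see_title(user, space) and model in USERS[user]["models"]

def title_only_exposures():
    """Titles a user can see but not query: the cases an admin should review."""
    findings = defaultdict(list)
    for space, title, model in CONTENT:
        for user in USERS:
            if can_see_title(user, space) and not can_run(user, space, model):
                findings[user].append((space, title, model))
    return dict(findings)

def mixed_model_spaces():
    """Spaces whose content is based on more than one model."""
    models = defaultdict(set)
    for space, _title, model in CONTENT:
        models[space].add(model)
    return {s: sorted(m) for s, m in models.items() if len(m) > 1}

if __name__ == "__main__":
    print("Spaces with content from multiple models:", mixed_model_spaces())
    for user, items in title_only_exposures().items():
        for space, title, model in items:
            print(f"{user}: sees '{title}' in {space}, no access to model '{model}'")
```

Each finding is a title that becomes visible without data access; removing the user's Group from that Space, or moving the content to a more restricted Space, clears it.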