Manage Space Access with the API

keep
(jesse.carah) #1

Effectively managing content access in a large Looker deployment is a critical step for protecting your and you customer’s data. Occasionally, it may make most sense to automate this process with Looker’s API. This is especially true for an embedded Looker deployment. This article will walk you through a sequence of API calls that will enable you to add or edit content access permissions for both groups and users.

What’s covered in this article:

  1. Checking content access for a given space
  2. Modifying existing content access permissions for a given space via the API
  3. Adding content access permissions to a given space via the API

Checking content access for a given space via the API

Space permissions can be found/defined via the content access endpoints. Each Space ID belongs to content access id.

Say, we have space 115. Using the Get Space endpoint, we can find what that space’s content metadata id is.

From the response, we can see that space 115’s content metadata id is 24. Now that we have the content metadata id, we can modify the access to this space.

Modifying existing content access permissions for a given space via the API

If you want to modify existing access to this space, you’ll want to use the Get All Content Metadata Access endpoint to get existing permissions.

Note: to only get the access for this specific space, you’ll want to define the content access id in the call since this endpoint returns all content access by default

From the response, we can see that Group 32 has view access to this space. (Although the response doesn’t show this, Admins also always have Edit access to each space).

If we want to modify this so that Group 32 has edit access to this space instead, we’ll use the Update Content Metadata Access endpoint. Grabbing the ID from the previous response, our body for the update endpoint will look something like:

{
    "permission_type": "edit"
}

And you’re DONE! Group ID 32 now has edit permissions for that space.

Adding content access permissions to a given space via the API

Say that now, we want to grant an individual user view access to Space 115. First thing we’ll need is that User’s ID. Once we have this, we can use the Create Content Metadata Access endpoint to create a new content metadata access ID for that space. All you need for this endpoint is the content metadata id for the space, the user or group ID and the permission type:

{
  "content_metadata_id": "24",
  "permission_type": "view",
  "user_id": 323
}

And that’s it! User ID 323 now has view access to Space 115.

Some additional things to note

If the space inherits content access permissions from a parent space, that space will return an empty response for the content metadata access endpoint.

Shoutout to @paola for originally putting this together.

2 Likes

(Mike Rogove) #2

Very cool! I can’t wait to use this. I’m new to using the API; what’s the fastest way to get to/build an interface like the one you took screenshots from above? Thanks!

0 Likes

(Mike Rogove) #3

Is this thread the answer to my searching? Generating Client SDKs for the Looker API

0 Likes

(Izzy) #4

Hey @Mike_Rogove,

The screenshots from the examples above are actually the Looker Interactive API Docs, which can be found in the admin panel under API. in order to access them, you must first have an API key and API secret generated for your user in the users panel.

Be aware that anything you do in the API docs will actually execute against your looker instance, so don’t go deleting things just to try it out :). Once you’ve figured things out there, you might want to play around with our SDK’s (https://docs.looker.com/reference/api-and-integration/api-sdk)

For more reference, our docs page on Getting Started with the Looker API has a bunch of clear info about, well, getting started with the looker API!

1 Like

(Joe Rzepiejewski) #5

This article is great. However, I’m having an issue trying to add access to a space for a group. By default the space is inheriting from the parent “shared” space. I can see this too as also mentioned above:

If the space inherits content access permissions from a parent space, that space will return an empty response for the content metadata access endpoint.

I am trying to add a group to have edit or view access, but I receive the error: “Can’t add access when inheriting”. What am I doing wrong? I am using the create_content_metadata_access API with all the appropriate params. I’d love some guidance.

0 Likes

(jesse.carah) #6

Hey Joe, that’s a good callout! I saw you posted a followup here . Looks like you’re on the right track – are you in a good spot now?

0 Likes

(Joe Rzepiejewski) #7

Hi @jesse.carah. Thanks for asking, Yep, I am all good. Got it all working this weekend. Your article was super, I just needed that little bit (as you saw in my followup). Don’t know if you’d want to add to your article; as an alternate scenario in there.

0 Likes