Managing User Access with Multiple Models


Prior to release 3.10, Model Sets are called Domains, and Permission Sets are called Role Types.

This page deals with limiting user data access. If you want to limit user capabilities, check out our documentation on roles, permission sets, and model sets.

Creating Multiple Models and Model Sets

In this example, imagine you have two teams: marketing and finance. These two teams should not have access to the entire model. Their access can be limited be creating two separate models for each user group called thelook_marketing and thelook_finance, like so:

Now, create a **Model Set** for each team and only grant access to the appropriate model:

Next, create a new **Role** for that group of users and limit their **Model Set** to the one you just created.

We now have separate user roles for each of the **marketing** and **finance** teams. These roles limit access to only ```thelook_marketing``` or ```thelook_finance```, respectively.

The next step is limiting what the marketing and finance teams can see within the model they have access to. In each model, you can manage user access to specific views and dashboards, fields, and data.

Managing View and Dashboard Access

View and dashboard access can be managed through the use of include statements in the model. Most of the time, all dashboard and view files are included in the model, like so:

- include: '*.dashboard.lookml'
- include: '*.view.lookml'

In order to limit which model has access to which files, write include statements for each of the files the model can access. For example, you may want to limit which dashboards marketing and finance users can see, while also limiting view file access in the finance model:

Managing Field Access

Limiting user access to specific fields is possible through the use of sets within view files. Check out this article to find out more.

Managing Data Access Through Filters

User access to specific data can be limited through filter parameters. Check out sql_always_where, always_filter, conditionally_filter, and access_filter_fields to learn more about filtering data at the explore level.

Can you restrict a view for a given user?
Troubleshooting Looker SSO Embed URL Generation
Content Access in Looker 4.10 and Looker 4.14+
(Andrew Kraemer) #2

I’ve been trying to figure out how extends work for some time. After reading this (short) post once, and referencing the example, I feel like I finally get it. Nice work!