Required_access_grants in multiple extended views

Hello, is there a way for two Lookml views that have been extended by a single Lookml view to have two separate user attributes in the required_access_grants? In this case, the parent file that extends the two files has no required_access_grants and its job is only to combine the two view files. For example, I need regular users to access the fields defined in the first extended view and only admin users to access the fields defined in the second extended view. Is there a way to do this by defining required_access_grants on a view level?

Thanks.

Hey Prapti!

Thanks so much for asking this question - I’ve been struggling to wrap my head around this one as well, as we’re trying to accomplish the same thing. What I’ve done is to put the required_access_grant on field level, but I’d love to do it as you’ve suggested.

Because extends get merged with a clone of the base view’s codebase (so from Looker’s perspective it becomes ‘one view’), I’m actually not too sure whether required_access_grants applied to the ‘extend’ views would be applied to just the fields within it, or all of the fields on the base view. If anyone knows the answer to this (or Prapti, if you happen to test this) I’d love to hear. Otherwise I’ll probably give it a shot within a couple of weeks and will gladly report back.

1 Like

Hey Ben! I actually tried this in my Looker model. I included request_access_grants in one of the views being extended, and in a second view that was also being extended, I did not include any request_access_grants. This resulted in the same access control being applied to the measures defined in both of the views, even though the second view had no request_access_grants.
The ordering of the views being extended in the “extend” parameter of the parent view had no impact in the end result. No matter the order, the access control being applied to the first view applied to all of the measures in the second view as well.

Thanks.

Bummer! If anyone at Looker is reading this, it feels like there’s a great use case for selecting the order of application of permission layers to be prior to or after the merged view is created, or at least a “required_access_grant_for_fields” that would apply the access grant requirement to all fields in the extension view before the merged view is created rather than after.

Especially when you get into multidisciplinary Explores, this would be an enormous benefit compared to establishing required access grants on individual fields (not so scalable, prone to error since one has to add the grant requirement on each field, and violates DRY principles) or making separate Explores (not a singular source at that point, and violates DRY principles).

1 Like