Required_access_grants

Hello, I’m hoping to get some help with Lookml syntax regarding required_access_grants.

Using the example from the Looker documentation (https://docs.looker.com/reference/model-params/access_grant#definition) The following example applies two different access grants so that only users that have either the value "finance" or "executive" assigned to their department user attribute and have the value "yes" assigned to their view_payroll user attribute can access the view. I’m hoping to get syntax advice on how to alter the required_access_grants piece so belonging to only one of the groups would allow access to the view instead of both groups.

Any help you can offer will be much appreciated!
Cheers!!

access_grant: can_view_financial_data {
user_attribute: department
allowed_values: [ “finance”, “executive” ]
}

access_grant: can_view_payroll_data {
user_attribute: view_payroll
allowed_values: [ “yes” ]
}

view: payroll {

required_access_grants: [can_view_financial_data, can_view_payroll_data]
}

Can anyone from Looker offer a suggestion?

Hey Jason!

Not from Looker here, but wanted to mention that this is the reason I’ve ended up going away from “department” as a source of attributes (just a source of which extends get applied), and instead keeping access grants and user attribute parameters in sync, and assigning default user attributes to various Groups. For your examples below, I would have a user_attribute called can_view_financial_data (just like your access_grant) with just “yes” or “no”. Then, I would make a User Group called “finance” which would have default options for can_view_financial_data. If I’m thinking this through properly, this should give you the robustness you’re looking for.

Cheers!

1 Like