Roles, permission sets, and model sets are used together to manage what users can do, and what they can see.
Definitions
- A model set defines what data and LookML fields a user or group can see. You select a combination of LookML models to which a user or group should have access. It must be used as part of a role to have any effect.
- A permission set defines what a user or group can do. You select a combination of permissions that you want to assign to a user or group. It must be used as part of a role to have any effect.
- A role is a combination of one permission set and one model set, and is used to assign a certain set of privileges to a certain set of models for a user or group.
Model Sets
A model set defines what data and LookML fields a user or group can see. It is simply a list of LookML models to which a user or group should have access. You can think of a model set as performing two functions:
- A model set controls which models in your LookML the permissions apply to (if those permissions are model specific).
- A model set limits what data and LookML fields a user can see, because each model is connected to a specific database connection and contains certain LookML fields.
To create a model set, click the New Model Set button at the top of the Roles page. Looker will display a new page where you can enter a name for the model set and select the models that should be a part of it. Once you’ve configured the set as desired, click the New Model Set button that will be at the bottom of the page.
After a model set has been created, you can edit or delete it by clicking the Edit or Delete buttons to the right of the model set on the Roles page.
To learn more about models, see our model reference. You may also find this Community topic useful, as it explains in greater detail how multiple models can be used to control user data access.
Permission Sets
A permission set defines what a user or group can do. It is simply a list of permissions that you want a user or group to have. Permissions can be applied in one of two ways:
- Model Specific: This type of permission is only applied to the model sets (described above) that are a part of the same role.
- Instance Wide: This type of permission applies to your Looker instance as a whole and exposes parts of the Admin menu to non-admin users. Non-admin users will be able to access content and functionality across the entire Looker instance—even if they haven’t been granted access to the particular model that uses that content.
All the available permissions, and their types, are discussed in more detail below.
Default Permission Sets
Looker includes several default permission sets that you can start with:
- Developer
- User
- LookML dashboard user
- User who can’t view LookML
You’ll see these permission sets appear as options when you create a new role. If you select one of these permission sets, Looker will display the list of permissions it includes.
Looker also includes a special permission set, Admin. The Admin permission set cannot be edited or deleted, and cannot be assigned to a role. It is assigned only to the Admin role, which also cannot be edited or deleted. The only way to grant the Admin permission set to a group or user is to add the Admin role to that group or user.
Creating Permission Sets
To create a permission set, click the New Permission Set button at the top of the Roles page. Looker will display a new page where you can enter a name for the permission set and select the permissions that should be a part of it. Once you’ve configured the set as desired, click the New Permission Set button that will be at the bottom of the page.
After a permission set has been created, you can edit or delete it by clicking the Edit or Delete buttons to the right of the permission set on the Roles page.
Permissions and Dependencies
Some permissions depend on others to work properly. For example, it makes sense that someone who wants to develop in LookML must first be able to see LookML.
When you create a permission set you’ll see the available permissions in an indented list. If a privilege is indented under another (parent) privilege, you must select the parent privilege first. Consider this example:
In this case Looker uses indentation to indicate that:
- The
access_dataprivilege can be selected at any time. - The
see_lookml_dashboardsandsee_looksprivileges require theaccess_dataprivilege to be selected first. - The
see_user_dashboardsprivilege depends on thesee_looksprivilege, which in turn depends onaccess_dataprivilege.
You cannot select a child privilege without selecting its parent first, which ensures that the permissions are configured correctly.
Permissions List
The following list describes all of the permissions that are available in Looker:
| Permission | Depends On | Type | Definition | Added In |
|---|---|---|---|---|
access_data |
None | Model Specific | Lets users access data from Looker, but only the data you specify. This permission is necessary for almost all Looker functions. A user with this permission, if given access to any model in a given project, can access any file in the Data section of that project (such as a JSON custom map file). |
3.2 |
see_lookml_dashboards |
access_data |
Model Specific | Looker lets dashboards be created by users, or defined in LookML. This permission lets users see the “LookML Dashboards” Space, which includes all LookML dashboards. Users must have explore permission for any relevant model(s) to explore those dashboards. |
3.6 |
see_looks |
access_data |
Model Specific | Lets users see saved Looks (but not dashboards) within Spaces. Users must have explore permission for any relevant model(s) to explore those Looks. Users will also need the View content access level to see Looks in Spaces. |
3.2 |
see_user_dashboards |
see_looks |
Model Specific | Looker lets dashboards be created by users, or defined in LookML. This permission lets users see user-created dashboards in Spaces. Users must have explore permission for any relevant model(s) to explore those dashboards. Users will also need the View content access level to see dashboards in Spaces. |
3.6 |
explore |
see_looks |
Model Specific | Lets users access and use the Explore page to generate reports. Without this permission users can only view saved dashboards (if see_lookml_dashboards or see_user_dashboards has been granted). |
3.2 |
create_table_calculations |
explore |
Instance Wide | Table calculations and custom fields can be viewed by anyone with the explore permission, but can only be added or edited with this permission. |
3.18 |
save_content |
see_looks |
Instance Wide | Lets users save and edit Looks and dashboards. Users must have explore permission for any relevant model(s) to explore from those Looks and dashboards. |
3.8 |
create_public_looks |
save_content |
Model Specific | Looker lets users mark a saved Look as public, which will then generate URLs that give access to that report without authentication. This permission determines whether or not a user can do this. | 3.4 |
download_with_limit |
see_looks |
Model Specific | Let users download queries (as CSV, Excel, and other formats), but always require that the user specifies a row limit of 5,000 or fewer, which can help to avoid memory problems on your instance for very large downloads. | 3.8 |
download_without_limit |
see_looks |
Model Specific | The same as download_with_limit, but does not require the user to specify a row limit.This permission has an associated legacy feature. |
3.8 |
schedule_look_emails |
see_looks |
Model Specific | Looker lets users have data sent to them via email on a defined schedule. This permission determines if a user can do this. You can set email domain whitelists on the Settings page of Looker’s Admin panel. | 3.8 |
schedule_external_look_emails |
schedule_look_emails |
Instance Wide | The same as schedule_look_emails, but users can send emails to any domain, regardless of your email domain whitelist settings. |
3.14 |
send_to_s3 |
see_looks |
Instance Wide | Looker lets users have data sent directly to an S3 bucket. This permission determines whether or not a user can do this. | 4.2 |
send_to_sftp |
see_looks |
Instance Wide | Looker lets users have data sent directly to an SFTP server. This permission determines whether or not a user can to do this. | 4.6 |
send_outgoing_webhook |
see_looks |
Instance Wide | Looker lets users have data sent to a URL, via webhook, on a defined schedule. This permission determines whether or not a user can do this. | 3.46 |
see_sql |
see_looks |
Model Specific | Lets users have access to the SQL tab while exploring and any SQL errors caused by their queries. | 4.10 |
see_lookml |
see_looks |
Model Specific | Lets users have read-only access to your LookML. Users must have this permission to see the Go to LookML link in the Field Picker. If you want a user to be able to edit LookML you must also give them the develop permission. This permission interacts with model sets in a potentially unexpected way, as described below. |
3.2 |
develop |
see_lookml |
Model Specific | Lets a user make local changes to your LookML, but will not let them make those changes available to everyone unless they also have the deploy permission. This permission interacts with model sets in a potentially unexpected way, as described below.This permission is also required to see the Chat option in the Help menu, and is required for users to access the Rebuild Derived Tables and Run option in the Explore gear menu. Note that this is not model-specific. So, if a user has this permission in one model, they will have access to Rebuild Derived Tables and Run in all models. |
3.2 |
deploy |
develop |
Instance Wide | Lets a user push their local LookML changes to production, so that those changes become available to everyone. | 3.4 |
support_access_toggle |
develop |
Instance Wide | Lets a user enable or disable access to your Looker instance by Looker analysts. | 4.22 |
use_sql_runner |
see_lookml |
Model Specific | Lets users use the SQL Runner to run raw SQL against their allowed connections. | 3.4 |
see_drill_overlay |
access_data |
Model Specific | Lets users see the results of drilling into a dashboard tile, but not the ability to explore those results. If explore is granted, this permission is also automatically granted (even if it isn’t checked). |
3.54 |
manage_spaces |
None | Instance Wide | Lets users create, edit, move, and delete Spaces. Users will also need the Manage Access, Edit content access level. |
3.4 |
manage_homepage |
None | Instance Wide | Lets users edit and add content to the sidebar that all of their Looker users will see on their personalized home pages. | 5.6 |
manage_models |
None | Instance Wide | Each LookML model is mapped to a specific set of database connections on the Manage LookML Projects page. This permission lets the user configure these mappings and create new projects. Therefore, users with this permission have access to every database connection. If you want developers to be limited to certain connections, do not grant this permission and leave the model connection mapping to admins. | 3.8 |
create_prefetches |
None | Instance Wide | Lets an API user make calls to the pre-fetch API endpoint, which you can read more about in this Community topic. | 3.36 |
login_special_email |
None | Instance Wide | Lets a user log in with traditional email/password credentials, even if other log-in mechanisms (such as Google, LDAP, or SAML) have been enabled on your instance. This can be useful for consultants or others who may not be a part of your normal authentication system. | 3.14 |
embed_browse_spaces |
None | Instance Wide | Enables the content browser for single sign-on (SSO) embeds. If you are using SSO embeds you should usually give this permission to users who have the save_content permission. |
4.8 |
see_queries |
None | Instance Wide | Lets users see the Queries page in the Admin section of Looker. This privilege does not give a user the ability to terminate a query on the Queries page. | 3.48 |
see_logs |
None | Instance Wide | Lets users see the Logs page in the Admin section of Looker. | 3.48 |
see_users |
None | Instance Wide | Lets users see the Users page (but not the Groups page) in the Admin section of Looker. This privilege does not give a user the ability to create new users, see or create API credentials, reset passwords, or otherwise modify users or privileges. A user granted this permission can see all users in all groups on an instance, even on a closed system. | 3.48 |
sudo |
see_users |
Instance Wide | Lets a user sudo (in other words, act as and temporarily inherit the permissions of) another user by clicking the Sudo button on the Users page. The sudo permission does not allow a non-admin to sudo as an admin, but a non-admin could potentially escalate their privileges by using sudo, so exercise caution. |
3.48 |
see_schedules |
None | Instance Wide | Lets a user see the Scheduler Plans and History pages in the Admin section of Looker. | 3.52 |
see_pdts |
None | Instance Wide | Lets a user see the PDTs page in the Admin section of Looker. | 3.50 |
see_datagroups |
None | Instance Wide | Lets a user see the Datagroups page in the Admin section of Looker, and also lets a user see the Datagroup update trigger option with a list of datagroups when scheduling a data delivery. | 4.16 |
update_datagroups |
see_datagroups |
Instance Wide | Lets a user trigger a datagroup, or reset its cache, via the Datagroups page in the Admin section of Looker. | 4.16 |
see_system_activity |
None | Instance Wide | Lets a user access Looker’s internal i__looker database and view usage, history, and other metadata about a Looker instance. |
5.20 |
The
developandsee_lookmlpermissions interact with model sets in a potentially unexpected way. In Looker’s IDE, a single project can contain multiple model files. If you assigndeveloporsee_lookmlto a user, and you’ve allowed them to see any model that is a part of a project, they will be able to develop or see the LookML for all models in that project. However, they will still not be able to query models that you have not allowed.
Roles
As mentioned above, to make use of a model set or permission set you must combine them in a role.
A role is a combination of one permission set and one model set. The name of a role usually represents a type of person in your organization, such as an administrator, a developer, or a member of the finance department, though it doesn’t have to.
It’s important to note that users can have more than one role. This can be useful for users who play multiple roles in your company, or when you want to execute complex access models.
Adding users to multiple roles has important implications for how their permissions are applied. For example, if you allow someone to
save_content(an instance-wide permission) in only one of their roles, they will be allowed to save content everywhere. In contrast, if you allow someone toaccess_data(a model-specific permission) in only one of their roles, they can only access the models that are a part of that role.Multiple roles can also cause unexpected effects on dashboards. See the Managing Business User Features documentation page for information about dashboards and multiple roles.
To create a role, click the New Role button at the top of the Roles page. Looker will display a new page where you can enter a name for the role, choose a permission set, and choose a model set. You will also be able to assign the role to a set of groups or users. Once you’ve configured the role as desired click the New Role button that will be at the bottom of the page.
After a role has been created, you can edit it by clicking the Edit button to the right of the role on the Roles page. This will take you to that role’s page, where you can:
- rename the role
- assign or edit the permission set associated with that role
- assign a model set to the role
- assign the role to groups and users.
To delete a role, click the Delete button to the right of the role on the Roles page.