The Users page lists all of the user accounts on your Looker instance. Users consist of two types:
- Regular (human) users who log in via their email address and a password
- API users, which you use to access your Looker instance programmatically
Viewing and Searching Users
The table of users that appears on the page shows basic information about your users:
| Column | Description |
|---|---|
| ID | A user ID assigned by Looker at the time of user creation |
| Name | The actual name of the user that they enter when they initially sign up |
| Credentials | The user name of the user, which is an email address for normal users, and an API key for API users |
| Groups | A list of groups that the user belongs to |
| Roles | A list of roles assigned to the user |
| Actions | Actions you can take for a user |
You can sort the table by either the ID or Name column by clicking on that column’s header.
You can also search the Name or Credentials column by entering a search term into the search box in the upper right, then pressing [Enter].
To add a user, simply click the Add Users button in the upper left of the page. You’ll be brought to a dialog where you can type or paste in a comma-separated list of email addresses, and select the roles and groups that will be assigned to those users. Remember to click the Add Users button when you’re done to create the users and send sign-up emails (if you’ve chosen the Send setup emails checkbox).
To edit a user, click the Edit button on the right hand side of their row. There you’ll be able to adjust many settings:
Choose to enable or disable a user. Consider disabling users rather than deleting them outright.
The first name of the user, if applicable. You aren’t required to add a value here, but it is useful for organizational purposes.
The last name of the user, if applicable. You aren’t required to add a value here, but it is useful for organizational purposes.
The email address of the user. For regular users, this will serve as their username when they log in. It is not required for API users.
If you’ve enabled user specific time zones on your Looker instance, you can select the time zone that will be used when this user runs a query in Looker.
If you need to reset a password, you can send a reset link to the email address specified above by clicking the Send reset link button. The reset URL that is sent to the user will be displayed.
An API3 key is used to access the Looker API. API3 keys are created by Looker and consist of a Client ID and a Client Secret. Looker requires an API3 key for the following:
- Executing commands via the Looker API.
- Accessing Looker’s interactive API documents (if the Looker instance is configured to require API login to see API documents).
To generate API keys and turn this user into an API user, click the Edit Keys button from the Edit Users page. This will open the Edit User API3 keys page, where you can see the existing API3 keys, or click the New API3 key button to generate a new key.
The API3 keys have the same permissions as the user account from which they were created.
The best practice is to create dedicated user accounts for API scripts, one user account for each script. That way, you can configure a user account with the specific set of permissions that allow the script to perform its function, and only its function. For example, for an API script that runs queries, you can create a user account with the access_data permission, but no other permissions.
This technique lets you increase security by compartmentalizing a script’s access. Also, if you ever need to stop a script, you can simply disable (or delete) that script’s user account. Be sure to read Removing User Access before deleting any user account.
Enables you to select the roles this user should have, if you want to assign roles individually. See the Roles page for more information on configuring roles, or the Permissions Management page for a broader discussion of Looker permissions.
We generally suggest assigning roles to groups instead of assigning roles directly to individual users.
Roles from Groups
If the user is assigned to any groups, they may have inherited some roles from those groups. These roles are listed here.
Enables you to select the groups this user should belong to. Users can also be added to groups on the groups page.
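The following added example (not Looker's own code) audits the dedicated-API-account practice described above: it computes each API user's effective permissions from direct roles plus roles inherited from groups, and flags accounts that exceed what their script needs or that attach API3 keys to a human login. The record layout, role names, group names, and every permission other than access_data are constructed for illustration.

```python
# Added example: least-privilege audit for accounts holding API3 keys.
# Field names, roles, groups and sample users are constructed, not Looker's schema.
ROLE_PERMISSIONS = {                      # role -> permissions it grants
    "query_runner": {"access_data"},
    "analyst": {"access_data", "see_looks", "explore"},
    "admin": {"access_data", "see_looks", "explore", "see_users"},
}
GROUP_ROLES = {"bi_team": {"analyst"}}    # group -> roles assigned to the group
SCRIPT_NEEDS = {"nightly-export": {"access_data"},   # script account -> what it needs
                "report-bot": {"access_data"}}

USERS = [
    {"id": 7, "name": "nightly-export", "email": None, "api3_keys": 1,
     "roles": {"query_runner"}, "groups": set(), "disabled": False},
    {"id": 8, "name": "report-bot", "email": None, "api3_keys": 1,
     "roles": {"query_runner"}, "groups": {"bi_team"}, "disabled": False},
    {"id": 9, "name": "Dana Admin", "email": "dana@example.com", "api3_keys": 2,
     "roles": {"admin"}, "groups": set(), "disabled": False},
    {"id": 10, "name": "old-sync", "email": None, "api3_keys": 1,
     "roles": {"admin"}, "groups": set(), "disabled": True},
]

def effective_permissions(user):
    """Union of permissions from direct roles and roles inherited via groups."""
    roles = set(user["roles"])
    for group in user["groups"]:
        roles |= GROUP_ROLES.get(group, set())
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def audit_api_users(users):
    """Return (user_id, finding) pairs for enabled accounts that hold API3 keys."""
    findings = []
    for u in users:
        if u["disabled"] or not u["api3_keys"]:
            continue  # disabling the account is how a script is stopped
        if u["email"]:
            findings.append((u["id"], "API3 key on a human login account"))
            continue
        needed = SCRIPT_NEEDS.get(u["name"])
        if needed is None:
            findings.append((u["id"], "API account with no declared purpose"))
            continue
        extra = effective_permissions(u) - needed
        if extra:
            findings.append((u["id"], "excess permissions: " + ", ".join(sorted(extra))))
    return findings
```

Here report-bot is flagged only because of the role it inherits from the bi_team group, which is why group membership has to be part of any review of an API account's access.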
Access Filter Fields
Access filter fields allow you to limit the data that a user will have access to. They require several setup steps, including changes to your LookML. You can read about how to create these limits on the
Removing User Access
If you want to remove a user’s access to Looker, you can either disable their account or delete their account. For most situations, best practice is to disable the account.
The differences between disabling and deleting a user account are described in the following table:
| | Disabled | Deleted |
|---|---|---|
| User can log into the Looker instance | No | No |
| User’s personal space | Still exists | Deleted |
| Looks and dashboards in user’s personal space | Still exist | Moved to the Trash space |
| Looks and dashboards that user saved to a Shared space | Still exist in the Shared space | Still exist in the Shared space |
| Schedules based on the user’s personal space’s Looks and dashboards | If created by disabled user, the schedule will be stopped. If created by another user, the schedule will continue to run. | The schedules will be deleted. |
| Historical usage information for the user | Kept | Most deleted |
If you need to stop user access to Looker, the best practice is typically to disable the user account. When you disable a user account, the user’s usage history and personal content are kept. To see details on the differences between disabling and deleting users, see the table in the Removing User Access section.
To disable a user account, click the Disable button on the right hand side of their row. You’ll receive a confirmation dialog before you disable the user.
Deleting a user is irreversible. Consider your organization’s compliance and security needs before doing so.
Instead of deleting a user account, a good alternative is to disable it. This prevents the user from being able to log in, but their information, content, and history remain intact. To see details on the differences between disabling and deleting users, see the table in the Removing User Access section.
To delete a user:
1. Click the Edit button on the right hand side of their row.
2. At the bottom of the Edit User page, click Delete.
3. You’ll receive a confirmation dialog before you delete the user. Click OK to delete the user.
Impersonating (sudo-ing) Users
“Sudo” is a Unix term that means to emulate the permissions of another user. When you sudo as a user (by clicking the Sudo button on the right hand side of their row), you can see what their experience of Looker is like. This is a good way to validate that you’ve properly configured permissions and other features. Sudo-ing is also a useful way to see a user’s LookML development before they’ve committed and pushed their changes.
When you sudo, you’ll see a bar at the top of the screen that warns you that you’re in a sudo-ed state and lets you exit that state. Keep in mind that any changes you make while in this state will impact the user that you’re emulating.