The Users page lists all of the user accounts on your Looker instance. There are two types of users:
- Regular (human) users, who log in with their email address and a password
- API users, which you use to access your Looker instance programmatically
Viewing and Searching Users
The table of users that appears on the page shows basic information about your users:
|ID|A user ID assigned by Looker at the time of user creation|
|Name|The actual name of the user that they enter when they initially sign up|
|Credentials|The user name of the user, which is an email address for normal users, and an API key for API users|
|Groups|A list of groups that the user belongs to|
|Roles|A list of roles assigned to the user|
|Actions|Actions you can take for a user|
You can sort the table by either the ID or Name column by clicking on those columns’ headers.
You can also search the Name or Credentials column by entering a search term into the search box in the upper right, then pressing [Enter].
To add a user, simply click the Add Users button in the upper left of the page. You’ll be brought to a dialog where you can type or paste in a comma-separated list of email addresses, and select the roles and groups that will be assigned to those users. Remember to click the Add Users button when you’re done to create the users and send sign-up emails (if you’ve chosen the Send setup emails checkbox).
To edit a user, click the Edit button on the right-hand side of their row. There you’ll be able to adjust many settings:
Choose to enable or disable a user. Consider disabling users rather than deleting them entirely.
The first name of the user, if applicable. You aren’t required to add a value here, but it is useful for organizational purposes.
The last name of the user, if applicable. You aren’t required to add a value here, but it is useful for organizational purposes.
The email address of the user. For regular users, this will serve as their username when they log in. It is not required for API users.
If you’ve enabled user specific time zones on your Looker instance, you can select the time zone that will be used when this user runs a query in Looker.
If you need to reset a password, you can send a reset link to the email address specified above by clicking the Send reset link button. The reset URL that is sent to the user will be displayed.
API 3 Keys
To generate API keys and turn this user into an API user, click the API 3 Keys button.
Enables you to select the roles this user should have, if you want to assign roles individually. See the Roles page for more information on configuring roles, or the Permissions Management page for a broader discussion of Looker permissions.
We generally suggest assigning roles to groups instead of assigning roles directly to individual users.
Roles from Groups
If the user is assigned to any groups they may have inherited some roles from those groups. These roles are listed here.
Enables you to select the groups this user should belong to. Users can also be added to groups on the groups page.
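One way to check an instance against the recommendation to assign roles through groups, as an added example that is not Looker's own code: it separates direct role grants that duplicate a group role from those that exist only on the user. The record layout, role names, group names and users below are constructed assumptions, not the Looker API's schema.

```python
# Constructed sample data: a hypothetical export of users and groups,
# not the Looker API's own schema.
GROUP_ROLES = {
    "Finance": {"Finance Viewer"},
    "Analysts": {"Explorer", "Finance Viewer"},
}
USERS = [
    {"id": 1, "name": "Ana Ruiz", "direct_roles": set(), "groups": ["Analysts"]},
    {"id": 2, "name": "Ben Cho", "direct_roles": {"Admin"}, "groups": ["Finance"]},
    {"id": 3, "name": "Cy Lee", "direct_roles": {"Finance Viewer"}, "groups": ["Finance"]},
    {"id": 4, "name": "Di Moss", "direct_roles": {"Explorer"}, "groups": []},
]


def inherited_roles(user, group_roles):
    """Union of the roles granted by every group the user belongs to."""
    roles = set()
    for group in user["groups"]:
        roles |= group_roles.get(group, set())
    return roles


def audit_user(user, group_roles):
    """Split a user's direct roles into redundant and direct-only grants."""
    inherited = inherited_roles(user, group_roles)
    direct = set(user["direct_roles"])
    return {
        "id": user["id"],
        "effective": sorted(direct | inherited),
        # Already granted by a group: the direct assignment can be dropped.
        "redundant": sorted(direct & inherited),
        # Granted only directly: invisible when reviewing group membership.
        "direct_only": sorted(direct - inherited),
    }


def audit(users, group_roles):
    """Return findings only for users that hold at least one direct role."""
    findings = [audit_user(u, group_roles) for u in users]
    return [f for f in findings if f["redundant"] or f["direct_only"]]


if __name__ == "__main__":
    for finding in audit(USERS, GROUP_ROLES):
        print(finding)
```
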
Access Filter Fields
Access filter fields allow you to limit the data that a user will have access to. Using them requires several setup steps, including changes to your LookML. You can read about how to create these limits on the
Removing User Access
If you want to remove a user’s access to Looker you can either disable their account or delete their account. For most situations, best practice is to disable the account.
The differences between disabling and deleting a user account are described in the following table:
| |Disabled|Deleted|
|User can log into the Looker instance|No|No|
|User’s personal space|Still exists|Deleted|
|Looks and dashboards in user’s personal space|Still exist|Moved to the Trash space|
|Looks and dashboards that user saved to a Shared space|Still exist in the Shared space|Still exist in the Shared space|
|Schedules based on the user’s personal space’s Looks and dashboards|If created by disabled user, the schedule will be stopped. If created by another user, the schedule will continue to run.|The schedules will be deleted.|
|Historical usage information for the user|Kept|Mostly deleted|
If you need to stop user access to Looker, the best practice is typically to disable the user account. When you disable a user account, the user’s usage history and personal content are kept. To see details on the differences between disabling and deleting users, see the table in the Removing User Access section.
To disable a user account, click the Disable button on the right-hand side of their row. You’ll receive a confirmation dialog before you disable the user.
Deleting a user is irreversible. Consider your organization’s compliance and security needs before doing so.
A good alternative to deleting a user account is to disable it. This prevents the user from logging in, but their information, content, and history remain intact. To see details on the differences between disabling and deleting users, see the table in the Removing User Access section.
To delete a user:
1. Click the Edit button on the right-hand side of their row.
2. At the bottom of the Edit User page, click Delete.
3. You’ll receive a confirmation dialog before you delete the user. Click OK to delete the user.
Impersonating (sudo-ing) Users
“Sudo” is a Unix term that means to emulate the permissions of another user. When you sudo as a user (by clicking the Sudo button on the right-hand side of their row), you can see what their experience of Looker is like. This is a good way to validate that you’ve properly configured permissions and other features. Sudo-ing is also a useful way to see a user’s LookML development before they’ve committed and pushed their changes.
When you sudo, you’ll see a bar at the top of the screen that warns you that you’re in a sudo-ed state and lets you exit it. Keep in mind that any changes you make while in this state will impact the user that you’re emulating.