home User Guide Getting Started Help Center Documentation Community Training Certification
menu
close
settings
Looker keyboard_arrow_down
language keyboard_arrow_down
English
Français
Deutsch
日本語
search
print
Users

The Users page in the Users section of the Admin menu lists all the user accounts on your Looker instance.

add

Starting in Looker 21.6, when the New Users Page option is enabled in Labs, the Users page shows a redesigned table and pagination to increase performance on instances with a large number of users.

New Users page

Enable the New Users Page Labs feature to view the redesigned Users page. If the New Users Page Labs feature is not enabled, your Users page is described in the Users page section of this documentation page.

Viewing and searching users

The Users page shows the following information:

  1. The Standard Users, Embed Users, and Looker Support tabs group your users by type:

    • The Standard Users tab shows users who log in to Looker directly, either through your regular authentication process or through the Looker API.
    • The Embed Users tab shows SSO embed users who are authenticated through a third-party application.
    • The Looker Support tab shows Looker Support analysts who have been granted access to your Looker instance.
  2. You can use the Filter List field to limit which users are displayed. When you click the Filter List field, you are given the choice to filter on user ID, name, or email address. When you filter on user ID, entering a user ID will display that user. In the case of name and email address, when you enter any string, the list of users displayed will show all the users whose name or email address contains the string you entered in the filter field. The Filter List replaces the search function on the previous version of the Users page.

  3. You can sort the table by username in either ascending or descending order by clicking the User column heading.
  4. Each row lists the user’s name, ID, and email address, and includes an icon indicating the type of access the user has. You can hold your cursor over the icon to see what the icon represents.

    Click on the row to edit the user. Users who cannot be edited are indicated by a lock on the user icon. These users are either system created (such as members of the All Users group), or externally managed by the LDAP, SAML, or OpenID Connect protocol.

  5. The Active Credential column lists the types of access the user has to your Looker instance.

  6. The Group column lists all groups to which the user belongs.
  7. The Role column lists all roles assigned to the user.
  8. Click the Add Users button to display the Adding a new user page, which lets you create new users.
  9. Click the three-dot Options menu to display a menu that lets you disable the user, sudo as the user, or delete the user.

    Deleting a user is irreversible. Consider your organization’s compliance and security needs before doing so.

Adding users

To add a user, click the Add Users button.

In the Adding a new user page, you can type or paste a comma-separated list of email addresses and select the roles and groups that will be assigned to each. Click the Save button when you’re done to create the users and, if you’ve selected the Send setup emails checkbox, send sign-up emails.

Editing users

To edit a user, click user’s row. There you’ll be able to adjust many settings:

Profile tab

The Profile tab displays and lets you set descriptive information about your user, as well as assign groups and roles to the user.

First Name

Add or edit the user’s first name, if applicable. This field does not require a value, but it can be useful for organizational purposes.

Last Name

Add or edit the user’s last name, if applicable. This field does not require a value, but it can be useful for organizational purposes.

Email

Add or edit the user’s email address. When the user logs in to Looker, the email address will serve as their username.

Send Setup Link / Send Password Reset Link

If the user has never logged in before, this button is labeled Send Setup Link. If the user has logged in before, this button is labeled Send Password Reset Link. If you need to send a setup email to a new user or to reset a password for an existing user, you can send a link to the email address specified above by clicking the this button. The URL that is sent to the user will be displayed in this field. See the Password requirements documentation page to learn about specifying password complexity requirements in Looker. If the user does not set their password within one hour, the password’s reset link will expire.

Edit API3 Keys

An API3 key is used to access the Looker API. API3 keys are created by Looker and consist of a client ID and a client secret. Looker requires an API3 key for these tasks:

To generate API keys, click the Edit Keys button. This will open the Edit User API3 keys page, where you can see the existing API3 keys; or you can click the New API3 key button to generate a new key.

The API3 keys have the same permissions as the user account from which they were created.

The best practice is to create dedicated user accounts for API scripts — one user account for each script. That way, you can configure a user account with the specific set of permissions that allow the script to perform its function, and only its function. For example, for an API script that runs queries, you can create a user account with the access_data permission, but no other permissions.

This technique lets you increase security by compartmentalizing a script’s access. Also, if you ever need to stop a script, you can simply disable (or delete) that script’s user account. Be sure to read the Removing user access section on this page before you delete any user account.

Timezone

If you’ve enabled User Specific Time Zones on your Looker instance, you can select the time zone that will be used when this user runs a query in Looker.

Locale

The Locale field sets the user-interface language and model locale for a user.

If you would like the user to view certain user interface (UI) text in a specific language, Looker supports the UI translations shown in the table below. Enter the code in the Locale field.

If you would like the user to view a localized version of one or more data models, enter the title of the model’s strings file for that locale in the Locale field.

If you would like the user to view both model localization and Looker’s built-in UI translations, the model’s strings file should have the same name as the appropriate locale code in the table below, and that code should be entered in the Locale field.

To confirm the Locale setting, click Save at the bottom of the page.

Language Locale Code and Strings Filename
English en
Czech cs_CZ
German de_DE
Spanish es_ES
French fr_FR
Hindi hi_IN
Italian it_IT
Japanese ja_JP
Korean ko_KR
Lithuanian lt_LT
Norwegian (Bokmål) nb_NO
Dutch nl_NL
Polish pl_PL
Brazilian Portuguese pt_BR
Portuguese pt_PT
Russian ru_RU
Swedish sv_SE
Thai th_TH
Turkish tr_TR
Ukrainian uk_UA
Simplified Chinese zh_CN
Traditional Chinese zh_TW

For users with no Locale set, Looker uses the locale chosen on the Localization page of the Admin panel as the default locale; and, if no locale is set there, Looker defaults to en.

Setting a Custom Locale

Looker developers can create custom locales to use for model localization only. Custom locale codes are designated by the titles of the string files created in the model localization process. For example, if a developer creates a tag_PH.strings.json file, to apply that custom locale to users, you would perform these steps:

  1. Click on the Locale field.

  2. Enter the custom locale code. In this example, you would enter tag_PH. Once you begin typing in the field, any pre-existing text will disappear.

  3. Click Create “tag_PH”.

  4. Click Save at the bottom of the page.

Currently, the Looker UI does not support custom locales. If you use a custom locale in a user’s Locale field, that user’s UI defaults to the language set in the instance locale.

Number Format

Looker's default number format setting for numbers that appear in data tables and visualizations is 1,234.56. However, the number format can be set to any of the following:

For more information about and examples of using the Number Format setting, see the Localizing number formatting documentation page.

Groups

Lists the groups the user is a member of. You can add the user to a new group by selecting the group from the drop-down, or remove the user from a group by clicking the X next to the group name in the list.

Users can also be added to groups on the Groups admin page.

Roles

Lists the roles assigned to the user. You can add a new role to the user by selecting the role from the drop-down, or remove a role from the user by clicking the X next to the role name in the list.

Roles can also be added on the Roles admin page.

User Attributes tab

The User Attributes tab displays and lets you set and unset user attributes for a user. Values assigned to an individual user always override any values assigned to that user as a member of a group. System settings are not editable.

Users page

If the New Users Page Labs feature is not enabled, Looker displays the prior version of the Users page:

Viewing and searching users

Users are listed in a table that displays the following basic information for each user:

Column Definition
ID A user ID assigned by Looker at the time of user creation
Name The user’s actual name, which they enter when they initially sign up
Credentials The user’s email address, which serves as the username
Groups A list of groups the user belongs to
Roles A list of roles assigned to the user
Actions Actions you can take for the user

You can sort the table by either the ID or the Name column by clicking on the column’s header.

You can also search the Name and Credentials columns by entering a search term into the search box in the upper right and pressing Enter.

Adding users

To add a user, click the Add Users button.

In the resulting dialog box, you can type or paste a comma-separated list of email addresses and select the roles and groups that will be assigned to each. Click the Add Users button when you’re done to create the users and, if you’ve selected the Send setup emails checkbox, send sign-up emails.

Editing users

To edit a user, click the Edit button to the right of the user’s row. This opens the Edit User page, where you can adjust many settings:

Account

Enable or disable a user’s account. You may want to consider disabling user accounts instead of totally deleting them.

First Name

Add or edit the user’s first name, if applicable. This field does not require a value, but it can be useful for organizational purposes.

Last Name

Add or edit the user’s last name, if applicable. This field does not require a value, but it can be useful for organizational purposes.

Email

Add or edit the user’s email address. When the user logs in to Looker, the email address will serve as their username.

Locale

The Locale field sets the user-interface language and model locale for a user.

If you would like the user to view certain user interface (UI) text in a specific language, Looker supports the UI translations shown in the table below. Enter the code in the Locale field.

If you would like the user to view a localized version of one or more data models, enter the title of the model’s strings file for that locale in the Locale field.

If you would like the user to view both model localization and Looker’s built-in UI translations, the model’s strings file should have the same name as the appropriate locale code in the table below, and that code should be entered in the Locale field.

To confirm the Locale setting, click Save at the bottom of the page.

Language Locale Code and Strings Filename
English en
Czech cs_CZ
German de_DE
Spanish es_ES
French fr_FR
Hindi hi_IN
Italian it_IT
Japanese ja_JP
Korean ko_KR
Lithuanian lt_LT
Norwegian (Bokmål) nb_NO
Dutch nl_NL
Polish pl_PL
Brazilian Portuguese pt_BR
Portuguese pt_PT
Russian ru_RU
Swedish sv_SE
Thai th_TH
Turkish tr_TR
Ukrainian uk_UA
Simplified Chinese zh_CN
Traditional Chinese zh_TW

For users with no Locale set, Looker uses the locale chosen on the Localization page of the Admin panel as the default locale; and, if no locale is set there, Looker defaults to en.

Setting a custom locale

Looker developers can create custom locales to use for model localization only. Custom locale codes are designated by the titles of the string files created in the model localization process. For example, if a developer creates a tag_PH.strings.json file, that custom locale can be applied to users using the following steps:

  1. Click on the Locale field.

  2. Enter the custom locale code. Once you begin typing in the field, any pre-existing text will disappear.

  3. Click Create “tag_PH”.

  4. Click the Save button at the bottom of the page.
  5. Once created, the code will be added to the user’s locale drop-down menu.

Currently, the Looker UI does not support custom locales. If you use a custom locale in a user’s Locale field, that user’s UI defaults to the language set in the instance locale.

Number format

Looker's default number format setting for numbers that appear in data tables and visualizations is 1,234.56. However, the number format can be set to any of the following:

For more information about and examples of using the Number format setting, see the Localizing number formatting documentation page.

Timezone

If you’ve enabled User Specific Time Zones on your Looker instance, you can select the time zone that will be used when this user runs a query in Looker.

Send setup link / Send reset link

If the user has never logged in before, this button is labeled Send setup link. If the user has logged in before, this button is labeled Send reset link. If you need to set or reset a password, you can send a link to the email address specified above by clicking the this button. The URL that is sent to the user will be displayed in this field. See the Password requirements documentation page to learn about specifying password complexity requirements in Looker. If the user does not reset their password within one hour, the password’s reset link will expire.

Two-Factor Secret

You will see this option if you have enabled two-factor authentication (2FA) on your instance. Click the Reset button to reset 2FA for the user. This causes Looker to prompt the user to rescan a QR code with the Google Authenticator app the next time they attempt to log in to the Looker instance.

API3 Keys

An API3 key is used to access the Looker API. API3 keys are created by Looker and consist of a client ID and a client secret. Looker requires an API3 key for these tasks:

To generate API keys, click the Edit Keys button from the Edit Users page. This will open the Edit User API3 keys page, where you can see the existing API3 keys; or you can click the New API3 key button to generate a new key.

The API3 keys have the same permissions as the user account from which they were created.

The best practice is to create dedicated user accounts for API scripts — one user account for each script. That way, you can configure a user account with the specific set of permissions that allow the script to perform its function, and only its function. For example, for an API script that runs queries, you can create a user account with the access_data permission, but no other permissions.

This technique lets you increase security by compartmentalizing a script’s access. Also, if you ever need to stop a script, you can simply disable (or delete) that script’s user account. Be sure to read the Removing user access section on this page before you delete any user account.

Individual Roles

You can select the roles this user should have, if you want to assign roles individually. See the Roles page for more information on configuring roles, or the Permissions management documentation page for a broader discussion of Looker permissions.

We generally suggest assigning roles to groups instead of assigning roles directly to individual users.

Groups

Lists the groups the user is a member of. You can add the user to a new group by selecting the group from the drop-down, or remove the user from a group by clicking the X next to the group name in the list.

Users can also be added to groups on the Groups admin page.

Roles

Lists the roles assigned to the user. You can add a new role to the user by selecting the role from the drop-down, or remove a role from the user by clicking the X next to the role name in the list.

Roles can also be added on the Roles admin page.

User attributes

Set and unset the values of a user’s user attributes. Values assigned to an individual user always override any values assigned as a result of membership in a group. System settings are not editable.

Removing user access

If you want to remove a user’s access to Looker, you can either disable or delete their account. For most situations, the best practice is to disable the account.

Differences between disabling and deleting a user account are described in the following table:

Description Disabled Deleted
The user can log in to the Looker instance No No
The user’s personal folder Still exists Deleted
Looks and dashboards in the user’s personal folder Still exist Moved to the Trash folder
Looks and dashboards the user saved to a Shared folder Still exist in the Shared folder Still exist in the Shared folder
Schedules created by the user Schedules are disabled Schedules are deleted
Schedules based on the user’s content, but created by another user Schedules continue to run User’s content is deleted; schedules based on that content are deleted
Schedules that list the user as a recipient and are created by another user with the ability to deliver content to external email accounts Schedules will continue to run and deliver normally (user will be treated as an external user) Schedules continue to run and deliver normally (user will be treated as an external user)
Schedules that have Run schedule as recipient enabled and list the user as a recipient Schedules will continue to run but will fail to deliver to the disabled user upon next run Schedules continue to run but will fail to deliver to all users with error run_as_recipient was specified on ScheduledPlan but recipient is not a Looker user
Boards created by the user Still exist Still exist
Alerts created by the user Remain active, but are not visible or editable from the dashboard on which the alert is set unless self-assigned by another active user. Admins can edit or self-assign the alert from the Alerts management admin page in the Admin panel. Remain active, but are not visible or editable from the dashboard on which the alert is set unless self-assigned by another active user. Admins can edit or self-assign the alert from the Alerts management admin page in the Admin panel.
Historical usage information for the user Kept Most are deleted

Disabling users

If you need to stop user access to Looker, the best practice is typically to disable the user account. When you disable a user account, the user’s usage history and personal content is retained. For details about the differences between disabling and deleting users, see the table in the Removing user access section on this page.

If you have enabled the New Users Page Labs feature, to disable a user account, select Disable user from the three-dot Options menu to the right of the user’s row:

If you have not enabled the New Users Page Labs feature, to disable a user account, click the Disable button to the right of the user’s row. A dialog box will ask you to confirm that you want to disable the user’s account.

Deleting users

Deleting a user is irreversible. Consider your organization’s compliance and security needs before doing so.

Instead of deleting a user, a great alternative is to disable the user account instead. This prevents a user from being able to log in, but their information, content, and history remain intact. For details about the differences between disabling and deleting users, see the table in the Removing user access section on this page.

If you have enabled the New Users Page Labs feature, to delete a user account, select Delete User from the three-dot Options menu to the right of the user’s row:

If you have not enabled the New Users Page Labs feature, to delete a user, perform these steps:

  1. Click the Edit button to the right of the user’s row.

  2. At the bottom of the Edit User page, click Delete.

  3. A dialog box will ask you to confirm that you want to delete the user’s account. Click OK to delete the user.

Impersonating (sudoing) users

Sudo is a UNIX term that means to emulate the permissions of another user. Sudoing allows you to navigate Looker as if you were a different user, with all their privileges and abilities.

Only admins and users who have both the see_users and the sudo permissions have the ability to sudo as other users. Admins can sudo as any other user, including other admins. Users with the see_users and sudo permissions can sudo as other non-admin users.

If you have enabled the New Users Page Labs feature, to sudo as another user, select Sudo as this user from the three-dot Options menu to the right of the user’s row:

If you have not enabled the New Users Page Labs feature, to sudo as another user, click the user’s Sudo button from the Users admin page:

This is a good way to validate that you’ve properly configured permissions and other features. Sudoing is also a useful way to see a user’s LookML development before they’ve committed and pushed their changes.

When you sudo, you’ll see a bar at the top of the screen that warns you that you’re in a sudoed state, and that enables you to exit the sudoed state. Any changes you make while in this state will impact the user you’re emulating.

Keep in mind that if you are in Development Mode, your changes are not visible to other users until you deploy your changes to production. If you haven’t deployed your changes for other users to see, you will not see your changes when you sudo as a different user.

For database connections that use OAuth, such as Snowflake and Google BigQuery, an admin sudoing as another user will use the sudoed user’s OAuth access token when running queries. For Snowflake connections, if the user’s access token is expired, the admin will not be able to have a new token created on behalf of the sudoed user; the user will have to log in to Snowflake and reauthorize Looker.

Top