Designing and Configuring a System of Access Levels

New in Looker 6.20, Spaces have been renamed to folders.

Different levels of content access determine which users may view and edit content in Looker folders. Whereas permissions are associated with a user according to that person’s role, content access is associated with a folder, and defines how open the folder is to users at various levels.

Types of Access to Folders

There are two levels of access that can be assigned to a user or group for any given folder.

View: With this access level, a user can see that the folder exists and can see the Looks and dashboards inside it.

Manage Access, Edit: This access level lets a user do everything that the View access level does, plus make changes to the folder, such as:

Open and Closed Systems of Access to Folders

Looker’s settings will help you structure user access based on your company’s policies and the kinds of users who will be interacting with your folders. In general, the system you devise will fall into one of three broad categories: completely open, open with restrictions, or closed.

| Level of Access to Folders | Description | Recommended Use |
| --- | --- | --- |
| Completely open | All users can view and modify all shared content. This is Looker’s default configuration. | An open system is recommended for small companies or teams using Looker, companies with open policies about data, and companies where sharing editable reports is a primary use case. |
| Open with restrictions | Access to shared content is restricted in some way, either so that only certain people can edit certain content, or so that certain content is entirely invisible to particular people. | An open system with restrictions is recommended for medium-sized or larger teams and companies, highly diversified user bases where reports aren’t relevant to everybody, or companies that want content to be viewable by everybody but editable by only a few. |
| Closed | Also called a multitenant installation, this system silos content to certain groups and prevents users from different groups from knowing about each other. | A closed system is recommended for whitelabel and SSO embed use cases where customers host clients into the system who may be from different companies or groups and should not know about one another. |

Once you determine what kind of system you want, this page will walk you through the steps to configure it. For the initial setup, we recommend using the Content Access section of the Admin panel, as it’s a single place to make changes to each folder.

How Access to a Folder Affects Its Subfolders

Before you decide how open or closed you want your system to be, it’s important to understand how the access you set in parent folders will affect their subfolders, as well as what you can and can’t change at lower levels in the hierarchy.

| Access Type | Inheritance Pattern | Description |
| --- | --- | --- |
| Manage Access, Edit | Flows all the way down the folder hierarchy | Once you give a user access to Manage Access, Edit in a folder, they will retain that access level to all Looks, dashboards, and subfolders within that folder. You won’t be able to lock down their access at a lower part of the folder hierarchy. |
| View | Can be removed at any point down the folder hierarchy | Removing View access at the folder level revokes a user’s ability to see that folder and all its content. You can also remove View access at any point lower in the hierarchy, to restrict users from viewing specific Looks, dashboards, or subfolders within an otherwise viewable folder. |

Looker admins have Manage Access, Edit access to all folders and therefore all content. This ensures their ability to manage the system, prevent orphaned content, and assist any user who runs into issues.

Configuring a Completely Open System

Looker’s default configuration allows completely open access to all folders. The All Users group is assigned to Manage Access, Edit on the Shared folder, and all subfolders within the Shared folder will inherit that access from it. Manage this setting from the Content Access section of the Admin panel:

Once a user has Manage Access, Edit access to a folder, they also have Manage Access, Edit access to all content in that folder, including all subfolders under it. That means there are no restrictions on content access in this system.

Personal folders exist in a separate hierarchy, and they also have default settings. The All Users group is set to View on all personal folders, and each user determines whether to make their folder private or not:

Configuring an Open System with Restrictions

You need to be a Looker admin to fully configure your system in the way described below.

These steps will help you configure an open system with restrictions:

  1. Plan out your structure.
  2. Configure groups to provide granular access.
  3. Change the All Users group’s access to View on the Shared folder.
  4. Remove All Users from any folder you don’t want viewable by the whole company.

Plan Out Your Structure

Who do you want to allow to view and edit particular folders? It will make your life easier if you sketch out your plan before you start configuring access. This also gives you a place to check off changes as you go through the process, so you don’t have to go back to check on various folders. Placing users into groups will help you manage access for different departments or teams within your company.

One of the most common configurations is to have one folder per department or team, which looks something like this:

Configure Groups to Provide Granular Access

If you’re planning to restrict access to content, Looker groups make things much easier. Groups can be granted access to folders and subfolders the same way that users are, and groups can contain other groups. For information about how to configure groups, see the Groups page.

Start by setting access to individual subfolders first, and then work your way up to setting access for the whole Shared folder. Because access flows down the hierarchy of folders, it’s safest to begin by manipulating the access to the lowest subfolders individually. Then you can move up through parent-level folders, giving them the access level you want and making sure that your changes don’t conflict with decisions you have made at the lower levels.

In this example, we’ll start with the subfolders inside of the Shared folder. Manage these settings from the Content Access section of the Admin panel.

Set each folder within the Shared folder to A custom list of users and assign Manage Access, Edit access to the groups and users you want to be able to edit content, then assign View access to groups and users you want to have read-only access:

As mentioned above, until you change the settings for the top-level Shared folder, nothing goes into effect. The access level for the All Users group is set to Manage Access, Edit in the Shared folder and flows down through all individual subfolders. You cannot modify the settings for All Users in individual subfolders until the access level for that group is changed in the Shared folder.

Click on the folder you want to configure and then click Manage Access:

Change the All Users Group’s Access to View on the Shared Folder

This is when your changes go into effect. Remember to consult the plan for your structure.

First, unless you want everyone to have editing access to all content in your system, click Manage Access for the Shared folder and change All Users from Manage Access, Edit to View:

Then, if your plan is to display certain subfolders only to certain groups, continue to the following section.

Remove the All Users Group from Folders You Don’t Want Viewable

If you want any folders to be private to a certain subgroup of users, go back and remove All Users completely from those folders using the X to the right of its access level. Now those folders will only appear for groups and users you explicitly list:

Configuring a Closed System

Only enable the Closed System option if you plan to whitelabel Looker or use SSO embed for your customers. Internal use cases should use a different system. You need to be a Looker admin to fully configure your system in the way described below.

Looker offers a Closed System option that makes the following changes:

These steps will help you configure a closed system:

  1. Ask for the Closed System option.
  2. Plan out your structure.
  3. Configure groups to provide granular access.
  4. Enable the closed system in the Admin panel.
  5. Give each company group in your system View access for the Shared folder.
  6. Configure access levels for each subfolder of the Shared folders.
  7. Migrate content into subfolders.

These steps assume that no content for multitenant users is currently housed in the Shared folders. In order to silo content under a closed system and prevent customers or other groups from seeing each other, move any such content out of the Shared folder and into separate subfolders before beginning the steps below.

Ask for the Closed System Option

To request that the Closed System option be enabled for your instance, contact your Looker Account Manager or open a support request in Looker’s Help Center by clicking Contact Us.

Plan Out Your Structure

It makes setting up your system much easier if you have set up your plan in advance. There are two main areas to think about:

First, be sure to create a group for each company. A company group associates all users from each company together, and keeps those users separate from other companies.

Second, consider whether you’ll want to have multiple companies looking at the same folder (for example, for dashboards that are relevant to all companies), or whether you’ll want one top-level folder for each company (for distinct content that only applies to a single company).

Configure Groups to Provide Granular Access

While there should be at least one group per company, there may also be subgroups within that group. If you would like to allow some users at a company to edit and manage content, and allow others only to view content, we recommend creating separate subgroups for those different types of users. For example, you can start by creating Company A as the umbrella group, and then add two subgroups: Editors at Company A and Viewers at Company A:

All groups that pertain to an individual company should be housed under one umbrella group.

For information about how to configure groups, see the Groups page.

Enable the Closed System Option in the Admin Panel

It’s best to enable the Closed System option before setting up any access controls on folders, since enabling the Closed System option makes changes to your system (see the introduction to Configuring a Closed System above). Enable the option by going to the Settings section of the General panel in Looker’s Admin section:

Give Each Company Group View Access for the Shared Folder

Grant View access to each company group for the Shared folders. This lets members of those groups access the Shared folder and see their own company’s folder within it. If a group does not have View access to the Shared folders, they will not be able to see their own company’s folders. Manage these settings from the Content Access section of the Admin panel:

Configure Access Levels for Each Subfolder

Set access levels to establish who can view or edit content in each subfolder. Subfolders default to their parents’ access settings until you change them. This means that a company with View access to the Shared folder could view content in another company’s subfolder unless you restrict access to that subfolder. Review each subfolder and restrict access appropriately:

In the above example, we selected A custom list of users and Company B was removed from Company A’s content. Company B can’t see that Company A’s content exists.
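
The inheritance rules from How Access to a Folder Affects Its Subfolders, combined with the subfolder review described in this section, as an added example (not Looker's own code or API). It is a simplified Python model: the folder names, groups, and grants are constructed sample data, groups are treated as flat, and the function names are hypothetical.

```python
# Simplified model of the folder access rules on this page (not Looker's API).
# Folder names, groups and grants are constructed sample data; groups are flat.
# "edit" stands for the Manage Access, Edit level.

# group -> tenant (company) it belongs to; None means not tenant-specific
TENANT = {"Company A": "A", "Company B": "B", "All Users": None}

# folder -> parent, whether it still inherits the parent's access list, and
# the custom list that applies once inheritance is switched off
FOLDERS = {
    "Shared":    {"parent": None, "inherits": False,
                  "grants": {"Company A": "view", "Company B": "view"}},
    "A Reports": {"parent": "Shared", "inherits": False,
                  "grants": {"Company A": "edit"}},
    "A Finance": {"parent": "A Reports", "inherits": True, "grants": {}},
    "B Reports": {"parent": "Shared", "inherits": True, "grants": {}},
}
OWNER = {"A Reports": "A", "A Finance": "A", "B Reports": "B"}


def effective_access(folders, name):
    """Resolve {group: level} for a folder by walking up to the root."""
    folder = folders[name]
    if folder["parent"] is None:
        return dict(folder["grants"])
    parent = effective_access(folders, folder["parent"])
    if folder["inherits"]:
        return parent  # subfolders default to the parent's settings
    # Custom list: a group must be able to see the parent to reach the child.
    eff = {g: lvl for g, lvl in folder["grants"].items() if g in parent}
    # Manage Access, Edit flows down and cannot be removed lower down.
    for group, level in parent.items():
        if level == "edit":
            eff[group] = "edit"
    return eff


def cross_tenant_exposures(folders, owner, tenant):
    """List (folder, group, level) where a group outside the owning
    tenant still has effective access to a tenant's folder."""
    findings = []
    for name, owning_tenant in owner.items():
        for group, level in effective_access(folders, name).items():
            if tenant.get(group) != owning_tenant:
                findings.append((name, group, level))
    return sorted(findings)
```

With the sample data, the check flags B Reports because it was never switched to a custom list and still inherits Company A's View access from the Shared folder.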

Migrate Content into Subfolders

If your company has allowed users to see their own folder and other personal folders, we recommend migrating any content from those personal folders into the appropriate folders in the main Shared hierarchy.
