Different levels of content access determine which users may view and edit content in Looker Spaces. Whereas permissions are associated with a user according to that person’s role, content access is associated with a Space, and defines how open the Space is to users at various levels.
Types of Access to Spaces
There are two levels of access that can be assigned to a user or group for any given Space.
View: With this access level, a user can see that the Space exists and can see the Looks and dashboards inside it.
Manage Access, Edit: This access level lets a user do everything that the View access level does, plus make changes to the Space, such as:
- Editing Looks and editing dashboards in the Space
- Specifying which users and groups of users can view or manage the Space.
- Creating subspaces
- Renaming, moving, and deleting a Space
- Copying and moving Looks and dashboards
- Deleting Looks and dashboards
Open and Closed Systems of Access to Spaces
Looker’s settings will help you structure user access based on your company’s policies and the kinds of users who will be interacting with your Spaces. In general, the system you devise will fall into one of three broad categories: completely open, open with restrictions, or closed.
|Level of Access to Spaces||Description||Recommended Use|
|Completely open||All users can view and modify all shared content. This is Looker’s default configuration.||An open system is recommended for small companies or teams using Looker, companies with open policies about data, and companies where sharing editable reports is a primary use case.|
|Open with restrictions||Access to shared content is restricted in some way, either so that only certain people can edit certain content, or so that certain content is entirely invisible to particular people.||An open system with restrictions is recommended for medium-sized or larger teams and companies, highly diversified user bases where reports aren’t relevant to everybody, or companies that want content to be viewable by everybody but editable by only a few.|
|Closed||Also called a multitenant installation, this system silos content to certain groups and prevents users from different groups from knowing about each other.||A closed system is recommended for whitelabel and SSO embed use cases where customers host clients in the system who may be from different companies or groups and should not know about one another.|
Once you determine what kind of system you want, this page will walk you through the steps to configure it. For the initial setup, we recommend using the Content Access section of the Admin panel, as it’s a single place to make changes to each Space.
How Access to a Space Affects Its Subspaces
Before you decide how open or closed you want your system to be, it’s important to understand how the access you set in parent Spaces will affect their subspaces, as well as what you can and can’t change at lower levels in the hierarchy.
|Access Type||Inheritance Pattern||Description|
|Manage Access, Edit||Flows all the way down the Space hierarchy||Once you give a user access to Manage Access, Edit in a Space, they will retain that access level to all Looks, dashboards, and subspaces within that Space. You won’t be able to lock down their access at a lower part of the Space hierarchy.|
|View||Can be removed at any point down the Space hierarchy||Removing View access at the Space level revokes a user’s ability to see that Space and all its content. You can also remove View access at any point lower in the hierarchy, to restrict users from viewing specific Looks, dashboards, or subspaces within an otherwise viewable Space.|
Looker admins have Manage Access, Edit access to all Spaces and therefore all content. This ensures their ability to manage the system, prevent orphaned content, and assist any user who runs into issues.
Configuring a Completely Open System
Looker’s default configuration allows completely open access to all Spaces. The All Users group is assigned to Manage Access, Edit on the Shared Space, and all subspaces within the Shared Space will inherit that access from it. Manage this setting from the Content Access section of the Admin panel:
Once a user has Manage Access, Edit access to a Space, they also have Manage Access, Edit access to all content in that Space, including all subspaces under it. That means there are no restrictions on content access in this system.
Personal Spaces exist in a separate hierarchy, and they also have default settings. The All Users group is set to View on all personal Spaces, and each user determines whether to make their Space private or not:
Configuring an Open System with Restrictions
You need to be a Looker admin to fully configure your system in the way described below.
These steps will help you configure an open system with restrictions:
- Plan out your structure.
- Configure groups to provide granular access.
- Change the All Users group’s access to View on the Shared Space.
- Remove All Users from any Space you don’t want viewable by the whole company.
Plan Out Your Structure
Who do you want to allow to view and edit particular Spaces? It will make your life easier if you sketch out your plan before you start configuring access. This also gives you a place to check off changes as you go through the process, so you don’t have to go back to check on various Spaces. Placing users into groups will help you manage access for different departments or teams within your company.
One of the most common configurations is to have one Space per department or team, which looks something like this:
- Within your Shared Space, create a Space for a department, team, or project. We’ll use the example of a Finance team in this section.
- Give the CFO (or the main analyst for Finance) the Manage Access, Edit access on that Space. Give the rest of the team View access.
- Create two subspaces: One for editable content and one for read-only content. If needed, add a third subspace for private content.
- In the subspace for editable content, grant Manage Access, Edit access to the whole Finance team using a Finance group. Once you give the Finance group that level of access, all of its members can add, delete, or change content in that subspace.
- In the subspace for read-only content, grant View access to the whole Finance group. The CFO is still able to Manage Access, Edit content in this Space, because they inherit that access from the main Finance Space.
- In the (optional) private subspace, remove the Finance group completely. Only the CFO can see this Space or manage its content.
Configure Groups to Provide Granular Access
If you’re planning to restrict access to content, Looker groups make things much easier. Groups can be granted access to Spaces and subspaces the same way that users are, and groups can contain other groups. For information about how to configure groups, see the Groups page.
Start by setting access to individual subspaces first, and then work your way up to setting access for the whole Shared Space. Because access flows down the hierarchy of spaces, it’s safest to begin by manipulating the access to the lowest subspaces individually. Then you can move up through parent-level spaces, giving them the access level you want and making sure that your changes don’t conflict with decisions you have made at the lower levels.
In this example, we’ll start with the subspaces inside of the Shared Space. Manage these settings from the Content Access section of the Admin panel.
Set each Space within the Shared Space to A custom list of users and assign Manage Access, Edit access to the groups and users you want to be able to edit content, then assign View access to groups and users you want to have read-only access:
As mentioned above, until you change the settings for the top-level Shared Space, nothing goes into effect. The access level for the All Users group is set to Manage Access, Edit in the Shared Space and flows down through all individual subspaces. You cannot modify the settings for All Users in individual subspaces until the access level for that group is changed in the Shared Space.
Click on the Space you want to configure and then click Manage Access:
Change the All Users Group’s Access to View on the Shared Space
This is when your changes go into effect. Remember to consult the plan for your structure.
First, unless you want everyone to have editing access to all content in your system, click Manage Access for the Shared Space and change All Users from Manage Access, Edit to View:
Then, if your plan is to display certain subfolders only to certain groups, continue to the following section.
Remove the All Users Group from Spaces You Don’t Want Viewable
If you want any Spaces to be private to a certain subgroup of users, go back and remove All Users completely from those Spaces using the X to the right of its access level. Now those Spaces will only appear for groups and users you explicitly list:
Configuring a Closed System
Only enable the Closed System option if you plan to whitelabel Looker or use SSO embed for your customers. Internal use cases should use a different system. You need to be a Looker admin to fully configure your system in the way described below.
Looker offers a Closed System option that makes the following changes:
- Removes the All Users group. There will be no way to refer to all the users in the system as one group. Instead, Looker admins should create one group per tenant, or customer, as discussed below. For this discussion, we’ll assume that each customer is a company.
- Makes all user Spaces private by default. Users can still choose to share content in their Spaces with other members of their groups.
- Prevents users from seeing other users unless they share a group. So if Charles is a member of the Company C group, he only sees other members of Company C, and the members of Companies A and B are invisible to him.
As an example of how enabling the Closed System option will restrict what Charles can see, here are some of the places in Looker where he will only see other Company C members and their content:
These steps will help you configure a closed system:
- Ask for the Closed System option.
- Plan out your structure.
- Configure groups to provide granular access.
- Enable the closed system in the Admin panel.
- Give each company group in your system View access for the Shared Space.
- Configure access levels for each subspace of the Shared Space.
- Migrate content into subspaces.
These steps assume that no content for multitenant users is currently housed in the Shared Space. In order to silo content under a closed system and prevent customers or other groups from seeing each other, move any such content out of the Shared Space and into separate subspaces before beginning the steps below.
Ask for the Closed System Option
To request that the Closed System option be enabled for your instance, contact your Looker Account Manager or open a support request in Looker’s Help Center by clicking Contact Us.
Plan Out Your Structure
It makes setting up your system much easier if you have set up your plan in advance. There are two main areas to think about:
First, be sure to create a group for each company. A company group associates all users from each company together, and keeps those users separate from other companies.
Second, consider whether you’ll want to have multiple companies looking at the same Space (for example, for dashboards that are relevant to all companies), or whether you’ll want one top-level Space for each company (for distinct content that only applies to a single company).
Configure Groups to Provide Granular Access
While there should be at least one group per company, there may also be subgroups within that group. If you would like to allow some users at a company to edit and manage content, and allow others only to view content, we recommend creating separate subgroups for those different types of users. For example, you can start by creating Company A as the umbrella group, and then add two subgroups: Editors at Company A and Viewers at Company A:
All groups that pertain to an individual company should be housed under one umbrella group.
For information about how to configure groups, see the Groups page.
Enable the Closed System Option in the Admin Panel
It’s best to enable the Closed System option before setting up any access controls on Spaces, since enabling the Closed System option makes changes to your system (see the introduction to Configuring a Closed System above). Enable the option by going to the Settings section of the General panel in Looker’s Admin section:
Give Each Company Group View Access for the Shared Space
Grant View access to each company group for the Shared Space. This lets members of those groups access the Shared Space and see their own company’s Space within it. If a group does not have View access to the Shared Space, they will not be able to see their own company’s Space. Manage these settings from the Content Access section of the Admin panel:
Configure Access Levels for Each Subspace
Set access levels to establish who can view or edit content in each subspace. Subspaces default to their parents’ access settings until you change them. This means that a company with View access to the Shared Space could view content in another company’s subspace unless you restrict access to that subspace. Review each subspace and restrict access appropriately:
In the above example, we selected A custom list of users and Company B was removed from Company A’s content. Company B can’t see that Company A’s content exists.
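The inheritance rules from the table earlier on this page and the subspace default described in this step can be checked against a plan before it is applied. The following is an added example, not Looker code or a Looker API: a simplified model in which principals are plain group or user names, nested groups and Looker admins are not modeled, and the Space names and the `OWNERS` mapping are constructed for illustration.

```python
# Simplified model of this page's inheritance rules; not Looker's code or API.
VIEW, EDIT = "View", "Manage Access, Edit"

class Space:
    def __init__(self, name, parent=None, acl=None):
        self.name, self.parent, self.children = name, parent, []
        self.acl = acl  # None = not customized, so the parent's settings apply
        if parent:
            parent.children.append(self)

    def resolved_acl(self):  # own access list if customized, otherwise the parent's
        if self.acl is not None:
            return self.acl
        return self.parent.resolved_acl() if self.parent else {}

def effective_access(space, principal):
    """Return EDIT, VIEW or None for a group or user name on a Space."""
    node, can_view = space, True
    while node:
        level = node.resolved_acl().get(principal)
        if level == EDIT:
            return EDIT       # flows all the way down; cannot be locked down lower
        if level is None:
            can_view = False  # View removed here hides this Space and all below it
        node = node.parent
    return VIEW if can_view else None

def cross_tenant_leaks(root, owner_of):
    """(space, group) pairs where a company group can see another company's Space."""
    leaks, stack = [], [root]
    while stack:
        space = stack.pop()
        stack.extend(space.children)
        owner = owner_of.get(space.name)
        for group in set(owner_of.values()) - {owner}:
            if owner and effective_access(space, group):
                leaks.append((space.name, group))
    return sorted(leaks)

# Constructed sample: two tenants under the Shared Space, as in the closed-system steps.
OWNERS = {"Company A content": "Company A", "Company B content": "Company B"}
def build(restricted):
    shared = Space("Shared", acl={"Company A": VIEW, "Company B": VIEW})
    for name, group in OWNERS.items():
        Space(name, shared, {group: VIEW} if restricted else None)
    return shared

if __name__ == "__main__":
    print("inherited:", cross_tenant_leaks(build(False), OWNERS))
    print("restricted:", cross_tenant_leaks(build(True), OWNERS))
```

With the subspaces left on their inherited settings, both company Spaces are reported as visible to the other company; once each subspace has its own custom list, the report is empty.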
Migrate Content into Subspaces
If your company has allowed users to see their own Space and other personal Spaces, we recommend migrating any content from those personal Spaces into the appropriate folders in the main Shared hierarchy.