Extensions are web applications built with Looker components that are developed through the Looker extension framework. These extensions will inherit the permissions structure of your Looker instance, handling permissions at the model set level. If a user does not have permissions to see certain models in the standard Looker application, they will not be able to see those models in Looker extensions. This page explains how Looker admins can grant users the appropriate permissions to access Looker extensions.
The Looker Marketplace deploys an extension by importing a new project into your Looker application. This project contains everything required to run the extension and has at least one model file. Looker admins can control how a user views or interacts with content based on that model by assigning them a role that has permissions to access the extension’s model.
For example, if your Looker instance has data based on models called sales, but you only want certain users to see the finance data, you would grant users access to only the finance model. Permissions for extensions work similarly.
Looker admins can control permissions to access an extension’s model (and therefore access the extension itself) as well as the model or models upon which any content within the extension is based.
Looker admins can see the available model sets for a Looker instance by navigating to the Roles page in the Admin panel. To access and use the extension, users must be assigned a role that has either manage models permissions or has develop permissions for all models or the model set that contains the extension’s model.
Granting users permissions to extensions
Looker extensions are developed through the Looker extension framework and are available for installation through the Looker Marketplace. Extensions require that the Extension Framework and Marketplace Labs features be enabled.
In addition to these Labs features, there are three types of permissions associated with extensions:
- Permissions to develop extensions
- Permissions to install extensions from the Looker Marketplace
- Permissions to use extensions
Permissions to develop extensions
To develop an extension using the Looker extension framework, users need LookML developer permissions to the instance, as well as the skills recommended on the Getting started with the Looker extension framework documentation page.
Permissions to install extensions from the Looker Marketplace
Each extension will have a project with at least one dedicated LookML model. For example, the Data Dictionary extension uses the
To install an extension from the Looker Marketplace, a user must have deploy permissions for the extension’s model.
When installing an extension that requires an access key from the Looker Marketplace, a configuration screen prompts the user for access key values, which will be stored as user attributes for the Looker instance.
Permissions to use extensions
If the extension is installed through the Looker Marketplace or made available from within a Looker instance, the Looker admin will need to configure user permissions.
For most extension use cases, the extension always runs with the permissions granted to the user when they log in. By default, once the extension is installed, any user with a role that has develop permissions and Model Set access set to All will automatically have the ability to view and use the extension and its content with no additional permission configuration required. Users must have access to all the models that the extension uses for the extension to function fully.
Any Looker users who have access to at least one of the extension’s underlying models can see the extension listed in the Looker Browse menu:
For embedded extensions, the extension takes on the permissions given to the created embed user ID, just like an embedded Look, dashboard, or Explore.
For full screen extensions that use the /spartan option in the extension URL, you can add users to an Extensions Only user group. Users in this group are prevented from viewing Looker pages outside of the extension. Looker admins can customize the Extensions Only group like any other group and assign it a role that has certain permissions and model set access. Users are not required to belong to the Extensions Only group to view a full screen extension; if a user is not in that user group, the extension will run with the permissions of that logged-in user.
Adding user permissions
A Looker admin will need to grant users and embed users a permission set that includes access_data and any more restrictive permissions associated with that extension. These permissions must be applied to a model set that includes the extension’s model or models.
To grant users access to the extension, Looker admins must:
- Create a model set that includes the extension’s model — or edit an existing model set to add the extension’s model.
- Confirm that users are assigned to a role with at least the access_data permission (and any more restrictive permissions associated with that extension) for this model set.
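The two checks above can be run as an access audit. This is an added example, not part of the Looker documentation and not Looker API code: the roles, users and dictionary layout are constructed for illustration, with each role modelled as one permission set paired with one model set.

```python
# Constructed sample data; the dictionary layout is an assumption for this sketch.
EXTENSION_MODEL = "data_dictionary"
REQUIRED_PERMISSION = "access_data"

ROLES = {
    "Finance Department": {"permissions": {"access_data", "see_looks"},
                           "models": {"finance", "data_dictionary"}},
    "Sales Viewer": {"permissions": {"access_data"}, "models": {"sales"}},
    "Model Browser": {"permissions": {"see_lookml"}, "models": {"data_dictionary"}},
}
USERS = {"ana": ["Finance Department"], "raj": ["Sales Viewer"],
         "li": ["Sales Viewer", "Model Browser"]}


def role_gap(role):
    """Return None if the role grants extension access, else the reason it does not."""
    if EXTENSION_MODEL not in role["models"]:
        return f"model set lacks {EXTENSION_MODEL}"
    if REQUIRED_PERMISSION not in role["permissions"]:
        return f"permission set lacks {REQUIRED_PERMISSION}"
    return None


def audit(users, roles):
    """Map each user to the roles that grant access, or to the per-role gaps."""
    report = {}
    for user, role_names in users.items():
        gaps = {name: role_gap(roles[name]) for name in role_names}
        granting = sorted(n for n, gap in gaps.items() if gap is None)
        report[user] = {"granted_by": granting, "gaps": {} if granting else gaps}
    return report


if __name__ == "__main__":
    for user, entry in audit(USERS, ROLES).items():
        print(user, entry)
```

The constructed user li holds access_data in one role and the data_dictionary model in another, and is still reported as lacking access, because the permission has to apply to a model set that includes the extension’s model.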
Example: Data Dictionary extension
The Data Dictionary extension project uses the
Users whose roles do not include develop permissions or that have Model Set access not set to All will need a Looker admin to grant them develop permissions for a model set that includes the
For example, say that you want to give your finance team access to the Data Dictionary extension, but the Finance Team model set does not currently grant access to the
Next to the Finance Team model set, click the Edit button and check the data_dictionary model checkbox:
Click Update Settings to save your selection.
After adding the data_dictionary model to the Finance Team model set, confirm that the finance team users are assigned to a role that has develop permissions for the Finance Team model set. In this example, any users assigned to the Finance Department role will have access to the Data Dictionary extension.
Once using the Data Dictionary extension, users will have access to view only the models that they have permissions for. Even if a user outside the finance team has access to the Finance Team model set, they will be able to interact only with content in the Data Dictionary that is based on the other models in their model set.