User Guide Getting Started Help Center Documentation Community Training
New LookML
Old LookML
New LookML
Looker
  
English
日本語
access_grant

Usage

access_grant: access_grant_name {
  user_attribute: user_attribute_name
  allowed_values: [ "value_1", "value_2" , … ]
}

Hierarchy

access_grant

Default Value

None

Accepts

The name of a user attribute with the user_attribute subparameter and a list of user attribute values with the allowed_values subparameter

Definition

An access grant is a LookML structure that controls access to other LookML structures, specifically Explores, joins, views, and fields. The access_grant parameter defines an access grant.

access_grant takes the name of a user attribute with the user_attribute subparameter and a list of acceptable values for the user attribute with the allowed_values subparameter. Only those users who are assigned one of the allowed values in the specified user attribute can access structures to which the access grant is required.

Once defined, you can use the required_access_grants parameter at the Explore, join, view, or field level to require the access grant to access those structures.

For example, the LookML below creates an access grant called can_view_financial_data, which is based on the department user attribute. Only those users who are assigned the values "finance" or "executive" in the department user attribute are given access to the can_view_financial_data access grant:

access_grant: can_view_financial_data { user_attribute: department allowed_values: [ "finance", "executive" ] }

You then associate the can_view_financial_data access grant with a LookML structure using the required_access_grants parameter:

dimension: financial_data_field … required_access_grants: [can_view_financial_data] }

In the example above, only users who have the proper user attribute value for the can_view_financial_data access grant will see the financial_data_field dimension.

You can define multiple access grants in a model, and you can assign multiple access grants to a LookML structure with the required_access_grants parameter. In that case, a user must have access to all of the specified access grants to have access to the LookML structure.

For example, the LookML below defines two different access grants:

access_grant: can_view_financial_data { user_attribute: department allowed_values: [ "finance", "executive" ] } access_grant: can_view_payroll_data { user_attribute: view_payroll allowed_values: [ "yes" ] }

Then in the view file below, the required_access_grants parameter specifies both access grants:

view: payroll { … required_access_grants: [can_view_financial_data, can_view_payroll_data] }

In this case, only users that have either the value "finance" or "executive" assigned to their department user attribute and have the value "yes" assigned to their view_payroll user attribute can access the view.

Example

Define an access grant that requires users to have either the value "product_management" or "engineering" in the department user attribute to have access to the engineering access grant:

access_grant: engineering { user_attribute: department allowed_values: [ "product_management", "engineering" ] }

Additional Considerations

A user who does not have access to an access grant will experience different behavior depending on which LookML structure they are trying to access. See the required_access_grants documentation pages at the Explore, join, view, or field level for information about how access to those structures is restricted.

Access Grants at Multiple Levels are Added Together

If you nest access grants, the access grants are additive. For example, you can create required_access_grants for a view and create required_access_grants for a field inside the view. In order to see the field, a user must have access grants to both the field and the view. Likewise for joins: If you create required_access_grants for the views in a join and also create required_access_grants for the join of these two views, a user must have access grants to both views and the join in order to see the joined view.

Accessing Structures that Reference Restricted Structures

Users can have access to Looks or dashboards that contain LookML objects they don’t have access to. In these situations the Look or dashboard will display as if those LookML objects have been removed from the model.

Suppose we have an Explore A, which contains join A, view A, and field A. Next, we place an access restriction on Explore A. As expected, join A, view A, and field A will inherit that restriction, but only when users are interacting with Explore A. If join A, view A, or field A is used in a different Explore B, they will not necessarily have any access restrictions. Therefore, if you plan to re-use LookML elements, we suggest you apply access restrictions at the lowest level possible.

Top