This page refers to the
required_access_grantsparameter that is part of a view.
required_access_grantscan also be part of an Explore, described on this documentation page.
required_access_grantscan also be part of a join, described on this documentation page.
required_access_grantscan also be part of a dimension, dimension group, measure, filter, or parameter as described on this documentation page.
required_access_grants: [access_grant_name, access_grant_name, …]
AcceptsSquare brackets containing a comma-separated list of access grant names
required_access_grants pairs with the model-level
access_grant parameter to limit access for a view to only those users who have a specific user attribute value assigned to them.
required_access_grants works like this:
- You define an access grant using the
access_grantparameter. As part of the definition, you associate the access grant with a user attribute. You also specify which user attribute values provide access to the access grant.
- Next, you use
required_access_grantsto restrict a view to only those users who have access to every access grant listed.
For example, the following LookML requires that users have access to both the
can_view_financial_data and the
view_payroll access grants to see the
Users who don’t have access to all of the access grants assigned to the view will not see any of the fields in the restricted view. They will not see those fields in the Field Picker while exploring. If the user views a Look that includes fields from the restricted view, they will see a warning message saying, “
<view.field> no longer exists on
<view>, or you do not have access to it, and it will be ignored.” The warning message is suppressed on dashboard tiles.
For more information on how to define an access grant, see the
access_grant documentation page.
payroll dimension to only those users who have access to the
accounting access grant:
Viewing Restricted Views with Calculated Fields on Saved Looks and Dashboards
Since users who do not have access to a restricted view cannot access the fields in the view, this can cause changes in viewed data in a saved Look or dashboard tile.
For example, a measure that uses a dimension from a restricted view will not have access to the data from that view, so the measure aggregation occurs without that data. Thus, users who do not have access to the restricted view sees different results than users who do have access to the restricted view.
Table calculations based on a field in a restricted view display an error for users who do not have access to the restricted view, since the table calculation does not have access to the field in the restricted view.
Restricting Access to Underlying LookML Structures
Restricting access to a view does not restrict access to its underlying LookML structures. So an unrestricted field that is part of other views will still be available if those views are unrestricted. Use the
required_access_grants parameter at the field level level to restrict fields individually.