Setting up effective Looker Studio access control is crucial for any organization. By doing so, you can ensure that only authorized users have access to sensitive data.
To start, Looker Studio uses a role-based access control system, which means that users are assigned to specific roles that determine their level of access. This system is based on a hierarchy of roles, with some roles inheriting permissions from others.
Each role in Looker Studio has a set of permissions that define what actions a user can perform. For example, a user with the "Viewer" role can only view reports, while a user with the "Editor" role can edit reports and create new ones.
You can also create custom roles with specific permissions to fit your organization's needs. This is especially useful if you have a unique set of requirements that don't fit into the standard roles.
Access Control Basics
To control feature and data access in Looker, you usually create a group of users and assign that group to a role. A role ties together a set of permissions with a set of LookML models.
Creating a permission set with the appropriate permissions is key to controlling the actions a user can perform. You can then assign a group or user to a role with that permission set.
To control what fields a user can access, you need to create a model with the appropriate fields and assign a group or user to a role with that model. This way, users will only see the fields you've made available to them.
Access filters are another way to limit a user to the appropriate data. You can apply specific data limits to specific users with access filters.
If you want to control what database connections a Looker developer can access, you need to create a project with the appropriate connections and associate the project with a set of models. Then, assign a group or user to a role with those models.
You can assign multiple roles to a user or group, and users will have all the permissions from all the roles they have. For example, if you assign two roles to a group, they'll be able to see dashboards on both models associated with those roles.
Control Feature
Controlling feature access is a crucial part of Looker Studio access control. You can control the types of activities that a user or group can do by creating a permission set that contains the appropriate permissions.
To assign permissions, you need to identify one or more groups of users that should have a permission set, create a permission set, and then create a role that combines the permission set and, if necessary, a model set. You can assign the role from the Roles page.
Assigning multiple roles to a user or group allows them to have all the permissions from all the roles they have. For example, if Role1 gives the ability to see dashboards on Model1 and Role2 gives the ability to see dashboards and to explore on Model2, assigning both roles to a group of users will allow them to see dashboards on both Model1 and Model2, but only explore on Model2.
Here are the basic steps to control feature access:
- Identify one or more groups of users that should have a permission set
- Create a permission set that contains the appropriate permissions
- Create a role that combines the permission set and, if necessary, a model set
- Assign the role from the Roles page
Project and Content Permissions
Projects in Looker allow you to restrict database connections for specific models, ensuring that developers only interact with authorized data sets.
This restriction applies to the Looker SQL Runner as well, preventing developers from accessing prohibited database connections.
Content access is managed by users or Looker admins, with user roles determining feature and data access, affecting what they can do in a folder and whether they can view Looks and dashboards.
Users with the access_data permission but without see_looks or see_user_dashboards can't see folders or content.
Organization-Owned Content is a key feature of Looker Studio Pro, ensuring continuity of access and management of reports and data sources even if the original creator leaves the company.
Content Permissions
Content access is managed by users when they are viewing a folder, or managed by a Looker admin on the Content Access page in the Admin panel.
The roles that are assigned to a user determine the user's feature and data access, which affects what the user can do in a folder and whether they can view Looks and dashboards.
Users with the access_data permission, but without the see_looks or see_user_dashboards permission, cannot see any folders or content.
Content access and permissions are also affected by project ownership, where organisation-owned content ensures continuity of access and management of reports and data sources, even if the original creator leaves the company.
Organisation-owned content is linked to a Google Cloud project, and project-level permissions are governed through IAM, enhancing security and access management.
Here's a summary of the different types of content access:
- Users can manage content access when viewing a folder.
- Looker admins can manage content access on the Content Access page in the Admin panel.
- Roles assigned to a user determine their feature and data access.
- Organisation-owned content ensures continuity of access and management of reports and data sources.
Invalid Scope
If a user receives an Error 400: invalid_scope message, it means their organization hasn't authorized the app or has done so incorrectly. This can be a frustrating experience, especially if you're eager to get started.
To resolve this issue, the user will need to request that their organization authorize the app. This is a simple step that can get your project back on track.
Users and Groups
You can manage individual users and groups of users in Looker. Users are managed on the Users page of Looker's Admin panel, while groups are managed on the Groups page.
To avoid the tedium of assigning, adjusting, and removing controls for users individually, use groups. Typically, the combination of activities to allow for a user can be arranged by having that user belong to one or more groups. If no combination of groups is enough, consider creating a group with only one user, which lets you potentially expand that group to more people in the future.
You can assign user attributes to groups, which is useful for access filters.
In Looker, roles are a combination of one permission set and one model set. A permission set is composed of one or more permissions, and it defines what the role may do. A model set is composed of one or more models, and it defines which LookML models the role applies to.
You can assign an individual user, or a group of users, to a role. If you add some roles to an individual user, and other roles to a group that the user belongs to, the user will inherit all of those roles put together.
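Here's a simple way to think about roles: suppose Role1 gives the ability to see dashboards on Model1, and Role2 gives the ability to see dashboards and to explore on Model2.
If you assign both roles to the same group of users, they can see dashboards on both Model1 and Model2 but can explore only on Model2.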
The best practice is to identify one or more groups of users that should have a permission set, creating a group if necessary. You can give permissions to individual users if desired.
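The role inheritance described above, including the Role1/Role2 case and the rule that access_data without see_looks or see_user_dashboards shows no content, can be audited with a short script. This is an added example, not code from Looker or from the original page; the users, groups and the DataOnly role are constructed, and every permission is assumed to be scoped to the models in its role's model set.

```python
from collections import defaultdict

# Constructed sample data mirroring the Role1/Role2 example in the text.
# A role is one permission set plus one model set.
ROLES = {
    "Role1": {"permissions": {"access_data", "see_looks", "see_user_dashboards"},
              "models": {"Model1"}},
    "Role2": {"permissions": {"access_data", "see_looks", "see_user_dashboards",
                              "explore"},
              "models": {"Model2"}},
    "DataOnly": {"permissions": {"access_data"}, "models": {"Model3"}},
}
GROUP_ROLES = {"analysts": {"Role1", "Role2"}, "etl": {"DataOnly"}}
USERS = {
    "alice": {"groups": {"analysts"}, "roles": set()},   # roles via group only
    "bob": {"groups": set(), "roles": {"Role1"}},        # direct role only
    "carol": {"groups": {"etl"}, "roles": set()},        # data access, no content
}
CONTENT_PERMS = {"see_looks", "see_user_dashboards"}


def effective_roles(user):
    """Roles assigned directly plus roles inherited from every group."""
    roles = set(USERS[user]["roles"])
    for group in USERS[user]["groups"]:
        roles |= GROUP_ROLES.get(group, set())
    return roles


def effective_access(user):
    """Map each model to the union of permissions granted on it."""
    access = defaultdict(set)
    for role in effective_roles(user):
        for model in ROLES[role]["models"]:
            access[model] |= ROLES[role]["permissions"]
    return dict(access)


def cannot_see_content(user):
    """True when the user has access_data but neither content permission."""
    perms = set().union(*effective_access(user).values())
    return "access_data" in perms and not (perms & CONTENT_PERMS)


if __name__ == "__main__":
    for name in USERS:
        print(name, effective_access(name), cannot_see_content(name))
```

Running the same union over an export of your real role, group and user assignments shows where stacking roles has granted more than any single role was meant to.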
Security and Authentication
To ensure secure access to Looker Studio, you need to authorize the app for your organization. This involves configuring domain-wide delegation.
To do this, sign in to your Google Admin console and navigate to domain-wide delegation. Then, click on API clients and add a new client.
You'll need to enter the Client ID of the app to authorize, which is the app that uses the Looker Studio API. Additionally, you should enter all OAuth scopes required by the app.
Commonly requested scopes for using the Looker Studio API to manage assets include:
- OAuth scopes required by the app
After authorizing the app, any Workspace user belonging to the organization will automatically be authorized to use the app with the Looker Studio API.
Frequently Asked Questions
Is Google Looker Studio private?
No, Google Looker Studio is not private by default, but you can keep your data source (like Google Sheets) private while sharing specific dashboards with others.
How do I make my Looker Studio dashboard public?
To make your Looker Studio dashboard public, go to the Look's gear menu, select Edit Settings, and toggle on the Public Access option. This will allow anyone to view your dashboard without needing a login.