access_filter parameter instead of
access_filter_fields is a special feature that must be enabled by Looker Support
access_filter_fields is a child of
one or more fully scoped, existing field names
access_filter_fields enables you to apply user-specific data restrictions. Unlike most LookML parameters, it needs to be used in conjunction with other settings in Looker in order to work properly. An access_filter_fields parameter is specific to a single explore, so you need to make sure you apply an access_filter_fields parameter to each explore that needs a restriction.
The behavior of access_filter_fields would be similar to you sitting with a user and requiring them to apply one or more filters in the Explore UI before they run any query. For example, the user might only deal with a subset of your customers, so you would require that user to apply a customer name filter.
The first step in using access_filter_fields is deciding what field or fields need to have a restriction. In the example above, we would likely have a customer view with a dimension called name. The way that field would be referenced is customer.name.
Next, every user who will interact with the explore in question needs a value for the access filter fields. In our example, every user will need the list of customer names they are allowed to see. You apply these values in the Admin section of Looker as shown below:
The field name that you enter here should be a fully scoped LookML field name of the form view_name.field_name. The default values that you specify accept these types of expressions.
The final step is to add the access_filter_fields parameter to the appropriate explore parameters. Again, the fully scoped field name should be used (view_name.field_name).
Limit a user to order information after 2014-01-01:
Limit a user to order information from the customer named “Acme”:
access_filter_fields Requires Fully Scoped Field Names
If you write a field name without a view name, most parameters in Looker will assume a view name based on the place that the parameter is used. However, access_filter_fields does not work this way and requires you to write both the view name and field name.
For example, you might think this would work, and that id would be interpreted as the Order ID:
However, this is not the case, and you will receive an error. Instead you must write:
Even Admins Must Have Filter Values Set in the UI
Every user who accesses an explore that uses access_filter_fields must have the necessary filter values configured in their user profile. This even applies to Admins, despite the fact that they can see all data. Users who don’t have a filter value set will receive an error when trying to view the explore.
To give an admin or other user access to all values of a string field, use a % like this:
To give an admin or other user access to all values of a number field, use NOT NULL like this:
Things to Know
Careless Use Of access_filter_fields Can Result In Unintended Data Access
There are two primary ways that careless use of access_filter_fields can result in data access that you don’t want:
1) Forgetting To Add
If you forget to add access_filter_fields to an explore that a user has access to, that explore will not be filtered. Please make sure you add access_filter_fields where needed.
2) Referencing An Invalid Field In
If you reference a field in access_filter_fields that is not joined to your explore, users will see an error but still be able to access all of the data. For example, this will not work because customer has not been joined into order:
For this to function properly customer must be joined into order, with something like this:
Please do not forget to validate proper joins and operation of
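The following Python check is an added example, not part of the original Looker documentation. It scans model text for the two mistakes described above (an explore with no access_filter_fields, and a field whose view is not joined) plus the unscoped-field case. It assumes brace-style LookML, that each explore's base view carries the explore's name, and that join names are the view names used for scoping; the sample model is constructed.

```python
import re

# Constructed sample model, not from the page. Assumes brace-style LookML.
SAMPLE_MODEL = """
explore: order {
  access_filter_fields: [customer.name]
}
explore: order_items {
  access_filter_fields: [customer.name, order_items.created_date]
  join: customer {
    sql_on: ${order_items.customer_id} = ${customer.id} ;;
  }
}
explore: inventory {
  join: product {
    sql_on: ${inventory.product_id} = ${product.id} ;;
  }
}
"""

def explore_blocks(text):
    """Yield (explore_name, body) for each explore by matching braces."""
    for m in re.finditer(r"\bexplore:\s*(\w+)\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def audit(text):
    """Return (explore, problem) pairs for the mistakes the page warns about."""
    findings = []
    for name, body in explore_blocks(text):
        m = re.search(r"\baccess_filter_fields:\s*\[([^\]]*)\]", body)
        if not m:
            findings.append((name, "no access_filter_fields, explore is unfiltered"))
            continue
        # Assumption: the base view is named after the explore (no from: / view_name:).
        views = {name} | set(re.findall(r"\bjoin:\s*(\w+)", body))
        for field in filter(None, (f.strip() for f in m.group(1).split(","))):
            view, dot, _ = field.partition(".")
            if not dot:
                findings.append((name, f"{field}: not fully scoped"))
            elif view not in views:
                findings.append((name, f"{field}: view {view} is not joined"))
    return findings

if __name__ == "__main__":
    for explore, problem in audit(SAMPLE_MODEL):
        print(f"{explore}: {problem}")
```

Run against every model file before deployment, any finding marks an explore whose restriction is missing or, per the page, would produce an error while leaving all data accessible.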