access_filter_fields


As of release 4.10, we suggest you use the new access_filter parameter instead of access_filter_fields.

access_filter_fields is a special feature that must be enabled by Looker Support.

Usage

access_filter_fields is a child of explore.

explore: view_name
  ...
  access_filter_fields: [view.field]

Accepts one or more fully scoped, existing field names.

Definition

access_filter_fields enables you to apply user-specific data restrictions. Unlike most LookML parameters, it needs to be used in conjunction with other settings in Looker in order to work properly. An access_filter_fields parameter is specific to a single explore, so you need to make sure you apply an access_filter_fields parameter to each explore that needs a restriction.

The behavior of access_filter_fields would be similar to you sitting with a user and requiring them to apply one or more filters in the Explore UI before they run any query. For example, the user might only deal with a subset of your customers, so you would require that user to apply a customer name filter.

The first step in using access_filter_fields is deciding what field or fields need to have a restriction. In the example above, we would likely have a customer view with a dimension called name. The way that field would be referenced is customer.name.

Next, every user who will interact with the explore in question needs a value for the access filter fields. In our example, every user will need the list of customer names they are allowed to see. You apply these values in the Admin section of Looker as shown below:

The field name that you enter here should be a fully scoped LookML field name of the form view_name.field_name. The default values that you specify accept these types of expressions.

The final step is to add the access_filter_fields parameter to the appropriate explore parameters. Again, the fully scoped field name should be used (view_name.field_name).

Examples

Limit a user to order information after 2014-01-01:

- explore: order
  access_filter_fields: [order.created_date]

Limit a user to order information from the customer named “Acme”:

- explore: order
  access_filter_fields: [customer.name]
  joins:
    - join: customer
      sql_on: ${order.customer_id} = ${customer.id}

Common Challenges

access_filter_fields Requires Fully Scoped Field Names

If you write a field name without a view name, most parameters in Looker will assume a view name based on the place that the parameter is used. However, access_filter_fields does not work this way and requires you to write both the view name and field name.

For example, you might think this would work, and that id would be interpreted as the Order ID:

- explore: order
  access_filter_fields: [id]

However, this is not the case, and you will receive an error. Instead you must write:

- explore: order
  access_filter_fields: [order.id]

Even Admins Must Have Filter Values Set in the UI

Every user who accesses an explore that uses access_filter_fields must have the necessary filter values configured in their user profile. This even applies to Admins, despite the fact that they can see all data. Users who don’t have a filter value set will receive an error when trying to view the explore.

To give an admin or other user access to all values of a string field, use a % like this:

To give an admin or other user access to all values of a number field, use >0 or NOT NULL like this:

Things to Know

Careless Use Of access_filter_fields Can Result In Unintended Data Access

There are two primary ways that careless use of access_filter_fields can result in data access that you don’t want:

1) Forgetting To Add access_filter_fields

If you forget to add access_filter_fields to an explore that a user has access to, that explore will not be filtered. Please make sure you add access_filter_fields where needed.

2) Referencing An Invalid Field In access_filter_fields

If you reference a field in access_filter_fields that is not joined to your explore, users will see an error but still be able to access all of the data. For example, this will not work because customer has not been joined into order:

- explore: order
  access_filter_fields: [customer.name]

For this to function properly customer must be joined into order, with something like this:

- explore: order
  access_filter_fields: [customer.name]
  joins:
    - join: customer
      sql_on: ${order.customer_id} = ${customer.id}

Please do not forget to validate proper joins and operation of access_filter_fields.
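
A pre-deployment check for the two failure modes above plus the fully scoped name requirement, as an added example (not Looker's code or tooling). It assumes the YAML-style LookML shown on this page and that an explore's base view has the same name as the explore; the function names, finding codes, and the invoice and shipment explores are constructed for illustration. It confirms only that the referenced view is joined, not that the field exists in that view.

```python
import re

EXPLORE = re.compile(r"^\s*-\s*explore:\s*(\w+)")
JOIN = re.compile(r"^\s*-\s*join:\s*(\w+)")
FIELDS = re.compile(r"^\s*access_filter_fields:\s*\[(.*?)\]")

# Constructed sample model: one correct explore, two misconfigured ones.
SAMPLE = """\
- explore: order
  access_filter_fields: [customer.name]
  joins:
    - join: customer
      sql_on: ${order.customer_id} = ${customer.id}

- explore: invoice
  access_filter_fields: [customer.name, id]

- explore: shipment
"""

def parse_explores(text):
    """Collect each explore's access filter fields and joined views."""
    explores = []
    for line in text.splitlines():
        if m := EXPLORE.match(line):
            explores.append({"name": m.group(1), "fields": [], "joins": set()})
        elif not explores:
            continue  # ignore anything before the first explore
        elif m := FIELDS.match(line):
            explores[-1]["fields"] = [f.strip() for f in m.group(1).split(",") if f.strip()]
        elif m := JOIN.match(line):
            explores[-1]["joins"].add(m.group(1))
    return explores

def audit(text):
    """Return (explore, code, field) findings that need review before deploy."""
    findings = []
    for ex in parse_explores(text):
        views = {ex["name"]} | ex["joins"]  # assumption: base view == explore name
        if not ex["fields"]:
            findings.append((ex["name"], "MISSING", None))  # explore is unfiltered
        for field in ex["fields"]:
            view, dot, name = field.partition(".")
            if not dot or not name:
                findings.append((ex["name"], "UNSCOPED", field))  # needs view.field
            elif view not in views:
                findings.append((ex["name"], "NOT_JOINED", field))  # view not joined
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A MISSING finding is a prompt for review rather than an error, since whether a given explore needs a restriction is a policy decision.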
