access_filters

LookML
Version

On this Page
Docs Menu

Go to Explore Parameter List

Definition

access_filters lets you apply user-specific data restrictions. Unlike most LookML parameters, it needs to be used in conjunction with other settings in Looker in order to work properly. An access_filters parameter is specific to a single explore, so you need to make sure you apply an access_filters parameter to each explore that needs a restriction.

Please do not forget to add access_filters to every explore that needs it. If you forget to add access_filters to an explore that should have it, the data will not be restricted and users will be able to see all the data in that explore.

The behavior of access_filters would be similar to you sitting with a user and requiring them to apply one or more filters in the Explore UI before they run any query. For example, the user might only deal with a subset of your customers, so you would require that user to apply a customer name filter.

There are several steps you should take in order to implement an access filter:

  1. Decide what field or fields need to have a restriction. In the example above, we might have a customer explore with a dimension called name. The way that field would be referenced is customer.name.
  2. Every user who will interact with the explore in question needs a value for the access filter. In our example, every user will need the list of customer names they are allowed to see. You apply these values to each user or user group by utilizing Looker’s user attributes feature, which you can read about here. Let’s suppose we create an allowed_customers user attribute.
  3. Finally, connect the user attribute you created with the field that should use its value as a filter. In our example, we’ll want to connect the allowed_customers user attribute with the customer.name field, like this:
- explore: customer access_filters: - user_attribute: allowed_customers field: customer.name

Examples

Limit users to seeing information about their sales region:

- explore: sales access_filters: - user_attribute: sales_region field: sales.region

Limit users to seeing information about specific departments within their customers:

- explore: customer access_filters: - user_attribute: allowed_customers field: customer.name - user_attribute: allowed_departments field: product.department

Common Challenges

access_filters Requires Fully Scoped Field Names

If you write a field name without a view name, most parameters in Looker will assume a view name based on the place that the parameter is used. However, access_filters does not work this way and requires you to write both the view name and field name.

For example, you might think this would work, and that name would be interpreted as the customer name:

- explore: customer access_filters: - user_attribute: allowed_customers field: name

However, this is not the case, and you will receive an error. Instead you must write:

- explore: customer access_filters: - user_attribute: allowed_customers field: customer.name

Even Admins Must Have Filter Values Set in the UI

Every user who accesses an explore that uses access_filters must have a value in the referenced user attribute. This even applies to Admins, despite the fact that they can see all data. Users who don’t have a user attribute value set will receive an error when trying to view the explore.

To give an admin or other user access to all values of a string field, use a %.

To give an admin or other user access to all values of a number field, use >0 or NOT NULL.

Still have questions?
Go to Discourse - or - Email Support
Top