This page refers to the
required_access_grants
parameter that is part of an Explore.
required_access_grants
can also be part of a join, described on therequired_access_grants
(for joins) parameter documentation page.
required_access_grants
can also be part of a view, described on therequired_access_grants
(for views) parameter documentation page.
required_access_grants
can also be part of a dimension, dimension group, measure, filter, or parameter, described on therequired_access_grant
parameter documentation page.
Usage
explore: explore_name { required_access_grants: [access_grant_name, access_grant_name, ...] }
Hierarchy
required_access_grants |
Default Value
None
Accepts
Square brackets containing a comma-separated list of access grant names
|
Definition
required_access_grants
pairs with the model-level access_grant
parameter to limit access of an Explore to only those users who have a specific user attribute value assigned to them.
required_access_grants
works like this:
- You define an access grant using the
access_grant
parameter. As part of the definition, you associate the access grant with a user attribute. You also specify which user attribute values provide access to the access grant. - Next, you use
required_access_grants
to restrict an Explore to only those users who have access to every access grant listed.
This LookML requires that users have access to both the can_view_financial_data
and the view_payroll
access grants to see the payroll
Explore:
explore: payroll {
...
required_access_grants: [can_view_financial_data, view_payroll]
}
Users who don't have access to all of the access grants assigned to the Explore will not see the Explore at all. They are restricted from viewing any Looks or dashboard tiles based on the Explore and they will not see the Explore in the Explore menu.
For more information on how to define an access grant, see the access_grant
parameter documentation page.
Example
Expose the financial
Explore to only those users who have access to the accounting
access grant:
explore: financial {
...
required_access_grants: [accounting]
}
Additional considerations
Restricting access to an Explore does not restrict access to its underlying LookML structures. So an unrestricted join, view, or field that is part of other Explores will still be available if those Explores are unrestricted. Use the required_access_grants
parameter at the join, view, or field level to restrict those items individually.