Question

Prevent users from changing dashboard filters

  • 6 March 2018
  • 1 reply
  • 180 views

Hi,


I’m using dashboard private embedding with SSO. The dashboard has one filter let’s call it p_id. Once user visits my site I generate singed embed URL with a specific p_id. This works fine. However, it turns out that later user can change p_id in the URL and get the results from Looker (undesired, this should be restricted). Is there any way to prevent this?


Thanks.


The embed URL looks like this:

https://my.looker.instance.com/login/embed/%2Fembed%2Fdashboards%2F25%3Fp_id%3Ddsn5x5j1hm8938h6?nonce="bNUzoojT8D6fa9eL"&time=1520350106&session_length=86400&external_user_id="user-777"&permissions=["see_user_dashboards"%2C"see_lookml_dashboards"%2C"access_data"%2C"see_looks"]&models=["my_model"]&access_filters={}&first_name="First"&last_name="Last"&group_ids=[6]&external_group_id=""&user_attributes={}&force_logout_login=true&signature=FrdEGRi5uOJJaLAUwTKLM3ajOKc%3D


1 reply

Hello @Andrii_Zavada . Looker Support here! With your example it can help to have more details as to how users are changing the URL. Please visit help.looker.com with more information and we will be happy to review.


Typically, even if a User does have access to the URL and does edit the URL, doing so should invalidate that URL since the that will not match the signature encoded in the URL during the SSO URL creation process. We look forward to hearing more about your example and investigating further.

Reply