Restrict schema access with embed token?

  • 20 September 2018
  • 1 reply

We are using Looker in our SaaS web application using private embeds and SSO. The web app has multiple customers, one schema per customer in Looker.

Our marketing team is excited about Looker and would like to make a private embed available on a marketing site. The goal is to allow potential customers to be able to run Explores using demo data.

Because the embed token doesn’t restrict access by schema, we don’t want to put that token on a marketing site for security reasons. If the site were compromised, the token might be exposed, giving access to customer schemas.

While we could create a local Looker user account with schema-limited access, we use SSO for Looker logins, and the login process isn’t very elegant when a local user has to log in to an SSO-enabled Looker instance.

One option is to build a custom application consisting of just an API that would create embed strings for the marketing site so that the embed key doesn’t need to be stored in the marketing site. We would limit access to just marketing’s demo schema in the application when the embed string was generated.

However, it would be another app to build and maintain so I’m wondering, has anyone accomplished anything similar to this just using Looker? Other ideas welcome as well.


1 reply

Hey Ezra!

Super cool idea to set that up as a marketing tool!

If I’m reading this right, by embed token you mean the embed secret you use to generate SSO URLs, correct? If so, you’re right that it grants unfettered instance-wide access, which is the reason it needs to be super duper locked down. It should never be stored anywhere in the code or the filesystem of the website, but rather stored in an environment variable or somewhere else secure, to minimize the risk of it being exposed. We’ve got plenty of customers doing similar things with robust security setups, so it’s definitely possible to achieve this goal while keeping your environment locked down.

That said, your API example is also a good idea, and if your setup is such that there’s no possibility of using SSO embed on a publicly available website, I would also go that route. Another possibility would be discussing with your Looker account team if it would be possible to set up a new instance to use for this scenario!
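
The embed-string API discussed in this thread, sketched as an added example that is not code from either poster or from Looker: a small signer that reads the embed secret from an environment variable and pins the models, permissions and user attributes server-side, so the marketing site can only request an allowlisted demo path. The model name, attribute name, allowlisted path and `LOOKER_EMBED_SECRET` variable are hypothetical, and the signing field order follows Looker's published SSO embed format, which should be checked against the current documentation.

```python
import base64, hashlib, hmac, json, os, secrets, time
from urllib.parse import quote_plus, urlencode

# Hypothetical values: pinned in this service, never taken from the request.
DEMO_MODELS = ["marketing_demo"]
DEMO_PERMISSIONS = ["access_data", "see_looks", "see_user_dashboards", "explore"]
DEMO_USER_ATTRIBUTES = {"customer_schema": "demo"}
ALLOWED_PATHS = {"/embed/explore/marketing_demo/orders"}
SESSION_SECONDS = 600


def build_demo_embed_url(host, target_path, visitor_id, secret=None, nonce=None, now=None):
    """Return a signed SSO embed URL scoped to the demo model only."""
    # The caller chooses only among allowlisted paths; everything else is fixed.
    if target_path not in ALLOWED_PATHS:
        raise ValueError("embed path is not on the demo allowlist")
    # The secret lives in this service's environment, not on the marketing site.
    secret = secret or os.environ["LOOKER_EMBED_SECRET"]
    embed_path = "/login/embed/" + quote_plus(target_path)
    params = {
        "nonce": json.dumps(nonce or secrets.token_hex(16)),
        "time": json.dumps(int(now if now is not None else time.time())),
        "session_length": json.dumps(SESSION_SECONDS),
        "external_user_id": json.dumps("demo-" + visitor_id),
        "permissions": json.dumps(DEMO_PERMISSIONS),
        "models": json.dumps(DEMO_MODELS),
        "group_ids": json.dumps([]),
        "external_group_id": json.dumps("marketing-demo"),
        "user_attributes": json.dumps(DEMO_USER_ATTRIBUTES),
        "access_filters": json.dumps({}),
    }
    # Signed string: host, embed path, then the parameters in the order above.
    to_sign = "\n".join([host, embed_path] + list(params.values()))
    digest = hmac.new(secret.encode(), to_sign.encode(), hashlib.sha1).digest()
    params["signature"] = base64.b64encode(digest).decode()
    # Not part of the signed string; forces a fresh session for each visitor.
    params["force_logout_login"] = json.dumps(True)
    return "https://" + host + embed_path + "?" + urlencode(params)
```

Only the finished URL is returned to the marketing site, so a compromise there exposes a short-lived demo session and not the secret.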