This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Limiting SQL Runner Permissions

on ‎05-10-2022 10:18 AM

fabio1
Staff
0 0 2,640
Tutorial

Looker will not be updating this content, nor guarantees that everything is up-to-date. 

Organizations often want to grant users access to run their own ad-hoc queries with Looker's SQL Runner tool, but sometimes with more limited access. Perhaps a user should only be able to query one specific connection in SQL Runner, or only have access to a few connections. With a combination of Looker roles and database-level permissions, you can make user SQL Runner access as specific as needed.

Implementation

In this example, we are creating a user with limited SQL Runner permissions to restrict them to one specific connection.

Note: This approach will not be applicable for users that have an admin role, or users that otherwise have been granted the manage_models permission.

  1. Database permissions: Outside of Looker, set up the more limited user (or users) and permissions on your database.
  2. Create a "limited" connection in Looker: From the Connections page in the Admin panel, add a new connection specifically for the restricted database user. Alternatively, you can leverage parameterized connections on an already existing connection to make the connection specific to the user running a query.
     
    c8a58050-f158-4a99-88cd-b827854c7fdd.png
  3. Create a "limited" LookML model: Because the end goal of creating limited SQL Runner permissions is essentially unrelated to any actual LookML modeling, it is cleanest to create a separate project and model specifically for the limited connection. This model will help us create the appropriate model set and permission set in later steps:
     
    • From the Develop menu, select Manage LookML Projects > New LookML Project:
       
      9ee63349-3154-4ddb-8f71-55f3c9043385.png
    • Next, from the Develop drop-down menu, select Manage LookML Projects > Configure New Model:
       
      51ef1a96-9602-4d8c-9dd7-4c7a4a9f0d2e.png
    • Finally, add LookML to the model file for the model to be available for configuring permissions:
       
      ff05f267-077e-4b03-b5c3-2f9428e3793e.png
  4. Now, we will create and assign a limited Model Set and Permission Set to complete the process.
     
    • To create a limited_connection model set, navigate to the new model set page in the Admin panel: From the Admin drop-down menu, select Admin > Roles > New Model Set (or navigate to the page by appending /admin/model_sets/new to your instance URL):
       
      951bdfb4-efae-45b8-a0a2-4f9ed08b7cd1.png
    • Create a sql_runner permission set: From the Admin drop-down menu, select Admin > Roles > New Permission Set (or navigate to the page by appending/admin/permission_sets/new to your instance URL):
       
      a66cafb4-1207-4a09-be09-c5af4d97c8bc.png
    • Create a limited_model_x_sql_runner role: From the Admin drop-down menu, select Admin > Roles > New Role (or navigate to the page by appending/admin/roles/new to your instance URL):
       
      7eae6cf7-28b2-4922-be0a-0dcc8463e118.png
    • Assign the role to users. Typically, we highly recommend assigning roles to groups for easier management. In this example, however, we will grant the role directly to a user:
       
      88517a9c-15d0-4917-9362-419884643413.png


Now this user is able to explore the full connection:

c5f25f0e-ba98-469b-948d-7804e76dcb29.png

But, can only query the limited-connection in SQL Runner:

7c7862e9-da4f-4c40-8fe3-b549a638f2ea.png
0 Likes
Version history
Last update:
‎05-10-2022 10:18 AM
Updated by: