Hello Looker Team
I am confused between user roles vs content access. Why they both are different? For example:
part 1: - If I have created a role:-
marketing role = marketing models + developer permissions
This role means that a user can only create looks, dashboards, see data from marketing models and play with it, (eg: access data, create, see lookml dashboards etc). I assigned that role to ‘marketing’ user group
Part 2: There is content folder called ‘marketing’ which stores all the marketing content (eg: looks, dashboard), and on that folder I only give ‘view’ access to marketing user group.
Part 1 and part 2 contradicts each other. On one side I am telling users to access marketing models and create content and on the other side I am telling the same users just to ‘view’ content in ‘marketing’ folder
Can someone please clarify this confusion
Thanks a lot!
Best answer by Maddie
Ok, let’s stick to your example of the Marketing team.
There are a lot of cases where you would want to customise content access independent of data access, for example:
(1) In a lot of companies, the creators of dashboards are not also the consumers of these dashboards. Therefore they would want to only allow the Marketing team to only view the content in the Marketing folder and not accidentally delete a dashboard, move a tile etc; or save new content in this folder which is not relevant to all users.
(2) There are dashboards which are currently being developed by the analysts in the Marketing team which are still work in progress and not yet ready to be shared with the wider Marketing team, therefore they would keep them in a (hidden-to-the-world) Marketing Dev folder before moving them to the Marketing Prod folder.
(3) Sometimes content of a dashboard can come from multiple models, for example senior management reporting where data access restrictions are not required. In this case you would want them to only see one folder rather than every shared folder in the company.
It does make sense for access to be managed at these levels, especially because a lot of the times there is no requirement for data access to be segregated based on teams.
Hope this helps!