Effectively managing content access in a large Looker deployment is a critical step for protecting your data and your customers' data. Occasionally, it may make the most sense to automate this process with Looker's API. This is especially true for an embedded Looker deployment.
This article will walk through a sequence of API calls that enable you to add or edit content access permissions for both groups and users. We will be leveraging Looker's interactive API docs, which can typically be accessed by the following URL (replacing <instance_name.looker.com> with the URL of your Looker instance):
https://<instance_name.looker.com>:19999/api-docs/index.html. If the default URL doesn't respond, check with your Looker administrator for the correct URL for your Looker installation.
You will need an API key and secret to log in and access the Looker API. Please reference the Users documentation for details about generating and using API credentials.
What's Covered in This Article
- Checking content access for a given folder
- Modifying existing content access permissions for a given folder via the API
- Adding content access permissions to a given folder via the API
Checking Content Access for a Given Folder via the API
Folder permissions can be found and updated via the
content endpoints. Each
folder_id has a corresponding
content_metadata_id. First, we will need to determine a folder's
content_metadata_id, for use in API calls that modify folder permissions.
We have a folder ID number 115. Using the Get Folder endpoint, we can find what that folder's content metadata ID is.
From the response, we can see that folder 115's content metadata ID is 24. Now that we have the content metadata ID, we can modify the access to this folder.
Modifying Existing Content Access Permissions for a Given Folder via the API
If you want to modify existing access to this folder, you will want to use the Get All Content Metadata Access endpoint to get existing permissions.
Note: To only get the access for this specific folder, you'll want to define the content access ID in the call, since this endpoint returns all content access by default.
From the response, we can see that Group ID 32 has View access to this folder (although the response doesn't show this, admins also always have Edit access to each folder).
If we want to modify this so Group ID 32 has edit access to this folder instead, we will use the Update Content Metadata Access endpoint. Grabbing the ID from the previous response, our body for the update endpoint will look something like:
And you are done! Group ID 32 now has edit permissions for that folder.
Adding Content Access Permissions to a Given Folder via the API
Now, we want to grant an individual user view access to folder ID 115.
The first thing we will need is that user's ID. Once we have this, we can use the Create Content Metadata Access endpoint to create a new content metadata access ID for that folder.
All you need for this endpoint is the content metadata ID for the folder, the user or group ID, and the permission type:
And that's it! User ID 323 now has view access to Folder 115.
One Thing to Note
If the folder inherits content access permissions from a parent folder, that folder will return an empty response for the content metadata access endpoint.