Effectively managing content access in a large Looker deployment is a critical step for protecting you and your customers' data. Occasionally, it may make the most sense to automate this process with Looker's API. This is especially true for an embedded Looker deployment.
This article will walk you through a sequence of API calls that enable you to add or edit content access permissions for both groups and users.
What's Covered in This Article:
- Checking content access for a given space
- Modifying existing content access permissions for a given space via the API
- Adding content access permissions to a given space via the API
Checking Content Access for a Given Space via the API
Space permissions can be found/defined via the content access endpoints. Each Space ID belongs to content access ID.
We have a space ID number 115. Using the Get Space endpoint, we can find what that space's content metadata ID is.
From the response, we can see that space 115's content metadata ID is 24. Now that we have the content metadata ID, we can modify the access to this space.
Modifying Existing Content Access Permissions for a Given Space via the API
If you want to modify existing access to this space, you will want to use the Get All Content Metadata Access endpoint to get existing permissions.
Note: To only get the access for this specific space, you'll want to define the content access ID in the call, since this endpoint returns all content access by default.
From the response, we can see that Group ID 32 has view access to this space (although the response doesn't show this, admins also always have Edit access to each space).
If we want to modify this so Group ID 32 has edit access to this space instead, we will use the Update Content Metadata Access endpoint. Grabbing the ID from the previous response, our body for the update endpoint will look something like:
And you are done! Group ID 32 now has edit permissions for that space.
Adding Content Access Permissions to a Given Space via the API
Now, we want to grant an individual user view access to Space ID 115.
The first thing we will need is that user's ID. Once we have this, we can use the Create Content Metadata Access endpoint to create a new content metadata access ID for that space.
All you need for this endpoint is the content metadata ID for the space, the user or group ID, and the permission type:
And that's it! User ID 323 now has view access to Space 115.
One Thing to Note
If the space inherits content access permissions from a parent space, that space will return an empty response for the content metadata access endpoint.