Please check out the original documentation for most up-to-date information.
access_filter lets you apply user-specific data restrictions. Unlike most LookML parameters, it needs to be used in conjunction with other settings in Looker in order to work properly. An access_filter parameter is specific to a single Explore, so you need to make sure you apply an access_filter parameter to each Explore that needs a restriction.
The behavior of access_filter would be similar to you sitting with a user and requiring them to apply one or more filters in the Explore UI before they run any query. For example, the user might only deal with a subset of your customers, so you would require that user to apply a customer name filter.
There are several steps you should take in order to implement an access filter:
- Decide what field or fields need to have a restriction. In the example above, your users might have a Customer Explore with a dimension called Name. The way that field would be referenced is customer.name.
- Every user who will interact with the Explore in question needs a value for the access filter. In our example, every user will need the list of customer names they are allowed to see. You apply these values to each user or user group by utilizing Looker’s user attributes feature, which you can read about on the User attributes documentation page. Let’s suppose we create an allowed_customers user attribute.
- Finally, connect the user attribute you created with the field that should use its value as a filter. In our example, we’ll want to connect the allowed_customers user attribute with the customer.name field, like this:
explore: customer {
access_filter: {
field: customer.name
user_attribute: allowed_customers
}
}
Warning: Please do not forget to add access_filter to every Explore that needs it. If you forget to add access_filter to an Explore that should have it, the data will not be restricted and users will be able to see all the data in that Explore.
The access_filter documentation page details the followings:
- access_filter requires fully scoped field names
- Even admins must have filter values set in the UI