Back to Details

lookml-access-grants

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Instructions

操作说明

  1. Define Access Grant:
    • Defined at the Model level.
    • Links a 
      user_attribute
      to a set of 
      allowed_values
      .
  2. Apply Access Grant:
    • Use 
      required_access_grants: [grant_name]
      at the Explore, Join, View, or Field level.
    • User must match all listed grants to see the object.
  3. Best Practices:
    • Exact Match: 
      allowed_values
      must match the user attribute value distinctively (no wildcards/partial matches).
    • Additive: Grants are additive. If a View requires Grant A and a Field requires Grant B, the user needs both to see the field.
  1. 定义Access Grant:
    • Model级别定义。
    • user_attribute
      关联到一组
      allowed_values
  2. 应用Access Grant:
    • 在Explore、Join、View或Field级别使用
      required_access_grants: [grant_name]
    • 用户必须匹配所有列出的授权才能查看该对象。
  3. 最佳实践:
    • 精确匹配
      allowed_values
      必须与用户属性值完全匹配(不支持通配符/部分匹配)。
    • 累加性:授权是累加的。如果一个View需要授权A,而某个Field需要授权B,那么用户必须同时拥有这两个授权才能查看该字段。

Examples

示例

Basic Access Grant

基础Access Grant

lookml
undefined
lookml
undefined

In model file

In model file

access_grant: can_view_finance { user_attribute: department allowed_values: ["finance", "executive"] }
access_grant: can_view_finance { user_attribute: department allowed_values: ["finance", "executive"] }

In view file

In view file

view: finance_data { required_access_grants: [can_view_finance]

...

}
undefined
view: finance_data { required_access_grants: [can_view_finance]

...

}
undefined

Field-Level Security

字段级安全控制

lookml
dimension: salary {
  type: number
  sql: ${TABLE}.salary ;;
  required_access_grants: [can_view_finance]
}
lookml
dimension: salary {
  type: number
  sql: ${TABLE}.salary ;;
  required_access_grants: [can_view_finance]
}