Admin settings - Roles

Roles,permission sets, andmodel sets are used together to manage whatusers can do and what they can see. TheRoles page in theUsers section of theAdmin panel lets you view, configure, and assign roles, permission sets, and model sets.

You can search for specific roles, permission sets, and model sets by entering a search term into the search box in the upper right and pressingEnter.

Note: If you have a permission that provides access to only select pages in the Admin panel, such as manage_schedules,manage_themes, orsee_admin, but you don't have theAdmin role, the page or pages that are described here may not be visible to you in the Admin panel.

Definitions

Arole defines the privileges that auser orgroup will have for a specific set ofmodels in Looker. You create a role by combining one permission set with one model set.
Apermission set defines what auser orgroup can do. You select a combination of permissions that you want to assign to a user or group. It must be used as part of a role to have any effect.
Amodel set defines what data and LookML fields auser orgroup can see. You select a combination of LookML models to which a user or group should have access. It must be used as part of a role to have any effect.

Managing roles

A role is a combination of one permission set and one model set. It's a common convention to name roles after types of people or groups of people in your organization — administrator, Looker developer, Finance team — although you can certainly follow your own naming conventions.

A user can have more than one role in Looker. This can be useful when you have users who play multiple roles in your company or when you want to create complex systems of access to your models.

Note:

Adding users to multiple roles can have important implications for how the users'permissions are applied. For example, if a user has themanage_models permission (an instance-wide permission) in only one of their roles, they will be able to manage any model. In contrast, if a user has theaccess_data permission (a model-specific permission) in only one of their roles, that user can access only the models that are specified in that role.

Multiple roles can also cause unexpected effects on dashboards. SeeManaging business user features for information about dashboards and multiple roles.

Creating, editing, and deleting roles

To create a role, follow these steps:

Click theNew Role button at the top of theRoles page.
Looker displays theNew Role page, where you can configure the following settings:
- Name: Enter a name for the role.
- Permission Set: Choose a permission set to associate with the role.
- Model Set: Choose a model set to associate with the role.
- Groups: Optionally, choose one or moregroups to assign the role to.
- Users: Optionally, choose one or moreusers to assign the role to.
Once you've configured the role as intended, click theNew Role button at the bottom of the page.

After a role has been created, you can edit it by clicking theEdit button to the right of the role on theRoles page. ClickingEdit takes you to theEdit Role page for that role, where you can edit the name, the permission set, the model set, and the groups or users who are assigned to the role.

To delete a role, click theDelete button to the right of the role on theRoles page.

Default roles

For new instances, Looker creates the following default roles, each of which includes adefault permission set of the same name:

The default roles in the following sections have conditions for use.

Admin via IAM

TheAdmin via IAM role is available only inLooker (Google Cloud core), and it can be managed only through the Google Cloud console. For more information, see theAuthentication and authorization with OAuth and IAM andAdmin Looker role versus the Admin via IAM Looker role documentation.

TheAdmin via IAM role uses theAdmin permission set.

Tip: If a user's OAuth refresh token is expired, that user will no longer have theAdmin via IAM role within the Looker (Google Cloud core) instance. To refresh the token, ask the user to sign in again with OAuth.

Looker CI Users

TheLooker CI Users role is created automatically for Looker instances that have been enabled for Continuous Integration. TheLooker CI Users role is applied to the Looker CI service accounts that can be viewed in theService Accounts tab of theUsers Admin page. Looker uses these CI service accounts to performCI runs on the instance.

TheLooker CI Users role has the following permissions that are required to perform CI runs:

deploy: required for setting up the GitHub webhooks that are required for CI runs
see_ci: required to view the results of CI runs, view the CISuites page, and run CI suites
manage_ci: required to create CI suites, manage CI users, and configure the Git connection with Continuous Integration

Gemini

TheGemini role cannot be renamed or deleted and contains only thegemini_in_looker permission in its permission set. By default, this role's permission set applies to all models on the Looker instance. To restrict users to accessing Gemini in Looker features with specific models, remove those user accounts from theGemini role and create a new role that applies thegemini_in_looker permission on selected models. Make sure to remove those users from theGemini Default Users group.

Thegemini_in_looker permission that is included in this role enables users to perform the following tasks in the Looker instance with Gemini assistance:

Write LookML — when they also have a Looker role that contains thedevelop permission for at least one model in a LookML project.
Create custom Looker visualizations — when they also have a Looker role that contains thecan_override_vis_config permission.
Query Looker Explore data in Looker Studio withConversational Analytics, even if the user hasn't been assignedexplore permissions in Looker, when they also have a Looker role that contains theaccess_data permission.

Additional permissions are required to use Conversational Analytics in Looker, which can be granted with either theConversational Analytics Agent Manager orConversational Analytics User role.

For more information about Gemini in Looker features, see theGemini in Looker overview.

Conversational Analytics Agent Manager

TheConversational Analytics Agent Manager role consists of theConversational Analytics Agent Manager permission set for all models that are on the Looker instance. Users with this role can create, edit, share, and delete Conversational Analytics data agents that use Looker Explores.

Note: When a user creates a data agent, they're granted Manage Access, Edit content access automatically; however, they must be granted this access for the data agent if they want to edit, share, or delete a data agent that was created by another user.

Conversational Analytics User

TheConversational Analytics User role consists of theConversational Analytics User permission set for all models on the Looker instance. Users with this role can chat with any Conversational Analytics data agent in Looker, as long as they have been grantedView access to the data agent.

Support Advanced Editor and Support Basic Editor

These roles won't appear on a Looker (original) instance if a Looker admin has disabled theTiered Support Access Labs feature. These roles won't appear on a Looker (Google Cloud core) instance if the instance usesprivate connections (private services access or Private Service Connect) networking orhybrid connections networking.

TheSupport Advanced Editor andSupport Basic Editor roles cannot be edited, deleted, or assigned to users other thansupport access users.

Assigning default roles to a user

To update an individual user's settings to assign a default role, follow these steps:

Navigate to theUsers page in theUsers section of theAdmin panel.
Select the user or group whose permissions you want to change.
From theRoles drop-down menu, select the role name.
SelectSave to retain these settings.

Permission sets

A permission set defines what auser orgroup can do. Admins can use Looker'sdefault permission sets orcreate original permission sets, keeping in mind permissiondependencies.

All the available permissions, and their types, are discussed in more detail in thepermissions list.

Default permission sets

For new installations, Looker includes several default permission sets that you can start with:

Permission Set	Included Permissions
Admin	All permissions
Developer	`access_data`,`can_create_forecast`,`clear_cache_refresh`,`create_custom_fields`,`create_table_calculations`,`deploy`,`develop`,`download_without_limit`,`explore`,`manage_spaces`,`mobile_app_access`,`save_content`,`save_dashboards`,`save_looks`,`schedule_look_emails`,`see_drill_overlay`,`see_lookml`,`see_lookml_dashboards`,`see_looks`,`see_pdts`,`see_sql`,`see_user_dashboards`,`send_to_integration`,`schedule_without_limit`,`use_sql_runner` NOTE: The`see_pdts` permission is included in theDeveloper default permission only for Looker installations that were created with Looker 21.18 or later. To verify whether the`see_pdts` permission is included in theDeveloper permission set on your instance, go to theRoles page in theAdmin panel in the Looker UI.
Gemini	`gemini_in_looker`
Conversational Analytics Agent Manager	`access_data`,`gemini_in_looker`,`chat_with_agent`,`chat_with_explore`,`save_agents`
Conversational Analytics User	`access_data`,`gemini_in_looker`,`chat_with_agent`
Customer Engineer Advanced Editor	`access_data`,`can_create_forecast`,`can_override_vis_config`,`chat_with_agent`,`chat_with_explore`,`clear_cache_refresh`,`create_custom_fields`,`create_table_calculations`,`deploy`,`develop`,`explore`,`follow_alerts`,`gemini_in_looker`,`manage_embed_settings`,`manage_models`,`manage_privatelabel`,`manage_project_connections`,`manage_project_connections_restricted`,`manage_project_models`,`manage_themes`,`save_agents`,`save_content`,`save_dashboards`,`save_looks`,`see_admin`,`see_alerts`,`see_datagroups`,`see_drill_overlay`,`see_logs`,`see_lookml`,`see_lookml_dashboards`,`see_looks`,`see_pdts`,`see_queries`,`see_schedules`,`see_sql`,`see_system_activity`,`see_user_dashboards`,`see_users`,`update_datagroups`,`use_global_connections` NOTE: TheCustomer Engineer Advanced Editor permission set is available only when theTiered Support Access Labs feature is enabled. TheCustomer Engineer Advanced Editor permission set can't be edited or deleted.
Support Advanced Editor	`access_data`,`clear_cache_refresh`,`create_custom_fields`,`create_table_calculations`,`develop`,`explore`,`follow_alerts`,`manage_embed_settings`,`manage_models`,`manage_privatelabel`,`manage_project_connections`,`manage_project_connections_restricted`,`manage_project_models`,`manage_themes`,`see_admin`,`see_alerts`,`see_datagroups`,`see_drill_overlay`,`see_logs`,`see_lookml`,`see_lookml_dashboards`,`see_looks`,`see_pdts`,`see_queries`,`see_schedules`,`see_sql`,`see_system_activity`,`see_user_dashboards`,`see_users`,`update_datagroups`,`use_global_connections` NOTE: TheSupport Advanced Editor permission set is available only when theTiered Support Access Labs feature is enabled. TheSupport Advanced Editor permission set can't be edited or deleted.
Support Basic Editor	`access_data`,`clear_cache_refresh`,`create_custom_fields`,`create_table_calculations`,`explore`,`follow_alerts`,`manage_privatelabel`,`manage_themes`,`see_admin`,`see_alerts`,`see_drill_overlay`,`see_logs`,`see_lookml`,`see_lookml_dashboards`,`see_looks`,`see_pdts`,`see_schedules`,`see_sql`,`see_datagroups`,`see_system_activity`,`see_user_dashboards`,`see_users` NOTE: TheSupport Basic Editor permission set is available only when theTiered Support Access Labs feature is enabled. TheSupport Basic Editor permission set can't be edited or deleted.
LookML dashboard user	`access_data`,`clear_cache_refresh`,`mobile_app_access`,`see_lookml_dashboards`
User	`access_data`,`can_create_forecast`,`clear_cache_refresh`,`create_custom_fields`,`create_table_calculations`,`download_without_limit`,`explore`,`manage_spaces`,`mobile_app_access`,`save_content`,`save_dashboards`,`save_looks`,`schedule_look_emails`,`see_drill_overlay`,`see_lookml`,`see_lookml_dashboards`,`see_looks`,`see_sql`,`see_user_dashboards`,`send_to_integration`,`schedule_without_limit`
User who can't view LookML	`access_data`,`can_create_forecast`,`clear_cache_refresh`,`create_custom_fields`,`create_table_calculations`,`download_without_limit`,`explore`,`manage_spaces`,`mobile_app_access`,`save_content`,`save_dashboards`,`save_looks`,`schedule_look_emails`,`see_lookml_dashboards`,`see_looks`,`see_user_dashboards`,`send_to_integration`,`schedule_without_limit`
Viewer	`access_data`,`clear_cache_refresh`,`download_without_limit`,`mobile_app_access,schedule_look_emails`,`see_drill_overlay`,`see_lookml_dashboards`,`see_looks`,`see_user_dashboards`,`schedule_without_limit`

You'll see these permission sets appear as options when you create a new role. If you select one of these permission sets, Looker will display the list of permissions that it includes.

Note: The Admin permission set cannot be edited or deleted, and it cannot be assigned to a role. It is assignedonly to the Admin role, which also cannot be edited or deleted. The only way to grant the Admin permission set to a user orgroup is to add the Admin role to that user or group.

Creating permission sets

To create a permission set, click theNew Permission Set button at the top of theRoles page. Looker will display a page where you can enter a name for the permission set and select the permissions that it should include. Once you've configured the set as needed, click theNew Permission Set button at the bottom of the page.

After a permission set has been created, you can edit or delete it by clicking theEdit orDelete buttons to the right of the permission set on theRoles page.

Permissions and dependencies

Some permissions depend on others to work properly. For example, it makes sense that someone who wants to develop in LookML must first be able to see LookML.

When you create a permission set, you'll see the available permissions in an indented list. If a privilege is indented under another (parent) privilege, you must select the parent privilege first. The permission list may look like this:

☑️ access_data  ☑️ see_lookml_dashboards  ☑️ see_looks    ☑️ see_user_dashboards

In this example, Looker uses indentation to indicate the following:

Theaccess_data privilege can be selected at any time.
Thesee_lookml_dashboards andsee_looks privileges require theaccess_data privilege to be selected first.
Thesee_user_dashboards privilege depends on thesee_looks privilege, which in turn depends onaccess_data privilege.

You cannot select a child privilege without first selecting its parent.

Permissions and Looker licenses

Looker licenses classify users into three types:

Developer (Admin)
Standard (Creator)
Viewer

The permissions granted to a user determine how that user is classified under the Looker license:

A user is classified as a Developer (Admin) user if they have the Admindefault role, or at least one of the following permissions:
A user is classified as a Standard (Creator) user if they have none of the Developer (Admin) permissions but do have at least one of the following permissions:
A user is classified as a Viewer if they have theaccess_data permission, but none of the Developer (Admin) permissions and none of the Standard (Creator) permissions.

Permissions list

Permissions can be classified as one of three types:

Model Specific: This type of permission is applied only to themodel sets that are part of the same role. This permission is applied to individual models or model sets, rather than across the entire Looker instance.
Connection Specific: This type of permission is applied at theconnection level. A user with this type of permission will see content on pages in theAdmin panel that uses a connection associated with a model to which they have data access, even if that connection is used with another model to which they do not have data access.
Instance Wide: This type of permission applies to the Looker instance as a whole and has three types:
- NN =No content access, No menu access: These permissions allow users to perform certain functions across the entire Looker instance, but do not allow users to access content based on models not included in their role's model set.
- CN =Content access, No menu access: These permissions allow users to access content and query information across the entire Looker instance — even for content and queries based on models not included in their role's model set.
- CM =Content access, Menu access: These permissions may expose parts of theAdmin menu to non-admin users and allow users to see information about content and queries based on models not included in their role's model set.

The following list describes all the permissions that are available in Looker, in the order in which they appear on theNew Permission Set page in theAdmin section:

Permission	Depends On	Type	Definition
`access_data`	None	Model Specific	Users can access data from Looker, but only the data that admins specify. This permission is necessary for almost all Looker functions. A user with this permission, if given access to any model in a given project, can access any file in theData section of that project (such as a JSON custom map file). Looker Studio users with this permission can view Looker data on Looker Studio reports that use the Looker connector.
`see_lookml_dashboards`	`access_data`	Model Specific	Users can see the LookML`Dashboards` folder, which includes all LookML dashboards. Users must have`explore` permission for any relevant models to explore those dashboards. Users who also have the`develop` permission cancreate LookML dashboards.
`see_looks`	`access_data`	Model Specific	Users can see saved Looks (but not dashboards) within folders. Users must have`explore` permission for any relevant models to explore those Looks. Users will also need theView content access level to see Looks in folders.
`see_user_dashboards`	`see_looks`	Model Specific	Users canview user-defined dashboards in folders but must have`explore` permission for any relevant models to explore those dashboards. Users also needView content access to see dashboards in folders. Users who also have both the`save_dashboards` permission and theManage Access, Edit content access to a folder cancreate user-defined dashboards in that folder.
`explore`	`see_looks`	Model Specific	Users can access and usethe Explore page to generate Looks and dashboards. Without this permission, users can view saved dashboards only (if`see_lookml_dashboards` or`see_user_dashboards` has been granted). Looker Studio users with this permission can create a data source in Looker Studio based on a Looker Explore. They can also view and edit that data source's configuration in Looker Studio.
`create_table_calculations`	`explore`	Instance WideNN	Users can view, edit, or addtable calculations
`create_custom_fields`	`explore`	Instance WideNN	Users can view, edit, or addcustom fields; users who have only the`explore` permission can only view custom fields.
`can_create_forecast`	`explore`	Instance WideNN	Users can create and editforecasts in visualizations; users who don't have this permission can only view existing forecasts in the content to which they have access.
`can_override_vis_config`	`explore`	Instance WideNN	Users can access theChart Config Editor, which lets them modify theHighchart API JSON values of a visualization and customize the visualization appearance and format.
`save_content`	`see_looks`	Instance WideNN	This permission is a parent permission of`save_dashboards`,`save_looks`, and`create_public_looks`. This permission must be granted with either`save_dashboards` or`save_looks`.
`save_dashboards`	`save_content`	Instance WideNN	Users can save and edit dashboards. Users must have`explore` permission for any relevant models to explore from those dashboards. Users must have`download_with_limit` and/or`download_without_limit` permissions to download the content.
`save_looks`	`save_content`	Instance WideNN	Users can save and edit Looks. Users must have`explore` permission for any relevant models to explore from those Looks. Users must have`download_with_limit` and/or`download_without_limit` permissions to download the content.
`create_public_looks`	`save_looks`	Model Specific	Users canmark a saved Look as public, which will then generate URLs that grant access to that Look without authentication.
`download_with_limit`	`see_looks`	Model Specific	This permission applies to Looks and dashboards in Looker and to reports in Looker Studio that use the Looker connector. Users candownload data but must specify a row limit of 5,000 or fewer to avoid memory problems from large downloads. Looker Studio Pro users with this permission can download Looker Studio reports that use the Looker connector.
`download_without_limit`	`see_looks`	Model Specific	This permission applies to Looks and dashboards in Looker and to reports in Looker Studio that use the Looker connector. The same as`download_with_limit`, but does not require the user to specify a row limit. Downloading all results for some types of queries may require substantial memory, potentially causing performance issues or even crashing the Looker instance. Looker Studio Pro users with this permission can download Looker Studio reports that use the Looker connector.
`schedule_look_emails`	`see_looks`	Model Specific	This permission applies to Looks and dashboards in Looker and to reports in Looker Studio that use the Looker connector. Users canschedule for delivery any Looks, dashboards, and queries with visualizations to which they havedata access to email. Users can schedule delivery to occur after adatagroup has been triggered, has managed the cache, and has rebuilt relevant PDTs. To send or scheduleSystem Activity dashboards, users must have access to all models. Users who are also assigned the`create_alerts` permission can send emailalert notifications. Looker admins can control the email domains that Looker users and embed users can send email deliveries to with theEmail domain allowlist on theSettings page of theAdmin panel. Users who are also assigned the`schedule_without_limit` permission can selectAll Results when delivering Looks or Explores, which delivers all rows of data from the query results. Without the`schedule_without_limit` permission, user's deliveries of Look or Explore data are subject to the row limits of 5,000 rows. Looker Studio Pro users with this permission can schedule deliveries of Looker Studio reports that use the Looker connector.
`schedule_external_look_emails`	`schedule_look_emails`	Model Specific	Users candeliver any Looks, dashboards, and queries with visualizations to which they havedata access to email. Users can schedule delivery to occur after adatagroup has been triggered, has managed the cache, and has rebuilt relevant PDTs. To send or scheduleSystem Activity dashboards, users must have access to all models. Users who also have`create_alerts` permissions can send emailalert notifications. Users can email content deliveries or alert notifications to email addresses with any domain, regardless of whether theEmail domain allowlist on theSettings page of theAdmin panel contains any email domains.
`create_alerts`	`see_looks`	Instance WideNN	This permission applies to dashboards in Looker and to charts in Looker Studio that use the Looker connector. From the dashboard tile, users cancreate,duplicate, and delete their own alerts; and can see and duplicate alerts that are markedPublic by other users. The user must be signed in to Slack to see dashboard tile alerts that send Slack notifications. Users can view, edit, disable, and enable alerts that they own on theManage Alerts user page. Users must have the`schedule_look_emails` or the`schedule_external_look_emails` permission to send email alert notifications. Looker Studio Pro users with this permission can create, duplicate, and delete alerts on Looker Studio reports that use the Looker connector.
`follow_alerts`	`see_looks`	Instance WideNN	Users can view andfollow alerts. View the alerts that they have followed or for which they are listed as a recipient from theManage Alerts user page.
`send_to_s3`	`see_looks`	Model Specific	Users candeliver any Looks, dashboards, and queries with visualizations to which they havedata access to an Amazon S3 bucket. Users can schedule delivery to occur after adatagroup has been triggered, has managed the cache, and has rebuilt relevant PDTs. This permission is applied to individual models or model sets, rather than across the entire Looker instance.
`send_to_sftp`	`see_looks`	Model Specific	Users candeliver any Looks, dashboards, and queries with visualizations to which they havedata access to an SFTP server. Users can schedule delivery to occur after adatagroup has been triggered, has managed the cache, and has rebuilt relevant PDTs. This permission is applied to individual models or model sets, rather than across the entire Looker instance.
`send_outgoing_webhook`	`see_looks`	Model Specific	Users candeliver any Looks, dashboards, and queries with visualizations to which they havedata access to a webhook. Users can schedule delivery to occur after adatagroup has been triggered, has managed the cache, and has rebuilt relevant PDTs. This permission is applied to individual models or model sets, rather than across the entire Looker instance.
`send_to_integration`	`see_looks`	Model Specific	Users candeliver any Looks, dashboards, and queries with visualizations to which they havedata access to thethird-party services integrated with Looker using the Looker Action Hub. If usingcustom actions withuser attributes, users must have this permissionand have a non-null and valid user attribute value for the specified user attribute to deliver Looker content to that action destination. This permission is not related todata actions. Users can schedule delivery to occur after adatagroup has been triggered, has managed the cache, and has rebuilt relevant PDTs. This permission is applied to individual models or model sets, rather than across the entire Looker instance.
`schedule_without_limit`	`see_looks`	Model Specific	Added 26.2 When combined with at least one other permission that allows a user to deliver Looker content, this permission allows users todeliver Looks or Explores that send all data rows. This permission makes visible theAll Results option in the Looker Scheduler for Looks and Explores.
`see_sql`	`see_looks`	Model Specific	Users can access theSQL tab while exploring and on any SQL errors that are caused by their queries.
`see_lookml`	`see_looks`	Model Specific	Users have read-only access to LookML. Users must have this permission to see theGo to LookML link in theAdmin panel. If you want a user to be able to edit LookML, you must also grant them the`develop` permission. NOTE: This permission interacts with model sets in a potentially unexpected way. If you assign the`see_lookml` permission to a user, and you've allowed that user to seeany model that is a part of a project, they will be able to see the LookML forall models in that project. However, they will still not be able toquery models that you have not allowed.
`develop`	`see_looks`	Model Specific	Users can make local changes to LookML but won't let them make those changes available to everyone unless they also have the`deploy` permission. This permission is required to see theGet support option in theHelp menu, and to seemetadata in the Looker IDE. Users also need this permission to access theRebuild Derived Tables & Run option in the Explore gear menu. This is not model-specific, so if a user has this permission in one model, they will have access toRebuild Derived Tables & Run in all models. NOTE: This permission interacts with model sets in a potentially unexpected way. If you assign the`develop` permission to a user, and you've allowed that user to seeany model that is a part of a project, they will be able to develop the LookML forall models in that project. However, they will still not be able toquery models that you have not allowed.
`deploy`	`develop`	Instance WideNN	Users can push their local LookML changes to production so that those changes become available to everyone.
`support_access_toggle`	`develop`	Instance WideNN	Users canenable or disable access by Looker analysts to your Looker instance.
`manage_project_models`	`develop`	Model Specific	Users can add, edit, or delete model configurations for allowed models on theEdit Model Configuration page. When configuring a model, users can use only project-scoped connections. NOTE: This permission interacts with model sets in a potentially unexpected way. If you create a role with the`manage_project_models` permission, the role will grant access to all models that share a project with any of the models in the role's model sets.
`use_global_connections`	`manage_project_models`	Model Specific	Users can configure allowed models with any project-scoped connection or any instance-wide connection.
`manage_project_connections_restricted`	`develop`	Model SpecificCM	Users can see theConnections page in theAdmin menu. They can see, edit, and create project-scoped connections for any projects in the model set. However, they can edit only the following connection settings: All settings in theGeneral settings section All settings in theSSH Server section All settings in theTime Zone section TheAdditional JDBC Parameters,SSL,Verify SSL, andUse TNS settings in theAdditional Settings section Users cannot edit any other settings in theAdditional Settings section. They also cannot edit any settings in thePersistent Derived Tables (PDTs) section. NOTE: This permission interacts with model sets in a potentially unexpected way. If you assign the`manage_project_connections_restricted` permission to a user, the user will be able to see, edit, and create project-scoped connections for any projects included in the model set.
`manage_project_connections`	`manage_project_connections_restricted`	Model SpecificCM	Users can see theConnections page in theAdmin menu. They can see, edit, and create project-scoped connections for any projects included in the model set. NOTE: This permission interacts with model sets in a potentially unexpected way. If you assign the`manage_project_connections_restricted` permission to a user, the user will be able to see, edit, and create project-scoped connections for any projects included in the model set.
`see_ci`	`develop`	Instance WideNN	Added 25.6Users can view the results ofContinuous Integration runs, view the Continuous IntegrationSuites page, and run test suites.
`manage_ci`	`see_ci`	Instance WideNN	Added 25.6Users can createContinuous Integration suites, manage Continuous Integration users, and configure the git connection with Continuous Integration. Only an admin can enable the Continuous Integration feature for a Looker instance.
`use_sql_runner`	`see_lookml`	Model Specific	Users can useSQL Runner to run raw SQL against their allowed connections. Users will also be able to download results using theDownload option in the SQL Runner gear menu, regardless of whether the user has the`download_with_limit` or`download_without_limit` permissions.
`certify_content`	`access_data`	Model Specific	Added 25.20Users cancertify dashboards, Looks, and self-service Explores. This permission is available only if theAccess Content Certification Labs feature has been enabled for your instance.
`clear_cache_refresh`	`access_data`	Model Specific	Users can clear cache and refresh internal and embedded dashboards, dashboard tiles, Looks, and Explores. The`clear_cache_refresh` permission is automatically added to any pre-existingpermission sets that contain any of the following permissions:`see_user_dashboards`,`see_lookml_dashboards`, or`explore`. The`clear_cache_refresh` permission is not automatically applied to anyembedded roles. Looker Studio users with this permission can refresh Looker data on Looker Studio reports that use the Looker connector.
`see_drill_overlay`	`access_data`	Model Specific	Users can see the results of drilling into a dashboard tile but cannot explore those results. If`explore` is granted, this permission is also automatically granted (even if it isn't checked). Users must also have`explore` permissions to download drill results in PNG format.
`manage_schedules`	None	Model SpecificCM	Added 25.2Users can reassign and delete schedules on theSchedules page for the specified models. This permission does not grant users the ability to see theSchedule History page.
`manage_spaces`	None	Instance WideCN	Users can create, edit, move, and delete folders. Users will also need theManage Access, Edit content access permission.
`manage_homepage`	None	Instance WideNN	Users canedit and add content to the sidebar that all Looker users see on theprebuilt Looker homepage.
`manage_models`	None	Instance WideCN	Each LookML model is mapped to a specific set of database connections on theManage LookML Projects page. With this permission, users can configure these mappings, create new projects, and delete projects. Non-admin users who are granted this permission will have access to all connections that are allowed by the models to which they have access. NOTE: This permission interacts with model sets in a potentially unexpected way. If you assign the`manage_models` permission to a user, the user will be able to access all models in all projects in the instance.
`create_prefetches`	None	Instance Wide	Prefetching is strongly discouraged. We recommend usingdatagroups instead.
`login_special_email`	None	Instance Wide	Users can log in with email/password credentials, even if other login mechanisms (such as Google, LDAP, or SAML) have been enabled on your instance. This can be useful for consultants or others who may not be a part of your normal authentication system.
`embed_browse_spaces`	None	Instance WideNN	Enables the content browser forsigned embeds. If you're using signed embeds, you should grant this permission to users who have the`save_content` permission. On non-embedded instances, this permission removes thefavorite icon for internal users.
`embed_save_shared_space`	None	Instance Wide	Allows user with the`save_content` permission to save content to the organization'sShared folder, if there is one. Users who have the`save_content` permission but not the`embed_save_shared_space` permission will only have the option to save content to theirpersonal embed folder.
`manage_embed_settings`	None	Instance WideCM	Users can edit embed settings on theEmbed page in thePlatform section of theAdmin menu.
`manage_themes`	None	Instance WideCM	Users can configure theme settings for embedded dashboards, Looks, and Explores on theThemes page in thePlatform section of theAdmin menu. This permission is available only if themes have been enabled for your instance.
`manage_internal_themes`	None	Instance WideCM	Users can configure theme settings for dashboards that are internal to Looker (non-embedded) on theThemes page in thePlatform section of theAdmin menu. This permission is available only if theInternal Dashboard Theming Labs feature has been enabled for your instance.
`manage_privatelabel`	None	Instance WideCM	Users can configure private label settings on thePrivate Label page in thePlatform section of theAdmin menu. This permission is available only if private label has been enabled for your instance.
`see_alerts`	None	Instance WideCM	Users can access theAlerts andAlert History pages in theAdmin section, allowing users to see all alerts on a Looker instance. Users can view, follow, edit, self-assign, and disable alerts that are owned by other users from theAlerts Admin page. Users must have permissions to access the alert's underlying content to view or explore from the alert's visualization (in theAlert Details page) or to navigate to its dashboard. This permission does not grant users the ability to view, create, follow, or delete alerts from the dashboard tile.
`see_queries`	None	Instance WideCM	Users can see theQueries page in theAdmin section of Looker. This privilege does not give a user the ability to terminate a query on theQueries page.
`see_logs`	None	Instance WideCM	Users can see theLog page in theAdmin section of Looker.
`see_users`	None	Instance WideCM	Users can see theUsers page (but not theGroups page) in theAdmin section of Looker. This privilege does not give a user the ability to create new users, see or create API credentials, reset passwords, or otherwise modify users or privileges. A user granted this permission can see all users in all groups on an instance, even on aclosed system. A user can see all group names and all role names, which some companies may consider sensitive information.
`sudo`	`see_users`	Instance WideCM	Users can sudo (in other words, act as and temporarily inherit the permissions of) another user by clicking theSudo button on theUsers page. The`sudo` permission does not allow a non-admin to sudo as an admin,but a non-admin could potentially escalate their privileges by using sudo, so exercise caution. Note:Looker (Google Cloud core) instances don't contain the`sudo` permission.
`manage_groups`	`see_users`	Instance WideCM	Users can create, edit, and delete groups on theGroups page in theUsers section of theAdmin menu, with the exception of any groups that are associated with theAdmin role.
`manage_roles`	`manage_groups`	Instance WideCM	Users can create, edit, and delete roles, except for theAdmin role, on theRoles page in theUsers section of theAdmin menu. Users still cannot create, edit, or delete permission sets or model sets.
`manage_user_attributes`	`see_users`	Instance WideCM	Users can create, edit, and delete user attributes on theUser Attributes page in theUsers section of theAdmin menu.
`see_schedules`	None	Instance WideCM	Users can see theSchedules andSchedule History pages from theAdmin panel in Looker. This privilege does not give a user the ability to reassign, edit, or delete other users' schedules on theSchedules andSchedule History pages.
`see_pdts`	None	Connection Specific	Users can see thePersistent Derived Tables page in theAdmin section of Looker and view information about PDTs from projects that use any connection associated with models for which they havedata access. This permission is included in theDeveloperdefault permission set for new Looker installations. This permission is applied to connections to which users have data access, rather than across the entire Looker instance or to individual models or model sets.
`see_datagroups`	None	Model Specific	Users can see theDatagroups page in theAdmin section of Looker. Users can see connection names, model names, and other information about datagroups defined in a model for which they havedata access. This permission is applied to individual models or model sets, rather than across the entire Looker instance or to connections.
`update_datagroups`	`see_datagroups`	Model Specific	Users can trigger a datagroup, or reset its cache, through theDatagroups page in theAdmin section of Looker. Like users who have the`see_datagroups` permission, users who have the`update_datagroups` permission can see datagroups that are defined in projects that use a model for which they havedata access. This permission is applied to individual models or model sets, rather than across the entire Looker instance or to connections.
`see_system_activity`	None	Instance WideCM	Users can access the System ActivityExplores anddashboards to view usage, history, and other metadata about a Looker instance.
`see_admin`	None	Instance WideCM	Users can have read-only access to admin resources, includingpages in theAdmin panel, with the exception of the following pages: Support Access Labs Legacy Features Export Content Access Actions (if the page displays only the enabled or disabled states of actions) This permission doesn't provide access to System Activity pages.
`mobile_app_access`	None	Instance WideNN	Users can sign in to your instance on a mobile device using theLooker mobile app. For users to be able to sign in to the Looker mobile app, theMobile Application Access option in theGeneral Settings page in theAdmin section of Looker first must be enabled. The`mobile_app_access` permission can be added to a new or existing permission set, and it is part of all of Looker'sdefault permission sets.
`manage_modelsets_restricted`	None	Model SpecificCM	Added 25.2Users can modify model sets for which they have the`manage_modelsets_restricted` permission. A user can only add models contained in model sets for which the user also has the`manage_modelsets_restricted` permission. NOTE: This permission interacts with model sets in a potentially unexpected way. If you assign the`manage_modelsets_restricted` permission to a user, and you've allowed that user to accessany model that is a part of a project, they will be able to assignall models in that project to model sets that they have access to.
`upload_data`	None	Instance WideNN	Added 25.20Users can upload files to your instance to createself-service Explores.
`gemini_in_looker`	None	Model Specific	This permission is the only permission that is included in theGeminidefault role. This permission grants users the ability to perform the following tasks: Write LookML using Gemini assistance when they also have a Looker role that contains the`develop` permission for at least one model in a LookML project Create custom Looker visualizations using Gemini assistance when they also have a Looker role that contains the`can_override_vis_config` permission UseConversational Analytics with Looker Explore data in Looker Studio, even if they don't have a role that contains the`explore` permission, when they also have a Looker role that contains the`access_data` permission on the model that they are querying
`chat_with_agent`	`gemini_in_looker`	Model Specific	Added 25.18Conversational Analytics users can chat withdata agents that use one or more Looker Explores. The user must also have a role that contains this permission and the`access_data` permission on each model that underlies the Explores that are used by the data agent. SeeCreate and manage data agents for more information about data agent permissions.
`chat_with_explore`	`chat_with_agent`	Model Specific	Added 25.18Conversational Analytics users can chat with a Looker Explore when they have the`access_data` permission on the model that underlies the Explore.
`save_agents`	`chat_with_explore`	Model Specific	Added 25.18Conversational Analytics users can create, edit, delete, and sharedata agents. To edit, delete, or share a data agent that was created by another user, users must be granted a role that contains this permission on every model that is used by the agent. SeeCreate and manage data agents for more information about data agent permissions.
`admin_agents`	`gemini_in_looker`	Model Specific	Added 25.18Conversational Analytics users can create, edit, share, and deletedata agents. With this permission, a user doesn't need to be grantedcontent access to the data agent to be able to edit, delete, or share a data agent that was created by another user.

Things to know about permission sets

The following permissions interact with model sets in a potentially unexpected way:

develop;see_lookml — In Looker's IDE, a single project can contain multiple model files. If you assign thedevelop orsee_lookml permissions to a user, and you've allowed that user to seeany model that is a part of a project, they will be able to develop or see the LookML forall models in that project. However, they will still not be able toquery models that you have not allowed.
manage_models — If you assign themanage_models permission to a user, the user will be able to access all models in all projects in the instance.
manage_modelsets_restricted — If you assign themanage_modelsets_restricted permission to a user, they can assign any model in a project to which they have access.
manage_project_connections — If you assign themanage_project_connections_restricted ormanage_project_connections permissions to a user, the user will be able to see, edit, and create project-scoped connections for any projects that are included in the model set.

Model sets

A model set defines what data and LookML fields auser orgroup can see. Each set is a list of LookML models to which a user or group should have access. You can think of a model set as performing two functions:

A model set controls which models in your LookML the permissions apply to (if those permissions are model specific).
A model set limits what data and LookML fields a user can see, because each model is connected to a specific database connection and contains certain LookML fields.

Creating a model set

To create a model set:

Click theNew Model Set button at the top of theRoles page.

Looker displays theNew Model Set page. Enter a name for the new model set.
Select the model or models that should be included in the new model set.
Click theNew Model Set button at the bottom of the page. The new model set will appear in theModel Sets section of theRoles page.

Models that are included inpending projects appear in theModels list on theNew Model Set andEdit Model Set pages.
Deleting or renaming a model will not change any model sets that include that model. When a model is removed orrenamed, we recommend that Looker admins also remove that model's name from any associated model sets, using theEdit Model Set page. Removing a deleted model's name from a model set prevents a new model with the same name from unintentionally being included in that model set.

To learn more about models, see theModel parameters documentation page.

Creating multiple models and model sets

The following example illustrates how you can use multiple model sets to limit access to data. Consider a scenario where you have two teams, Marketing and Support. In this example, these two teams should not have access to the entire model, so you would create a separate model for each team. To separate their data access, you would perform the following steps:

Copy the model into two new models.
In the first of the new models, include only the views, fields, and Explores that the Marketing team should have access to.
Create a model set for the Marketing team that includes only this new model.
Create a new role for the Marketing team that includes this new model set and the appropriate permissions for the Marketing team.
Assign this new role to the Marketing team group.
Repeat steps 2 through 5 to configure the second model for the Support team.

Editing a model set

After a model set has been created, perform the following steps to edit it:

On theRoles page, click theEdit button to the right of the model set you want to edit.
Looker displays theEdit Model Set page. Optionally, enter a new name for the model set in theName field.
Add or remove any models from the model set in theModels section.
Click theUpdate Model Set button at the bottom of the page.

Models that are included inpending projects appear in theModels list on theNew Model Set andEdit Model Set pages.
Deleting or renaming a model will not change any model sets that include that model. When a model is removed orrenamed, we recommend that Looker admins also remove that model's name from any associated model sets, using theEdit Model Set page. Removing a deleted model's name from a model set prevents a new model with the same name from unintentionally being included in that model set.

Deleting a model set

To delete a model set, on theRoles page, clickDelete to the right of the model set that you want to delete.

Creating and assigning custom roles

A custom role combines a default or custompermission set and a default or custommodel set. Roles can only be created based on permission and model sets that already exist. If a permission set doesn't exist that represents everything that you want the user to be able to do or if a model set doesn't exist that contains all the models that you want the user to be able to do those actions on, you must create the permission set or model set, respectively.

Create a custom role that uses existing permission and model sets

To assign a custom role with an existing permission set and an existing model set, follow these steps:

Navigate to theRoles page in theUsers section of theAdmin panel.
SelectNew Role.
Enter a name for your new role. Often role names indicate something about what tasks the role allows the user to do.
Next toPermission Set, select the permission set that you want to use for this role. The set of permissions appears beside the selected permission set.
Next toModel Set, select the model set that you want to use for this role. The set of models appears beside the selected permission set. To apply the selected permission set to all models on the Looker instance, selectAll.
Optionally, underGroups orUsers, select the groups or users that you want to assign the custom role to. You can also add users and groups to the role later by updating the role settings or you can assign the role later from theUsers orGroups page in theAdmin panel.
ClickNew Role to save this custom role.

Create a custom role that uses new permission and model sets

To create a custom role using new permission and model sets, first navigate to theRoles page in theUsers section of theAdmin panel.

To create a new permission set, follow these steps:

SelectNew Permission Set.
Provide a label for your new permission set in theName field.
Select the permissions that you want and clickNew Permission Set.

To create a new model set, follow these steps:

From theRoles page, selectNew Model Set.
Enter a label for your new model set in theName field.
Select the models that you want to apply your role to.
SelectNew Model Set.

To create the custom role using the new permission and model sets, follow these steps:

On theRoles page, selectNew Role.
Enter a name for your new role. Often role names indicate something about what tasks the role allows the user to do.
Provide a label for your new role in theName field.
ForPermission Set, select the permission set that you just created.
ForModel Set, select the specific models that you would like to apply thegemini_in_looker permission to. You may need to create a model set that contains the appropriate models before you can assign a model set to your new custom role.
Optionally, underGroups orUsers, select the groups or users that you want to assign the custom role to. You can also add users and groups to the role later by updating the role settings or you can assign the role later from theUsers orGroups page in theAdmin panel.
ClickNew Role to save this custom role.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.

Movatterモバイル変換

Admin settings - Roles Stay organized with collections Save and categorize content based on your preferences.