Extensions are web applications built with Looker components that are developed through the Lookerextension framework. These extensions will inherit the permissions structure of your Looker instance, handling permissions at the model set level. If a user does not have permissions to access certain models in the standard Looker application, they won't be able to access those models in Looker extensions. This page explains how Looker admins can grant users the appropriate permissions to access Looker extensions.

TheLooker Marketplace deploys an extension by importing a newproject into your Looker application. This project contains everything required to run the extension and has at least onemodel file. Looker admins can control how a user views or interacts with content based on that model by assigning them arole that has permissions to access the extension's model.

For example, if your Looker instance has data based on models calledfinance,marketing, andsales, but you only want certain users to access the finance data, you would grant users access to only thefinance model. Permissions for extensions work similarly.

Looker admins can control permissions to access an extension's model (and therefore access the extension itself) as well as the model or models upon which any contentwithin the extension is based.

Looker admins can configure the available model sets for a Looker instance bynavigating to theRoles page in theAdmin panel. To access and use the extension, users must be assigned a role that has eithermanage models permissions orexplore ordevelop permissions for all models or the model set that contains the extensions's model.

Granting users permissions to extensions

Looker extensions are developed through the Lookerextension framework and are available for installation through theLooker Marketplace. Extensions require that theExtension Framework andMarketplace features be enabled.

In addition to these features, there are three types of permissions associated with extensions:

• Permissions to develop extensions
• Permissions to install extensions from the Looker Marketplace
• Permissions to use extensions

Permissions to develop extensions

To develop an extension using the Looker extension framework, users need LookML developer permissions to the instance, as well as the skills recommended on theIntroduction to the Looker extension framework documentation page.

Permissions to install extensions from the Looker Marketplace

Each extension will have a project with at least one dedicated LookMLmodel. For example, theData Dictionary extension uses thedata-dictionary model.

To install an extension from the Looker Marketplace, a user must havedevelop,manage_models, anddeploy permissions for the extension's model.

When installing an extension that requires an access key from the Looker Marketplace, a configuration screen prompts the user for access key values, which will be stored asuser attributes for the Looker instance.

Permissions to use extensions

If the extension isinstalled through the Looker Marketplace ormade available from within a Looker instance, the Looker admin will need to configure user permissions.

For most extension use cases, the extension always runs with the permissions granted to the user when they log in. By default, once the extension is installed, any user with a role that hasexplore ordevelop permissions andModel Set access set toAll will automatically have the ability to view and use the extensionand its content with no additional permission configuration required. Usersmust have access to all the models that the extension uses for the extension to function fully.

Looker displays the extension in theApplications section of the Looker main menu.

Looker only displays the extension for Looker users who have access to at least one of the extension's underlying models.

Forembedded extensions, the extension takes on thepermissions given to the createdembed user ID, just like an embedded Look, dashboard, or Explore.

Forfull screen extensions that use the/spartan option in the extension URL, you can add users to anExtensions Only user group. Users in this group are prevented from viewing Looker pages outside of the extension. Looker admins can customize theExtensions Only group like any other group and assign it a role that has certain permissions andmodel set access. Users are not required to belong to theExtensions Only group to view a full screen extension; if a user is not in that user group, the extension will run with the permissions of that logged-in user.

Adding user permissions

A Looker admin will need to grant users and embed users apermission set that includesaccess_data and any more restrictive permissions associated with that extension. These permissions must be applied to a model set that includes the extension's model or models.

To grant users access to the extension, Looker admins must:

1. Create a model set that includes the extension's model — oredit an existing model set to add the extension's model.
2. Confirm that users areassigned to a role with at least theaccess_data permission (and any more restrictive permissions associated with that extension) for this model set.

Example: Data Dictionary extension

TheData Dictionary extension project uses thedata-dictionary model.

Users whose roles don't includeexplore ordevelop permissions or that haveModel Set accessnot set toAll will need a Looker admin to grant themexplore ordevelop permissions for a model set that includes thedata-dictionary model.

For example, say that you want to give your finance team access to the Data Dictionary extension. The finance team is assigned theFinance Team model set, but it does not currently grant access to thedata-dictionary model:

To add thedata-dictionary model to their model set, select theEdit button next to theFinance Team model set and check thedata-dictionary model checkbox.

SelectUpdate Settings to save your selection.

After adding thedata-dictionary model to theFinance Team model set, confirm that the finance team's role uses a permission set that containsexplore ordevelop permissions. In this example, the finance team's role (Finance Department) contains theDeveloper permission set, along with theFinance Team model set.

TheDeveloper permission set contains both theexplore and thedevelop permissions.

Now, any users assigned to theFinance Department role will have access to the Data Dictionary extension because that role contains the appropriate permissions and the appropriate model access.