Within a Looker (Google Cloud core) instance, several settings are available for managing users.
Required permission
In order to manage users within a Looker (Google Cloud core) instance, you must have the Admin role within Looker.
The Users page
The Admin > Userspage within Looker displays active users within Looker (Google Cloud core) and lets you make certain edits to their accounts within Looker, such as editing the following account settings:
Users' names and email addresses must be edited within the identity provider that is used for authentication.
Unlike within Looker (original) instances, the following isn't available in the Looker (Google Cloud core) Userspage:
- add users (with the exception of service accounts )
- send setup link / send reset link
- set up two-factor authentication
- sudo as a user
Adding users to a Looker (Google Cloud core) instance
To add individual Looker (Google Cloud core) users, add users within your identity provider . Their Looker accounts will be created upon first login. Individual users cannot be added on the Userspage; however, API-only service accounts can be added on the Userspage.
Creating an API-only service account
Service accounts are the only accounts that can be created within a Looker (Google Cloud core) instance.
You can create API-only accounts (often called service accounts ) from the Userspage within a Looker (Google Cloud core) instance. These accounts can be granted Admin Looker roles and Looker API credentials. However, these accounts can't log in to Looker (Google Cloud core) through the UI. To add a service account, follow these steps:
- Click the Add Service Accountsbutton to open the Adding a new Service Accountpage.
- In the Service Account Namefield, enter a name for the service account.
- The Create default set of API credentialsswitch is enabled by default. If you don't want API credentials created for the account, click the switch to disable this option.
- Select the Groups and Roles to assign to the service account.
- Click the Savebutton.
You can view and edit existing service accounts in the Service Accountstab on the Userspage. To edit a service account, click the service account row to display the Edit Userpage. From the Edit Userpage you can do the following:
- Enable or disable the service account
- Edit the service account name
- Manage the service account API keys
- Assign different groups and Roles
- Edit the user attributes that are associated with the service account
Removing access to Looker (Google Cloud core)
Remove access to a Looker (Google Cloud core) instance by updating the identity provider that was used for authentication. Although the user can no longer log in to the instance, the user account will still appear active on the Userspage. To remove the user account from the Userspage, delete the user within the Looker (Google Cloud core) instance.
Deleting users from a Looker (Google Cloud core) instance that is associated with a Looker Studio Pro subscription reduces the number of complimentary Looker Studio Pro licenses that are allocated to your instance. If the number of complimentary Pro licenses that are allocated to your instance becomes less than the number of licenses that are in use, the difference will be converted immediately to paid licenses, subject to Looker Studio Pro pricing .
Selecting an authentication method for Looker (Google Cloud core) users
An OAuth client must be set up as part of instance creation, and OAuth authentication is the backup authentication method for Looker (Google Cloud core). However, you can choose between several different primary authentication methods. The Authentication methods for Looker (Google Cloud core) documentation page lists the available authentication methods.
Setting a default Looker role within the Looker (Google Cloud core) instance
Before you add any users, you can set the default Looker role that will be granted to user accounts with the Looker Instance User IAM role upon their first login to a Looker (Google Cloud core) instance. To set a default role, follow the steps provided in the documentation for your identity provider: OAuth , SAML , or OpenID Connect .
