1. Home
  2. Knowledge Base
  3. Universal Analytics Backup
  4. Data access requirements for the Looker Studio UA Backup Reports

How to ensure report Viewers have access to your Looker Studio reports

This article discusses the permissions required for Viewers of a Looker Studio report.  It is discussed in the context of the UA Backup Looker Studio report template created by Analytics Canvas, but is applicable to all Looker Studio reports that use BigQuery or Sheets as the data sources. 

Image

This article relates to the Universal Analytics Backup Utility offered by Analytics Canvas. To share reports in Looker Studio, consult this Looker Studio Support article. 

Data Access Requirements to Access Looker Studio Reports

Looker Studio doesn't host data, rather the data is stored in an underlying data source. Using the UA Backup Looker Studio reports, this can be either Google Sheets or BigQuery.

When a user lands on the report, they access the data through:

  1. The data source Owner's credentials
  2. The user's own Viewer's credentials
  3. A Google Cloud Service Account credential when the data source is BigQuery

When a Looker Studio report is generated from the Looker Studio Linking API, the Data Credentials used for the report are set to "Viewer's Credentials". This means that any user in Looker Studio viewing the report must have access to the raw data in BigQuery or Sheets.

Image

Using Viewer's Credentials to Access Data in Looker Studio

To continue with this option, the Looker Studio user must have access to the Drive folder or BigQuery Dataset, whichever location holds the data used in the report.

Find the location of the data by logging into Analytics Canvas, going to UA Backups, then clicking on the Exports link for the backup.  For BigQuery, it will show the Google Cloud Platform Project that holds the Dataset, and the name of the Dataset that holds the tables.  For Sheets, it will show the Drive folder that holds the backup, and the credential used to create it. 

Sheets as the Data Source

When Google Sheets is used as the data source, the report Viewer must have access to the Drive folder that holds the Sheets.  

Image

BigQuery as the Data Source

When BigQuery is used as the data source, the report Viewer must have access to run queries against the BigQuery Project and must be able to View the BigQuery Dataset.

Shown below is an example. The BigQuery Dataset listed will be the one selected by the user who created the backup and will be in the format "Project.Dataset".  In the example below, the Project is "analyticscanvasdemo", and the data set is "UAbackups". 

Image

Providing Viewers with Access in BigQuery

When BigQuery is used as the data source, the report Viewer must have the following access: 

  1. BigQuery Job User at the Project Level in Google Cloud IAM
  2. BigQuery Data Viewer on the Dataset in BigQuery.

These the two permissions provide the least amount of access to BigQuery.  It limits access to the dataset used in the report, and allows the account to create and run queries in BigQuery. 

1. BigQuery Job User at the Project Level in Google Cloud IAM

To add the first of the two permissions, BigQuery Job User on the Project to allow the user to refresh tables in the report, start by going directly to this URL to select your project, or login to the console and find IAM as shown in the screenshot below.

Image

Next, while still in IAM & Admin, click "Grant Access", then add the user or users, give the role "BigQuery Job User", and click save

Image
2. BigQuery Data Viewer on the Dataset in BigQuery

The next step is to allow the user to view the tables in BigQuery. Go to Google BigQuery and to the Project and Dataset that holds the data for the dashboard.  Click on the dataset, go to Sharing > Permissions.  Next click "Add Principal", then add the user or users as principals.  Assign them the role of "BigQuery Data Viewer", and click Save.  That's it!

ImageImage

Individual users will now have access to the BigQuery data source used in the Looker Studio report. 

Using Owner's Credentials to Access Data in Looker Studio

This method involves using the credential of a single account - an "Owner" who has access to the underlying data source. In Sheets or in BigQuery, this account will need to maintain access to the data indefinitely.

The process is the same for Looker Studio reports linked to Sheets or BigQuery.

To continue with this option, the report author or any Editor of the report, must change the Data Source Data Credentials to "Owner's Credentials" from Viewer's Credentials.  

  1. Go to the report, under the Resource menu,
  2. Select Manage Added Data Sources.  
  3. Click Edit on a data source
  4. Click Data Credentials and change the radio button selector from Viewer's Credentials to Owner's Credentials.  
  5. Repeat for all data sources in the report (there are 28 by default).

Note the credential owner is the user who is logged into Looker Studio and has access to the data.  

ImageImageImageImage

Once you have changed all data sources to Owner's credentials, anyone who the report is shared with can view the data.  

Note: the queries will run as the Owner and query costs will be attributed to them.  Review this article for details on how to estimate the usage costs. 

Using Service Account Credentials to Access Data in Looker Studio when the Data Source is BigQuery

This option is only available when the data source connectors are linked to BigQuery tables.

To continue with this option, the report author or any Editor of the report, must change the Data Source Data Credentials from "Owner's Credentials" or "Viewer's Credentials" to "Service Account Credentials" using the same process as above. 

A service account is a special type of Google account that is intended to represent a non-human user that can authenticate and be authorized to access data in Google APIs and products.  Using it ensures that access to the data remains in-tact, even when an individual user leaves the company, and that anyone who is invited to View the report can do so without additional data access permissions.

Learn how to Setup a Google Cloud service account for Looker Studio.  

You can find your organization's Service Agent here

To continue with this option, the report author or any Editor of the report, must change the Data Source Data Credentials to "Service Account Credentials" from Viewer's Credentials.  

  1. Create a Google Cloud Service account for the Project by going to IAM & Admin > Service Accounts > +Create Service Account.
  2. Give the account the following permissions in Google Cloud IAM:
    1. BigQuery Job User
    2. BigQuery Data Viewer
    3. Service Account Token Creator 
Image
  1. Give the account the following permissions in Google Cloud IAM:
    1. BigQuery Job User
    2. BigQuery Data Viewer
    3. Service Account Token Creator
Image
  1. Capture your Looker Studio Service Agent for your Organization.  Ensure you are logged in to a browser  using a Google account that has access to the Project that holds your UA backup. 
  2. Under IAM, grant the following permissions to the Service Agent account:
    1. Service Account Token Creator
    2. Service Account User
Image
  1. Change all data sources in the Looker Studio report to Service Account credentials, using the Service Account created in step 1.
  2. Repeat for all data sources in the report (there are 28 by default).
Image

You must change each data source in Looker Studio from Viewers credentials to Service Account Credentials.  Once you've done so, anyone who you share the report with can view the report without directly getting access in BigQuery.

Support 

If you have followed the instructions above and your users cannot view the report, consult Looker Studio's documentation or contact-us for further assistance. 

Was this article helpful?

Related Tutorials/Video