Manage users within Looker (Google Cloud core)

Within a Looker (Google Cloud core) instance, several settings are available for managing users.

Required permission

In order to manage users within a Looker (Google Cloud core) instance, you must have the Admin role within Looker.

The Users page

The Admin > Users page within Looker displays active users within Looker (Google Cloud core) and lets you make certain edits to their accounts within Looker, such as editing the following account settings:

Users' names and email addresses must be edited within the identity provider that is used for authentication.

Unlike within Looker (original) instances, the following isn't available in the Looker (Google Cloud core) Users page:

add users (with the exception of service accounts)
send setup link / send reset link
set up two-factor authentication
sudo as a user

Adding users to a Looker (Google Cloud core) instance

To add individual Looker (Google Cloud core) users, add users within your identity provider. Their Looker accounts will be created upon first login. Individual users cannot be added on the Users page; however, API-only service accounts can be added on the Users page.

Creating an API-only service account

Service accounts are the only accounts that can be created within a Looker (Google Cloud core) instance.

You can create API-only accounts (often called service accounts) from the Users page within a Looker (Google Cloud core) instance. These accounts can be granted Admin Looker roles and Looker API credentials. However, these accounts can't log in to Looker (Google Cloud core) through the UI. To add a service account, follow these steps:

Click the Add Service Accounts button to open the Adding a new Service Account page.
In the Service Account Name field, enter a name for the service account.
The Create default set of API credentials switch is enabled by default. If you don't want API credentials created for the account, click the switch to disable this option.
Select the Groups and Roles to assign to the service account.
Click the Save button.

You can view and edit existing service accounts in the Service Accounts tab on the Users page. To edit a service account, click the service account row to display the Edit User page. From the Edit User page you can do the following:

Enable or disable the service account
Edit the service account name
Manage the service account API keys
Assign different groups and Roles
Edit the user attributes that are associated with the service account

Removing access to Looker (Google Cloud core)

Remove access to a Looker (Google Cloud core) instance by updating the identity provider that was used for authentication. Although the user can no longer log in to the instance, the user account will still appear active on the Users page. To remove the user account from the Users page, delete the user within the Looker (Google Cloud core) instance.

Deleting users from a Looker (Google Cloud core) instance that is associated with a Looker Studio Pro subscription reduces the number of complimentary Looker Studio Pro licenses that are allocated to your instance. If the number of complimentary Pro licenses that are allocated to your instance becomes less than the number of licenses that are in use, the difference will be converted immediately to paid licenses, subject to Looker Studio Pro pricing.

Selecting an authentication method for Looker (Google Cloud core) users

An OAuth client must be set up as part of instance creation, and OAuth authentication is the backup authentication method for Looker (Google Cloud core). However, you can choose between several different primary authentication methods. The Authentication methods for Looker (Google Cloud core) documentation page lists the available authentication methods.

Setting a default Looker role within the Looker (Google Cloud core) instance

Before you add any users, you can set the default Looker role that will be granted to user accounts with the Looker Instance User IAM role upon their first login to a Looker (Google Cloud core) instance. To set a default role, follow the steps provided in the documentation for your identity provider: OAuth, SAML, or OpenID Connect.