Solved: Looker Studio Hosting Project

hafiz1 · 12-19-2023 01:59 PM

Looker Studio requires a google big query billing project to host/run the looker studio report, and permissions to billing project comes through gbq.

Providing access to billing project (for the purpose to read the LookerStudio dashboard) will also provide access to run queries on our team's project, which is not required.

Is it possible to host the Looker Studio read access without having to provide billing access (to readers) to gbq project?

kolban

If I am reading this article correctly ... a dashboard in Looker Studio is created by a user (joe@example.com). It appears that when the dashboard is created, the identity of the user creating (owning?) the dashboard is saved/remembered. When queries (views of the dashboard) using that dashboard are executed by others, the permissions to view the content are those of the creator and not (by default) the permissions (if any) of the viewer. This implies to me that viewers (readers) of the dashboard need have no special permissions themselves.

View solution in original post

Poala_Tenorio

Looker Studio typically requires access to the underlying data warehouse, such as Google BigQuery, to generate reports and dashboards. However, controlling access and permissions can be nuanced.

One potential approach to limit access to the billing project in BigQuery while still allowing access to Looker Studio reports is by utilizing Google Cloud's IAM (Identity and Access Management) capabilities. Here are a few strategies to consider:

Google Cloud IAM Custom Roles:

Create Custom Roles: Define custom roles in Google Cloud IAM with specific permissions needed for Looker Studio without granting broad access to the billing project or other resources.
Restrict Permissions: Assign only the necessary permissions to access the resources required by Looker Studio, such as reading data or viewing specific datasets without allowing query execution.
Scoped Access: Utilize IAM policies to restrict access at the dataset or project level. You can specify who has access to specific datasets within the BigQuery billing project.

Service Accounts and OAuths:

Service Accounts: Use service accounts to control access. Looker Studio can authenticate via a service account that has limited permissions tailored to only access the required datasets for generating reports.
OAuth Scopes: Configure OAuth scopes to restrict what operations the authenticated users can perform within Looker Studio. Limiting scopes can help in controlling access to specific BigQuery functionalities.

kolban

If I am reading this article correctly ... a dashboard in Looker Studio is created by a user (joe@example.com). It appears that when the dashboard is created, the identity of the user creating (owning?) the dashboard is saved/remembered. When queries (views of the dashboard) using that dashboard are executed by others, the permissions to view the content are those of the creator and not (by default) the permissions (if any) of the viewer. This implies to me that viewers (readers) of the dashboard need have no special permissions themselves.

hafiz1

Thank you kolban & Poala_Tenorio.

Kolban's you were right on the money.

To add up some points, there are three ways you can setup a billing project access.

Go to: Resources -> Manage added data sources -> EDIT -> Data credentials:
Here you have 3 options to execute queries:

by Viewer's Credentials (default)
by Owner's Credentials
by Service Account Credentials

Once you select Owner's Credentials or SA, the viewer will not require to have billing project access.