Configuring Looker to Impersonate Users
Follow these steps if you have a shared dashboard and wish to send the end user's identity to AtScale for use in run-time cube security decisions.
Before you begin
Make sure you have created a connection in Looker. For details, see Creating Looker Connection.
Procedure
1. In Looker, locate the connection to the AtScale instance, and edit it by configuring the following settings:
   - Username: Enter an AtScale user name that has the permissions required to impersonate other users (see step 2 below for details).
   - Password: Password for the AtScale account.
   - Additional Params:
     ;hive.server2.proxy.user={{ _user_attributes['ldap_user_id'] }}
2. In AtScale, go to the Security/Setup menu and set PROXY USER ATTRIBUTE to the attribute that contains the same value used by Looker. Usually this is sAMAccountName or userPrincipalName.
3. In the Admin section in Looker, go to the LDAP page in the Authentication section, and set Login Attrs to the same value as in step 2 above.
4. In AtScale, go to the Security/Role Assignment menu, and ensure that the Looker user account is assigned to a role that grants the following permissions:
   - Impersonate Users
   - Login
   - Query
   - Read Projects
5. Ensure that the Looker service account user has Runtime access to the desired cubes. Note that you must republish a project for security changes to take effect.
6. Ensure that the Looker report users have Runtime access to the desired cubes. Again, you must republish a project for security changes to take effect.
For more information about configuring Looker to authenticate users via LDAP, see LDAP authentication.
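
The following pre-flight check is an added example, not code from AtScale or Looker: it renders the Additional Params value from step 1 for each user and confirms that the value sent resolves through the attribute chosen in step 2 and that the service account's role has the permissions from step 4. The directory entries are constructed, the function names are hypothetical, and the template substitution is a simplified stand-in for Looker's Liquid rendering.

```python
import re

# Permissions the page lists for the Looker service account's role (step 4).
REQUIRED = {"Impersonate Users", "Login", "Query", "Read Projects"}
# Additional Params value from step 1.
ADDITIONAL_PARAMS = ";hive.server2.proxy.user={{ _user_attributes['ldap_user_id'] }}"

# Constructed directory entries (not real accounts).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.test"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@example.test"},
]

def render_params(template, user_attributes):
    """Substitute {{ _user_attributes['name'] }} placeholders (simplified Liquid)."""
    pattern = r"\{\{\s*_user_attributes\['([^']+)'\]\s*\}\}"
    return re.sub(pattern, lambda m: user_attributes[m.group(1)], template)

def proxy_user(params):
    """Extract hive.server2.proxy.user from a ';'-separated parameter string."""
    pairs = dict(p.split("=", 1) for p in params.split(";") if p)
    return pairs.get("hive.server2.proxy.user")

def preflight(login_attr, proxy_user_attribute, role_permissions, directory=DIRECTORY):
    """Return a list of problems; an empty list means steps 1-4 are consistent."""
    problems = []
    missing = REQUIRED - set(role_permissions)
    if missing:
        problems.append("role lacks: " + ", ".join(sorted(missing)))
    for entry in directory:
        # Assumption: Looker fills ldap_user_id from the LDAP Login Attrs attribute (step 3).
        attrs = {"ldap_user_id": entry[login_attr]}
        sent = proxy_user(render_params(ADDITIONAL_PARAMS, attrs))
        # Assumption: AtScale looks the proxy user up by PROXY USER ATTRIBUTE (step 2).
        matches = [e for e in directory if e[proxy_user_attribute] == sent]
        if len(matches) != 1:
            problems.append(f"{sent!r} does not resolve via {proxy_user_attribute}")
    return problems

if __name__ == "__main__":
    # Mismatch: Looker sends sAMAccountName, AtScale expects userPrincipalName.
    for line in preflight("sAMAccountName", "userPrincipalName", REQUIRED):
        print(line)
```
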