In a LookML model file, define an access_grant block with a name, the user_attribute it reads, and the allowed_values that grant access
Apply required_access_grants: [your_grant_name] to the Explore, view, join, or individual field that should be restricted
In Looker Admin, create a user attribute whose name matches the user_attribute referenced in the access_grant definition, and assign appropriate values to users or groups
Test by logging in as a user without the required attribute value and confirming the restricted Explore or field is not visible in the Looker UI
For row-level security (beyond field-level), add an access_filter parameter to the Explore; it references a user attribute and dynamically appends a WHERE condition to all queries against that Explore
Known gotchas
Access grants are additive when nested: if a view has required_access_grants and a field within it also has required_access_grants, users must satisfy both grants to see the field, which can create unintended double-restriction
Required access grants only control visibility of LookML structures; they do not restrict direct database queries or Looker API calls that bypass the Explore layer — complement with warehouse-level permissions for full data security
access_filter for row-level security applies a dynamic WHERE clause only to the Explore where it is defined; it does not stop a user from reaching the same data, without the filtered dimension, through a different Explore that has no access_filter defined
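The steps and gotchas above as a single model file, added here as an example and not taken from the original page. The connection, table, view, grant and user-attribute names (warehouse, analytics.orders, can_view_finance, can_view_pii, department, pii_clearance, allowed_region) are all assumptions.

```lookml
# Constructed example; connection, table, view, grant and attribute names are assumptions.
connection: "warehouse"

# Step 1: each grant reads one user attribute (created under the same name in Admin).
access_grant: can_view_finance {
  user_attribute: department
  allowed_values: ["finance", "executive"]
}
access_grant: can_view_pii {
  user_attribute: pii_clearance
  allowed_values: ["yes"]
}

# Normally kept in a view file; inline here so the example is self-contained.
view: orders {
  sql_table_name: analytics.orders ;;
  required_access_grants: [can_view_finance]

  dimension: region {
    type: string
    sql: ${TABLE}.region ;;
  }
  # Nested grant: the view grant AND this field grant must both be satisfied.
  dimension: customer_email {
    type: string
    sql: ${TABLE}.customer_email ;;
    required_access_grants: [can_view_pii]
  }
}

# Row-level security: WHERE orders.region matches the user's allowed_region attribute.
explore: orders {
  required_access_grants: [can_view_finance]
  access_filter: {
    field: orders.region
    user_attribute: allowed_region
  }
}

# Second Explore over the same view. access_filter is per Explore, so it is repeated;
# omitting this block would expose every region's rows through order_summary.
explore: order_summary {
  view_name: orders
  access_filter: {
    field: orders.region
    user_attribute: allowed_region
  }
}
```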