Looker

Overview

LightBeam Spectra users can connect various data sources to the LightBeam application and these data sources will be continuously monitored for PII, PHI data.

Example: Looker, DynamoDB, Redshift, etc.

About Looker

Looker is a BI and data visualization platform by Google. It facilitates data connection and visualization across multiple sources. As an intermediary layer over structured data sources like Redshift, BigQuery, and MySQL, it enables the creation of custom data models. Users can perform SQL queries on these models, which Looker then translates for the underlying databases. By integrating into LightBeam, Looker serves as a structured data source by augmenting data analysis and visualization functionalities.

Features

Datasource Registration

Looker administrators create users with limited permissions, using the restricted user’s clientID and clientSecret for the registration process. The registration requires the Looker instance’s URL, clientID, and clientSecret. Users can actively select specific projects and models within those projects to scan.

Metadata Scanning

LightBeam systematically scans models defined in the scanning conditions. Each model is treated as a separate database in our system, named with the structure project_name.model_name. This naming convention incorporates the project name to provide a fully qualified name for each model, allowing users to easily identify the project a model belongs to by its name displayed in the UI.

• Within each model, LightBeam examines all explores and views that are accessible through these explores.

• Explores and views are regarded as tables in our system.

• The naming convention for an explore follows its own name, whereas for a view, it adopts the explore_name.view_name format. This approach ensures that views remain unique, especially since a single view might be associated with multiple explores within the same model.

• The scanning extends to dimensions within explores and views, which are interpreted as columns in our system, offering a granular look at the data structure.

PII Detection

Lightbeam retrieves sample data from each explore or view, classifying each dimension present within the explore or view to detect personally identifiable information (PII).

Limitations

• Entity and Attribute Instance Creation: Not supported due to Looker API limitations that prevent the joining of different views.

• Table Size Information: Unavailable as Looker's API does not provide the size details of explores or views.

Onboarding Looker Data Source

1. Login to your LightBeam Instance.

2. Click on DATASOURCES on the Top Navigation Bar.

3. Click on “Add a data source”.

1. Search for Looker.
2. Click on Looker.

3. Fill in the details as shown below and click Next:

Basic Information

1. Instance Name: This is the unique name given to the data source.

2. Description: This is an optional field needed to describe the use of this data source.

3. Primary Owner: Email address of the person responsible for this data source which will get alerts by default.

4. Source of Truth: LightBeam Spectra would have monitored data sources that contain data acting as a single point of truth and that can be used for looking up entities/attributes that help to identify if the other attributes/entities found in any other data source are accurate or not. A Source of Truth data set would create entities based on the attributes found in the data.

5. Location: The location of the data source.

6. Purpose: The purpose of the data being collected/processed.

7. Stage: The stage of the data source. Example: Source, Processing, Archival, etc.

4. In this step, insert the credentials as shown below and click Test Connection –

1. Verify that you get the message Connection Success! on the screen. Click on Next.

2. In the next step, you will see a list of databases presented from your Looker cluster. Fig 6. Looker - Select database

Displayed Databases: By default, all databases to which you have access permissions will be shown.

Custom Selection: If you wish not to scan certain databases, simply deselect them from the list.

Please verify that all databases selected for scanning show up in the list of databases. Ensure you've made your desired selections before connecting the datasource.

1. Finally, click on Start Sampling to connect to the Looker datasource.

APPENDIX

Minimal permissions setup

To enable LightBeam to scan Looker data, a user with minimal permissions is necessary. Follow these steps to create such a user and generate the required API keys for integration with LightBeam.

1. Role Creation

   • A role in Looker is defined by a combination of a Model Set and a Permission Set.

   • Navigate to the Admin Panel in Looker.
2. Model Set Configuration

   • Access Admin → Users → Roles.
   • Click on New Model Set using the blue button at the top of the page.

   • In the new Model Set, select the models you intend to scan with LightBeam.

3. Permission Set Configuration

   • Still in Admin → Users → Roles, select the New Permission Set with the blue button.
   • Configure a new Permission Set with the required permissions for Lightbeam scanning.

4. Finalizing the Role

   • After setting up the Model Set and Permission Set, go to New Role via the blue button.

   • Create a new role that includes the permissions and model set specified in the previous steps.

5. User Creation and Role Assignment

   • Under Admin → Users, navigate to Users.

   • Select Add Service Accounts with the blue button at the top.
   • Create a new user and assign the newly created role to this account.

6. API Key Retrieval

   • Go to the newly created user's account page.
   • Click Edit API keys, then copy the clientID and clientSecret.

   • Securely store the copied keys for use while registering Looker with LightBeam.

By following these instructions, you will have successfully created a Looker user with minimal permissions, suitable for integrating with Lightbeam and conducting necessary scans.

Validate permissions to the database

Next, the user needs to validate these permissions to the datasource. This ensures authorized access to the datasource by the credentials provided by the user. After validating the permissions to the datasource, the user can onboard Looker in Lightbeam.

Steps

2. Go into sql_user_check_looker directory

3. Please refer to the README.md file in the directory for detailed instructions.

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.