Lots of assumptions and assertions:
- For Analytics data, we want to map on multiple dimensions
- Map Compute (WH) by user's Organization to track spending
- Map Data Access (Grants) by user's "Data Role" and Org, so that we can control access to schemas with sensitive or expensive data, or custom views for a particular org.
- E.g.: Only some users should be able to see FLUENTD_EVENTS or AURORA data directly, and we might end up with Schemas like Revenue with custom stuff
- We have looked at OAuth, but at this time it is untenable because it can't be used with PDTs and would make explore caches useless.
- We are using a Service Account for Looker connections to Snowflake
So in this setup, we are authorizing as LOOKER_USER, but using the user attributes to construct the Role and WH: