(Access-Denied Troubleshooting)
Premise enforces Google's Context-Aware Access (CAA) for all users accessing their Premise Google account. Best practice typically requires a VPN or proxy to secure internet communications from company hardware; CAA instead lets Premise follow a zero trust security model by requiring devices connecting to Premise's Google environment to be up to date and secure. It also adds a further layer by ensuring laptops and desktops are approved company devices. Users can therefore access the internet and do their work without having to worry about a VPN, an approach that has benefits as well as risks and downsides.
Premise deploys CAA by registering your computer's serial number in our Google Workspace environment, by ensuring you have the proper Chrome extensions installed, and by ensuring your device is secure and updated before connecting to Premise's Google environment.
All Premise employees, contractors, interns, and consultants who have @premise.com email addresses are affected. If you want to log into your Premise Google account (Gmail, Calendar, Google Cloud, etc.), you must meet one of the following criteria:
Be on a company Mac or Windows computer
If you are a contractor/consultant permitted to use a non-Premise computer, you must provide your computer serial number to Technology Services (IT) to properly register it.
Use Google Chrome and ensure Google Chrome's Endpoint Verification is installed
You must be logged into Endpoint Verification with your Premise Google account.
Ensure your computer's operating system is up to date
If you are using a mobile device, it needs to be up to date
Ensure multi-factor authentication is enabled
No, they will not be affected. Anyone logging into Premise Portal, Iris, or My Premise will not be affected. The only people affected are those who have an @premise.com Google account (i.e., employees and contractors/consultants).
The "You don't have access" screen pops up when the device you are using is not up to date with its latest patches or is not a company-approved device. You must be using Google Chrome when you are on a macOS or Windows device.
Please make sure your macOS, Windows, iOS, and Android devices are up to date. You must be on a company macOS or Windows computer to access your Google account. Mobile devices are BYOD (bring your own device), so you can use a personal device as long as it is up to date.
Make sure you are on the latest iOS or Android operating system versions. You can update your iPhone or iPad by following these directions. For Android, the steps are similar but may differ slightly depending on the manufacturer of the device.
If you are still having issues accessing your account from a mobile device, download and install the latest Gmail app. There are known issues when using a native mail client (e.g., the Apple Mail client) where it does not properly sync information to Google. Once you download and log into the Gmail app and re-authenticate, your phone should be good to go. You may have to do this twice: the error may show up the first time, but you should be logged in on the second attempt. After completing these steps, you should be able to use both the Gmail app and your native mail client.
Our customers expect the best security from us, and we must follow industry guidelines for best information security practices. This will help us attract new customers and obtain official security certifications.
If you are having issues, try restarting your device and browser and be sure you are using Google Chrome. Make sure your instance of Chrome has the Managed Bookmarks in the Bookmarks bar, as that will ensure it is a properly registered device and Chrome browser.
Reach out to the Slack channel #it-tips-tricks-n-advice if you want to start a conversation to solve the issue.
If you are in this situation and have an @premise.com Google account, the Context-Aware Access rules still apply. You must install Endpoint Verification and provide your computer's serial number to Technology Services (IT). This should have been done during your onboarding but reach out via Slack (#it-tips-tricks-n-advice) or email (tech-services@premise.com) if you are having issues.
How to Install Endpoint Verification Extension
Go to the Endpoint Verification extension and install it in your Chrome browser.
Make sure to log into your Premise Google account in Chrome.
Restart your Chrome browser.
How to check for the serial number on your computer
macOS: From the Apple Menu in the top-right corner of your desktop screen, select About This Mac. A window should pop up providing an overview of your Mac, including the serial number.
Windows OS: Search for Command Prompt. To get the serial number, type "wmic bios get serialnumber", then press Enter. The serial number will be shown on the screen. WMIC is deprecated in recent Windows releases; if the command is not available, the same value can be read in PowerShell with "Get-CimInstance Win32_BIOS | Select-Object SerialNumber".
If you or your team needs access to certain Google Workspace (formerly called G-Suite) items, raise a ticket in this portal. Common requests Tech Services can assist with are:
Creating or modifying Google Groups
Access issues with Google Drive and shared drives
Calendar and conference room inquiries
Service account requests (non-GCP service accounts)
For requests related to GCP identity and access management (IAM) resources/groups, service account creation/modification, services, or BigQuery dataset/table/schema modification, visit developer.premise.com.
If you have issues or challenges, you can slack us at #it-tips-tricks-n-advice or for official support, submit a troubleshooting ticket here.
User and Service Account Troubleshooting
If you believe that you need additional access to perform your daily job, check https://console.cloud.google.com/iam-admin/iam?project=[project-id] (e.g., https://console.cloud.google.com/iam-admin/iam?project=premise-prod) and do the following:
Find the Google Group you belong to. (They are in the format "iam_gcp_[job role]@premise.com".) Click through to see if there is a Google Group inside of it that you are a part of.
If you do not see your Google Group, it means your job title does not have permissions in that project/role.
You can request access in a faster, more automated way through developer.premise.com.
You can find more information on roles by going to https://console.cloud.google.com/iam-admin/roles?project=premise-prod (or your respective project).
When submitting, make sure you input the correct project, resource, role, and principal (user or service account).
If you are having issues or certain projects/resources are not shown, submit a troubleshooting ticket here.
There are three Looker instances, each with a different intended purpose.
Looker Dev: https://analytics.dev.premise.com/
Looker Dev is intended for development work.
This should be used to play around with Looker, explore capabilities, test integrations, etc.
Dashboards should be made in Looker Dev, then the migration tool must be used to migrate dashboards to Internal or External.
Looker Internal: https://analytics.internal.premise.com/
Looker Internal is intended for hosting production dashboards that are internal-facing only.
These dashboards should NOT be visible in Premise Portal or any other customer-facing solution.
Since this is a production environment, editing dashboards directly here is restricted (the migration tool must be used).
Looker External: https://analytics.premise.com/
Looker External is intended for hosting production dashboards that are external-facing.
Dashboards for customers and that are linked to in Premise Portal should be in Looker External.
Since this is a production environment, editing dashboards directly here is restricted (the migration tool must be used).
Viewer Role
If you only need to view dashboards and do not do any dashboard editing/creating work.
access_data
clear_cache_refresh
create_alerts
create_table_calculations
download_without_limit
mobile_app_access
schedule_look_emails
see_drill_overlay
see_lookml_dashboards
see_looks
see_user_dashboards
send_outgoing_webhook
send_to_integration
send_to_s3
send_to_sftp
User Role
If you do dashboard editing/creating work.
access_data
clear_cache_refresh
create_alerts
create_public_looks
create_table_calculations
download_without_limit
explore
manage_spaces
mobile_app_access
save_content
schedule_external_look_emails
schedule_look_emails
see_drill_overlay
see_lookml
see_lookml_dashboards
see_looks
see_sql
see_user_dashboards
send_to_integration
send_to_s3
send_to_sftp
Developer
Most of you do not need this. This is for folks that do ML Modeling work, or use Looker API to develop solutions.
access_data
clear_cache_refresh
create_alerts
create_public_looks
create_table_calculations
deploy
develop
download_with_limit
download_without_limit
explore
follow_alerts
manage_spaces
mobile_app_access
save_content
schedule_look_emails
see_drill_overlay
see_lookml
see_lookml_dashboards
see_looks
see_sql
see_user_dashboards
send_outgoing_webhook
send_to_integration
send_to_s3
send_to_sftp
use_sql_runner
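As an added example (my code, not Premise's tooling or anything from the page), a least-privilege check over the three role permission sets above: it reports permissions a lower tier holds that the next tier up does not, and the excess a given user has been granted beyond their intended role. The permission names are the page's; the sample user grant is constructed.

```python
# Added example (not Premise's tooling): least-privilege audit over the three
# Looker roles listed above. Permission names come from the page; the sample
# user grant below is constructed.
ROLE_PERMISSIONS = {
    "Viewer": {
        "access_data", "clear_cache_refresh", "create_alerts",
        "create_table_calculations", "download_without_limit",
        "mobile_app_access", "schedule_look_emails", "see_drill_overlay",
        "see_lookml_dashboards", "see_looks", "see_user_dashboards",
        "send_outgoing_webhook", "send_to_integration", "send_to_s3",
        "send_to_sftp",
    },
    "User": {
        "access_data", "clear_cache_refresh", "create_alerts",
        "create_public_looks", "create_table_calculations",
        "download_without_limit", "explore", "manage_spaces",
        "mobile_app_access", "save_content", "schedule_external_look_emails",
        "schedule_look_emails", "see_drill_overlay", "see_lookml",
        "see_lookml_dashboards", "see_looks", "see_sql", "see_user_dashboards",
        "send_to_integration", "send_to_s3", "send_to_sftp",
    },
    "Developer": {
        "access_data", "clear_cache_refresh", "create_alerts",
        "create_public_looks", "create_table_calculations", "deploy",
        "develop", "download_with_limit", "download_without_limit", "explore",
        "follow_alerts", "manage_spaces", "mobile_app_access", "save_content",
        "schedule_look_emails", "see_drill_overlay", "see_lookml",
        "see_lookml_dashboards", "see_looks", "see_sql", "see_user_dashboards",
        "send_outgoing_webhook", "send_to_integration", "send_to_s3",
        "send_to_sftp", "use_sql_runner",
    },
}
TIER_ORDER = ["Viewer", "User", "Developer"]  # increasing privilege, per the page

def tier_gaps():
    """Permissions a lower tier holds that the next tier up lacks (empty if nested)."""
    gaps = {}
    for lower, higher in zip(TIER_ORDER, TIER_ORDER[1:]):
        missing = ROLE_PERMISSIONS[lower] - ROLE_PERMISSIONS[higher]
        if missing:
            gaps[f"{lower}->{higher}"] = sorted(missing)
    return gaps

def excess_permissions(granted, role):
    """Permissions granted to a user beyond their intended role's set."""
    return sorted(set(granted) - ROLE_PERMISSIONS[role])

# Constructed sample: a Viewer who was also handed explore and see_sql.
SAMPLE_VIEWER_GRANT = ROLE_PERMISSIONS["Viewer"] | {"explore", "see_sql"}
```

Run against the page's own lists, tier_gaps() reports send_outgoing_webhook in Viewer but not User, and schedule_external_look_emails in User but not Developer, which is worth confirming with whoever owns the role definitions.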