Member-level security
The data model serves as a facade of your data. With member-level security, you can define whether data model entities (cubes, views, and their members) are exposed to end users and can be queried via APIs & integrations.
Member-level security in Cube is similar to column-level security in SQL databases. Defining whether users have access to cubes and views is similar to defining access to database tables; defining whether they have access to dimensions and measures — to columns.
By default, all cubes, views, and their members are public, meaning that they can be accessed by any user and are visible during data model introspection.
Managing member-level access
You can use access policies to configure member-level access for different groups. With the `access_policy` parameter in cubes and views, you can define which members are accessible to users with specific groups.
Use the `member_level` parameter to specify either:
- `includes`: a list of allowed members, or
- `excludes`: a list of disallowed members
You can use "*" as a shorthand to include or exclude all members.
When you define access policies for specific groups, access is automatically denied to all other groups. You don’t need to create a default policy that denies access.
In the following example, member-level access is configured for different groups:
```yaml
views:
  - name: orders_view

    cubes:
      - join_path: orders
        includes:
          - status
          - created_at
          - count
          - count_7d
          - count_30d

    access_policy:
      # Managers can access all members except for `count`
      - group: manager
        member_level:
          excludes:
            - count

      # Observers can access all members except for `count` and `count_7d`
      - group: observer
        member_level:
          excludes:
            - count
            - count_7d

      # Guests can only access the `count_30d` measure
      - group: guest
        member_level:
          includes:
            - count_30d
```

```javascript
view(`orders_view`, {
  cubes: [
    {
      join_path: orders,
      includes: [
        `status`,
        `created_at`,
        `count`,
        `count_7d`,
        `count_30d`
      ]
    }
  ],

  access_policy: [
    {
      // Managers can access all members except for `count`
      group: `manager`,
      member_level: {
        excludes: [
          `count`
        ]
      }
    },
    {
      // Observers can access all members except for `count` and `count_7d`
      group: `observer`,
      member_level: {
        excludes: [
          `count`,
          `count_7d`
        ]
      }
    },
    {
      // Guests can only access the `count_30d` measure
      group: `guest`,
      member_level: {
        includes: [
          `count_30d`
        ]
      }
    }
  ]
})
```

This configuration results in the following access:
| Group | Access |
|---|---|
| `manager` | All members except for `count` |
| `observer` | All members except for `count` and `count_7d` |
| `guest` | Only the `count_30d` measure |
| All other users | No access to this view at all |
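
The access table above can be checked mechanically. The following is an added example, not Cube's own code: a simplified model of the `includes`/`excludes` rules for one group at a time, useful as a regression check on a policy definition. The function names and the `members` field are hypothetical, and the handling of a policy without a `member_level` block is an assumption.

```javascript
// Added example: a simplified model of member-level policy evaluation.
// It is not Cube's implementation; names below are hypothetical.

// View definition mirroring the `orders_view` example on this page.
const ordersView = {
  members: ["status", "created_at", "count", "count_7d", "count_30d"],
  access_policy: [
    { group: "manager", member_level: { excludes: ["count"] } },
    { group: "observer", member_level: { excludes: ["count", "count_7d"] } },
    { group: "guest", member_level: { includes: ["count_30d"] } },
  ],
};

// Expand an includes/excludes list; "*" stands for every member.
function expand(list, all) {
  return list.includes("*") ? [...all] : list.filter((m) => all.includes(m));
}

// Members visible to one group. A group without a policy gets nothing,
// because defining any policy denies access to all other groups.
function accessibleMembers(view, group) {
  const policy = view.access_policy.find((p) => p.group === group);
  if (!policy) return [];
  const ml = policy.member_level;
  // Assumption: a policy with no member_level block restricts no members.
  if (!ml) return [...view.members];
  if (ml.includes) return expand(ml.includes, view.members);
  const denied = expand(ml.excludes || [], view.members);
  return view.members.filter((m) => !denied.includes(m));
}

// Members of a query that the group may not access (empty means allowed).
function deniedMembers(view, group, queryMembers) {
  const allowed = accessibleMembers(view, group);
  return queryMembers.filter((m) => !allowed.includes(m));
}

// Constructed sample checks.
console.log(accessibleMembers(ordersView, "observer"));
console.log(deniedMembers(ordersView, "guest", ["status", "count_30d"]));
console.log(accessibleMembers(ordersView, "analyst"));
```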
Access policies also respect member-level security restrictions configured via `public` parameters. For more details, see the access policies reference.
If you want to return masked values for restricted members instead of hiding them entirely, see data masking.