Custom roles
Custom roles are available in Cube Cloud on Enterprise plan. (opens in a new tab)
Cube comes with default roles that cover common use cases. However, if you need more customization, you can create custom roles with a fine-grained set of permissions tailored to your organization's specific needs.
Managing roles
In Cube Cloud, users are not assigned permissions directly. Instead, they are assigned roles that are associated with policies. Each policy define what actions they can perform and on what resources they can perform those actions. This approach makes it easier to manage permissions at scale.
Each role can be associated with one or more of the following policies:
| Policy | Description |
|---|---|
Global | Controls account-level functionality, e.g., as Billing. |
Deployment | Controls deployment-level functionality, e.g., as Playground. |
Report | Controls access to specific reports in Saved Reports. |
ReportFolder | Controls access to specific folders in Saved Reports. |
Agent | Controls access to specific AI agents. |
AgentSpace | Controls access to specific AI agent spaces. |
Workbook | Controls access to specific workbooks. |
Each policy can apply to all resources or specific resources. For example, a policy could apply to all deployments or only to a specific deployment.
Also, each policy can have all actions or only specific actions associated with it. For example, a policy could allow a user to view, create, or delete one or more deployments if it's associated with those specific actions.
See actions reference for a list of available actions.
Browsing roles
To see a list of custom roles, go to the Admin -> Custom Roles page in your Cube account:
Creating a role
To create a new role, click the Add Role button. Enter a name and an optional description for the role, then click Add Policy and select either Deployment or Global for this policy's scope.
Deployment policies apply to deployment-level functionality, such as the Playground and Data Model editor. Global policies apply to account-level functionality, such as Billing. Once the policy scope has been selected, you can restrict which actions this role can perform by selecting "Specific" and using the dropdown to select specific actions.
When you are finished, click Create to create the role.
Assigning roles to users
To assign custom roles to users:
- Navigate to Admin → Users
- Choose one of the following methods:
- From the users table: Use the dropdown in the users table
- From individual user page: Click on a user and assign roles from their profile page
- You can assign multiple custom roles to a single user
Actions
Policies can have the following actions associated with them.
Global
| Action | Description |
|---|---|
Alerts AccessAlerts CreateAlerts EditAlerts Delete | View, create, edit, and delete budgets. |
Billing Access | Access the billing data of the Cube Cloud account. |
Deployment Manage | Create and delete deployments in the Cube Cloud account. |
Agent Admin | Administer AI agents across the account. |
AI BI Developer | Developer-level access to AI BI features with full AI token usage. |
AI BI User | User-level access to AI BI features with standard AI token usage. |
AI BI Viewer | Viewer-level access to AI BI features with limited AI token usage. |
Deployment
| Action | Description |
|---|---|
Deployment ViewDeployment Edit | Access the deployment, change its settings. |
Playground Access | Use Playground. |
Data Model View | View the source code in the data model editor, use Visual Model. |
Data Model Edit (all branches)Data Model Edit (dev branches only) | Use the development mode, edit the data model, perform Git operations (e.g., commit, pull, push). |
Queries & Metrics Access | Use Query History and Performance Insights. |
SQL Runner Access | Use SQL Runner. |
Data Assets Access | Use Semantic Catalog. |
Report
| Action | Description |
|---|---|
Report ReadReport Manage | View and create/delete reports. |
ReportFolder
| Action | Description |
|---|---|
Report ReadReport Manage | View and create/delete report folders. |
Agent
| Action | Description |
|---|---|
Agent AccessAgent Manage | View and manage AI agents. |
AgentSpace
| Action | Description |
|---|---|
Agent Space Manage | Manage AI agent spaces. |
Workbook
| Action | Description |
|---|---|
Workbook ReadWorkbook ManageWorkbook Edit | View, manage, and edit workbooks. |