Member-level security

The data model serves as a facade of your data. With member-level security, you can define whether data model entities (cubes, views, and their members) are exposed to end users and can be queried via APIs & integrations.

Member-level security in Cube is similar to column-level security in SQL databases. Defining whether users have access to cubes and views is similar to defining access to database tables; defining whether they have access to dimensions and measures is similar to defining access to columns.

By default, all cubes, views, and their members are public, meaning that they can be accessed by any user and are also visible during data model introspection.

Managing member-level access

You can use data access policies to configure member-level access for different roles. With the access_policy parameter in cubes and views, you can define which members are accessible to users with specific roles.

In development mode in Playground, access control checks are disabled and access policies are not evaluated. This lets you conveniently debug the data model by querying any members in API queries and during data model introspection.

Use the member_level parameter to specify either:

  • includes: a list of allowed members, or
  • excludes: a list of disallowed members

You can use "*" as a shorthand to include or exclude all members.

In the following example, member-level access is configured for different roles:

YAML
views:
  - name: orders_view
    cubes:
      - join_path: orders
        includes:
          - status
          - created_at
          - count
          - count_7d
          - count_30d
    
    access_policy:
      # Default policy: no access for users without specific roles
      - role: "*"
        member_level:
          includes: []
      
      # Managers can access all members except for `count`
      - role: manager
        member_level:
          excludes:
            - count
      
      # Observers can access all members except for `count` and `count_7d`
      - role: observer
        member_level:
          excludes:
            - count
            - count_7d
      
      # Guests can only access the `count_30d` measure
      - role: guest
        member_level:
          includes:
            - count_30d

This configuration results in the following access:

Role            | Access
----------------|------------------------------------------------
manager         | All members except for count
observer        | All members except for count and count_7d
guest           | Only the count_30d measure
All other users | No access to this view at all
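
To audit which members each role ends up seeing, the policy above can be modelled and evaluated offline. This is an added example, not Cube's own code: `expand`, `granted_by` and `effective_members` are hypothetical helpers, and it assumes a user's access is the union of all policies matching their roles, which reproduces the table above.

```python
# Added example: models the page's `orders_view` policy as plain Python data.
# Assumption: a user's access is the union of every policy matching their roles.
VIEW_MEMBERS = ["status", "created_at", "count", "count_7d", "count_30d"]

ACCESS_POLICY = [
    {"role": "*", "member_level": {"includes": []}},
    {"role": "manager", "member_level": {"excludes": ["count"]}},
    {"role": "observer", "member_level": {"excludes": ["count", "count_7d"]}},
    {"role": "guest", "member_level": {"includes": ["count_30d"]}},
]


def expand(listed, members):
    """Resolve a member list, honouring the "*" shorthand; reject unknown names."""
    if listed == "*" or listed == ["*"]:
        return set(members)
    unknown = set(listed) - set(members)
    if unknown:  # a typo in `excludes` would otherwise leave a member exposed
        raise ValueError(f"unknown members: {sorted(unknown)}")
    return set(listed)


def granted_by(member_level, members):
    """Members granted by one member_level block (`includes` or `excludes`)."""
    if ("includes" in member_level) == ("excludes" in member_level):
        raise ValueError("member_level needs exactly one of includes/excludes")
    if "includes" in member_level:
        return expand(member_level["includes"], members)
    return set(members) - expand(member_level["excludes"], members)


def effective_members(user_roles, policy=ACCESS_POLICY, members=VIEW_MEMBERS):
    """Union of grants from policies whose role is "*" or held by the user."""
    allowed = set()
    for rule in policy:
        if rule["role"] == "*" or rule["role"] in user_roles:
            allowed |= granted_by(rule["member_level"], members)
    return [m for m in members if m in allowed]  # keep declaration order


if __name__ == "__main__":
    for roles in (["manager"], ["observer"], ["guest"], ["analyst"]):
        print(roles, "->", effective_members(roles) or "no access")
```

Running such a check against a policy before deployment is useful because Playground's development mode does not evaluate access policies.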

Access policies also respect member-level security restrictions configured via public parameters. For more details, see the data access policies reference.

Using the public parameter

You can explicitly make a data model entity public or private by setting its public parameter to true or false. This parameter is available for cubes, views, measures, dimensions, hierarchies, and segments.

You can also control whether a data model entity should be public or private dynamically by using the security context.

While the public parameter provides a simple way to restrict access, it applies globally to all users. It is recommended to use data access policies by default as they allow you to define granular access control rules in one place.