Member-level security

The data model serves as a facade of your data. With member-level security, you can define whether data model entities (cubes, views, and their members) are exposed to end users and can be queried via APIs & integrations.

Member-level security in Cube is similar to column-level security in SQL databases. Controlling access to cubes and views is like controlling access to database tables; controlling access to dimensions and measures is like controlling access to columns.

By default, all cubes, views, and their members are public, meaning that they can be accessed by any user and are also visible during data model introspection.

Managing member-level access

You can use access policies to configure member-level access for different groups. With the access_policy parameter in cubes and views, you can define which members are accessible to users in specific groups.

Use the member_level parameter to specify either:

  • includes: a list of allowed members, or
  • excludes: a list of disallowed members

You can use "*" as a shorthand to include or exclude all members.

When you define access policies for specific groups, access is automatically denied to all other groups. You don't need to create a default policy that denies access.

In the following example, member-level access is configured for different groups:

views:
  - name: orders_view
    cubes:
      - join_path: orders
        includes:
          - status
          - created_at
          - count
          - count_7d
          - count_30d
    
    access_policy:
      # Managers can access all members except for `count`
      - group: manager
        member_level:
          excludes:
            - count
      
      # Observers can access all members except for `count` and `count_7d`
      - group: observer
        member_level:
          excludes:
            - count
            - count_7d
      
      # Guests can only access the `count_30d` measure
      - group: guest
        member_level:
          includes:
            - count_30d

This configuration results in the following access:

| Group | Access |
| --- | --- |
| manager | All members except for count |
| observer | All members except for count and count_7d |
| guest | Only the count_30d measure |
| All other users | No access to this view at all |
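
As an added example (not part of Cube's documentation or code base), the following JavaScript models the rules described above and checks the orders_view policies against the access table, so that a later policy edit that widens access shows up as a finding. The function names and the analyst group are hypothetical, and combining includes with excludes in one policy is an assumption of this model.

```javascript
// Simplified model of the rules on this page; not Cube's implementation.
// Members and policies are transcribed from the orders_view YAML example.
const VIEW_MEMBERS = ["status", "created_at", "count", "count_7d", "count_30d"];
const ACCESS_POLICY = [
  { group: "manager", member_level: { excludes: ["count"] } },
  { group: "observer", member_level: { excludes: ["count", "count_7d"] } },
  { group: "guest", member_level: { includes: ["count_30d"] } },
];
// Expected matrix from the page's table; "analyst" is constructed (no policy).
const EXPECTED = {
  manager: ["status", "created_at", "count_7d", "count_30d"],
  observer: ["status", "created_at", "count_30d"],
  guest: ["count_30d"],
  analyst: [],
};

// Expand the "*" shorthand into the view's concrete member names.
const expand = (list, all) => (list.includes("*") ? [...all] : list);

// Members one group may query under the given policies.
function effectiveMembers(group, policies, all) {
  if (policies.length === 0) return [...all]; // no policies: members stay public
  const policy = policies.find((p) => p.group === group);
  if (!policy) return []; // policies exist, none for this group: denied
  // Assumption of this model: an absent list places no restriction of that kind.
  const { includes = ["*"], excludes = [] } = policy.member_level ?? {};
  const [allowed, denied] = [expand(includes, all), expand(excludes, all)];
  return all.filter((m) => allowed.includes(m) && !denied.includes(m));
}

// Report every difference from the expected matrix, plus policy entries naming
// a member the view lacks (in this model a misspelled exclude excludes nothing).
function auditAccess(expected, policies, all) {
  const findings = [];
  for (const p of policies) {
    const { includes = [], excludes = [] } = p.member_level ?? {};
    const unknown = [...includes, ...excludes].filter((n) => n !== "*" && !all.includes(n));
    unknown.forEach((n) => findings.push(`${p.group}: unknown member "${n}"`));
  }
  for (const [group, want] of Object.entries(expected)) {
    const got = effectiveMembers(group, policies, all);
    got.filter((m) => !want.includes(m))
      .forEach((m) => findings.push(`${group}: unexpected access to ${m}`));
    want.filter((m) => !got.includes(m))
      .forEach((m) => findings.push(`${group}: missing access to ${m}`));
  }
  return findings;
}
console.log(auditAccess(EXPECTED, ACCESS_POLICY, VIEW_MEMBERS));
```

An empty result means the policies grant exactly what the table states; each string in a non-empty result names the group and the member that differ.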

Access policies also respect member-level security restrictions configured via public parameters. For more details, see the access policies reference.