Access Control
As a Cube Cloud account administrator, you can define roles with specific permissions for Cube Cloud resources and apply those roles to users within the account.
Access control is available in Cube Cloud on Enterprise and above (opens in a new tab) product tiers.
You can manage accounts as an account administrator, manage roles, assign them to users, and associate supported actions with those roles.
Managing accounts
Account administrators have ultimate control over the Cube Cloud account, including managing roles and assigning them to users.
You can see which users are account administrators on the Members tab of the Team & Security page in your Cube Cloud. Account administrators have the Admin toggle enabled next to their name.
Managing roles
In Cube Cloud, users are not assigned permissions directly. Instead, they are assigned roles that are associated with policies. Each policy define what actions they can perform and on what resources they can perform those actions. This approach makes it easier to manage permissions at scale.
Each role can be associated with one or more of the following policies:
| Policy | Description |
|---|---|
Global | Controls account-level functionality, e.g., as Billing. |
Deployment | Controls deployment-level functionality, e.g., as Playground. |
Report | Controls access to specific reports in Saved Reports. |
ReportFolder | Controls access to specific folders in Saved Reports. |
Each policy can apply to all resources or specific resources. For example, a policy could apply to all deployments or only to a specific deployment.
Also, each policy can have all actions or only specific actions associated with it. For example, a policy could allow a user to view, create, or delete one or more deployments if it's associated with those specific actions.
See actions reference for a list of available actions.
Browsing roles
To see a list of roles, go to the Team & Security page in your Cube Cloud account, then navigate to the Roles tab:
Creating a role
To create a new role, click the Add Role button. Enter a name and an optional description for the role, then click Add Policy and select either Deployment or Global for this policy's scope.
Deployment policies apply to deployment-level functionality, such as the Playground and Data Model editor. Global policies apply to account-level functionality, such as Billing. Once the policy scope has been selected, you can restrict which actions this role can perform by selecting "Specific" and using the dropdown to select specific actions.
When you are finished, click "Create Role" to create the role.
Assigning roles to users
Roles are assigned to new users when inviting them:
Existing users' roles can be modified from the "Members" tab on the Team page:
Actions
Policies can have the following actions associated with them.
Actions for the Global policy:
| Action | Description |
|---|---|
Alerts AccessAlerts CreateAlerts EditAlerts Delete | View, create, edit, and delete budgets. |
Billing Access | Access the billing data of the Cube Cloud account. |
Deployment Manage | Create and delete deployments in the Cube Cloud account. |
Actions for the Deployment policy:
| Action | Description |
|---|---|
Deployment ViewDeployment Edit | Access the deployment, change its settings. |
Playground Access | Use Playground. |
Data Model View | View the source code in the data model editor, use Visual Model. |
Data Model Edit (all branches)Data Model Edit (dev branches only) | Use the development mode, edit the data model, perform Git operations (e.g., commit, pull, push). |
Queries & Metrics Access | Use Query History and Performance Insights. |
SQL Runner Access | Use SQL Runner. |
Data Assets Access | Use Semantic Catalog and AI Assistant. |
Actions for the Report policy:
| Action | Description |
|---|---|
Report ReadReport Manage | View and create/delete reports. |
Actions for the ReportFolder policy:
| Action | Description |
|---|---|
Report ReadReport Manage | View and create/delete report folders. |