Skip to main content

Member-level security

The data model serves as a facade of your data. With member-level security, you can define whether data model entities (cubes, views, and their members) are exposed to end users and can be queried via APIs & integrations. Member-level security in Cube is similar to column-level security in SQL databases. Defining whether users have access to cubes and views is similar to defining access to database tables; defining whether they have access to dimensions and measures — to columns. By default, all cubes, views, and their members are public, meaning that they can be accessed by any users and they are also visible during data model introspection.

Managing member-level access

You can use access policies to configure member-level access for different groups. With the access_policy parameter in cubes and views, you can define which members are accessible to users with specific groups. Use the member_level parameter to specify either:
  • includes: a list of allowed members, or
  • excludes: a list of disallowed members
You can use "*" as a shorthand to include or exclude all members.
When you define access policies for specific groups, access is automatically denied to all other groups. You don’t need to create a default policy that denies access.
In the following example, member-level access is configured for different groups: 
views:
  - name: orders_view
    cubes:
      - join_path: orders
        includes:
          - status
          - created_at
          - count
          - count_7d
          - count_30d
    
    access_policy:
      # Managers can access all members except for `count`
      - group: manager
        member_level:
          excludes:
            - count
      
      # Observers can access all members except for `count` and `count_7d`
      - group: observer
        member_level:
          excludes:
            - count
            - count_7d
      
      # Guests can only access the `count_30d` measure
      - group: guest
        member_level:
          includes:
            - count_30d
This configuration results in the following access:
GroupAccess
managerAll members except for count
observerAll members except for count and count_7d
guestOnly the count_30d measure
All other usersNo access to this view at all
Access policies also respect member-level security restrictions configured via public parameters. For more details, see the access policies reference.
If you want to return masked values for restricted members instead of hiding them entirely, see data masking in access policies.