Member-level security


The data model serves as a facade of your data. With member-level security, you can define whether data model entities (cubes, views, and their members) are exposed to end users and can be queried via APIs & integrations.

Member-level security in Cube is similar to column-level security in SQL databases. Defining whether users have access to cubes and views is similar to defining access to database tables; defining whether they have access to dimensions and measures is similar to defining access to columns.

By default, all cubes, views, and their members are public, meaning that any user can access them and that they are visible during data model introspection.

Managing member-level access

You can use access policies to configure member-level access for different groups. With the `access_policy` parameter in cubes and views, you can define which members are accessible to users in specific groups.

Use the `member_level` parameter to specify either:

  • `includes`: a list of allowed members, or
  • `excludes`: a list of disallowed members

You can use `"*"` as a shorthand to include or exclude all members.

<Info>

When you define access policies for specific groups, access is automatically denied to all other groups. You don't need to create a default policy that denies access.

</Info>

In the following example, member-level access is configured for different groups:

<CodeGroup>
```yaml
views:
  - name: orders_view
    cubes:
      - join_path: orders
        includes:
          - status
          - created_at
          - count
          - count_7d
          - count_30d

    access_policy:
      # Managers can access all members except for `count`
      - group: manager
        member_level:
          excludes:
            - count

      # Observers can access all members except for `count` and `count_7d`
      - group: observer
        member_level:
          excludes:
            - count
            - count_7d

      # Guests can only access the `count_30d` measure
      - group: guest
        member_level:
          includes:
            - count_30d
```

```javascript
view(`orders_view`, {
  cubes: [
    {
      join_path: orders,
      includes: [
        `status`,
        `created_at`,
        `count`,
        `count_7d`,
        `count_30d`
      ]
    }
  ],

  access_policy: [
    {
      // Managers can access all members except for `count`
      group: `manager`,
      member_level: {
        excludes: [
          `count`
        ]
      }
    },
    {
      // Observers can access all members except for `count` and `count_7d`
      group: `observer`,
      member_level: {
        excludes: [
          `count`,
          `count_7d`
        ]
      }
    },
    {
      // Guests can only access the `count_30d` measure
      group: `guest`,
      member_level: {
        includes: [
          `count_30d`
        ]
      }
    }
  ]
})
```
</CodeGroup>

This configuration results in the following access:

| Group | Access |
| --- | --- |
| `manager` | All members except for `count` |
| `observer` | All members except for `count` and `count_7d` |
| `guest` | Only the `count_30d` measure |
| All other users | No access to this view at all |

Access policies also respect member-level security restrictions configured via `public` parameters. For more details, see the access policies reference.
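
The access table above can be reproduced offline to review a policy before it ships. The following is an added example, not Cube's own code: it models only the `includes`/`excludes`, `"*"` and default-deny rules stated on this page, and the function names, the flattened `members` list and the `analyst` group are assumptions made for illustration.

```javascript
// Added example, not Cube's implementation: models only the rules stated on this page.
// Constructed input mirroring the orders_view example.
const ordersView = {
  members: ["status", "created_at", "count", "count_7d", "count_30d"],
  access_policy: [
    { group: "manager", member_level: { excludes: ["count"] } },
    { group: "observer", member_level: { excludes: ["count", "count_7d"] } },
    { group: "guest", member_level: { includes: ["count_30d"] } },
  ],
};

// Members one group can query; [] when no policy names the group (default deny).
function effectiveMembers(view, group) {
  const policy = view.access_policy.find((p) => p.group === group);
  if (!policy) return [];
  // Assumption: a policy without member_level does not restrict members.
  const { includes, excludes = [] } = policy.member_level || {};
  const allowed =
    !includes || includes.includes("*")
      ? view.members
      : view.members.filter((m) => includes.includes(m));
  if (excludes.includes("*")) return [];
  return allowed.filter((m) => !excludes.includes(m));
}

// Names in includes/excludes that match no member of the view. In this model a
// misspelled excludes entry removes nothing, so the intended member stays allowed.
function unknownMembers(view) {
  const findings = [];
  for (const p of view.access_policy) {
    const { includes = [], excludes = [] } = p.member_level || {};
    for (const name of [...includes, ...excludes]) {
      if (name !== "*" && !view.members.includes(name)) {
        findings.push(`${p.group}: ${name}`);
      }
    }
  }
  return findings;
}

// Effective access per group, for review before deploying a policy change.
function accessTable(view, groups) {
  return Object.fromEntries(groups.map((g) => [g, effectiveMembers(view, g)]));
}

console.log(accessTable(ordersView, ["manager", "observer", "guest", "analyst"]));
console.log(unknownMembers(ordersView));
```

Running `unknownMembers` in CI against each view is a cheap way to catch an `excludes` entry that no longer matches a renamed member.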

<Info>

If you want to return masked values for restricted members instead of hiding them entirely, see data masking in access policies.

</Info>