ContextQMD
Back to Cube

Custom roles

docs/content/product/administration/users-and-permissions/custom-roles.mdx

1.6.436.0 KB
Original Source

Custom roles

<InfoBox>

Custom roles are available on the Enterprise plan.

</InfoBox>

Cube comes with default roles that cover common use cases. However, if you need more customization, you can create custom roles with a fine-grained set of permissions tailored to your organization's specific needs.

Managing roles

In Cube Cloud, users are not assigned permissions directly. Instead, they are assigned roles that are associated with policies. Each policy define what actions they can perform and on what resources they can perform those actions. This approach makes it easier to manage permissions at scale.

Each role can be associated with one or more of the following policies:

PolicyDescription
GlobalControls account-level functionality, e.g., as Billing.
DeploymentControls deployment-level functionality, e.g., as Playground.
ReportControls access to specific reports in Saved Reports.
ReportFolderControls access to specific folders in Saved Reports.
AgentControls access to specific AI agents.
AgentSpaceControls access to specific AI agent spaces.
WorkbookControls access to specific workbooks.

Each policy can apply to all resources or specific resources. For example, a policy could apply to all deployments or only to a specific deployment.

Also, each policy can have all actions or only specific actions associated with it. For example, a policy could allow a user to view, create, or delete one or more deployments if it's associated with those specific actions.

See actions reference for a list of available actions.

Browsing roles

To see a list of custom roles, go to the Admin -> Custom Roles page in your Cube account:

<Screenshot alt="Cube Cloud Custom Roles" src="https://lgo0ecceic.ucarecd.net/60f2733e-4e70-4e83-944d-7611e4102c38/" />

Creating a role

To create a new role, click the <Btn>Add Role</Btn> button. Enter a name and an optional description for the role, then click <Btn>Add Policy</Btn> and select either <Btn>Deployment</Btn> or <Btn>Global</Btn> for this policy's scope.

Deployment policies apply to deployment-level functionality, such as the Playground and Data Model editor. Global policies apply to account-level functionality, such as Billing. Once the policy scope has been selected, you can restrict which actions this role can perform by selecting "Specific" and using the dropdown to select specific actions.

<Screenshot alt="Cube Cloud Custom Roles" src="https://lgo0ecceic.ucarecd.net/94f9a6b0-b77e-415f-b096-60426369b2c6/" />

When you are finished, click <Btn>Create</Btn> to create the role.

Assigning roles to users

To assign custom roles to users:

  1. Navigate to <Btn>Admin → Users</Btn>
  2. Choose one of the following methods:
    • From the users table: Use the dropdown in the users table
    • From individual user page: Click on a user and assign roles from their profile page
  3. You can assign multiple custom roles to a single user

Actions

Policies can have the following actions associated with them.

Global

ActionDescription
Alerts Access
Alerts Create
Alerts Edit
Alerts DeleteView, create, edit, and delete budgets.
Billing AccessAccess the billing data of the Cube Cloud account.
Deployment ManageCreate and delete deployments in the Cube Cloud account.
Agent AdminAdminister AI agents across the account.
AI BI DeveloperDeveloper-level access to AI BI features with full AI token usage.
AI BI UserUser-level access to AI BI features with standard AI token usage.
AI BI ViewerViewer-level access to AI BI features with limited AI token usage.

Deployment

ActionDescription
Deployment View
Deployment EditAccess the deployment, change its settings.
Playground AccessUse Playground.
Data Model ViewView the source code in the data model editor, use Visual Modeler.
Data Model Edit (all branches)
Data Model Edit (dev branches only)Use the development mode, edit the data model, perform Git operations (e.g., commit, pull, push).
Queries & Metrics AccessUse Query History and Performance Insights.
SQL Runner AccessUse SQL Runner.
Data Assets AccessUse Semantic Catalog.

Report

ActionDescription
Report Read
Report ManageView and create/delete reports.

ReportFolder

ActionDescription
Report Read
Report ManageView and create/delete report folders.

Agent

ActionDescription
Agent Access
Agent ManageView and manage AI agents.

AgentSpace

ActionDescription
Agent Space ManageManage AI agent spaces.

Workbook

ActionDescription
Workbook Read
Workbook Manage
Workbook EditView, manage, and edit workbooks.