Granular access control has always been a core pillar of Cube's universal semantic layer. A few months ago, we launched the private preview of the data access policies feature. Since then, we've iterated on the feedback from Cube Cloud customers and ensured that this feature meets the needs of both enterprise customers and open-source users.

Today, we're announcing the general availability of data access policies in Cube Core and Cube Cloud. On top of that, we're announcing the all-new LDAP integration in Cube Cloud, which allows you to load user roles and permissions from your LDAP server and use them in your data access policies. Finally, we're also announcing the Cube Cloud authentication integration, which enhances Cube's authentication mechanisms with Cube Cloud-only features such as the LDAP integration.

Data access policies

Since its inception, Cube has provided a way to manage member-level and row-level security of the data. Now, with data access policies, you can define all access control rules in data model files, allowing for an organized and maintainable approach to security.

As an example, here's a policy that provides unrestricted access to users with the leadership role and exposes a subset of members to EMEA-based users with the manager role, ensuring that they can only access orders of users from their own country:

views:
  - name: orders
    # ...
    access_policy:
      - role: leadership
        member_level:
          includes: "*"
        row_level:
          allow_all: true
      - role: manager
        conditions:
          - if: "{ securityContext.is_EMEA_based }"
        member_level:
          includes:
            - created_at
            - status
            - count
        row_level:
          filters:
            - member: country
              operator: equals
              values: [ "{ securityContext.country }" ]

Here's a quick demo of how data access policies, Cube Cloud authentication integration, and the LDAP integration work in Cube Cloud:

You can also use the new Access Policies section in Cube Cloud to analyze data access policies defined in your data models:

Data access policies are available both in Cube Core, starting from v1.2.0, and Cube Cloud. We recommend upgrading to the latest version to try them out.

You can learn more about data access policies in the documentation.

Cube Cloud authentication integration

This feature tightly integrates Cube's authentication mechanisms with features that are only possible or available in Cube Cloud.

For example, with Cube Cloud authentication integration, you can authenticate connections to Cube's SQL API against the list of users in your Cube Cloud account. You can see this in action at this step in the demo video above. As yet another example, you can let Cube Cloud load user roles and permissions from your LDAP server and use them in the data access policies defined in Cube's data model files.

In both cases, Cube Cloud authentication integration will read and/or populate the security context of your request with the user's attributes. This way, you can use that information from the security context in your data access policies:

{
  "cubeCloud": {
    "roles": [
      "leadership",
      "Developer"
    ],
    "username": "igor@cube.dev"
  }
}

You can enable Cube Cloud authentication integration in the settings of your Cube Cloud deployments. Also, you can learn more about this feature in the documentation.

LDAP integration

LDAP integration in Cube Cloud allows you to load user roles and permissions from your LDAP server and use them in your data access policies. This feature is particularly useful for enterprise customers who already have an LDAP server, such as Microsoft Entra ID or Secure LDAP service in Google Workspace.

When the LDAP integration is configured, Cube Cloud will automatically load user attributes from the LDAP server and populate the security context of your request with them. Then, this information can be further used in your data access policies:

{
  "cubeCloud": {
    "meta": {
      "ldap": {
        "enabled": true
      }
    },
    "roles": [
      "leadership",
      "Developer"
    ],
    "userAttributes": {
      "email": "igor@cube.dev",
      "fullName": "Igor Lukanin"
    },
    "username": "igor@cube.dev"
  }
}

You can see how it works at this step in the demo video above.

You can enable LDAP integration in the Team & Security settings of your Cube Cloud account. Learn more about its configuration in the documentation.
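
A review check for the `orders` policy and the LDAP-populated security context shown above, added here as an example (it is not Cube's code and does not reproduce Cube's policy engine): it lists roles granted unrestricted access and every `securityContext` attribute a policy references that the sample context does not supply. The Python transcription of the YAML and the function names are assumptions made for this example.

```python
import re

# Constructed input: the page's `orders` policy transcribed from YAML.
ORDERS_POLICY = [
    {"role": "leadership",
     "member_level": {"includes": "*"},
     "row_level": {"allow_all": True}},
    {"role": "manager",
     "conditions": [{"if": "{ securityContext.is_EMEA_based }"}],
     "member_level": {"includes": ["created_at", "status", "count"]},
     "row_level": {"filters": [{"member": "country", "operator": "equals",
                                "values": ["{ securityContext.country }"]}]}},
]
# Constructed input: the LDAP-populated security context shown on the page.
SAMPLE_CONTEXT = {"cubeCloud": {
    "meta": {"ldap": {"enabled": True}},
    "roles": ["leadership", "Developer"],
    "userAttributes": {"email": "igor@cube.dev", "fullName": "Igor Lukanin"},
    "username": "igor@cube.dev"}}

CTX_REF = re.compile(r"securityContext\.([A-Za-z_]\w*(?:\.\w+)*)")

def context_refs(node):
    """Collect every securityContext path referenced anywhere in a policy entry."""
    if isinstance(node, str):
        return set(CTX_REF.findall(node))
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return set().union(*(context_refs(n) for n in node))
    return set()

def has_path(ctx, dotted):
    """True if the dotted path resolves to a non-None value in the context."""
    for key in dotted.split("."):
        if not isinstance(ctx, dict) or key not in ctx:
            return False
        ctx = ctx[key]
    return ctx is not None

def review(policy, sample_context):
    """Return (role, finding) pairs for a human reviewer to look at."""
    findings = []
    for entry in policy:
        ml, rl = entry.get("member_level", {}), entry.get("row_level", {})
        if ml.get("includes") == "*" and rl.get("allow_all") is True:
            findings.append((entry["role"], "unrestricted: all members, all rows"))
        for ref in sorted(context_refs(entry)):
            if not has_path(sample_context, ref):
                findings.append((entry["role"], f"securityContext.{ref} not in sample context"))
    return findings
```

Run against the two samples from this page, `review(ORDERS_POLICY, SAMPLE_CONTEXT)` reports the `leadership` grant as unrestricted and shows that neither `is_EMEA_based` nor `country` is present in that context, so those attributes have to come from elsewhere in your authentication setup.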

What's next?

We believe that this set of features will streamline managing access control in Cube and make Cube Cloud a natural choice for enterprise customers who need to manage access control to data at scale.

We're excited to see how you will use these features in your projects and are looking forward to your feedback. Please share it with the customer experience team in Cube Cloud via the in-product chat or reach out via the community Slack.

Still not a Cube Cloud user? Contact us or sign up for free today.