Roles & Permissions
Understanding user roles and access control in Cube.
Cube implements a role-based access control system with three main user roles: Admin, Developer, and User. Each role has specific permissions and access levels designed to support different responsibilities within the platform.
Deployment Structure
- Database connections are managed through Semantic Model Deployments
- Multiple Semantic Model Deployments can exist under one account
- Roles can be either global (across all deployments) or deployment-specific
- Admin role is always global
Role Permissions
Admin Role
- Has highest level of privileges
- Can manage semantic models
- Can manage other users
- Has access to admin section
- Full query capabilities
Developer Role
- Can create and edit semantic models
- Can execute SQL queries against data sources
- Can create and edit workbooks
- Can create and edit data apps
- No access to admin settings
User Role
- Can query semantic models
- Can create and edit workbooks
- Can create and edit data apps
- Can execute Semantic SQL queries
- Cannot make changes to semantic models
- Cannot query source data directly
Future Implementation
A Viewer role is planned for future implementation with the following capabilities:
- Use Analytics Chat with ability to query Semantic Views and existing reports
- View (read-only) access to shared data apps
Agent Permissions
Agents are connected to Semantic Model Deployments and inherit the permission level of the user they are operating under.
Each agent can be configured to use the Restrict Views feature which allows to select the views that are visible to the agent. This feature should not be used as a security measure. Configure data access policies instead.
Typical Usage Scenarios
- Users: Typically data consumers and analysts
- Developers: Usually data stewards and data engineers
- Admin: Typically assigned to data engineers managing the entire Cube instance