Row-level security
The data model serves as a facade for your data. With row-level security, you can define whether some data model facts are exposed to end users and can be queried via APIs & integrations.
Row-level security in Cube is similar to row-level security in SQL databases. Defining whether users have access to specific facts from cubes and views is similar to defining access to rows in database tables.
By default, all rows are public, meaning that no filtering is applied to data model facts when they are accessed by any user.
Managing row-level access
You can use data access policies to manage both member-level and row-level security based on user attributes or groups.
Here's an example of how to filter rows by a user attribute using data access policies:
cubes:
  - name: orders
    # ...
    access_policy:
      - role: manager
        row_level:
          filters:
            - member: country
              operator: equals
              values: [ "{ userAttributes.country }" ]
Advanced scenarios
For more complex scenarios, you can use query_rewrite for programmatic query filtering or adjust the sql parameter in dynamic data models.
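A sketch of the programmatic filtering mentioned above, as an added example that is not taken from the Cube documentation: a function in the shape of a query_rewrite hook that enforces the same country restriction and refuses the query when the attribute is missing, since rows are public by default. The `securityContext` key layout, the `country` attribute name, and the assumption that every query targets the `orders` cube are hypothetical.

```python
import copy

# Assumption: the caller's country is stored under this key of the security context.
CONTEXT_KEY = "country"
# Cube `orders`, member `country`, as in the access policy example.
FILTER_MEMBER = "orders.country"


def query_rewrite(query: dict, ctx: dict) -> dict:
    """Return a copy of `query` restricted to the caller's country.

    Assumption: in a Cube deployment this function would be registered as the
    query_rewrite hook in the Python configuration file; here it is a plain
    function so that it runs stand-alone.
    """
    security_context = ctx.get("securityContext") or {}
    country = security_context.get(CONTEXT_KEY)

    # Fail closed: with no usable attribute the only safe answer is no query.
    # Returning the query untouched would expose every row.
    if not isinstance(country, str) or not country.strip():
        raise PermissionError("no country in security context; refusing query")

    rewritten = copy.deepcopy(query)  # never mutate the caller's object
    filters = list(rewritten.get("filters") or [])
    # Append instead of replacing: top-level filters are ANDed, so a filter
    # the client sends on the same member can only narrow the result.
    filters.append({
        "member": FILTER_MEMBER,
        "operator": "equals",
        "values": [country],
    })
    rewritten["filters"] = filters
    return rewritten


# Constructed sample query, not captured from a real deployment.
SAMPLE_QUERY = {
    "measures": ["orders.count"],
    "filters": [
        {"member": "orders.status", "operator": "equals", "values": ["shipped"]},
    ],
}

if __name__ == "__main__":
    print(query_rewrite(SAMPLE_QUERY, {"securityContext": {"country": "US"}}))
```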