cube-js
diff --git a/‎packages/cubejs-backend-native/test/example-group-config.js‎
Lines changed: 48 additions & 0 deletions b/‎packages/cubejs-backend-native/test/example-group-config.js‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎packages/cubejs-backend-native/test/example-group-policy.js‎
Lines changed: 125 additions & 0 deletions b/‎packages/cubejs-backend-native/test/example-group-policy.js‎
Lines changed: 125 additions & 0 deletions
diff --git a/‎packages/cubejs-backend-native/test/example-mixed-policies.js‎
Lines changed: 121 additions & 0 deletions b/‎packages/cubejs-backend-native/test/example-mixed-policies.js‎
Lines changed: 121 additions & 0 deletions
@@ -0,0 +1,48 @@
+// Example configuration using group-based access control
+module.exports = {
+  // Use contextToGroups for group-based access control
+  // Note: Cannot be used together with contextToRoles
+  contextToGroups: async (context) => context.securityContext.auth?.groups || [],
+  
+  canSwitchSqlUser: async () => true,
+  
+  checkSqlAuth: async (req, user, password) => {
+    if (user === 'analyst') {
+      return {
+        password,
+        superuser: false,
+        securityContext: {
+          auth: {
+            username: 'analyst',
+            groups: ['analytics', 'reporting'],
+          },
+        },
+      };
+    }
+    if (user === 'manager') {
+      return {
+        password,
+        superuser: false,
+        securityContext: {
+          auth: {
+            username: 'manager',
+            groups: ['management', 'hr'],
+          },
+        },
+      };
+    }
+    if (user === 'finance') {
+      return {
+        password,
+        superuser: false,
+        securityContext: {
+          auth: {
+            username: 'finance',
+            groups: ['finance', 'accounting'],
+          },
+        },
+      };
+    }
+    throw new Error(`User "${user}" doesn't exist`);
+  }
+};
@@ -0,0 +1,125 @@
+// Example cube showing group-based access policies
+cube('Example', {
+  sql_table: 'public.example',
+
+  data_source: 'default',
+
+  dimensions: {
+    id: {
+      sql: 'id',
+      type: 'number',
+      primary_key: true,
+    },
+    name: {
+      sql: 'name',
+      type: 'string',
+    },
+    department: {
+      sql: 'department',
+      type: 'string',
+    },
+  },
+
+  measures: {
+    count: {
+      type: 'count',
+    },
+  },
+
+  access_policy: [
+    // Role-based policy (existing functionality)
+    {
+      role: 'admin',
+      memberLevel: {
+        includes: ['*'],
+      },
+      rowLevel: {
+        allowAll: true,
+      },
+    },
+
+    // Group-based policy (new functionality) - single group
+    {
+      group: 'analytics',
+      memberLevel: {
+        includes: ['id', 'name', 'count'],
+      },
+      rowLevel: {
+        filters: [
+          {
+            member: 'department',
+            operator: 'equals',
+            values: ['Analytics'],
+          },
+        ],
+      },
+    },
+
+    // Groups-based policy (plural - preferred for multiple groups)
+    {
+      groups: ['finance', 'accounting'],
+      memberLevel: {
+        includes: ['id', 'name', 'department', 'count'],
+      },
+      rowLevel: {
+        filters: [
+          {
+            member: 'department',
+            operator: 'in',
+            values: ['Finance', 'Accounting'],
+          },
+        ],
+      },
+    },
+
+    // Manager role policy (separate from group-based policies)
+    {
+      role: 'manager',
+      memberLevel: {
+        includes: ['*'],
+      },
+      rowLevel: {
+        filters: [
+          {
+            member: 'department',
+            operator: 'equals',
+            values: ['Management'],
+          },
+        ],
+      },
+    },
+
+    // HR groups policy (using 'groups' with single value)
+    {
+      groups: 'hr',
+      memberLevel: {
+        includes: ['id', 'name', 'department', 'count'],
+      },
+      rowLevel: {
+        filters: [
+          {
+            member: 'department',
+            operator: 'equals',
+            values: ['HR'],
+          },
+        ],
+      },
+    },
+
+    // Default policy for users with no specific role/group
+    {
+      memberLevel: {
+        includes: ['count'],
+      },
+      rowLevel: {
+        filters: [
+          {
+            member: 'department',
+            operator: 'equals',
+            values: ['Public'],
+          },
+        ],
+      },
+    },
+  ],
+});
@@ -0,0 +1,121 @@
+// Example cube showing mixed role-based and group-based access policies
+// This demonstrates that contextToRoles and contextToGroups can coexist
+// but individual policies must use either role OR group, not both
+cube('MixedAccess', {
+  sql_table: 'public.mixed_access',
+  
+  data_source: 'default',
+
+  dimensions: {
+    id: {
+      sql: 'id',
+      type: 'number',
+      primary_key: true,
+    },
+    name: {
+      sql: 'name',
+      type: 'string',
+    },
+    department: {
+      sql: 'department',
+      type: 'string',
+    },
+    region: {
+      sql: 'region',
+      type: 'string',
+    },
+  },
+
+  measures: {
+    count: {
+      type: 'count',
+    },
+  },
+
+  access_policy: [
+    // ✅ Role-based policy
+    {
+      role: 'admin',
+      memberLevel: {
+        includes: ['*'],
+      },
+      rowLevel: {
+        allowAll: true,
+      },
+    },
+    
+    // ✅ Another role-based policy
+    {
+      role: 'manager',
+      memberLevel: {
+        includes: ['*'],
+      },
+      rowLevel: {
+        filters: [
+          {
+            member: 'region',
+            operator: 'equals',
+            values: () => COMPILE_CONTEXT.securityContext.region,
+          },
+        ],
+      },
+    },
+
+    // ✅ Group-based policy (single group)
+    {
+      group: 'analytics',
+      memberLevel: {
+        includes: ['id', 'name', 'count'],
+      },
+      rowLevel: {
+        filters: [
+          {
+            member: 'department',
+            operator: 'equals',
+            values: ['Analytics'],
+          },
+        ],
+      },
+    },
+
+    // ✅ Group-based policy (multiple groups)
+    {
+      groups: ['finance', 'accounting'],
+      memberLevel: {
+        includes: ['id', 'name', 'department', 'count'],
+      },
+      rowLevel: {
+        filters: [
+          {
+            member: 'department',
+            operator: 'in',
+            values: ['Finance', 'Accounting'],
+          },
+        ],
+      },
+    },
+
+    // ❌ This would be invalid (mixing role and group in same policy):
+    // {
+    //   role: 'manager',
+    //   group: 'hr',
+    //   memberLevel: { includes: ['*'] }
+    // }
+
+    // Default policy for users without specific roles/groups
+    {
+      memberLevel: {
+        includes: ['count'],
+      },
+      rowLevel: {
+        filters: [
+          {
+            member: 'department',
+            operator: 'equals',
+            values: ['Public'],
+          },
+        ],
+      },
+    },
+  ],
+});