docs: Data access policies + LDAP integration

docs/pages/guides/recipes/multitenancy/custom-data-model-per-tenant.mdx

@@ -67,10 +67,10 @@ module.exports = {
 
 ## Data modeling
 
-### Customizing publicity
+### Customizing member-level access
 
-The simplest way to customize the data models is by changing the [publicity][ref-publicity]
-of data model entities. It works great for use cases when tenants share parts of
+The simplest way to customize the data models is by changing the [member-level access][ref-mls]
+to data model entities. It works great for use cases when tenants share parts of
 their data models.
 
 By setting the `public` parameter of [cubes][ref-cubes-public], [views][ref-views-public],
@@ -168,7 +168,7 @@ cube(`cube_x`, {
 
 </CodeTabs>
 
-For your convenience, [Playground][ref-playground] ignores publicity configration
+For your convenience, [Playground][ref-playground] ignores member-level access configration
 and marks data model entities that are not accessible for querying through
 [APIs][ref-apis] with the lock icon.
 
@@ -182,8 +182,8 @@ And here's the *perspective* of `Bob`:
 
 ### Customizing other parameters
 
-Similarly to [customizing publicity](#customizing-publicity), you can set other
-parameters of data model entities for each tenant individually:
+Similarly to [customizing member-level access](#customizing-member-level-access),
+you can set other parameters of data model entities for each tenant individually:
 
 - By setting `sql` or [`sql_table` parameters][ref-cube-sql-table] of cubes, you
 can ensure that each tenant accesses data from its own tables or database schemas.
@@ -364,7 +364,7 @@ code that fetches data model files for each tenant.
 [ref-scheduled-refresh-contexts]: /reference/configuration/config#scheduled_refresh_contexts
 [ref-context-to-app-id]: /reference/configuration/config#context_to_app_id
 [ref-config-files]: /product/configuration#cubepy-and-cubejs-files
-[ref-publicity]: /product/data-modeling/concepts/publicity
+[ref-mls]: /product/auth/member-level-security
 [ref-cubes-public]: /reference/data-model/cube#public
 [ref-views-public]: /reference/data-model/view#public
 [ref-measures-public]: /reference/data-model/measures#public

docs/pages/product/_meta.js

@@ -3,8 +3,8 @@ module.exports = {
   "getting-started": "Getting started",
   "configuration": "Configuration",
   "data-modeling": "Data modeling",
+  "auth": "Access control",
   "caching": "Caching",
-  "auth": "Authentication & authorization",
   "apis-integrations": "APIs & integrations",
   "workspace": "Workspace",
   "deployment": "Deployment",

docs/pages/product/auth.mdx

@@ -1,9 +1,4 @@
----
-redirect_from:
-  - /security
----
-
-# Overview
+# Access control
 
 In Cube, authorization (or access control) is based on the **security context**.
 The diagram below shows how it works during the request processing in Cube:

docs/pages/product/auth/_meta.js

@@ -1,3 +1,6 @@
 module.exports = {
-  "context": "Security context"
+  "context": "Security context",
+  "member-level-security": "Member-level security",
+  "row-level-security": "Row-level security",
+  "data-access-policies": "Data access policies"
 }

docs/pages/product/auth/data-access-policies.mdx

@@ -0,0 +1,51 @@
+# Data access policies
+
+TODO
+
+## Data access roles
+
+TODO
+
+## Member-level access
+
+TODO
+
+
+```
+Привет! Можешь проверить, что я правильно мыслю? Снова access policies.
+
+Вот есть такие политики. Для пользователя с ролью status_checker_2_3_4 она ожидаемо делает доступным куб и все его мемберы.
+    access_policy:
+      - role: "*"
+        member_level:
+          includes: []
+
+      - role: status_checker_2_3_4
+        member_level:
+          includes: '*'
+
+А вот такие политики (поменял includes на excludes) для пользователя с ролью status_checker_2_3_4 
+    access_policy:
+      - role: "*"
+        member_level:
+          excludes: '*'
+
+      - role: status_checker_2_3_4
+        member_level:
+          includes: '*'
+```
+
+
+
+написать, что public takes preference
+
+
+написать, что вьюшки не наследуют mls от кубов
+
+When evaluating Cube and View level policies:
+- member level policy at the view always wins (you can expose a hidden
+  member of a Cube on a View)
+
+## Row-level access
+
+TODO

docs/pages/product/data-modeling/concepts/publicity.mdx → docs/pages/product/auth/member-level-security.mdx

@@ -1,4 +1,4 @@
-# Publicity of data model entities
+# Member-level security
 
 The data model serves as a facade of your data and enables running
 [queries][ref-queries] via a [rich set of APIs][ref-apis] by referencing data
@@ -10,7 +10,7 @@ By default, all cubes, views, measures, dimensions, and segments are *public*,
 meaning that they can be used in API queries and they are visible during data
 model introspection.
 
-## Managing publicity
+## Managing member-level access
 
 You can explicitly make a data model entity public or private by setting its
 `public` parameter to `true` or `false`. This parameter is available for

docs/pages/product/auth/row-level-security.mdx

@@ -0,0 +1,3 @@
+# Row-level security
+
+TODO

docs/pages/product/configuration.mdx

@@ -152,8 +152,7 @@ Cube can be run in an insecure, development mode by setting the
 mode does the following:
 
 - Disables authentication checks.
-- Disables access control checks based on the [publicity][ref-data-model-publicity]
-of data model entities.
+- Disables [member-level access control][ref-mls].
 - Enables Cube Store in single instance mode.
 - Enables background refresh for in-memory cache and [scheduled
   pre-aggregations][link-scheduled-refresh].
@@ -177,6 +176,6 @@ of data model entities.
 [ref-dynamic-data-models]: /product/data-modeling/dynamic
 [ref-custom-docker-image]: /product/deployment/core#extend-the-docker-image
 [link-docker-env-vars]: https://docs.docker.com/compose/environment-variables/set-environment-variables/
-[ref-data-model-publicity]: /product/data-modeling/concepts/publicity
+[ref-mls]: /product/auth/member-level-security
 [link-current-python-version]: https://github.com/cube-js/cube/blob/master/packages/cubejs-docker/latest.Dockerfile#L13
 [link-current-nodejs-version]: https://github.com/cube-js/cube/blob/master/packages/cubejs-docker/latest.Dockerfile#L1