Appearance
Model access control
You can restrict which users can see and query a data model by adding an access block to the model's YAML configuration. Models without an access block are visible to everyone in the account.
Basic usage
Restrict by user properties
Use user_properties to require that users have specific properties assigned to them. All specified properties must match (AND logic). When a specific property has an array of values, the user must match at least one.
yaml
models:
salaries:
name: Salaries
table: hr.salaries
access:
user_properties:
department: hr
data_level: sensitive
properties:
employee_id:
name: Employee ID
type: String
salary:
name: Salary
type: NumberThe user must have department=hr and data_level=sensitive to see this model.
Restrict by email
Use user_email to allow only specific users by their email address.
yaml
models:
exec_dashboard:
name: Executive Dashboard
table: reporting.exec_summary
access:
user_email:
- alice@example.com
- bob@example.com
properties:
revenue:
name: Revenue
type: NumberArray values for OR matching
When a user property can have multiple acceptable values, use an array. The user's property must match any one of the listed values.
yaml
access:
user_properties:
region:
- eu
- usThis grants access to users with region=eu or region=us.
Combining conditions with AND
When you specify multiple conditions at the root level of access, the user must satisfy all of them.
yaml
access:
user_properties:
department: hr
user_email:
- alice@example.comThe user must have department=hr and their email must be alice@example.com.
Creating exceptions with any
Use the any block when you want to grant access if the user matches at least one of the conditions. This is useful for creating exceptions — for example, allowing a specific user to access a model without assigning them all the required properties.
yaml
models:
salaries:
name: Salaries
table: hr.salaries
access:
any:
user_properties:
department: hr
user_email:
- special-snowflake@example.com
properties:
employee_id:
name: Employee ID
type: StringThe user has department=hr or is special-snowflake@example.com.
Combining AND and OR
Root-level conditions and any can be combined. Root-level conditions are AND-ed together, any conditions are OR-ed, and the two groups are AND-ed with each other: (root conditions) AND (any conditions).
yaml
models:
sensitive_salaries:
name: Sensitive Salaries
table: hr.salaries_sensitive
access:
user_properties:
data_level: sensitive
any:
user_properties:
department: hr
user_email:
- special-snowflake@example.com
properties:
employee_id:
name: Employee ID
type: StringThe user must have data_level=sensitive and either department=hr or be special-snowflake@example.com.
Derived models
Derived models inherit the access block from their base model by default. You can override this by defining access on the derived model — this replaces the base model's access entirely (it does not merge).
yaml
models:
salaries:
name: Salaries
table: hr.salaries
access:
user_properties:
department: hr
properties:
employee_id:
name: Employee ID
type: String
salaries_public:
name: Salaries (Public)
base_model: salaries
access: {}An empty access: {} makes the derived model visible to everyone, regardless of the base model's restrictions.
What happens when a model is hidden
When a user does not satisfy a model's access conditions:
- The model does not appear in model listings or the explore UI
- Queries referencing the model as
baseModelIdfail with insufficient privileges error - Relations pointing to the hidden model are not available
- Metrics based on the hidden model are not visible
- Derived models that inherit the base model's access are also hidden