Granting Runtime Permission on Cubes to Groups of Externally-Authenticated Users

You can grant runtime permissions on published cubes to AtScale groups that are mapped to directory groups, so that you can grant these permissions to multiple users at a time.

About this task

When you are managing users by means of an external directory service, such as an LDAP server, Google Directory, or Microsoft Active Directory, the users are assigned to groups in that directory service. By granting runtime permissions directly to AtScale groups that are mapped to directory groups, you can prevent a large amount of administrative overhead costs that would accrue from managing access for individual users.

The runtime permissions allow users in the groups to query published versions of a cube and to create tables from SELECT statements on published versions of a cube. The tables are created in your data warehouse.

  • If you are using Google BigQuery, the tables are created directly in BigQuery.
  • If you are using a Hadoop cluster, the tables are created in the Hive metastore.

Before you begin

  1. Ensure that your user ID is an administrator for your AtScale organization or is a super user.

  2. Connect to an external directory service.

  3. Create the AtScale groups that you need.

  4. Map directory groups to AtScale groups.

    1. Choose Security from the main navigation, then click Group Mappings.
    2. In the section Directory Group to Group Mappings, add the mappings that you need.


  1. In the main navigation bar, click Projects.

  2. Click the project you want to modify, then click the cube you want to edit permissions for.

  3. On the cube page, select Security > Runtime Permissions. The Cube Runtime Permissions dialog box opens.

  4. Enable the Restrict Access toggle.

  5. Optionally, enable the Enforce Restricted Access to Simple & Calculated Measures toggle.

  6. In the Groups list, expand the groups you want to set permissions for, and enable/disable the following permissions as needed.

    Runtime PermissionDescription
    Create Table as Select (CTAS)Users can issue SELECT statements against the cube and write the results back to the data warehouse as a new table.
    QueryUsers can issue SELECT statements against the cube.
    Access All MeasuresOnly available when Enforce Restricted Access to Simple & Calculated Measures is enabled. When selected, users can access all measures in the cube.

    Alternatively, you can configure access to specific measures by selecting the checkboxes next to the folders and individual measures in the list. You can also use the text box to filter for specific measures, then click the Check All Displayed button to enable access to just the matching measures.

    Note: This functionality is not availale for secondary metrical attributes.
  7. Click Save.