cube-js · igorlukanin · Mar 7, 2025 · Mar 6, 2025 · Mar 7, 2025 · Mar 7, 2025
diff --git a/docs/pages/product/workspace/access-control.mdx b/docs/pages/product/workspace/access-control.mdx
@@ -1,12 +1,7 @@
----
-redirect_from:
-  - /cloud/access-control/
----
-
 # Access Control
 
-As an account administrator, you can define roles with specific permissions for
-resources and apply those roles to users within the account.
+As a Cube Cloud account administrator, you can define roles with specific permissions
+for Cube Cloud resources and apply those roles to users within the account.
 
 <SuccessBox>
 
@@ -15,25 +10,59 @@ Access control is available in Cube Cloud on
 
 </SuccessBox>
 
-## List all roles
+You can [manage accounts](#managing-accounts) as an account administrator,
+[manage roles](#managing-roles), [assign them](#assigning-roles-to-users) to users,
+and associate [supported actions](#actions) with those roles.
+
+## Managing accounts
+
+Account administrators have ultimate control over the Cube Cloud account, including
+[managing roles](#managing-roles) and assigning them to users.
+
+You can see which users are account administrators on the <Btn>Members</Btn> tab of the
+<Btn>Team & Security</Btn> page in your Cube Cloud. Account administrators have the
+<Btn>Admin</Btn> toggle enabled next to their name.
+
+## Managing roles
+
+In Cube Cloud, users are not assigned permissions directly. Instead, they are assigned
+_roles_ that are associated with _policies_. Each policy define what _actions_ they can
+perform and on what _resources_ they can perform those actions. This approach makes it
+easier to manage permissions at scale.
 
-To see a list of roles in your account, first go to the Team settings page by
-clicking on your avatar in the top right corner, then clicking on the "Team"
-button.
+Each role can be associated with one or more of the following policies:
 
-On the Team settings page, click the "Roles" tab to see all the roles in your
-account:
+| Policy | Description |
+| --- | --- |
+| `Global` | Controls account-level functionality, e.g., as Billing. |
+| `Deployment` | Controls deployment-level functionality, e.g., as Playground. |
+| `Report` | Controls access to specific reports in Saved Reports. |
+| `ReportFolder` | Controls access to specific folders in Saved Reports. |
+
+Each policy can apply to _all resources_ or _specific resources_. For example, a policy
+could apply to all deployments or only to a specific deployment.
+
+Also, each policy can have _all actions_ or only _specific actions_ associated with it.
+For example, a policy could allow a user to view, create, or delete one or more
+deployments if it's associated with those specific actions.
+
+See [actions reference](#actions) for a list of available actions.
+
+### Browsing roles
+
+To see a list of roles, go to the <Btn>Team & Security</Btn> page in your Cube Cloud
+account, then navigate to the <Btn>Roles</Btn> tab:
 
 <Screenshot
   alt="Cube Cloud Team Roles tab"
   src="https://ucarecdn.com/476cb30f-4939-41a8-a399-53d4f8a47dee/"
 />
 
-## Create a role
+### Creating a role
 
-To create a new role, click the "Add Role" button. Enter a name and optional
-description for the role, then click "Add Policy" and select either "Deployment"
-or "Global" for this policy's scope.
+To create a new role, click the <Btn>Add Role</Btn> button. Enter a name and an optional
+description for the role, then click <Btn>Add Policy</Btn> and select either <Btn>Deployment</Btn>
+or <Btn>Global</Btn> for this policy's scope.
 
 Deployment policies apply to deployment-level functionality, such as the
 Playground and Data Model editor. Global policies apply to account-level
@@ -63,3 +92,51 @@ Existing users' roles can be modified from the "Members" tab on the Team page:
   alt="Cube Cloud Team Roles tab"
   src="https://ucarecdn.com/a72cad30-487b-484a-b557-0f0e157c89b1/"
 />
+
+## Actions
+
+Policies can have the following actions associated with them.
+
+Actions for the `Global` policy:
+
+| Action | Description |
+| --- | --- |
+| `Alerts Access`<br/>`Alerts Create`<br/>`Alerts Edit`<br/>`Alerts Delete` | View, create, edit, and delete [budgets][ref-budgets]. |
+| `Billing Access` | Access the billing data of the Cube Cloud account. |
+| `Deployment Manage` | Create and delete deployments in the Cube Cloud account. |
+
+Actions for the `Deployment` policy:
+
+| Action | Description |
+| --- | --- |
+| `Deployment View`<br/>`Deployment Edit` | Access the deployment, change its settings. |
+| `Playground Access` | Use [Playground][ref-playground]. |
+| `Data Model View` | View the source code in the [data model][ref-data-model] editor, use [Visual Model][ref-visual-model]. |
+| `Data Model Edit (all branches)`<br/>`Data Model Edit (dev branches only)` | Use the [development mode][ref-dev-mode], edit the data model, perform Git operations (e.g., commit, pull, push). |
+| `Queries & Metrics Access` | Use [Query History][ref-query-history] and [Performance Insights][ref-perf-insights]. |
+| `SQL Runner Access` | Use [SQL Runner][ref-sql-runner]. |
+| `Data Assets Access` | Use [Semantic Catalog][ref-semantic-catalog] and [AI Assistant][ref-ai-assistant]. |
+
+Actions for the `Report` policy:
+
+| Action | Description |
+| --- | --- |
+| `Report Read`<br/>`Report Manage` | View and create/delete reports. |
+
+Actions for the `ReportFolder` policy:
+
+| Action | Description |
+| --- | --- |
+| `Report Read`<br/>`Report Manage` | View and create/delete report folders. |
+
+
+[ref-budgets]: /product/workspace/budgets
+[ref-playground]: /product/workspace/playground
+[ref-data-model]: /product/workspace/data-model
+[ref-visual-model]: /product/workspace/visual-model
+[ref-dev-mode]: /product/workspace/dev-mode
+[ref-query-history]: /product/workspace/query-history
+[ref-perf-insights]: /product/workspace/performance
+[ref-sql-runner]: /product/workspace/sql-runner
+[ref-semantic-catalog]: /product/workspace/semantic-catalog
+[ref-ai-assistant]: /product/workspace/ai-assistant