Administration

8.1 Overview

The Administration section covers the tools and features available to CUBE_ADMIN users for managing security, compliance, audit logging, EPM migration, and AI-powered assistance.

8.2 Access Control (Row-Level Security)

Row-level security restricts which dimension members a user can see in query results. When enabled for a hierarchy, only members explicitly granted to the user are visible.

How Row-Level Security Works

1. An administrator creates security rules that map users to specific members within a dimension.
2. When a cube query is executed, the application checks the current user against the security rules.
3. Results are filtered to include only members the user is authorized to see.
4. Users without any security rules for a given dimension have unrestricted access to all members in that dimension.

Managing Security Rules

Navigate to Admin → Access Control to manage security rules.

Adding a Rule

1. Select the cube from the dropdown
2. Expand Add Security Rule
3. Select the Hierarchy (dimension)
4. Search for and select a Member, or type the member name directly
5. Enter the User Name (the Snowflake username)
6. Check Active to enable the rule immediately
7. Click Add Rule

Editing Rules

The security rules table supports inline editing:

• Edit any field directly in the table
• Add new rows using the table’s add row feature
• Delete rows by selecting and removing them
• Click Save Changes to commit all edits

Security Rule Properties

Property	Description
Cube Name	Which cube the rule applies to.
Hierarchy	Which dimension the rule restricts.
Member Name	The specific member the user is granted access to. Access includes the member and all its descendants.
User Name	The Snowflake username the rule applies to.
Active	Whether the rule is currently enforced. Deactivate to temporarily disable without deleting.

Important Notes

• A user must have at least one active rule for a secured dimension to see any data in that dimension.
• Multiple rules can be created for the same user/dimension combination to grant access to multiple members.
• Security is enforced at query time using the CURRENT_USER() function, which requires the READ SESSION privilege.
• Security rules are per-cube. A user may have different access across different cubes.

8.3 Audit Log

The Audit Log provides a complete record of all operations performed in Casabase Cube. It is accessible from the Audit Log page in the sidebar.

Who Can See What

Role	Access
CUBE_ADMIN	Full audit log: all events from all users.
CUBE_PUBLIC / CUBE_WRITER	Own activity only: filtered to the current user’s events.

Audit Log Dashboard

The Audit Log page displays:

• Summary metrics: Total events, events in the last 24 hours, unique users, error count
• Filterable event list: Filter by cube, event type, user, status, date range, and free-text search
• Event details: Click any row to view full details including the POV, parameters, and execution context
• Export: Download filtered results as CSV

Filters

Filter	Options
Cube	Filter to a specific cube or view all.
Event Type	DATA_QUERY, HIERARCHY_CREATE, HIERARCHY_REBUILD, CUBE_CLONE, APP_INSTALL, APP_UPGRADE, CLASSIFICATION_CHANGE, LOG_PURGE, TABLE_DROP, and more.
User	Filter to a specific user (admin only).
Status	All, SUCCESS, ERROR, or PARTIAL.
Date Range	Last 24 hours, 7 days, 30 days, or 90 days.
Search	Free-text search across user name, event type, action, object name, and error messages.

Exporting Audit Records

For compliance and external review, export audit records via the Admin → Compliance → Audit Export tab:

1. Set the Start Date and End Date
2. Optionally filter by Event Type
3. Set the Max Records limit
4. Click Export Audit Log
5. Review the results and click Download CSV

Via SQL:

CALL CASABASE_CUBE.CUBE.EXPORT_AUDIT_LOG(
    '2025-01-01'::TIMESTAMP_LTZ,     -- Start date
    '2025-03-31'::TIMESTAMP_LTZ,     -- End date
    'DATA_QUERY',                     -- Event type filter (NULL for all)
    'MY_CUBE',                        -- Cube filter (NULL for all)
    10000                             -- Max records
);

Retention & Purging

Audit log records can be purged based on a retention period. This is managed from the Audit Log page or the Admin → Compliance tab.

Preview what will be purged (dry run):

CALL CASABASE_CUBE.CUBE.PURGE_AUDIT_LOG(90, FALSE);

Execute the purge:

CALL CASABASE_CUBE.CUBE.PURGE_AUDIT_LOG(90, TRUE);

The default retention period is 90 days. The minimum is 7 days and the maximum is 365 days.

8.4 Compliance

The Compliance section (under Admin → Compliance) provides tools for governance and regulatory review.

Privacy Report

Generate a privacy report that summarizes:

• Total cubes and their data classification levels
• Which cubes have row-level security enabled
• Data handling practices
• Recommendations for improving security posture

Click Generate Privacy Report to produce the report on demand.

Data Inventory

View a complete inventory of all data objects referenced by Casabase Cube, including source tables, dimension tables, and their accessibility status.

Click Load Data Inventory to generate the inventory.

Access Review

Review all active security grants and user activity:

• Row-Level Security Grants: A downloadable table of all security rules across all cubes.
• User Activity (30 days): Summary of each user’s total actions, query count, error count, and last activity timestamp.

8.5 Cube Variables

Cube variables are substitution values that can be referenced in POV strings using [CUBE_VAR=name] syntax. They allow queries and saved queries to be dynamic. For example, you can reference “current year” without hardcoding a specific year.

Managing Variables

Variables are managed from the Cube Config page under the cube’s settings.

Property	Description
Variable Name	The name used in POV references (e.g., current_year).
Value	The member name the variable resolves to (e.g., FY25).

Usage in Queries

CALL CASABASE_CUBE.CUBE.QUERY_CUBE(
    'FIN_PLAN',
    'FINANCE_DB.PLANNING.FACT_PLAN',
    'AMT',
    '{
        "ACCOUNT": [{"children": "Total P&L"}],
        "PERIOD": ["[CUBE_VAR=current_period]"],
        "ENTITY": ["Corporate"],
        "SCENARIO": ["[CUBE_VAR=current_scenario]"],
        "VERSION": ["Final"]
    }',
    NULL
);

When the query executes, [CUBE_VAR=current_period] is replaced with the variable’s current value. To change the target period, update the variable. All queries referencing it automatically use the new value.

8.6 Data Classification

Each cube can be assigned a data classification level to indicate the sensitivity of the data it accesses:

Classification	Description
PUBLIC	Data that is generally available and not sensitive.
INTERNAL	Data intended for internal use only.
CONFIDENTIAL	Sensitive data requiring restricted access.
RESTRICTED	Highly sensitive data with strict access controls.

Classification is set on the Cube Config page under Cube Settings. It is used in the Privacy Report and as a governance label. It does not automatically enforce access restrictions beyond what row-level security and application roles already provide.

8.7 Importing from Oracle Essbase & Cloud EPM

Casabase Cube can import cube metadata from Oracle Essbase and Cloud EPM, enabling migration from legacy EPM platforms. The import tools are available under Admin → Import from Oracle.

Essbase Outline Import (XML)

Import dimension hierarchies from an Essbase outline export file:

1. Export the outline from Essbase as XML
2. Upload the XML file to a Snowflake stage
3. Grant READ access on the stage to the Casabase Cube application
4. On the Admin page, enter the Stage Path (e.g., @my_db.my_schema.my_stage/outline.xml)
5. Enter the Cube Name for the new cube
6. Optionally enable Auto-register dimensions to automatically configure the imported dimensions
7. Click Import Outline

The importer parses the XML, creates dimension tables in the application, and optionally registers them as hierarchies.

Cloud EPM Metadata Import (CSV)

Import dimension metadata from Cloud EPM metadata export files:

1. Export metadata from Cloud EPM (Application → Overview → Actions → Export Metadata)
2. Upload the CSV file(s) to a Snowflake stage
3. Grant READ access on the stage to the application
4. On the Admin page, enter the Stage Path and Cube Name
5. Optionally specify the Dimension Name (or leave blank for auto-detection)
6. Click Import Cloud EPM Metadata

The parser auto-detects standard Cloud EPM column names including Parent, Child, Alias, Data Storage, Consolidation, Formula, UDA, Account Type, Time Balance, and Skip Value.

Data Import

Import fact data from Essbase export files:

1. Upload the export file to a Snowflake stage
2. Specify the Stage Path, File Name, Target Table, Cube Name, and Dense Dimension
3. Optionally toggle Ignore unknown members to skip data for members not in the hierarchy
4. Click Import Data

8.8 AI Agent Setup

Casabase Cube can be exposed as a Cortex Agent in Snowflake Intelligence, allowing users to interact with cubes using natural language.

What the Agent Can Do

Capability	Description
Discover	List cubes with their dimensions, members, and formulas.
Query	Execute OLAP queries using natural language (e.g., “Show me revenue by entity for Q1”).
Search docs	Search the built-in knowledge base for answers to how-to questions.
Diagnose	Gather cube configuration, recent errors, and system information for troubleshooting.
Health check	Validate cube configuration and identify issues.
Add dimension	Add a hierarchy from a source table via natural language.
Browse tables	List and inspect consumer tables and their columns.
Search members	Search for specific members within a hierarchy.
Visualize	Generate charts from query results.

Setting Up the Agent

1. Grant Cortex access to the application:

GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO APPLICATION CASABASE_CUBE;

2. Grant a warehouse to the application:

GRANT USAGE ON WAREHOUSE COMPUTE_WH TO APPLICATION CASABASE_CUBE;

3. Run AI Setup from the Admin tab to create the Cortex Search service for the knowledge base

4. Create a Snowflake Intelligence object (once per account):

CREATE SNOWFLAKE INTELLIGENCE IF NOT EXISTS SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT;

5. Generate and deploy the agent: Click Generate Agent SQL on the Admin tab, then run the generated SQL in a Snowflake worksheet

6. Grant access to users: Assign application roles to users who will interact with the agent:

GRANT APPLICATION ROLE CASABASE_CUBE.CUBE_PUBLIC TO ROLE analyst_role;
GRANT APPLICATION ROLE CASABASE_CUBE.CUBE_ADMIN TO ROLE admin_role;

Example Prompts

• “What cubes do I have?”
• “Show me the hierarchies in my PLAN cube”
• “Query revenue by entity for Q1”
• “Add a geography dimension from MY_DB.PUBLIC.GEO_DIM”
• “My query returns no data — help me troubleshoot”
• “How do I set up time balance?”

8.9 Application Upgrades

When a new version of Casabase Cube is available:

• Marketplace installs: Upgrades may be automatic (depending on your account settings) or can be approved manually from the application details page in Snowsight.
• Manual upgrade via SQL:

ALTER APPLICATION CASABASE_CUBE UPGRADE;

What Happens During an Upgrade

• Application logic (procedures, functions, Streamlit UI) is replaced with the new version.
• Configuration data (cubes, hierarchies, formulas, saved queries, security rules, audit log, variables, locks, data forms, write-back data) is preserved.
• The current and previous version numbers are recorded for reference.

Checking the Current Version

DESC APPLICATION CASABASE_CUBE;