> ## Documentation Index
> Fetch the complete documentation index at: https://cubed3-feat-druid-driver-streaming.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Access Control

> Learn how Cube separates authentication and authorization to control who can access your data and platform features.

Access control

Access control in Cube involves *authentication* and *authorization*.

## Authentication

Authentication determines if a user can access Cube.

* **Cube** cloud platform provides built-in authentication mechanisms. Users are assigned
  [roles and permissions][ref-roles-perms] that determine available features of the Cube
  platform.
* **Cube Core** provides several [authentication methods][ref-auth-methods] for its API
  endpoints.

## Authorization

Authorization determines what data a user can access though Cube.

Authorization is managed declaratively via [access policies][ref-dap], a built-in
capability of Cube's data modeling layer. There are also programmatic controls for
advanced use cases, such as the [`query_rewrite`][ref-query-rewrite] configuration
parameter.

* **Cube** cloud platform applies access policies to users based on their
  [groups][ref-user-groups] and [attributes][ref-user-attributes].
* **Cube Core** applies access policies to users based on their groups derived from the
  [security context][ref-sec-ctx]. See the [`context_to_groups`][ref-ctx-to-groups]
  configuration parameter for details.

[ref-roles-perms]: /admin/users-and-permissions/roles-and-permissions

[ref-auth-methods]: /embedding/authentication/jwt

[ref-user-groups]: /admin/users-and-permissions/user-groups

[ref-user-attributes]: /admin/users-and-permissions/user-attributes

[ref-sec-ctx]: /docs/data-modeling/access-control/context

[ref-dap]: /docs/data-modeling/data-access-policies

[ref-query-rewrite]: /reference/configuration/config#query_rewrite

[ref-ctx-to-groups]: /reference/configuration/config#context_to_groups