Skip to content

Access policy with row level filter defined through JS variable throws compilation error #9999

New issue
New issue
Open
Open
Access policy with row level filter defined through JS variable throws compilation error#9999
@HrisIord

Description

@HrisIord
HrisIord
opened on Sep 24, 2025

Describe the bug
When defining an access policy with a row level filter the server fails to compile the Cube and throws an error. The exact same access policy works as expected when in-lined into the Cube. Cube definitions support the use of variables in dimensions and measures, and even though this syntax isn't documented I expected it to work, and allow for DRY-ing up schema definitions.

To Reproduce
Use the minimally reproducible Cube Schema, then make a load request to the REST API for any of the cube's dimensions. The query will generate the following error:

Compiling schema error: 004a058c-1e31-4fd5-a7fd-c4131cb87a36-span-1 (50ms)
{
  "version": "default_schema_version_b865a63ed1e9d34856f6c6116c0490a8"
} 
Error: Compile errors:
Task cube: (accessPolicy[0].rowLevel.filters[0] = [object Object]) does not match any of the allowed types
    at ErrorReporter.throwIfAny (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/ErrorReporter.ts:139:13)
    at DataSchemaCompiler.throwIfAnyErrors (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/DataSchemaCompiler.js:422:23)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/DataSchemaCompiler.js:240:16
    at CompilerApi.compileSchema (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/server-core/src/core/CompilerApi.js:99:25)
    at CompilerApi.applyRowLevelSecurity (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/server-core/src/core/CompilerApi.js:302:23)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1256:58
    at async Promise.all (index 0)
    at ApiGateway.getNormalizedQueries (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1244:48)
    at ApiGateway.load (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1845:9)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:307:7
Internal Server Error: 004a058c-1e31-4fd5-a7fd-c4131cb87a36-span-1 (82ms)
--
{
  "dimensions": [
    "Task.id",
    "Task.title",
    "Task.description"
  ]
}
--
{} 
Error: Compile errors:
Task cube: (accessPolicy[0].rowLevel.filters[0] = [object Object]) does not match any of the allowed types
    at ErrorReporter.throwIfAny (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/ErrorReporter.ts:139:13)
    at DataSchemaCompiler.throwIfAnyErrors (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/DataSchemaCompiler.js:422:23)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/DataSchemaCompiler.js:240:16
    at CompilerApi.compileSchema (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/server-core/src/core/CompilerApi.js:99:25)
    at CompilerApi.applyRowLevelSecurity (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/server-core/src/core/CompilerApi.js:302:23)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1256:58
    at async Promise.all (index 0)
    at ApiGateway.getNormalizedQueries (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1244:48)
    at ApiGateway.load (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1845:9)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:307:7

Expected behavior
The schema should compile and the query should return a result as it does when the access policy is in-lined.

Minimally reproducible Cube Schema
In case your bug report is data modelling related please put your minimally reproducible Cube Schema here.
You can use selects without tables in order to achieve that as follows.

const myAccessPolicy = {
  role: "*",
  memberLevel: { includes: `*` },
  rowLevel: {
    filters: [
      {
        member: `priority`,
        operator: `equals`,
        values: [9],
      },
    ],
  },
};

const description = {
  sql: () => `text`,
  type: `string`,
};

cube(`Task`, {
  sql: `select * from task`,

  dimensions: {
    id: {
      sql: `id`,
      type: `number`,
    },
    title: {
      sql: `title`,
      type: `string`,
    },
    priority: {
      sql: `priority`,
      type: `number`,
    },
    description,
  },

  accessPolicy: [myAccessPolicy],
});

Version:
[e.g. v1.2.34]
The version above is the version I got the exact error log from, but I also tried upgrading to v1.3 and got a similar error.

Additional context
I assume the syntax for extracting access policies into a variable will need to be slightly different than the in-line syntax, as with dimensions. If you could provide details on the differences that'd be really useful.

Thank you for looking at this!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions