diff --git a/website/docs/docs/dbt-versions/release-notes.md b/website/docs/docs/dbt-versions/release-notes.md index e610d95e792..c099e4c0e90 100644 --- a/website/docs/docs/dbt-versions/release-notes.md +++ b/website/docs/docs/dbt-versions/release-notes.md @@ -19,7 +19,7 @@ Release notes are grouped by month for both multi-tenant and virtual private clo [^*] The official release date for this new format of release notes is May 15th, 2024. Historical release notes for prior dates may not reflect all available features released earlier this year or their tenancy availability. ## July 2024 -- **Enhancement**: The dbt Semantic Layer now offers more granular control by supporting multiple data platform credentials, which can represent different roles or service accounts. Map credentials to service tokens for secure authentication. Refer to [Set up dbt Semantic Layer](/docs/use-dbt-semantic-layer/setup-sl#set-up-dbt-semantic-layer) for more details. +- **Enhancement**: The dbt Semantic Layer now offers more granular control by supporting multiple data platform credentials, which can represent different roles or service accounts. Available for dbt Cloud Enteprise plans, you can map credentials to service tokens for secure authentication. Refer to [Set up dbt Semantic Layer](/docs/use-dbt-semantic-layer/setup-sl#set-up-dbt-semantic-layer) for more details. ## June 2024 - **New:** Introduced new granularity support for cumulative metrics in MetricFlow. Granularity options for cumulative metrics are slightly different than granularity for other metric types. For other metrics, we use the `date_trunc` function to implement granularity. However, because cumulative metrics are non-additive (values can't be added up), we can't use the `date_trunc` function to change their time grain granularity. diff --git a/website/docs/docs/use-dbt-semantic-layer/dbt-sl.md b/website/docs/docs/use-dbt-semantic-layer/dbt-sl.md index 6e8472c1b73..56204237ae7 100644 --- a/website/docs/docs/use-dbt-semantic-layer/dbt-sl.md +++ b/website/docs/docs/use-dbt-semantic-layer/dbt-sl.md @@ -19,7 +19,7 @@ import DeprecationNotice from '/snippets/_sl-deprecation-notice.md'; The dbt Semantic Layer, powered by [MetricFlow](/docs/build/about-metricflow), simplifies the process of defining and using critical business metrics, like `revenue` in the modeling layer (your dbt project). By centralizing metric definitions, data teams can ensure consistent self-service access to these metrics in downstream data tools and applications. The dbt Semantic Layer eliminates duplicate coding by allowing data teams to define metrics on top of existing models and automatically handles data joins. -Moving metric definitions out of the BI layer and into the modeling layer allows data teams to feel confident that different business units are working from the same metric definitions, regardless of their tool of choice. If a metric definition changes in dbt, it’s refreshed everywhere it’s invoked and creates consistency across all applications. To ensure secure access control, the dbt Semantic Layer implements robust [authentication](/docs/use-dbt-semantic-layer/setup-sl#group-permissions) mechanisms. +Moving metric definitions out of the BI layer and into the modeling layer allows data teams to feel confident that different business units are working from the same metric definitions, regardless of their tool of choice. If a metric definition changes in dbt, it’s refreshed everywhere it’s invoked and creates consistency across all applications. To ensure secure access control, the dbt Semantic Layer implements robust [access permissions](/docs/use-dbt-semantic-layer/setup-sl#set-up-dbt-semantic-layer) mechanisms. Refer to the [dbt Semantic Layer FAQs](/docs/use-dbt-semantic-layer/sl-faqs) or [Why we need a universal semantic layer](https://www.getdbt.com/blog/universal-semantic-layer/) blog post to learn more. diff --git a/website/docs/docs/use-dbt-semantic-layer/setup-sl.md b/website/docs/docs/use-dbt-semantic-layer/setup-sl.md index 660bd8b5e6b..16ec1db47a0 100644 --- a/website/docs/docs/use-dbt-semantic-layer/setup-sl.md +++ b/website/docs/docs/use-dbt-semantic-layer/setup-sl.md @@ -6,7 +6,7 @@ sidebar_label: "Set up your Semantic Layer" tags: [Semantic Layer] --- -With the dbt Semantic Layer, you can centrally define business metrics, reduce code duplication and inconsistency, create self-service in downstream tools, and more. Configure the dbt Semantic Layer in dbt Cloud to connect with your integrated partner tool. +With the dbt Semantic Layer, you can centrally define business metrics, reduce code duplication and inconsistency, create self-service in downstream tools, and more. @@ -22,14 +22,6 @@ import SetUp from '/snippets/_v2-sl-prerequisites.md'; -#### Group permissions -- You must be part of the Owner group, and have the correct [license](/docs/cloud/manage-access/seats-and-users) and [permissions](/docs/cloud/manage-access/self-service-permissions) to set up the Semantic Layer at the environment and project level. - - Enterprise plan: - - Developer license with Account Admin permissions, or - - Owner with a Developer license, assigned Project Creator, Database Admin, or Admin permissions. - - Team plan: Owner with a Developer license. - - Free trial: You are on a free trial of the Team plan as an Owner, which means you have access to the dbt Semantic Layer. - import SLCourses from '/snippets/_sl-course.md'; diff --git a/website/docs/docs/use-dbt-semantic-layer/sl-faqs.md b/website/docs/docs/use-dbt-semantic-layer/sl-faqs.md index b1fa516cf61..bc9b73af202 100644 --- a/website/docs/docs/use-dbt-semantic-layer/sl-faqs.md +++ b/website/docs/docs/use-dbt-semantic-layer/sl-faqs.md @@ -260,9 +260,12 @@ Yes, all of our interfaces or APIs expose metric descriptions, which you can sur +The dbt Semantic Layer uses service tokens for authentication, mapped to underlying data platform credentials. These credentials control physical access to the raw data. The credential configuration allows admins to create a credential and map it to service tokens, which can then be shared to relevant teams for BI connection setup. You can configure credentials and service tokens to reflect your teams and their roles. + Currently, the credentials you configure when setting up the dbt Semantic Layer are used for every request. Any physical access policies you have tied to your credentials will be respected. We are currently working on introducing more fine-grained access controls, including user-level access and group credentials, that enable flexible granular permissions. + ## Implementation diff --git a/website/snippets/_new-sl-setup.md b/website/snippets/_new-sl-setup.md index 51d20f39dda..dfa8664dfde 100644 --- a/website/snippets/_new-sl-setup.md +++ b/website/snippets/_new-sl-setup.md @@ -1,57 +1,82 @@ +You must be part of the Owner group, and have the correct [license](/docs/cloud/manage-access/seats-and-users) and [permissions](/docs/cloud/manage-access/self-service-permissions) to set up the Semantic Layer at the environment and project level. +- Enterprise plan: + - Developer license with Account Admin permissions, or + - Owner with a Developer license, assigned Project Creator, Database Admin, or Admin permissions. +- Team plan: Owner with a Developer license. +- Free trial: You are on a free trial of the Team plan as an Owner, which means you have access to the dbt Semantic Layer. Here's how to set up the Semantic Layer in dbt Cloud: ### 1. Account settings and configuration -- Navigate to **Account Settings** in the navigation menu. -- On the **Settings** sidebar, select the specific project you want to enable the Semantic Layer for. -- In the **Project details** page, navigate to the **Semantic Layer** section. Select **Configure Semantic Layer** - +1. Navigate to **Account settings** in the navigation menu. +2. On the **Settings** left sidebar, select the specific project you want to enable the Semantic Layer for. +3. In the **Project details** page, navigate to the **Semantic Layer** section. Select **Configure Semantic Layer** + -- In the **Semantic Layer & Credentials** page, select the deployment environment you want for the Semantic Layer and click **Save**. This provides administrators with the flexibility to choose the environment where the Semantic Layer will be enabled.
+4. In the **Semantic Layer & Credentials** page, select the deployment environment you want for the Semantic Layer and click **Save**. This provides administrators with the flexibility to choose the environment where the Semantic Layer will be enabled. -### 2. Add Semantic Layer credential and service token +### 2. Add credential and service token -Next, we recommend using role-based access for building credentials based on your teams needs. Assign specific roles to credentials, which can be applied to different users based on team structures. Authenticate to the dbt Semantic Layer in downstream interfaces using a [service token](/docs/dbt-cloud-apis/service-tokens) for more granular control. +:::info +- dbt Cloud Enterprise plans can [add multiple credentials](#4-add-more-credentials) for more granular control and tailored access for different teams and projects. +- Teams plans can manage a single credential and map service tokens, however cannot add new credentials for tailored access. Book a demo to learn more about dbt Cloud Enterprise. +::: -The credential configuration allows admins to map service tokens to the appropriate credentials, which can then be distributed to the relevant teams for BI connection setup. +The dbt Semantic Layer uses [service tokens](/docs/dbt-cloud-apis/service-tokens) for authentication, mapped to underlying data platform credentials. These credentials control physical access to the raw data. The credential configuration allows admins to create a credential and map it to service tokens, which can then be shared to relevant teams for BI connection setup. -- Admins can link multiple service tokens to a one single credential within a project. However, each service token can only be linked to one credential per project. -- When you send a request through our APIs, the service token you provide will be linked to the corresponding credential and will follow access policies of the data used to build your semantic objects. +We recommend configuring credentials and service tokens to reflect your teams and their roles. For example, create tokens or credentials that align with your team's needs, such as providing finance-related schemas to the Finance team. + +Note that: +- Admins can link multiple service tokens to a single credential within a project, but each service token can only be linked to one credential per project. +- When you send a request through the APIs, the service token of the linked credential will follow access policies of the data used to build your semantic objects. - [Environment variables](/docs/build/environment-variables), like `{{env_var('DBT_WAREHOUSE')}` aren't supported the dbt Semantic Layer yet. You must use the actual credentials instead. -Create tokens or credentials that align with your team's need. As an example, let's say you have a fictional Finance team. Set up Semantic Layer credentials if you'd like to provide a Semantic Layer credential to the trusty Finance team, who only have access to finance-related schemas. +To add a credential and service token: -- On the **Credentials & service tokens** page, click the **Add Semantic Layer credential** button to configure the credentials you want the Semantic Layer to use specific to your data platform. You can configure as many credentials as you need for more granular control. -- In the **Add credentials** section, fill in the data platform's credentials, which will link to a [service tokens](/docs/dbt-cloud-apis/service-tokens). +1. On the **Credentials & service tokens** page, click the **Add Semantic Layer credential** button to configure the credential for your data platform. +2. In the **Add credentials** section, fill in the data platform's credentials, which will link to a [service tokens](/docs/dbt-cloud-apis/service-tokens). We recommend using “read-only” credentials. -- In the **Map new service token** section, map a service token to the credential you configured in the previous step. dbt Cloud automatically selects the service token permission set you need (Semantic Layer Only and Metadata Only). +3. In the **Map new service token** section, map a service token to the credential you configured in the previous step. dbt Cloud automatically selects the service token permission set you need (Semantic Layer Only and Metadata Only). + - To add another service token, click **Add service token** under the **Linked service tokens** section. + +4. Click **Save** to link the service token to the credential. Remember to copy and save the service token securely, as it won't be viewable again after generation. -- Click **Save** to link the service token to the credential. Make sure to copy and save the service token somewhere safe. Once the token is generated, you won't be able to view this token again. + -
+4. To delete a credential, go back to the **Semantic Layer & Credential**s page. +5. Select **Delete credential** to remove a credential and click **Save**. When you delete a credential, any service tokens mapped to that credential in the project will no longer work and will break for any end users. ### 3. View connection detail -- Go back to the **Project details** page for connection details to connect to downstream tools. -- Copy and share the environment ID, service token, host, as well as the service token name to the relevant teams for BI connection set up. If your tool uses the GraphQL API, save the GraphQL API host information instead of the JDBC URL. +1. Go back to the **Project details** page for connection details to connect to downstream tools. +2. Copy and share the environment ID, service token, host, as well as the service token name to the relevant teams for BI connection set up. If your tool uses the GraphQL API, save the GraphQL API host information instead of the JDBC URL. -For info on how to connect to other integrations, refer to [Available integrations](/docs/cloud-integrations/avail-sl-integrations). + For info on how to connect to other integrations, refer to [Available integrations](/docs/cloud-integrations/avail-sl-integrations). -## Additional configurations +### 4. Add more credentials + +dbt Cloud Enterprise plans allow you to optionally add multiple credentials, offering more granular control and tailored access for different teams and projects. + +1. To add more credentials, click **Add new credential** on the **Credentials & service tokens** page. +2. Follow the same steps described in [Step 2](#2-add-credential-and-service-token) to configure the credential and map a service token to it. + + -There are several flexible configurations you can make to your Semantic Layer credentials: +## Additional configuration -#### Add more service tokens or unlink existing ones + The following are the additional flexible configurations for Semantic Layer credentials. -- Optionally add more service tokens to the credential by clicking **Add service token** under the **Linked service tokens** section. +### Unlink service tokens - Unlink a service token from the credential by clicking **Unlink** under the **Linked service tokens** section. If try to query the Semantic Layer with an unlinked credential, you'll experience an error in your BI tool because no valid token is mapped. -#### Delete credentials +### Manage from service token page +**View credential from service token** +- View your Semantic Layer credential directly by navigating to the **API tokens** and then **Service tokens** page. +- Select the service token to view the credential it's linked to. This is useful if you want to know which service tokens are mapped to credentials in your project. -- To remove a credential, go back to the **Semantic Layer & Credentials** page. -- Select **Delete credential** to remove a credential. -- When you delete a credential, any service tokens mapped to that credential in the project will no longer work and will break for any end users. +**Create a new service token** +- From the **Service tokens** page, create a new service token and map that to the credential(s) (assuming the semantic layer permission exists). This is useful if you want to create a new service token and directly map it to a credential in your project. +- Make sure to select the correct permission set for the service token (Semantic Layer Only and Metadata Only). -#### View service tokens in the project -You can also view your Semantic Layer credential in the separate **Service token details** page by going to **API tokens** and then **Service tokens**. + diff --git a/website/static/img/docs/dbt-cloud/semantic-layer/sl-create-service-token-page.jpg b/website/static/img/docs/dbt-cloud/semantic-layer/sl-create-service-token-page.jpg new file mode 100644 index 00000000000..8e288183be2 Binary files /dev/null and b/website/static/img/docs/dbt-cloud/semantic-layer/sl-create-service-token-page.jpg differ diff --git a/website/static/img/docs/dbt-cloud/semantic-layer/sl-credential-created.jpg b/website/static/img/docs/dbt-cloud/semantic-layer/sl-credential-created.jpg new file mode 100644 index 00000000000..8c0081129fa Binary files /dev/null and b/website/static/img/docs/dbt-cloud/semantic-layer/sl-credential-created.jpg differ