Model Access in dbt Cloud
As organizations scale their data platforms, controlling data access and ownership becomes increasingly important. Teams need clear rules around who can use specific datasets, how models are shared across projects, and how data governance is enforced without slowing down collaboration.
dbt Cloud provides powerful model access features that help analytics engineers and data teams manage visibility, ownership, and cross-project collaboration. By defining groups and access levels such as private, protected, and public, organizations can build scalable and secure data architectures aligned with modern data mesh principles.
This article explains how model access works in dbt Cloud using a producer-consumer project setup. We will explore access levels, group configuration, cross-project references, and how model relationships appear in the Catalog and lineage graph.
In this article:
- Why Model Access Matters in Modern Data Platforms
- Understanding Model Access Levels in dbt
- Producer and Consumer Project Setup
- Configuring Groups in dbt
- Testing Private Model Access
- Using Protected Models
- Configuring Public Models for Cross-Project Use
- Star Schema Example with Mixed Access Levels
- Exploring Model Ownership in the dbt Catalog
- Referencing Public Models from Consumer Projects
- Understanding Lineage Graphs and Dependencies
- Benefits of Model Access Control in dbt
- Best Practices for Managing Model Access
- Conclusion
- Watch the Video
- Meet the Speaker
Why Model Access Matters in Modern Data Platforms
In a growing data ecosystem, multiple teams often build and consume data models simultaneously. Without clear access control, this can lead to:
- Unclear data ownership
- Breaking changes across teams
- Data quality risks
- Limited governance
- Uncontrolled dependencies
dbt addresses these challenges by allowing teams to:
- Control who can reference specific models
- Define ownership through groups
- Enable safe collaboration between teams
- Support data mesh architectures
- Manage cross-project dependencies
With proper configuration, organizations can ensure reliable and scalable data pipelines while maintaining flexibility.
Understanding Model Access Levels in dbt
dbt provides three main model access levels that control visibility and usage across projects and teams.
Private Models
Private models are restricted to a specific group. Only models within the same group can reference them.
Key characteristics:
- Limited visibility
- Strong access control
- Internal use within a team
- Prevents external dependencies
Private models are useful for intermediate transformations or sensitive data that should not be widely accessible.
Protected Models
Protected models allow broader usage while maintaining controlled ownership.
Key characteristics:
- Can be referenced outside their group
- Still managed by a specific owner
- Suitable for shared internal data
- Balanced control and accessibility
By default, dbt models are typically configured with protected access unless specified otherwise.
Public Models
Public models are designed for cross-project collaboration and wider consumption.
Key characteristics:
- Accessible across projects
- Supports data sharing
- Enables data mesh architecture
- Clear ownership boundaries
Public models are commonly used as trusted data products that other teams depend on.
Producer and Consumer Project Setup
To demonstrate model access behavior, we use two dbt Cloud projects:
- Producer Project: Provides models for consumption
- Consumer Project: References public models from the producer
This setup reflects real-world scenarios where one team publishes data assets and another team consumes them.
Configuring Groups in dbt
Groups in dbt define ownership and control access to models. They help manage responsibilities and enforce governance.
A group can be configured in YAML files and assigned to specific models or entire folders.
Assigning Groups to Individual Models
For example, an analytics group can be defined and assigned to models such as:
- Orders per supplier country customer
- Orders per customer
- Orders per supplier
- Orders per country
This configuration ensures that models follow consistent ownership and access rules.
Assigning Groups to Folders
Instead of configuring each model individually, teams can assign a group to an entire folder using the project configuration file. This approach simplifies governance and ensures consistent access settings.
Testing Private Model Access
Private models can only be referenced by models within the same group. If a model outside the group attempts to reference a private model, dbt returns an error.
To resolve this, the referencing model must be added to the same group configuration.
This behavior ensures:
- Clear ownership boundaries
- Reduced risk of unintended dependencies
- Improved data security
Private access is particularly useful for internal transformations or staging logic that should remain hidden from external teams.
Using Protected Models
Protected models offer more flexibility. They can be referenced outside their group without requiring additional configuration.
This makes them ideal for:
- Shared business logic
- Reusable transformations
- Internal reporting models
- Organization-wide metrics
Protected access balances governance with usability.
Configuring Public Models for Cross-Project Use
Public models allow other projects to reference them, enabling collaboration across teams.
For public models to be visible to other projects, dbt Cloud requires:
- A successful job run
- An environment defined as staging or production
- Metadata resolution by the dbt Cloud service
Once these conditions are met, public models become available to consumer projects.
This mechanism ensures that only validated and production-ready models are shared.
Star Schema Example with Mixed Access Levels
A typical data modeling setup might include a star schema with dimensions and fact tables.
In this scenario:
- Most models are configured as public
- Specific models, such as certain dimensions, may remain protected
- Protected models are used internally by other models
- Only necessary data is exposed externally
This design prevents unnecessary data exposure while maintaining efficient dependencies.
Exploring Model Ownership in the dbt Catalog
The dbt Catalog provides visibility into model ownership, access levels, and dependencies.
Within the Catalog, users can:
- View model owners
- Filter by access level
- Explore group information
- See associated models
- Understand data lineage
This transparency improves governance and helps teams understand data responsibilities.
Referencing Public Models from Consumer Projects
Consumer projects can reference public models from producer projects using cross-project references.
These models appear in the development environment and lineage graph as external dependencies. However, consumer teams cannot build or modify them. The producer team retains full ownership.
This separation provides:
- Clear responsibility boundaries
- Reduced operational risk
- Reliable shared data products
- Improved collaboration
Understanding Lineage Graphs and Dependencies
The lineage graph provides a visual representation of how models relate to one another across projects.
It helps teams:
- Track upstream and downstream dependencies
- Understand data flow
- Identify external data sources
- Analyze impact of changes
- Improve system reliability
For cross-project references, the lineage graph clearly shows the project and environment where external models originate.
Benefits of Model Access Control in dbt
Implementing structured model access provides significant advantages:
- Strong data governance
- Clear ownership structure
- Secure data sharing
- Scalable collaboration
- Support for data mesh architecture
- Reduced risk of breaking changes
- Improved transparency
These capabilities help organizations scale their analytics operations effectively.
Best Practices for Managing Model Access
To maximize the benefits of dbt model access, organizations should follow these practices:
- Define clear ownership groups
- Use private models for internal logic
- Expose only necessary data through public models
- Validate models before sharing
- Monitor dependencies using lineage graphs
- Document access rules consistently
Following these guidelines helps maintain a reliable and scalable data ecosystem.
Conclusion
Model access in dbt Cloud enables organizations to control data visibility, manage ownership, and support cross-team collaboration. By configuring groups and defining access levels such as private, protected, and public, teams can build secure and scalable data architectures.
When combined with Catalog visibility and lineage tracking, these features provide a strong foundation for data governance and modern analytics workflows.
As data platforms continue to grow in complexity, structured access control becomes essential for ensuring trust, reliability, and collaboration across the organization.
Watch the Video
Meet the Speaker
Dmytro Polishchuk
Senior BI Consultant
Dmytro Polishchuk has 7 years of experience in business intelligence and works as a Senior BI Consultant for Scalefree. Dmytro is a proven Data Vault 2.0 expert and has excellent knowledge of various (cloud) architectures, data modeling, and the implementation of automation frameworks. Dmytro excels in team integration and structured project work. Dmytro has a bachelor’s degree in Finance and Financial Management.
