Model Access in dbt
As dbt projects grow, so do the challenges around collaboration, ownership, and reuse. What starts as a small analytics codebase can quickly evolve into a complex ecosystem of models shared across teams, domains, and even projects. Without clear boundaries, it becomes difficult to understand who owns what, which models are safe to reuse, and how to scale analytics without breaking downstream consumers.
This is where model access and groups come into play. Together, they form a powerful governance mechanism in dbt that helps teams structure responsibility, control visibility, and safely enable cross-project data sharing.
In this article, we’ll break down what groups are, how model access works, and how these features support scalable analytics and data mesh architectures.
In this article:
What Are Groups in dbt?
A group in dbt is a named collection of nodes within a project. Groups provide a way to logically organize resources and define ownership, which becomes increasingly important as more people and teams contribute to the same dbt codebase.
Groups can include the following node types:
- Models
- Tests
- Seeds
- Snapshots
- Analyses
- Metrics
It’s important to note that sources and exposures are not included in groups.
There are a few key rules to understand:
- Each node can belong to only one group
- Every group must have a name
- Every group must have an owner
The owner definition requires at least a name and an email address. Typically, the owner represents a team rather than an individual, such as an Analytics or Finance team. This explicit ownership makes responsibilities visible and helps clarify who to contact when questions or issues arise.
Beyond organization, groups play a critical role in how dbt enforces model access rules. In fact, model access is defined and evaluated in the context of groups.
What Is Model Access in dbt?
Model access is a governance feature in dbt that controls how and where a model can be referenced. It works alongside other governance capabilities such as model contracts and model versions.
By assigning an access level to each model, teams can define which models are internal implementation details and which are intended for broader reuse.
dbt provides three access levels:
Private
Private models are the most restrictive. They can only be referenced by other models within the same group.
This is ideal for intermediate or helper models that support a specific team’s logic but are not meant to be consumed outside that context.
Protected
Protected is the default access level in dbt. Protected models can be referenced by any group within the same project, or by other projects if the project is installed as a package.
This level supports collaboration within a single dbt project while still preventing accidental exposure across project boundaries.
Public
Public models are designed to be consumed outside the project they are defined in. These models can be referenced from other dbt projects using cross-project references.
Public access is especially important for organizations adopting a data mesh approach, where teams expose trusted data products for others to consume.
One important limitation to keep in mind: models materialized as ephemeral cannot be public. Since ephemeral models are not materialized in the warehouse, they cannot be safely shared across projects.
Cross-project public access requires the Enterprise tier of dbt Cloud.
How Groups and Model Access Work Together
Groups and model access complement each other. While groups define ownership and responsibility, access modifiers define visibility and usage.
Consider the following example configuration:
groups:
- name: analytics
owner:
name: Analytics team
email: [email protected]
models:
- name: orders_per_supplier_country_customer
config:
access: private
group: analytics
- name: orders_per_customer
config:
access: protected
group: analytics
- name: orders_per_country
config:
access: public
group: analytics
In this setup, all models belong to the analytics group, but each has a different access level.
The private model can only be referenced within the analytics group. The protected model can be referenced anywhere inside the same project. The public model can be referenced by other projects entirely.
In the dbt DAG and lineage views, private and public models are visually marked, making it easier to understand boundaries at a glance.
This combination allows teams to clearly communicate intent:
- Which models are internal building blocks
- Which models are safe for internal reuse
- Which models are stable data products
Public Models and Cross-Project References
Public models enable collaboration across dbt projects. This is particularly valuable when different teams manage separate projects but still need to share data in a controlled way.
To make public models available to downstream projects, the upstream project must meet two conditions:
- An environment defined as PROD or STG
- At least one successful job run in that environment
These requirements ensure that dbt has generated the necessary metadata for downstream reference resolution.
In the downstream project, the upstream project is added as a dependency:
# dependencies.yml projects: - name: hub_speak_dmytro_base
Once declared, public models from the upstream project can be referenced using a two-argument ref() function:
{{ ref('hub_speak_dmytro_base', 'dim_customer') }}
This pattern allows downstream teams to consume only the models explicitly marked as public, while all internal logic remains private or protected in the upstream project.
Why Model Access Matters for Data Mesh
Model access is a foundational capability for implementing data mesh with dbt.
By treating public models as stable interfaces, teams can publish data products with clear contracts and ownership. Downstream consumers rely on these models without needing to understand or depend on upstream implementation details.
At the same time, teams retain full control over what they expose. Internal experimentation and refactoring can happen safely behind private and protected boundaries.
This approach enables autonomy without chaos — a key principle of data mesh.
Conclusion
As dbt projects scale, governance becomes essential. Groups and model access provide simple but powerful tools to define ownership, enforce boundaries, and enable safe reuse of analytics models.
By thoughtfully combining groups with private, protected, and public access levels, teams can scale collaboration, support cross-project data sharing, and build reliable data products without sacrificing flexibility.
In upcoming sessions, we’ll demonstrate these concepts hands-on in dbt Cloud, showing how producer and consumer projects interact and how these relationships appear in the Catalog and lineage views.
If you’re working toward a scalable analytics or data mesh architecture, mastering model access in dbt is a crucial step.
Watch the Video
Meet the Speaker
Dmytro Polishchuk
Senior BI Consultant
Dmytro Polishchuk has 7 years of experience in business intelligence and works as a Senior BI Consultant for Scalefree. Dmytro is a proven Data Vault 2.0 expert and has excellent knowledge of various (cloud) architectures, data modeling, and the implementation of automation frameworks. Dmytro excels in team integration and structured project work. Dmytro has a bachelor’s degree in Finance and Financial Management.
