In dbt Cloud, go to your project's Semantic Layer settings and add multiple credentials, each corresponding to a warehouse role or user with appropriate data access (e.g., a finance-read role and a marketing-read role)
Navigate to Account Settings > Service Tokens and create one service token per team, assigning the Semantic Layer Only permission set
In the project Semantic Layer settings, link each service token to the appropriate credential; each token may be linked to only one credential per project
Distribute service tokens to the respective teams for use in their BI tool JDBC or GraphQL connections
Validate access by running a metric query with each token and confirming that row-level or object-level warehouse permissions are enforced correctly at the warehouse layer
Known gotchas
The Semantic Layer enforces warehouse-level access through the linked credential; dbt itself does not perform row-level filtering — all access control beyond metric availability must be implemented as warehouse roles or row access policies
A single service token cannot be linked to more than one credential per project, so if a team needs access across multiple warehouse environments, create separate tokens
If you rotate a warehouse credential password, you must update the corresponding dbt Cloud credential; existing service tokens using the old credential will fail queries until the credential is refreshed
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp