Menu Close Get Metabase

Working with collection permissions

Nov 11, 2020 by The Metabase Team

Collections help keep questions, dashboards, and pulses organized and easy to find. It’s helpful to think of collections as folders where we store our items. We can also set permissions on these collections to hide them from groups who don’t have view access.

To learn about how collections permissions work, we’ll walk through an example scenario using the Sample Dataset that’s included with Metabase. Let’s say we want to add the California Marketers team to our Metabase instance. Our goal is to set up permissions so that:

  • The California Marketers can edit their own California Marketing collection.
  • Marketing teams, including the California Marketers, can view (but not edit) questions and dashboards in the parent Marketing collection and it’s sub-collections.

Viewing our current collection permissions

Before we set up the permissions for the California Marketers group, let’s take a look at the current settings.

We’ll navigate to the permissions setting page by clicking on the gears icon, selecting Admin to open the Admin panel, clicking on the Permissions page, and then opening the Collections tab.

<em>Fig. 1</em>. Navigating to the <strong>collection permissions page</strong>.
Fig. 1. Navigating to the collection permissions page.

Metabase has two default groups: Administrators and All Users. Our Analytics is the default root collection.

<em>Fig. 2</em>. The original settings for the <strong>collection permissions</strong>; Admin and All Users have <strong>curate collection access</strong>.
Fig. 2. The original settings for the collection permissions; Admin and All Users have curate collection access.

The green checkmark shows that both default groups have access to the default Our Analytics collection.

Metabase also gives each person their own personal collection where they can store questions, dashboards, and pulses. These collections operate a little differently: we can’t change permissions on them, but the only users who can view and edit a personal collection are its owner and administrators.

Starting with a clean slate

Let’s start by revoking access from the Our Analytics collection so that we can selectively add permissions for specific collections and groups.

Clicking on the green checkmark in the Our analytics cell under All Users will show us our options:

The three collection permission options are:

  • Curate collection (green checkmark): allows people to view, add, edit, move, or archive items.
  • View collection (yellow eye): allows people to view items currently saved to the collection.
  • Revoke access (red X): prevents people from viewing the collection.
<em>Fig. 3.</em> Dropdown menu of the <strong>collection permission options</strong>.
Fig. 3. Dropdown menu of the collection permission options.

We’ll select revoke access and save our changes.

Creating a group and collection for the California team

Before we can assign the correct permissions to our new marketing team, we need a 1) group for the users to join, and 2) a collection that can house their marketing questions, dashboards, and pulses.

In the Admin Panel, we’ll click on the People tab and create a group titled California Marketers.

<em>Fig. 4.</em> Creating a group called California Marketers.
Fig. 4. Creating a group called California Marketers.

Next, we’ll need to create the California Marketing collection, which we’ll place in our existing United States Marketing collection.

From the Metabase home page, in the Our Analytics section, click Browse all items to visit the Our Analytics collection page. On the left, under the list of collections, we’ll click on + New collection, name our collection “California Marketing,” and save it to the United States Marketing collection.

<em>Fig. 5.</em> Nesting the California Marketing collection in the United States Marketing collection.
Fig. 5. Nesting the California Marketing collection in the United States Marketing collection.

Setting permissions for the California team

Now that we’ve created the California Marketing collection, we’ll need to make sure our California Marketers can:

  • View, add, and remove dashboards and questions in their California Marketing collection.
  • View questions and dashboards in the Marketing collection.

When we revoked access from All Users, we used the collection permissions page, but as Admins we can also edit collection permissions directly from the collection’s page.

On the California Marketing collection page, we’ll click the black lock to open the collection permissions modal.

<em>Fig. 6.</em> Hovering over lock to edit the collections of the permissions.
Fig. 6. Hovering over lock to edit the collections of the permissions.

We can change the settings for the California Marketers the same way we changed the All Users section earlier:

  • Clicking the red X next to California Marketers.
  • Selecting Curate collection from the dropdown menu.
  • Clicking the blue Save button.
<em>Fig. 7.</em> Setting <strong>curate collection permissions</strong> to the California Marketing group for their California Marketing collection.
Fig. 7. Setting curate collection permissions to the California Marketing group for their California Marketing collection.

Setting permissions for a parent collection

Next, we want the California Marketers to be able to view (but not edit) the parent collection, Marketing Materials.

Same as above, we’ll navigate to the Marketing collection, and click on the black lock to change the permissions.

Though this time, we’ll notice two differences about this parent collection’s permissions.

The first is the warning symbol next to our California Marketers group. Hover over the exclamatory triangle and Metabase will say, “This group has permission to view at least one sub-collection of this collection.”

<em>Fig. 8.</em> Hovering over warning symbol to display message: 'This group has permission to view at least one sub-collection of this collection.'
Fig. 8. Hovering over warning symbol to display message: 'This group has permission to view at least one sub-collection of this collection.'

Which makes sense, given that we just granted curate access to the California Marketing group to the California Marketing collection, which is a sub-collection of the Marketing collection.

The second difference we’ll notice is that when we click on the red X to change our California group’s permissions, a gray bar appears at the bottom of the popup with a toggle for cascading changes down to sub-collections. Since we don’t want our California Marketers to have access to data about Marketing offices abroad and in other states, we’ll toggle off the sub-collection option and select the “View collection” permission option.

<em>Fig. 10.</em> Changing the <strong>collection permissions</strong> of the Marketing Materials collections.
Fig. 10. Changing the collection permissions of the Marketing Materials collections.

And that’s all there is to it. The California Marketers group now has their own collection to curate. Plus, they can view questions and dashboards in the parent Marketing collection.

All that’s left to do is discuss some scenarios to give you a better understanding of how these permissions work.

Dashboards with questions from multiple collections

If we create a dashboard that uses questions from multiple collections, people will only see the questions available to the collections they have view or curate access to.

Here’s a dashboard where the user has access to all the collections that the questions are stored in:

<em>Fig. 11.</em> The CA Marketing Dashboard from the perspective of a user in the Marketing Managers group. This user can see all the dashboard's cards.
Fig. 11. The CA Marketing Dashboard from the perspective of a user in the Marketing Managers group. This user can see all the dashboard's cards.

If someone doesn’t have access to a collection that houses a question on a dashboard, even though they can see the dashboard, Metabase will display a set of keys on the card to show they don’t have access to the question’s collection.

<em>Fig. 12.</em> The CA Marketing Dashboard from the perspective of a user in the regular Marketers group. This user can only see some of the dashboard's cards.
Fig. 12. The CA Marketing Dashboard from the perspective of a user in the regular Marketers group. This user can only see some of the dashboard's cards.

One way to avoid locked cards is to group related questions and dashboards in a collection and build dashboards using only questions that live in their collection. Questions and dashboards can only live in one collection at time, but we can duplicate items and move the duplicate to another collection.

How data and collection permissions interact

The basic breakdown is this:

  • Data permissions determine which databases and tables we can ask questions of.
  • Collection permissions determine which saved questions and dashboards we can view.

For example, let’s say in our California Marketing collection, one of the questions uses data from the Orders table. If the California Marketers group doesn’t have access to the Orders table, they would be able to view, but not edit or modify the question.

<em>Fig. 13.</em> A question someone has collection permissions, but not data permissions for. The user is not able to edit the question.
Fig. 13. A question someone has collection permissions, but not data permissions for. The user is not able to edit the question.

If we were to grant the California Marketers group access to the Orders table, they would then be able to edit the question (note the Filter, Summarize, and notebook buttons in the top right of figure X, as well as the link to the Orders table).

<em>Fig. 14.</em> The same question as the last figure, but the user has collection and data permissions for it.
Fig. 14. The same question as the last figure, but the user has collection and data permissions for it.

Recap

  • Collection permissions are based on groups.
  • Admins can change a group’s permissions from the collection permissions page, or from inside the collection. If a collection has sub-collections, Metabase will present a toggle to allow us to choose whether we apply those changes to the sub-collections.
  • When we create new collections, they default to the permission settings of their parent collection.
  • The three collection permission settings are:
    • Curate collection: group can view, add, edit, move, or archive items, and create new sub-collections.
    • View collection: group can view items.
    • No access: group isn’t even aware that this collection exists.
  • Users can only see questions in a dashboard if they also have access to the collection containing each question. Try to keep a dashboard’s questions in the same collection as the dashboard to avoid locking people out of questions.
  • If users have questions in their collection based on data they don’t have permissions to, they will still be able to see the question, but won’t be able to edit it.

Read more

Learn more about permissions by reading these articles: