Menu Close Get Metabase

Guide to data permissions

Nov 6, 2020 by The Metabase Team

In Metabase, data permissions let us specify which databases and tables groups of people can view and query.

In this article, we’ll walk through how admins can configure data permissions by setting up permissions on the Sample Dataset included with Metabase for our Marketing and Accounting teams. We’ll:

  • Learn a bit about our data permission options.
  • Create our Accounting and Marketing groups.
  • Set their permissions.
  • Show how different permissions affect people’s experience.

You can follow along by downloading a new Metabase instance.

Default data permission settings

Let’s first get a lay of the permissions land in a fresh Metabase instance. From any Metabase page, we can click on the gears icon in the upper right corner and select Admin to open up the Admin panel. Next, we’ll click on the Permissions tab, which defaults to data permissions (we’ll cover collection permissions in a separate article). Figure 1 shows the default database, Sample Dataset, and the two default groups: Administrators and All Users.

<em>Fig. 1.</em> The data settings page for the Sample Dataset before any changes are made.
Fig. 1. The data settings page for the Sample Dataset before any changes are made.

We can also select the View tables button on the left to set permissions by group on individual tables within the Sample Dataset database: the Orders, People, Products, and Reviews tables.

<em>Fig. 2.</em> The data settings page for the Sample Dataset before any changes are made.
Fig. 2. The data settings page for the Sample Dataset before any changes are made.

When we create additional groups, Metabase will list them to the right of All Users. You can add people to as many groups as you like.

Let’s walk through an example to show how permissions work in practice.

Our goal

We want to set up data permissions so that:

  • Accounting can only access the Orders table.
  • Marketing only has access to the People and Products tables.

Starting with a clean slate

We’ll first want to revoke the All Users group’s access to the Sample Dataset by clicking on the green checkmark in the data access column and selecting Revoke access (figure 3).

<em>Fig. 3.</em> Revoking access to the Sample Dataset from the All Users group.
Fig. 3. Revoking access to the Sample Dataset from the All Users group.

Revoking access to a table prevents users from seeing that table in the data browser and from asking a new question about that table.

Revoking access to this table also changes the database level access this group has from Unrestricted to Limited. A side effect of this change is that the group will lose access to the SQL editor, as the editor requires Unrestricted access to a database. You can also restrict access to the SQL editor directly at the database level, as shown in figure 3 above.

The reason we want to revoke access from All Users is because Metabase grants the most permissive level of access across all the groups a user belongs to. And since everyone belongs to the All Users group, it doesn’t matter if they’re in another group that doesn’t have access to the Sample Dataset; their membership in the All Users group grants them unrestricted access to the Sample Dataset.

As a safeguard, if we restrict a group’s access to a data source available to All Users, Metabase will helpfully warn us that All Users has a higher level of access.

<em>Fig. 4.</em> Example of groups with conflicting permissions. Hovering over the grey caution symbol reveals a warning: 'All Users has a higher level of permissions than the current group.'
Fig. 4. Example of groups with conflicting permissions. Hovering over the grey caution symbol reveals a warning: 'All Users has a higher level of permissions than the current group.'

Creating the Marketing and Accounting groups

Let’s create our two new groups by clicking on the People tab in the Admin Panel, selecting groups, and clicking on Create group.

See our documentation to learn more about creating groups.

Setting permissions on groups

When we return to the Data permissions tab, we see our new groups:

<em>Fig. 5.</em> The <strong>data permissions</strong> page with our newly added Accounting and Marketing groups.
Fig. 5. The data permissions page with our newly added Accounting and Marketing groups.

As we can tell by the red Xs, new groups default to having no access to any of our databases - which is good. This lets us selectively add permissions to these groups.

When people don’t have access to any data, they won’t even see the Ask a question, Browse data or Write SQL buttons in the nav bar (figure 6).

<em>Fig. 6.</em> What people see (or don't see) when they don't have access to any database. They can view collections, but not ask questions, browse data, or write SQL queries.
Fig. 6. What people see (or don't see) when they don't have access to any database. They can view collections, but not ask questions, browse data, or write SQL queries.

Setting permissions on the Accounting group

We’d like our Accounting group to only have access to the Orders table, so let’s return to the Permissions tab in the Admin Panel.

In Accounting’s data access column, if we click on the cell for the Sample Dataset and select Limit access, Metabase will open up a grid for us to set permissions for each table in the database. All we need to do is grant unrestricted access to the Orders table and click Save changes. Metabase will pop up a modal summarizing the changes we made and we’ll click Yes to confirm.

<em>Fig. 7.</em> Granting the Accounting group access to the Orders table.
Fig. 7. Granting the Accounting group access to the Orders table.

Now Metabase will display a half-filled-in yellow circle at the database permission level to show that the Accounting team has limited access to the Sample Dataset.

<em>Fig. 8.</em> Granting the Accounting group access to the Orders table.
Fig. 8. Granting the Accounting group access to the Orders table.

With our permissions set, we can now add people to our groups, either by adding them manually, or via single sign on (SSO).

What will people in both Marketing and Accounting groups see?

For example, Mr. Wolff is part of the both the Marketing and Accounting groups — what happens if we grant the Marketing group different levels of data access?

Let’s grant the Marketing group access to the People and Products tables in the Sample Dataset (figure 9).

<em>Fig. 9.</em> The <strong>data permissions</strong> page after the Marketing group has been granted access to the People and Products tables.
Fig. 9. The data permissions page after the Marketing group has been granted access to the People and Products tables.

Since Mr. Wolff is a member of both Accounting and Marketing, he’ll have access to every table except the Reviews table, as Metabase grants people the most permissive level of access for a given table based on the set of groups they’re in. In other words, if any of Mr. Wolff’s groups can see a data source, then he can see the data source, even if every other group he belongs to doesn’t have access.

<em>Fig. 10.</em> Mr. Wolff, a member of both the Marketing and Accounting groups, sees tables available to both groups.
Fig. 10. Mr. Wolff, a member of both the Marketing and Accounting groups, sees tables available to both groups.

Mr. Wolff is also unable to see which groups he belongs to. Only admins have access to group information.

How data permissions interact with questions and dashboards

Let’s say none of the groups Mr. Wolff belongs to have access to the Reviews table. Mr. Wolff would still be able to view questions and dashboards that query data from the Reviews table, provided he has permission to view the collection that houses those questions and dashboards.

We’ll cover collection permissions in an upcoming article.

Data permissions cheat sheet

Here’s a quick recap of the important parts:

  • Metabase sets data permissions based on groups, not individual users. Default groups include Administrators and All Users.
  • Admins always have unrestricted access to everything.
  • If you plan on locking down access to data in your Metabase instance, we recommend revoking access from the All Users group for each database you connect before adding new users.
  • As we invite users to Metabase, we can add them to groups with specific data permissions.
  • In the Open Source Edition of Metabase, Admins can set data permissions at the database level or table level. Enterprise Edition provides even more granular control with data sandboxing.
  • Access to the SQL query editor requires Unrestricted access on the database.
  • When people are members of multiple groups, Metabase grants them the most permissive level of access to a table or database. If any one of the groups they belong to has access to the data source, they’ll have access to it, even if every other group they belong to doesn’t have access.
  • People can still view questions and dashboards that use data from sources they don’t have access to, provided those questions and dashboards are in a collection the person has access to.

Read More

Stay tuned for articles on collection permissions and data sandboxing!

In the meantime, check out: