Collections help keep questions, dashboards, and pulses organized and easy to find. It’s helpful to think of collections as folders where we store our items. We can also set permissions on these collections to hide them from groups who don’t have view access.
To learn about how collections permissions work, we’ll walk through an example scenario using the Sample Dataset that’s included with Metabase. Let’s say we want to add the California Marketers team to our Metabase instance. Our goal is to set up permissions so that:
- The California Marketers can edit their own California Marketing collection.
- Marketing teams, including the California Marketers, can view (but not edit) questions and dashboards in the parent Marketing collection and it’s sub-collections.
Viewing our current collection permissions
Before we set up the permissions for the California Marketers group, let’s take a look at the current settings.
We’ll navigate to the permissions setting page by clicking on the gears icon, selecting Admin to open the Admin panel, clicking on the Permissions page, and then opening the Collections tab.
Metabase has two default groups: Administrators and All Users. Our Analytics is the default root collection.
The green checkmark shows that both default groups have access to the default Our Analytics collection.
Metabase also gives each person their own personal collection where they can store questions, dashboards, and pulses. These collections operate a little differently: we can’t change permissions on them, but the only users who can view and edit a personal collection are its owner and administrators.
Starting with a clean slate
Let’s start by revoking access from the Our Analytics collection so that we can selectively add permissions for specific collections and groups.
Clicking on the green checkmark in the Our analytics cell under All Users will show us our options:
The three collection permission options are:
- Curate collection (green checkmark): allows people to view, add, edit, move, or archive items.
- View collection (yellow eye): allows people to view items currently saved to the collection.
- Revoke access (red X): prevents people from viewing the collection.
We’ll select revoke access and save our changes.
Creating a group and collection for the California team
Before we can assign the correct permissions to our new marketing team, we need a 1) group for the users to join, and 2) a collection that can house their marketing questions, dashboards, and pulses.
In the Admin Panel, we’ll click on the People tab and create a group titled California Marketers.
Next, we’ll need to create the California Marketing collection, which we’ll place in our existing United States Marketing collection.
From the Metabase home page, in the Our Analytics section, click Browse all items to visit the Our Analytics collection page. On the left, under the list of collections, we’ll click on + New collection, name our collection “California Marketing,” and save it to the United States Marketing collection.
Setting permissions for the California team
Now that we’ve created the California Marketing collection, we’ll need to make sure our California Marketers can:
- View, add, and remove dashboards and questions in their California Marketing collection.
- View questions and dashboards in the Marketing collection.
When we revoked access from All Users, we used the collection permissions page, but as Admins we can also edit collection permissions directly from the collection’s page.
On the California Marketing collection page, we’ll click the black lock to open the collection permissions modal.
We can change the settings for the California Marketers the same way we changed the All Users section earlier:
- Clicking the red X next to California Marketers.
- Selecting Curate collection from the dropdown menu.
- Clicking the blue Save button.
Setting permissions for a parent collection
Next, we want the California Marketers to be able to view (but not edit) the parent collection, Marketing Materials.
Same as above, we’ll navigate to the Marketing collection, and click on the black lock to change the permissions.
Though this time, we’ll notice two differences about this parent collection’s permissions.
The first is the warning symbol next to our California Marketers group. Hover over the exclamatory triangle and Metabase will say, “This group has permission to view at least one sub-collection of this collection.”
Which makes sense, given that we just granted curate access to the California Marketing group to the California Marketing collection, which is a sub-collection of the Marketing collection.
The second difference we’ll notice is that when we click on the red X to change our California group’s permissions, a gray bar appears at the bottom of the popup with a toggle for cascading changes down to sub-collections. Since we don’t want our California Marketers to have access to data about Marketing offices abroad and in other states, we’ll toggle off the sub-collection option and select the “View collection” permission option.
And that’s all there is to it. The California Marketers group now has their own collection to curate. Plus, they can view questions and dashboards in the parent Marketing collection.
All that’s left to do is discuss some scenarios to give you a better understanding of how these permissions work.
Dashboards with questions from multiple collections
If we create a dashboard that uses questions from multiple collections, people will only see the questions available to the collections they have view or curate access to.
Here’s a dashboard where the user has access to all the collections that the questions are stored in:
If someone doesn’t have access to a collection that houses a question on a dashboard, even though they can see the dashboard, Metabase will display a set of keys on the card to show they don’t have access to the question’s collection.
One way to avoid locked cards is to group related questions and dashboards in a collection and build dashboards using only questions that live in their collection. Questions and dashboards can only live in one collection at time, but we can duplicate items and move the duplicate to another collection.
How data and collection permissions interact
The basic breakdown is this:
- Data permissions determine which databases and tables we can ask questions of.
- Collection permissions determine which saved questions and dashboards we can view.
For example, let’s say in our California Marketing collection, one of the questions uses data from the Orders table. If the California Marketers group doesn’t have access to the Orders table, they would be able to view, but not edit or modify the question.
If we were to grant the California Marketers group access to the Orders table, they would then be able to edit the question (note the Filter, Summarize, and notebook buttons in the top right of figure 14, as well as the link to the Orders table).
- Collection permissions are based on groups.
- Admins can change a group’s permissions from the collection permissions page, or from inside the collection. If a collection has sub-collections, Metabase will present a toggle to allow us to choose whether we apply those changes to the sub-collections.
- When we create new collections, they default to the permission settings of their parent collection.
- The three collection permission settings are:
- Curate collection: group can view, add, edit, move, or archive items, and create new sub-collections.
- View collection: group can view items.
- No access: group isn’t even aware that this collection exists.
- Users can only see questions in a dashboard if they also have access to the collection containing each question. Try to keep a dashboard’s questions in the same collection as the dashboard to avoid locking people out of questions.
- If users have questions in their collection based on data they don’t have permissions to, they will still be able to see the question, but won’t be able to edit it.
Learn more about permissions by reading these articles:
- Guide to data permissions
- Setting data access permissions
- Creating collections for saved questions
- The Metabase approach to permissions