
Working with collection permissions

Walk through setting up and permissioning collections, and learn how collection permissions work with data permissions.

Collections keep questions, dashboards, and models organized and easy to find. It’s helpful to think of collections as folders where we store our items. We can also set permissions on these collections to hide them from groups.

We’ll walk through an example scenario using the Sample Database that’s included with Metabase. Let’s say we’re a boat company, and we want to add a new boat team to our Metabase: the Canoes team. Our goal is to set up permissions so that:

  • All Boats, including the Canoes, can view (but not edit) questions and dashboards in the parent Boats collection and its sub-collections.
  • The Canoes can edit their own Canoes collection.

Viewing our current collection permissions

Before we set up the permissions for the Canoes group, let’s take a look at the current settings. In a fresh, brand new Metabase, we’ll click on the gears icon in the navigation sidebar and select Admin settings > Permissions > Collections.

Here’s our starting point. Metabase has two default groups: Administrators and All Users. Our Analytics is the default root collection. The checkmarks show that both default groups have access to the default Our Analytics collection.

Metabase also gives each person their own personal collection where they can store questions, dashboards, and models. These collections operate a little differently: we can’t change their permissions, but the only people who can view and edit a personal collection are its owner and your Metabase administrators.

Selectively add permissions for specific collections

Let’s start by revoking access from the Our Analytics collection. That way, we can selectively add permissions for specific groups to specific collections.

Clicking on the green checkmark for the All Users group in the Collection Permissions will show us our options:

  • Curate collection (green checkmark): allows people to view, add, edit, move, or archive items.
  • View collection (yellow eye): allows people to view items currently saved to the collection.
  • No access (red X): prevents people from viewing the collection.
Fig. 1. Revoking access to the Our Analytics collection and its sub-collections.

We’ll select No access and Also change sub-collections, so that our collection permissions apply to collections nested within Our Analytics (until we say otherwise).

Creating a Canoes group and some collections

Next, we’ll create a new group, Canoes, to add people to. We’ll go to Admin settings > People > create group, and call the group “Canoes.”

Then we’ll click on + New > Collection and create a collection called Boats, which will house our collections for each type of boat: canoes, sailboats, and so on. Then we’ll create another collection inside the Boats collection, which we’ll call “Canoes.”

Setting permissions for the Canoes team

Now that we’ve created the “Canoes” collection, we’ll need to make sure people in our Canoes group can:

  • View, add, and remove dashboards, questions, and models in the Canoes collection.
  • View questions and dashboards in the Boats collection.

When we revoked access from All Users, we used the Collection Permissions tab, but as admins we can also edit collection permissions directly from the collection’s page.

On the “Canoes” collection page, we’ll click the lock to open the Collection Permissions modal.

Fig. 2. Hovering over lock to edit the collection's permissions.

We can change the settings for Canoes the same way we changed the All Users section earlier:

  • Click the red X next to Canoes.
  • Select Curate from the dropdown menu.
  • Set All Users to No Access.
  • Click the Save button.
Fig. 3. Setting curate collection permissions to the Canoes group for their Canoes collection.

Setting permissions for the parent collection

Next, we want the Canoes to be able to view (but not edit) the parent collection, Boats. As above, we’ll navigate to the Boats collection and click on the lock to change the permissions. This time, though, there are two differences about this parent collection’s permissions.

The first is the warning symbol next to our Canoes group. Hover over the warning triangle and Metabase will say, “This group has permission to view at least one sub-collection of this collection.”

This makes sense, given that we just granted the Canoes group curate access to the Canoes collection, which is a sub-collection of the Boats collection.

The second difference we’ll notice is that when we click on the red X to change our Canoes group’s permissions, a gray bar appears at the bottom of the popup with a toggle for cascading changes down to sub-collections. Since we don’t want our Canoes to have access to data about other types of boats, we’ll toggle off the sub-collection option and select the View permission option instead.

And that’s all there is to it. The Canoes group now has their own collection to curate. Plus, they can view questions and dashboards in the parent Boats collection.
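The walkthrough's permission changes modeled in Python, as an added example that is not Metabase's code. The helper names are constructed for illustration, all collections are assumed to exist up front, and a hypothetical Sailboats sub-collection is included to show what leaving the sub-collections toggle on would change.

```python
# Simplified model of collection permissions (added example, not Metabase code).
# Constructed collection tree: child -> parent. "Sailboats" is hypothetical.
PARENT = {"Boats": "Our Analytics", "Canoes": "Boats", "Sailboats": "Boats"}
COLLECTIONS = ["Our Analytics", *PARENT]

def descendants(collection):
    """All collections nested under `collection`, at any depth."""
    kids = [c for c, p in PARENT.items() if p == collection]
    return kids + [d for k in kids for d in descendants(k)]

def set_permission(graph, group, collection, level, sub_collections=False):
    """Set 'curate', 'view' or 'none'; optionally cascade to sub-collections."""
    targets = [collection] + (descendants(collection) if sub_collections else [])
    for c in targets:
        graph.setdefault(group, {})[c] = level

def sub_collection_warning(graph, group, collection):
    """True when the group can view at least one sub-collection (the triangle)."""
    perms = graph.get(group, {})
    return any(perms.get(d, "none") != "none" for d in descendants(collection))

def walkthrough(cascade_boats_view):
    # Simplification: every collection already exists and All Users can curate it.
    graph = {"All Users": {c: "curate" for c in COLLECTIONS}, "Canoes": {}}
    # Revoke All Users from Our Analytics with "Also change sub-collections".
    set_permission(graph, "All Users", "Our Analytics", "none", sub_collections=True)
    # The Canoes group curates its own collection.
    set_permission(graph, "Canoes", "Canoes", "curate")
    # The warning state the admin sees on Boats before changing it.
    warning = sub_collection_warning(graph, "Canoes", "Boats")
    # The Canoes group views the parent; the toggle decides whether this cascades.
    set_permission(graph, "Canoes", "Boats", "view", sub_collections=cascade_boats_view)
    return graph, warning
```

In this model, `walkthrough(True)` gives the Canoes group view access to Sailboats and overwrites its curate access on Canoes with view, which is why the walkthrough turns the toggle off.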

Scenarios

Here are some scenarios to give you a feel for how these permissions work in practice.

How data and collection permissions interact

The basic breakdown is this:

  • Data permissions determine which databases and tables we can ask questions of.
  • Collection permissions determine which saved questions, models, and dashboards we can view.

For example, let’s say in our Canoes collection, one of the questions uses data from the Orders table. If the Canoes group lacks access to the Orders table, they would be able to view the question, but they wouldn’t be able to edit or modify the question.

Fig. 4. A question that someone has collection permissions for, but not data permissions. The user can't edit the question.

If we were to grant the Canoes group access to the Orders table, they would then be able to edit the question (note the Filter, Summarize, and notebook buttons in the top right of figure 5, as well as the link to the Orders table).

Fig. 5. The same question as the last figure, but the user has collection and data permissions for it.

Dashboards with questions from multiple collections

If we create a dashboard that includes questions from multiple collections, people will only see the questions saved in collections they have view or curate access to.

Here’s a dashboard where the user has access to all the collections that the questions are stored in:

Fig. 6. Dashboard with visible cards.

If someone lacks access to a collection that houses a question on a dashboard, even though they can see the dashboard, Metabase will display a set of keys on the card to show they don’t have access to the question’s collection.

Fig. 7. Dashboard viewed by a person whose groups lack view access to one of the questions' collections. Instead of seeing the question, they'll see a card with keys on it to let them know they don't have permission.

One way to avoid locked cards is to group related questions and dashboards in a collection and build dashboards using only questions that live in that collection. Questions and dashboards can only live in one collection at a time, but we can duplicate items and move the duplicate to another collection.
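How the two permission types combine for one person viewing a dashboard, as an added example in Python that is not Metabase's code. The groups, questions, and tables are constructed sample data, and the model assumes a person's access is the most permissive level granted by any of their groups.

```python
# Added example (not Metabase code): what one person sees on a dashboard.
RANK = {"none": 0, "view": 1, "curate": 2}

# Constructed sample state. Sailboats is a hypothetical sibling collection.
COLLECTION_PERMS = {
    "All Users": {"Boats": "none", "Canoes": "none", "Sailboats": "none"},
    "Canoes": {"Boats": "view", "Canoes": "curate"},
}
# Tables each group may query (constructed data permissions).
DATA_PERMS = {"All Users": set(), "Canoes": {"Products"}}
# question -> (collection it lives in, table it queries)
QUESTIONS = {
    "Canoe orders": ("Canoes", "Orders"),
    "Canoe products": ("Canoes", "Products"),
    "Sailboat orders": ("Sailboats", "Orders"),
}

def collection_access(groups, collection):
    """Most permissive level any of the person's groups has on the collection."""
    levels = [COLLECTION_PERMS.get(g, {}).get(collection, "none") for g in groups]
    return max(levels, key=RANK.__getitem__, default="none")

def card_state(groups, question):
    """'locked': no collection access; 'view-only': collection access but no
    data access; 'editable': both, so the query can be modified."""
    collection, table = QUESTIONS[question]
    if collection_access(groups, collection) == "none":
        return "locked"
    can_query = any(table in DATA_PERMS.get(g, set()) for g in groups)
    return "editable" if can_query else "view-only"

def render_dashboard(groups, cards):
    """Map each card on the dashboard to the state this person would see."""
    return {q: card_state(groups, q) for q in cards}
```

Running `render_dashboard` for a member of All Users and Canoes over every sample question surfaces the locked Sailboats card, which is the check to run before sharing a dashboard built from several collections.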
