Menu Close Log in Get started

Lesson

Working with collection permissions

Learn about setting collection permissions, how collection permissions work with data permissions, and best practices for managing collections.

Collections help keep questions, dashboards, and pulses organized and easy to find. It’s helpful to think of collections as folders where we store our items. We can also set permissions on these collections to hide them from groups who don’t have view access.

To learn about how collections permissions work, we’ll walk through an example scenario using the Sample Dataset that’s included with Metabase. Let’s say we want to add the California Marketers team to our Metabase instance. Our goal is to set up permissions so that:

  • The California Marketers can edit their own California Marketing collection.
  • Marketing teams, including the California Marketers, can view (but not edit) questions and dashboards in the parent Marketing collection and it’s sub-collections.

Viewing our current collection permissions

Before we set up the permissions for the California Marketers group, let’s take a look at the current settings.

We’ll navigate to Permissions by clicking on the gears icon, going to the Admin Panel, clicking on Permissions, and then opening the Collection Permissions tab.

<em>Fig. 1</em>. Navigating to the <strong>Collection Permissions tab</strong>.
Fig. 1. Navigating to the Collection Permissions tab.

Metabase has two default groups: Administrators and All Users. Our Analytics is the default root collection. The green checkmark shows that both default groups have access to the default Our Analytics collection.

<em>Fig. 2</em>. The original settings for the collection permissions---<code>Admin</code> and <code>All Users</code> have curate collection access.
Fig. 2. The original settings for the collection permissions---Admin and All Users have curate collection access.

Metabase also gives each person their own personal collection where they can store questions, dashboards, and pulses. These collections operate a little differently: we can’t change permissions on them, but the only users who can view and edit a personal collection are its owner and administrators.

Starting with a clean slate

Let’s start by revoking access from the Our Analytics collection so that we can selectively add permissions for specific collections and groups.

Clicking on the green checkmark in the Our Analytics cell under All Users will show us our options:

  • Curate collection (green checkmark): allows people to view, add, edit, move, or archive items.
  • View collection (yellow eye): allows people to view items currently saved to the collection.
  • Revoke access (red X): prevents people from viewing the collection.
<em>Fig. 3</em>. Dropdown menu of the <strong>Collection Permissions tab</strong>.
Fig. 3. Dropdown menu of the Collection Permissions tab.

We’ll select Revoke access and save our changes.

Creating a group and collection for the California team

Before we can assign the correct permissions to our new marketing team, we need a group for the users to join, and a collection that can house their marketing questions, dashboards, and pulses. In the Admin Panel, we’ll click on the People tab and create a group titled California Marketers.

<em>Fig. 4</em>. Creating a group called California Marketers.
Fig. 4. Creating a group called California Marketers.

Next, we’ll need to create the California Marketing collection, which we’ll place in our existing United States Marketing collection. From the Metabase home page, in the Our Analytics section, click Browse all items to visit the Our Analytics collection page. On the left, under the list of collections, we’ll click on + New collection, name our collection California Marketing, and save it to the United States Marketing collection.

<em>Fig. 5</em>. Nesting the California Marketing collection in the United States Marketing collection.
Fig. 5. Nesting the California Marketing collection in the United States Marketing collection.

Setting permissions for the California team

Now that we’ve created the California Marketing collection, we’ll need to make sure our California Marketers can:

  • View, add, and remove dashboards and questions in their California Marketing collection.
  • View questions and dashboards in the Marketing collection.

When we revoked access from All Users, we used the Collection Permissions tab, but as admins we can also edit collection permissions directly from the collection’s page.

On the California Marketing collection page, we’ll click the black lock to open the collection permissions modal.

<em>Fig. 6</em>. Hovering over lock to edit the collections of the permissions.
Fig. 6. Hovering over lock to edit the collections of the permissions.

We can change the settings for California Marketers the same way we changed the All Users section earlier:

  • Click the red X next to California Marketers.
  • Select Curate collection from the dropdown menu.
  • Click the Save button.
<em>Fig. 7</em>. Setting <code>curate collection permissions</code> to the California Marketing group for their California Marketing collection.
Fig. 7. Setting curate collection permissions to the California Marketing group for their California Marketing collection.

Setting permissions for a parent collection

Next, we want the California Marketers to be able to view (but not edit) the parent collection, Marketing Materials. As above, we’ll navigate to the Marketing collection and click on the black lock to change the permissions. This time, though, there are two differences about this parent collection’s permissions.

The first is the warning symbol next to our California Marketers group. Hover over the warning triangle and Metabase will say, “This group has permission to view at least one sub-collection of this collection.”

<em>Fig. 8</em>. Hovering over warning symbol to display message: 'This group has permission to view at least one sub-collection of this collection.'
Fig. 8. Hovering over warning symbol to display message: 'This group has permission to view at least one sub-collection of this collection.'

This makes sense, given that we just granted the California Marketing group curate access to the California Marketing collection, which is a sub-collection of the Marketing collection.

The second difference we’ll notice is that when we click on the red X to change our California group’s permissions, a gray bar appears at the bottom of the popup with a toggle for cascading changes down to sub-collections. Since we don’t want our California Marketers to have access to data about Marketing offices abroad and in other states, we’ll toggle off the sub-collection option and select the View collection permission option.

<em>Fig. 9</em>. Changing the collection permissions of the Marketing Materials collections.
Fig. 9. Changing the collection permissions of the Marketing Materials collections.

And that’s all there is to it. The California Marketers group now has their own collection to curate. Plus, they can view questions and dashboards in the parent Marketing collection. All that’s left to do is discuss some scenarios to give you a better understanding of how these permissions work.

Dashboards with questions from multiple collections

If we create a dashboard that uses questions from multiple collections, people will only see the questions available to the collections they have view or curate access to.

Here’s a dashboard where the user has access to all the collections that the questions are stored in:

<em>Fig. 10</em>. The CA Marketing Dashboard from the perspective of a user in the Marketing Managers group. This user can see all the dashboard's cards.
Fig. 10. The CA Marketing Dashboard from the perspective of a user in the Marketing Managers group. This user can see all the dashboard's cards.

If someone doesn’t have access to a collection that houses a question on a dashboard, even though they can see the dashboard, Metabase will display a set of keys on the card to show they don’t have access to the question’s collection.

<em>Fig. 11</em>. The CA Marketing Dashboard from the perspective of a user in the regular Marketers group. This user can only see some of the dashboard's cards.
Fig. 11. The CA Marketing Dashboard from the perspective of a user in the regular Marketers group. This user can only see some of the dashboard's cards.

One way to avoid locked cards is to group related questions and dashboards in a collection and build dashboards using only questions that live in their collection. Questions and dashboards can only live in one collection at time, but we can duplicate items and move the duplicate to another collection.

How data and collection permissions interact

The basic breakdown is this:

  • Data permissions determine which databases and tables we can ask questions of.
  • Collection permissions determine which saved questions and dashboards we can view.

For example, let’s say in our California Marketing collection, one of the questions uses data from the Orders table. If the California Marketers group doesn’t have access to the Orders table, they would be able to view, but not edit or modify the question.

<em>Fig. 12</em>. A question someone has collection permissions, but not data permissions for. The user is not able to edit the question.
Fig. 12. A question someone has collection permissions, but not data permissions for. The user is not able to edit the question.

If we were to grant the California Marketers group access to the Orders table, they would then be able to edit the question (note the Filter, Summarize, and notebook buttons in the top right of figure 14, as well as the link to the Orders table).

<em>Fig. 13</em>. The same question as the last figure, but the user has collection and data permissions for it.
Fig. 13. The same question as the last figure, but the user has collection and data permissions for it.

Read more

You can learn more about permissions from these articles:

Thanks for your feedback!

Get articles like this one in your inbox every month