Guide to data permissions

Learn about how Metabase handles data permissions by setting up permissions on the Sample Database included with Metabase.

Data permissions specify how different groups of people can interact with tables and databases. In this article, we’ll walk through an example of how to give people permission to view, edit, or query tables from the Sample Database.

Introducing data permissions

Let’s start by navigating to Admin > Permissions, and selecting Databases > Sample Database. This will take us to the data permissions page at the database level. If you want to configure permissions for each table in the Sample Database, you can click on the table name at the left.

Fig. 1. The data permissions page for the Sample Database before any changes are made.

Data permissions must be configured for groups. Metabase comes with two default groups: Administrators and All Users. We’ll create two new sample groups called Canoes and Sailboats, and set up data permissions to:

  • Adjust the default permission settings for All Users.
  • Give the Canoes group permission to access the Orders table only.
  • Give the Sailboats group permission to access the People and Products tables only.

Here, “access to a table” means that we’ll allow the group to create questions from the notebook editor using the data from a given table.

If you want to allow people to create questions using the native query (SQL) editor, you’ll need to configure a different set of data permissions.

Configuring permissions for the All Users group

First, we’ll revoke Unrestricted access to the database for All Users, because Metabase grants the most permissive level of access across all the groups that someone belongs to.

You can’t remove anyone from the All Users group, so if you give All Users Unrestricted permissions to the Sample Database, then that’ll always be the most permissive setting for everyone who uses your Metabase, regardless of any other group that you put people in.

  1. Go to Admin > Permissions > Databases > Sample Database.
  2. Click on the dropdown menu at the All Users row and Data access column (figure 2).
  3. Select No self-service.
  4. Click Save changes in the banner that appears at the top.
Fig. 2. Selecting the No self-service permission for the All Users group to the Sample Database.

Selecting No self-service for All Users to the Sample Database will:

  • Prevent All Users from seeing any data from the Sample Database in the data browser.

  • Prevent All Users from using the notebook editor to create questions using data from the Sample Database.

  • Continue to allow All Users to view the results (but not access the underlying data) from questions and dashboards that use Sample Database tables, as long as these questions and dashboards are saved in collections that match the collection permissions for your All Users group.

Configuring native query editing permissions

Changing All Users’ data permissions from Unrestricted to No self-service (at the database level) will also revoke All Users’ native query editing permissions to every table in that database. Revoking native query editing permissions will:

  • Prevent everyone from creating questions using the native query editor (also known as the SQL editor).
  • Continue to allow everyone to view the results of questions created with SQL or other query languages, as long as people are also in groups with the correct collection permissions.

Here, “native query editing permissions” means that we’ll allow groups to use the native query editor like a database IDE. People with native query editing permissions will be allowed to query all of the data that your Metabase has access to read from your database (which is defined by the role that Metabase uses to connect to your database).

The best way to selectively grant native query editing permissions is to create a separate group (like “SQL Users”). This group will need Unrestricted access to the Sample Database, with the Native query editing permission set to “Yes”. For more information, see Native query editing permissions.

Creating user groups

Let’s create two new groups, and call them Canoes and Sailboats. Go to Admin > People. Select the Groups tab, and click Create a group. For more details, see Creating groups.

Reviewing default data permissions

Go to Admin > Permissions > Databases and select the Sample Database to see our new groups:

Fig. 3. The data permissions page with our newly added Canoes and Sailboats groups.

New groups default to No self-service permissions. This lets us selectively add permissions to each group.

For the Canoes and Sailboats groups, No self-service data permissions will:

  • Prevent people in Canoes and Sailboats from viewing any Sample Database tables in the data browser.

  • Prevent people in Canoes and Sailboats from using the notebook editor to create questions on top of Sample Database tables.

  • Continue to allow people in Canoes and Sailboats to view the results of questions that are built on tables from the Sample Database, as long as these questions are saved in collections that match a given group’s collection permissions.

Configuring permissions for a user group

To give the Canoes group permission to access the Orders table only:

  1. Go to Admin > Permissions > Groups.
  2. Select the Canoes group.
  3. Click Sample Database.
  4. Select Unrestricted from the dropdown menu at the Orders row and Data access column (figure 4).
  5. Click Save Changes.
  6. In the modal that appears, review the effects of your permission changes, then click Change to confirm.
Fig. 4. Granting the Canoes group permission to access the Orders table.

If you click into the Canoes group under the “Permissions for the Canoes group” header, you’ll be taken to the data permissions page at the group level. From there, you’ll see that Metabase auto-populates the yellow Granular permission under the Data access column for the Sample Database. The Granular permission indicates that the Canoes group now has access to some, but not all, of the tables in the Sample Database (figure 5).

Fig. 5. The Canoes group now has granular access to the Sample Database.

Configuring permissions for a user in multiple groups

Let’s configure another set of data permissions to give the Sailboats group Unrestricted permissions to the People and Products tables in the Sample Database (figure 6):

Fig. 6. The data permissions page after the Sailboats group has been granted access to the People and Products tables.

Here’s what our current data permissions do:

  • Prevent people in the Sailboats group from creating their own questions using the Orders table.
  • Prevent people in the Canoes group from creating their own questions using the People or Products tables.
  • Allow everyone (via the All Users group) to view the results of questions that use the Orders, People, or Products tables, given that they have the correct collection permissions.

Suppose Mr. Captain belongs to both the Canoes and Sailboats groups, so that he has three sets of permissions that are being applied from three different groups:

  • No self-service permissions to the Sample Database from the All Users group.
  • Unrestricted permissions to the Orders table from the Canoes group.
  • Unrestricted permissions to the People and Products tables from the Sailboats group.

Since Metabase applies the most permissive settings across all groups, Mr. Captain will have Unrestricted permissions to the Orders, People, and Products tables. Unrestricted permissions to these three tables means that Mr. Captain will be able to:

  • Create questions with the notebook editor using any combination of Orders, People, or Products.
  • Drill down and manipulate other people’s notebook editor questions that use Orders, People, or Products, as long as those questions are saved in collections that match his collection permissions.

Mr. Captain doesn’t belong to any groups with Unrestricted permissions to the Reviews table or the Sample Database, which will:

  • Prevent him from creating questions using the Reviews table.
  • Prevent him from interacting with the native query editor at all (e.g., viewing, editing, or writing SQL queries).

Since Mr. Captain is also part of the All Users group with No self-service permissions to the Sample Database, he’ll still be able to view the results of questions that are built using the Reviews table or the native query editor, as long as he has the right collection permissions.
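
The most-permissive rule applied to Mr. Captain, as an added example (a simplified model written for this walkthrough, not Metabase's own code or permission format). The group and table names come from the article; the dictionary layout and function names are assumptions, and “SQL Users” is the separate group the article suggests for native query editing.

```python
# Simplified model of the rule described above: a person's effective data
# access is the most permissive setting across every group they belong to.
# The data layout below is an assumption made for this example.

RANK = {"no-self-service": 0, "unrestricted": 1}
TABLES = ["Orders", "People", "Products", "Reviews"]

# Per group: a database-level setting, or per-table ("granular") settings.
GROUPS = {
    "All Users": {"database": "no-self-service", "native": False},
    "Canoes":    {"tables": {"Orders": "unrestricted"}, "native": False},
    "Sailboats": {"tables": {"People": "unrestricted",
                             "Products": "unrestricted"}, "native": False},
    "SQL Users": {"database": "unrestricted", "native": True},
}


def table_access(group, table):
    """Access one group grants to one table (unlisted tables: no self-service)."""
    perms = GROUPS[group]
    if "database" in perms:
        return perms["database"]
    return perms["tables"].get(table, "no-self-service")


def effective_access(memberships):
    """Most permissive access per table across all of a person's groups."""
    groups = set(memberships) | {"All Users"}  # nobody can leave All Users
    return {t: max((table_access(g, t) for g in groups), key=RANK.get)
            for t in TABLES}


def can_use_native_editor(memberships):
    """Needs a group with database-level Unrestricted and native editing on."""
    groups = set(memberships) | {"All Users"}
    return any(GROUPS[g].get("database") == "unrestricted" and GROUPS[g]["native"]
               for g in groups)


def masked_by_all_users():
    """True if All Users is Unrestricted, which overrides every other group."""
    return GROUPS["All Users"].get("database") == "unrestricted"


if __name__ == "__main__":
    captain = ["Canoes", "Sailboats"]
    print(effective_access(captain))
    print("native editor:", can_use_native_editor(captain))
```

Setting the All Users entry to "unrestricted" makes `effective_access` return Unrestricted for every table regardless of membership, which is why the walkthrough revokes that setting first.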
