Menu Close Log in Get started

Lesson

Guide to data permissions

Learn about how Metabase handles data permissions by walking through setting up permissions on the Sample Dataset included with Metabase.

In Metabase, data permissions let us specify which databases and tables groups of people can view and query. In this article, we’ll walk through how admins can configure data permissions by setting up permissions on the Sample Dataset included with Metabase for our Marketing and Accounting teams. We’ll:

  • Learn a bit about our data permission options.
  • Create our Accounting and Marketing groups.
  • Set their permissions.
  • Show how different permissions affect people’s experience.

Default data permission settings

Let’s first get a lay of the permissions land in a fresh Metabase instance. From any Metabase page, we can click on the gears icon in the upper right corner open the Admin panel. Next, we’ll click on the Permissions tab, which by default displays data permissions. (We cover collection permissions here). Figure 1 shows the default database, the Sample Dataset, and the two default groups: Administrators and All Users.

<em>Fig. 1</em>. The data settings page for the Sample Dataset before any changes are made.
Fig. 1. The data settings page for the Sample Dataset before any changes are made.

We can also select a table on the left to set permissions by group on the Orders, People, Products, and Reviews tables in the Sample Dataset.

When we create additional groups, Metabase will display them alphabetically in this view under Group Name. You can add people to as many groups as you like.

Let’s walk through an example to show how permissions work in practice. We want to set up data permissions so that:

  • Accounting can only access the Orders table.
  • Marketing only has access to the People and Products tables.

Starting with a clean slate

First, we want to revoke the All Users group’s access to the Sample Dataset by clicking on the green checkmark in the data access column and selecting No self-service (figure 2). Granting no self-service access to a table prevents people from seeing that table in the data browser and from asking a new question about that table.

<em>Fig. 2</em>. Grant no self-service access to the Sample Dataset from the All Users group.
Fig. 2. Grant no self-service access to the Sample Dataset from the All Users group.

No self-service access to this table also changes the database level access this group has, since this group no longer has Unrestricted access. A side effect of this change is that the group will lose access to the SQL Editor, as the editor requires unrestricted access to a database. You can also restrict access to the SQL Editor directly at the database level, as shown in figure 2 above.

The reason we want to revoke access from All Users is because Metabase grants the most permissive level of access across all the groups a person belongs to. And since everyone belongs to the All Users group, it doesn’t matter if they’re in another group that doesn’t have access to the Sample Dataset; their membership in the All Users group grants them unrestricted access to the Sample Dataset.

As a safeguard, if we restrict a group’s access to a data source available to All Users, Metabase will helpfully warn us that All Users has a higher level of access.

<em>Fig. 3</em>. Example of groups with conflicting permissions. Hovering over the grey caution symbol reveals a warning: 'The All Users group has a higher level of access than this, which will override this setting.'
Fig. 3. Example of groups with conflicting permissions. Hovering over the grey caution symbol reveals a warning: 'The All Users group has a higher level of access than this, which will override this setting.'

Creating the Marketing and Accounting groups

Let’s create our two new groups by clicking on the People tab in the Admin Panel, selecting the Groups tab, and clicking on Create a group. (See our documentation to learn more about creating groups.)

Setting permissions on groups

When we return to the Permissions tab and view permissions for the the Sample Dataset, we see our new groups:

<em>Fig. 4</em>. The <strong>data permissions</strong> page with our newly added Accounting and Marketing groups.
Fig. 4. The data permissions page with our newly added Accounting and Marketing groups.

As you can tell, new groups default to having no self-service permissions. This lets us selectively add permissions to these groups.

When people don’t have access to any data, they won’t even see the Ask a Question, Browse Data, or Write SQL buttons in the nav bar (figure 5).

<em>Fig. 5</em>. What people see (or don't see) when they don't have access to any database. They can view collections, but not ask questions, browse data, or write SQL queries.
Fig. 5. What people see (or don't see) when they don't have access to any database. They can view collections, but not ask questions, browse data, or write SQL queries.

Setting permissions on the Accounting group

We’d like our Accounting group to only have access to the Orders table, so let’s return to the Permissions tab in the Admin Panel.

In the Data permissions tab, select the Orders table on the lefthand sidebar and click on the dropdown menu in Accounting’s data access column. All we need to do is grant unrestricted access to the Orders table and click Save Changes. Metabase will pop up a modal summarizing the changes we made and we’ll click Change to confirm.

<em>Fig. 6</em>. Granting the Accounting group access to the Orders table.
Fig. 6. Granting the Accounting group access to the Orders table.

As figure 7 shows, now Metabase will display a half-filled-in yellow circle in the Data Permissions tab to show that the Accounting team has granular access to the Sample Dataset.

<em>Fig. 7</em>. The Accounting group now has granular access to the Sample Dataset.
Fig. 7. The Accounting group now has granular access to the Sample Dataset.

With our permissions set, we can now add people to our groups, either by adding them manually, or via single sign-on (SSO).

What will people in both the Marketing and Accounting groups see?

Suppose Mr. Wolff is part of the both the Marketing and Accounting groups—what happens if we grant the Marketing group different levels of data access? Let’s grant the Marketing group access to the People and Products tables in the Sample Dataset (figure 8).

<em>Fig. 8</em>. The <strong>data permissions</strong> page after the Marketing group has been granted access to the People and Products tables.
Fig. 8. The data permissions page after the Marketing group has been granted access to the People and Products tables.

Since Mr. Wolff is a member of both Accounting and Marketing, he’ll have access to every table except the Reviews table, as Metabase grants people the most permissive level of access for a given table based on the set of groups they’re in. In other words, if any of Mr. Wolff’s groups can see a data source, then he can see the data source, even if every other group he belongs to doesn’t have access.

<em>Fig. 9</em>. Mr. Wolff, a member of both the Marketing and Accounting groups, sees tables available to both groups.
Fig. 9. Mr. Wolff, a member of both the Marketing and Accounting groups, sees tables available to both groups.

Mr. Wolff is also unable to see which groups he belongs to. Only admins have access to group information.

How data permissions interact with questions and dashboards

Let’s say none of the groups Mr. Wolff belongs to have access to the Reviews table. Mr. Wolff would still be able to view questions and dashboards that query data from the Reviews table, provided he has permission to view the collection that houses those questions and dashboards. We cover collection permissions here.

Reading

To learn more, please check out:

Thanks for your feedback!

Get articles like this one in your inbox every month