Guide to data permissions

Learn about how Metabase handles data permissions by walking through setting up permissions on the Sample Database included with Metabase.

In Metabase, data permissions let us specify which databases and tables groups of people can view and query. In this article, we’ll walk through how admins can configure data permissions by setting up permissions on the Sample Database included with Metabase for our Sailboats and Canoes teams. We’ll:

  • Learn a bit about our data permission options.
  • Create our Canoes and Sailboats groups.
  • Set their permissions.
  • Show how different permissions affect people’s experience of reality.

Default data permission settings

Let’s first get a lay of the permissions land in a fresh, newborn Metabase. We can click on the gears icon at the bottom of the navigation sidebar and select Admin settings > Permissions, which by default displays data permissions. We’ll select Databases and Sample Database (the default database). Figure 1 shows the two default groups: Administrators and All Users.

Fig. 1. The data settings page for the Sample Database before any changes are made.

We can also select a table on the left to set permissions by group on the Orders, People, Products, and Reviews tables in the Sample Database.

When we create additional groups, Metabase will display them alphabetically in this view under Group Name. You can add people to as many groups as you like.

Let’s walk through an example to show how permissions work in practice. We want to set up data permissions with two different groups that we’ll create in Metabase, which we’ll call Sailboats and Canoes. Here’s what we want to do:

  • Canoes can only access the Orders table.
  • Sailboats can only access the People and Products tables.

Set the All Users group’s access to “No self-service”

First, we want to revoke the All Users group’s access to the Sample Database by clicking on the green checkmark in the data access column and selecting No self-service (figure 2). Granting no self-service access to a table prevents people in the group from seeing that table in the data browser and from asking a new question about that table.

Fig. 2. Setting the All Users group's access to the Sample Database to No self-service.

A side effect of this change is that the group will lose access to the SQL Editor, as the editor requires unrestricted access to a database. You can also restrict access to the SQL Editor directly at the database level, as shown in figure 2 above.

We revoke access from All Users because Metabase grants the most permissive level of access across all the groups a person belongs to. Since everyone belongs to the All Users group, it doesn’t matter if they’re in another group that lacks access to the Sample Database; their membership in the All Users group grants them unrestricted access to the Sample Database.

On some plans (like in figure 2), you’ll also see an option to block access, which makes it so people won’t even be able to view questions with data from that data source.

Creating the Sailboats and Canoes groups

Let’s create our two new groups, Sailboats and Canoes. We’ll click on the gear in the navigation sidebar and select Admin settings > People, then select the Groups tab and click on Create a group. (See our documentation to learn more about creating groups.)

Setting permissions on groups

When we go to the Permissions tab and view permissions for the Sample Database, we see our new groups, Sailboats and Canoes:

Fig. 3. The data permissions page with our newly added Canoes and Sailboats groups.

New groups default to having no self-service permissions. This lets us selectively add permissions to these groups.

When people don’t have access to any data, they:

  • Won’t see the Browse Data button in the navigation sidebar.
  • Can’t create a new question or native query.

Setting permissions on the Canoes group

We’d like our Canoes group to only have access to the Orders table, so let’s return to Admin settings > Permissions.

In the Data tab, select the Orders table in the sidebar and click on the dropdown menu in Canoes’ data access column. All we need to do is grant unrestricted access to the Orders table and click Save Changes. Metabase will pop up a modal summarizing the changes we made and we’ll click Change to confirm.

Fig. 4. Granting the Canoes group access to the Orders table.

As figure 5 shows, now Metabase will display a half-filled-in yellow circle in the Data Permissions tab to show that the Canoes team has granular access to the Sample Database.

Fig. 5. The Canoes group now has granular access to the Sample Database.

With our permissions set, we can now add people to our groups, either by adding them manually, or via single sign-on (SSO).

What will people in both the Sailboats and Canoes groups see?

Suppose Mr. Captain is part of both the Sailboats and Canoes groups. What happens if we grant the Sailboats group different levels of data access? Let’s grant the Sailboats group access to the People and Products tables in the Sample Database (figure 6).

Fig. 6. The data permissions page after the Sailboats group has been granted access to the People and Products tables.

Since Mr. Captain is a member of both Canoes and Sailboats, he’ll have access to every table except the Reviews table, as Metabase grants people the most permissive level of access for a given table based on the set of groups they’re in. In other words, if any of Mr. Captain’s groups can see a data source, then he can see the data source, even if every other group he belongs to lacks access.

Fig. 7. Mr. Captain, a member of both the Sailboats and Canoes groups, sees tables available to both groups.
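
The most-permissive rule, sketched as an added Python example (not Metabase's code or API; the dictionary layout and function names are assumptions for illustration). It shows why a Canoes member can still query every table until All Users is set to No self-service, and what Mr. Captain ends up with afterward.

```python
# Simplified model of the rule described above (added example).
# Group names and tables come from the walkthrough; the dict layout is an
# assumption for illustration, not Metabase's API or storage format.
ALL_USERS = "All Users"
TABLES = ("Orders", "People", "Products", "Reviews")
RANK = {"no-self-service": 0, "unrestricted": 1}  # higher = more permissive

# Constructed sample data: a fresh install where All Users is still open.
FRESH = {
    ALL_USERS: {t: "unrestricted" for t in TABLES},
    "Canoes": {"Orders": "unrestricted"},
    "Sailboats": {"People": "unrestricted", "Products": "unrestricted"},
}
# Same groups after All Users is set to No self-service.
LOCKED_DOWN = {**FRESH, ALL_USERS: {}}


def effective_access(groups, grants):
    """Most permissive level per table across all of a person's groups."""
    member_of = set(groups) | {ALL_USERS}  # everyone belongs to All Users
    result = {}
    for table in TABLES:
        levels = [grants.get(g, {}).get(table, "no-self-service") for g in member_of]
        result[table] = max(levels, key=RANK.__getitem__)
    return result


def queryable(groups, grants):
    """Tables the person can browse and ask new questions about."""
    access = effective_access(groups, grants)
    return sorted(t for t in TABLES if access[t] == "unrestricted")


def granted_only_by_all_users(groups, grants):
    """Tables reachable solely because All Users was left open."""
    named_only = {g: p for g, p in grants.items() if g != ALL_USERS}
    return sorted(set(queryable(groups, grants)) - set(queryable(groups, named_only)))


if __name__ == "__main__":
    print(queryable(["Canoes"], FRESH))                    # All Users overrides Canoes
    print(granted_only_by_all_users(["Canoes"], FRESH))
    print(queryable(["Canoes", "Sailboats"], LOCKED_DOWN))  # Mr. Captain
```

A non-empty result from granted_only_by_all_users is the signal that a group's restrictions are not yet taking effect.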

Note that people don’t know about groups. Mr. Captain is also unable to see which groups he belongs to. Only admins have access to group information. On some plans, however, you can promote people in groups to group managers, which allows them to determine who is in their group.

How data permissions interact with questions and dashboards

Let’s say none of the groups Mr. Captain belongs to have access to the Reviews table. Mr. Captain would still be able to view questions and dashboards that query data from the Reviews table, provided he has permission to view the collection that houses those questions and dashboards. See Collection permissions.

More data permission options

You can also set permissions on:

  • Native query editing.
  • Downloading results*.
  • Managing the data model*. See Editing metadata.
  • Managing the database*. See managing databases (though only admins can delete databases).

* Only available on paid plans.
