Make Card non clickable

Get Help
1

Hi

Is there a way to make the card not clickable on the dashboard. Intention is to provide users only access to view the dashboard and prevent them from actually going into the question and making changes. Also this will indirectly help us prevent the downloading of the data

2

Hi @jiwnaiakbar
You can make the users part of a group that doesn’t have permissions to change elements in the collection, which means they cannot edit anything (dashboard/question):
https://www.metabase.com/docs/latest/administration-guide/05-setting-permissions.html
Or use Public sharing or Embedding instead, which doesn’t have drill-through:
https://www.metabase.com/docs/latest/administration-guide/12-public-links.html
https://www.metabase.com/docs/latest/administration-guide/13-embedding.html

3

I tried that but not sure why it is not working.

Here are the steps.

  1. I created a new User Group -TestGroup and a new user ‘testuser@test.com’
  2. I removed all the access to ‘All Users’ Group. i.e changed Data Access to ‘X’ and SQL Queries to ‘X’
  3. I also removed all the access to ‘TestGroup’ exactly as above.
  4. In Collection permissions I gave both ‘All Users’ and ‘TestGroup’ only ‘Can View Access’

Still when I login with test user I am able to view the dashboard, I can click on the card, it takes me to the question and allows me to download. Only thing which seemed to have worked is, there is no option to edit the dashboard.

What am I doing wrong? do I need to restart the server to make the settings work?

4

@jiwnaiakbar If you don’t want the users to be able to go to a question, then use Public or Embedding.

5

Hi @Flamber,

I remember with this setting I was able to restrict the access. I.e. when user was clicking on the card they use to see error message with lock keys image saying Sorry you dont have permission to see that’. Is that option removed?
Just to clarify I am looking to do following:

  1. Members of a specific group should be able to view the dashboard but not edit
  2. When they click on the card, they should get the message like above.
    And I know this worked before in another application I had created.
6

image

7

@jiwnaiakbar

  1. That’s already possible through the Admin > Permissions > Collections
  2. That is currently not possible. Either a user has access to a card or they don’t. The only workaround is Public or Embedding, which doesn’t have drill-through, but Embedding has download functionality, so you should use Public sharing in this context.
8

Hi @flamber

Thanks for the reply but I am confused.

Please can you help me understand what happens when I revoke entire database access for a user group? Shouldn’t it completely stop user from view anything related that table?. Right now I have completely revoked access for TestUser group and AllUsers user group. Still when I login with id which belongs to TestUser group, I can view the dashboard and I can click the card.

9

Here are the screenshots:

image
image1887×387 23 KB

image
image1888×374 22.2 KB

image
image1224×112 7.16 KB

image

10

In the above setting, if am logging in with test@gmail.com, I can still do everything below:

  1. View the dashboard
  2. Click the cards on the dashboard
  3. Download the data.
  4. It restricts -Edit dasbhoard & edit question.

Based on documentation and what you have mentioned above, one of the following should have happened:

  1. None of the card values should have been visible to the user
  2. When user clicks on the card, he should get a error ‘You dont have access’

I just verified in another system and this is exactly how it works. In the log i can actually see the error “You don’t have permissions to do that.”.

What am I missing?

11

@jiwnaiakbar
When you revoke data permissions, then the group cannot create new queries.
When you revoke collection permissions, then the group does not have access to anything inside of that collection.
Yeah, the documentation needs updating.

12

Oh… Does it mean the behaviour has changed in new version? :frowning: If I want that functionality, then I need to switch to older version?

13

@jiwnaiakbar That was a bug - actually several, across multiple different version. There has been no change to how the intended behavior works.
https://github.com/metabase/metabase/issues?q=is%3Aissue+"You+don’t+have+permissions+to+do+that"+

14

:slight_smile: vow bug actually was a nice feature for us. Because that way were allowing user to view the data in dashboard but restricting them from actually downloading it when the clicked on the card :frowning:

So now I am restricted to 2 options

  1. Create a public link. This means that anyone with the link can view the data. I can’t do this it becomes too shareable
  2. Embed in applications. This will require me to create a new application with separate user authentication and use the embed feature. I do not have skill to do these. By any chance is there a open source application which does this so that i can directly use it?
15

@jiwnaiakbar
You can block the block requests to /api/card/:card-id/query/:export-format via a reverse-proxy, which prevents downloads.
Any visualizations are downloaded in JSON format to be shown visually, so unless you have more than 10,000/2,000 results, then the user would be able to “download” that data through their browser developer console.

16

This will then be applicable to all the users right?

17

Yes. I agree to second point. However, most of our users wont have skills to go to that level. If there is download option, they will click and download if there isn’t any then they probably wont go extra step to figure out other options

18

@jiwnaiakbar It would apply to everyone accessing through that reverse-proxy. There’s a lot of advanced stuff that can be done, so it only applies in specific situations, but to keep it simple: Yes, it applies to everyone.

19

Any sample code for Ubuntu? may be put in condition

Also any sample application to use embedding option?

20

@jiwnaiakbar There’s plenty of web servers that can be setup as reverse-proxies - it doesn’t have anything to do with Ubuntu: Nginx, Caddy, Apache, HaProxy, etc.
Use the power of the internet to find the one you prefer and lookup it’s documentation.

There’s examples of embedding here:
https://www.metabase.com/docs/latest/administration-guide/13-embedding.html#reference-applications