Understanding permissions

I have needed some time to wrap my head around how Metabase's permission system works. For future me, here is my understanding, which might complete the current documentation.


2 permission domains

Metabase manages permissions on 2 separate domains:

  • data access: i.e. whether a user can query against a certain data set (a given database, or a table thereof);
  • collection access: i.e. whether a user can access a given "folder" (= collection) where questions and dashboards are saved.

3 permission levels (per domain)

Both of these domains have 3 levels each:

  • data access:
    1. can run simple, custom questions, and SQL queries against the dataset;
    2. can only run simple and custom questions against the dataset
    3. cannot access the dataset (and doesn't even see it exists)
  • collection access:
    1. can access the folder (= collection) and both view and modify (move or delete (= archive)) the questions and dashboards saved in it — similar to a Read/Write access.
    2. can access the folder and only view the questions and dashboards saved in it — similar to a Read access.
    3. cannot access the folder (and doesn't see what is in it).

What permissions does a given user have?

Metabase defines permissions at user group level. In other words, it details what permissions (privileges) members of a given user Group have.

A given user has a given privilege/permission if they are a member of at least one group that has been granted this permission. (Think of an "OR" boolean operation, or "outer" SQL join.)

Note that Admin users are almighty and have both "Curate collection" privilege on all collections and "SQL queries" privilege on all Databases and tables.

Combining permission domains

What happens when a question about data you cannot access is saved in a folder you can access?

For questions

Because the data access is different from the question access, you could end up in the situation above (of course, most of the time, you might save questions about data you can access in folders you can access, and questions about data you cannot access will be in folders you cannot access).

Say that you, Alice, save a question about some Data, in a given Collection. The question is "how can Bob interact with Alice's question?".

The answer depends on Bob's privileges on the Data and the Collection used by Alice, as follows:

The only not-so-straightforward bit is when Bob has "Collection access but no Data access": Bob can see the graph and the aggregated data, but cannot go further (neither edit the question, nor access the raw/un-aggregated data). See how the "edit" buttons are missing in the following question about Data that the current user cannot access, but saved in a Collection they can access:


Note that the "personal collection" (kind of your "home folder") works slightly differently than other collections: only you (and Admin, because they are almighty) can curate this collection. All other non-admin users have no access to it.

For dashboards

But we could tweak things even further! What about a dashboard (created by Alice) saved in a folder that Bob can access, but including a question that is saved in a folder Bob cannot access?

Well, Metabase is quite clever: Bob would see this (the question he doesn't have access to is the top-left one):

4 Likes
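The rules described in the post above (strongest grant across groups wins, Admin override, personal collections, and the "Collection access but no Data access" case), as an added sketch that is not part of the original post and not Metabase's own code. The group names, the `sales_db` dataset, the `Sales` collection and all function names are constructed for illustration.

```python
from enum import IntEnum

class Data(IntEnum):   # data-access levels listed in the post, weakest first
    NONE = 0           # cannot access the dataset
    QUESTIONS = 1      # simple and custom questions only
    SQL = 2            # simple, custom questions and SQL queries

class Coll(IntEnum):   # collection-access levels listed in the post
    NONE = 0           # cannot access the folder
    VIEW = 1           # view only
    CURATE = 2         # view and modify (move or archive)

# Constructed sample grants: group -> ({dataset: level}, {collection: level})
GROUPS = {
    "analysts": ({"sales_db": Data.SQL}, {"Sales": Coll.CURATE}),
    "viewers": ({}, {"Sales": Coll.VIEW}),
    "finance": ({"sales_db": Data.QUESTIONS}, {}),
}

def effective(groups, dataset, collection, is_admin=False, personal_owner=None, user=None):
    """Resolve one user's (data, collection) levels from group membership."""
    if is_admin:  # admins hold the top level in both domains
        return Data.SQL, Coll.CURATE
    # "OR" across groups: the strongest grant from any group wins
    data = max((GROUPS[g][0].get(dataset, Data.NONE) for g in groups), default=Data.NONE)
    if personal_owner is not None:  # personal collection: owner only
        coll = Coll.CURATE if user == personal_owner else Coll.NONE
    else:
        coll = max((GROUPS[g][1].get(collection, Coll.NONE) for g in groups), default=Coll.NONE)
    return data, coll

def question_access(data, coll):
    """What a user can do with a saved question, per the cases in the post."""
    visible = coll >= Coll.VIEW
    return {
        "see_results": visible,                         # graph and aggregated data
        "edit_or_drill": visible and data > Data.NONE,  # edit question, raw data
        "move_or_archive": coll == Coll.CURATE,
    }

if __name__ == "__main__":
    bob = effective(["viewers"], "sales_db", "Sales")
    print(bob, question_access(*bob))
```

Running the same check over every user and collection pair is a quick way to audit which groups can see results for data they cannot query themselves.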

Hi @ebosi
Good write-up! A couple of notes:

In your image matrix, on "can access Data" v "cannot access Collection", you write "cannot see question", but it should be "cannot see question in that Collection", since a user can create questions and save them in their "Personal Collection" (kinda like their home folder).

--

The only not-so-intuitive bit is the “Collection access but no Data access” cell: you see the graph and its data, but cannot go further.

That is useful if you want some users to be able to see questions (results), but without giving them the ability to run their own queries.

Thanks for your feedback! I have rephrased some parts of my initial post + added a few bits (notably on “Personal Collection”, which I didn’t really understand as I’m almost always logged in as Admin).