Hi @daniel.lee
Metabase currently cannot parse SQL, so there's no way of enforcing the permissions defined in SQL.
You would have to create another database connection with limited privileges.
While we are working on ways to implement this, it will only be available in the Enterprise Edition: https://github.com/metabase/metabase/issues/10525
According to your explanation, as of now, if I want to use native queries to make a question in Metabase, then the group always has all access to all tables in the database as well.
And then, as I understand it, it is not a possible scenario that a user can make SQL queries with the "A" table but cannot with the "B" table.
If I make another database connection, is it possible with the permission settings in Metabase?
@daniel.lee You have to define privileges on the database user, which you then use for setting a database in Metabase, so Metabase has no way of accessing anything not defined in the database user.
In other words: your database is the server, Metabase is just a client. Restrict the privileges on the database.
Do you mean that once I restrict the user's permission for a specific table on the database that Metabase is connecting to, the user also cannot see the table and cannot make native queries with the table in Metabase?
@daniel.lee Correct. That's how privileges work on databases. If you restrict/grant access to specific tables, then whatever client you're using (in this case Metabase) will only be able to see what has been granted.
The thing that confuses me is that I already removed the user's permission from the table on the database, and I checked that the user cannot read the table from the database, but the user can still read the table in Metabase.
FYI, what I'm testing is whether a table that is not in "Our data" (for restriction of access) can still be used in native queries in Metabase.
@daniel.lee Which database are you querying? If MySQL, then you need to flush the privileges for them to take effect.
Some databases only apply privileges to new connections, but Metabase (like many other clients) keeps connections open, so you will need to restart the client or kill the connections on the database.
This has nothing to do with Metabase, so check the manual of your database.
@daniel.lee I think there are some misunderstandings here, so I would recommend that you consult your DBA.
You set privileges on your database (that's Presto in your case). Then the client (that's Metabase in your case) can only access what has been granted.
It has absolutely nothing to do with settings in Metabase (or the Metabase application database, which is MySQL in your case).
@daniel.lee I don't understand, but if you allow SQL access for users, then the only restrictions that apply are whatever the privileges are on the database.
In other words, you cannot use Metabase > Admin > Permissions to restrict which tables a user can query in SQL.
Thanks for your kind help. I understand that if I allow SQL access for any group in Metabase, restricting permissions on the database is the only way to block access to some tables in Metabase.
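
The approach the thread settles on, a separate database connection whose database user can read only the permitted tables, as an added example that is not part of the original posts. It assumes a MySQL data warehouse; the database `appdb`, the tables `table_a` and `table_b`, and the account `metabase_sql` are hypothetical names.

```sql
-- Added example (MySQL syntax). All object names are hypothetical.
-- Run steps 1-3 as an administrative account.

-- 1. Dedicated account used only by the Metabase connection that
--    exposes native SQL. Replace the placeholder password.
CREATE USER 'metabase_sql'@'%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- 2. Grant read access table by table. Nothing is granted on
--    appdb.table_b, and no database-wide grant (appdb.*) is issued.
GRANT SELECT ON appdb.table_a TO 'metabase_sql'@'%';

-- 3. Audit what the account can actually reach.
SHOW GRANTS FOR 'metabase_sql'@'%';

-- Table-level grants: only table_a should be listed.
SELECT table_schema, table_name, privilege_type
FROM information_schema.table_privileges
WHERE grantee = '''metabase_sql''@''%''';

-- Database-level grants: any row here means a grant broad enough
-- to expose every table in that schema to native queries.
SELECT table_schema, privilege_type
FROM information_schema.schema_privileges
WHERE grantee = '''metabase_sql''@''%''';

-- 4. Connected as metabase_sql (the same session Metabase would open):
SELECT COUNT(*) FROM appdb.table_a;   -- permitted by the grant in step 2
SELECT COUNT(*) FROM appdb.table_b;   -- rejected by the server: no SELECT privilege
```

Point the SQL-enabled Metabase database connection at this account; native queries are then limited by the grants above rather than by Metabase > Admin > Permissions.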