Api/User shows list of all users

When running the Metabase instance, I've noticed that even as a non-admin user, running the /api/user returns a list of all users, including the admins. Is it possible to prevent this? Either enforcing an access control policy that prevents admin users from showing up in the list, or blocking non-admins from accessing this API.


Hi @Antony
The endpoint is used for making it easy to create subscriptions to other people in the company.
You would have to block the endpoint, but that would also block admins from using Admin > People.

Thanks flamber - is there any documentation that can help me understand how to block the endpoints and API calls?

@Antony You would have to use other tools, such as a WAF like Cloudflare or a reverse proxy like Nginx. Those tools will allow you to block URLs.
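
An Nginx reverse-proxy configuration for the approach suggested above, added here as an example that is not part of the thread and not Metabase's own configuration. A proxy cannot tell an admin session from a non-admin one, so this sketch restricts the user-list path by source network instead; the upstream address (Metabase's default port 3000 on localhost), the admin range `10.20.0.0/24`, the server name and the certificate paths are all assumptions to replace with your own values.

```nginx
# Added example. Constructed values: upstream address, admin network,
# server_name and certificate paths are placeholders, not from the thread.
upstream metabase {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name metabase.example.internal;

    ssl_certificate     /etc/nginx/tls/metabase.crt;
    ssl_certificate_key /etc/nginx/tls/metabase.key;

    # The user-list endpoint only. The regex is anchored at both ends, so
    # it matches /api/user and /api/user/ (with or without a query string)
    # but not sub-paths under /api/user/, which fall through to "location /".
    location ~ ^/api/user/?$ {
        allow 10.20.0.0/24;   # assumed network that admins connect from
        deny  all;            # everyone else receives 403 from Nginx

        proxy_pass http://metabase;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # All other Metabase traffic is passed through unchanged.
    location / {
        proxy_pass http://metabase;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The rule only holds if Metabase cannot be reached directly, so bind it to localhost or firewall its port so that all traffic passes through the proxy. As noted earlier in the thread, anyone outside the allowed network, admins included, loses the features that depend on this endpoint.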