Attributes vs groups in JWT authentication

rickgoud · February 18, 2021, 7:18pm

Hi all,

we want to authenticate users with JWT. This article neatly described thats:
https://www.metabase.com/docs/latest/enterprise-guide/authenticating-with-jwt.html. The beginning is clear, however the groups area is somewhat unclear. Can there be only one group? multiple in a list? and my question is how to use the groups as the next article on sandboxing talks about attributes and not groups: https://www.metabase.com/docs/latest/enterprise-guide/data-sandboxes.html.

My use case: determine from JWT to which organization someone belongs based on a property (and connect to different database based on organization) and based on an organizational Unit name property and role (e.g. user, manager, admin) limit access to specific parts of a table with Sandboxing.

Any tips on how this really works would be awesome!

flamber · February 18, 2021, 7:51pm

Hi @rickgoud
You should be using the support email, when using the Enterprise Edition - also in trial.
Any other properties you include in the JWT should be synced to core_user.login_attributes, which are accessible via sandboxing.
Sandboxing uses attributes from the user to limit the data at row/column level. You use groups to limit access to specific databases/tables.
It’s some of the most complicated parts you’re playing with, so fair enough if it is a little confusing

rickgoud · February 19, 2021, 7:40am

Thanks! Will give it a go. Thanks for the great speed again @flamber!