Best Practices for Postgres Database Permissions

Hi there, just doing our initial setup with Metabase.
We will be connecting/querying a Postgres 13 database.
What is the recommended minimum set of permissions that Metabase needs to function correctly?
Note: this is our company database we are referring to, not the Metabase backend.
I read in various posts that just a readonly "select" role may not be enough (temp tables needed?)

-Postgres 13.1 company database we will be querying
-Metabase .40.3.1 using JAR installation, selfhosted, opensource version
-Postgres 13.1 backend database
-Ubuntu 20.04 server
-Chrome client browser


Hi @bamboo
select is enough for most, but temporary is needed for some, and execute and usage for few.
Basically; it depends on your data and structure.

Thank you. If I start with with just select, will I see any obvious errors or indications if further permissions are needed at some point?
We don't use stored procedures or other obscure functions and all our queries will be fairly simple.

@bamboo Yes, you should see errors showing in case you're missing privileges. Those errors can though be slightly hidden for some tasks like sync, which is happening in the background. The debug log on Postgres can sometimes be very helpful to also better understand what is being queried sometimes.

Just reading up here, I see I'll actually need those three additional permissions.
If I recall CTEs will sometimes create a temp table, and we use a bunch of those.

Will the error for further permissions be shown to the end-user at query-time or only show up in the Metabase logs for admin?

@bamboo The short error from Postgres is shown to users in questions. The more detailed stacktrace is available in Admin > Troubleshooting > Logs.

1 Like