Best strategy to password protect published dashboards?

I have a Metabase instance that has 3 types of users:

  • two types of super-users, who got credentials to log into Metabase:
    • regular super-users
    • admin super-users
  • viewers, who simply “read-only” published dashboards

However, published dashboards contains confidential data. So I want to protect “public” (i.e., published) dashboards with a password.

➥ what is the best way to implement such a password protection?

I have tried to use set up an authentication on my Apache server. However, I keep being prompted (mostly on Chromium, and not on Firefox) many times for the credentials when I access a dashboard — what is not very usable.
This behaviour seems to be due to Metabase sending 401 response to /api/user/current when I’m not logged in as a super-user.

I’d thus like to find another way. Any ideas?

Hi @ebosi
There’s no perfect solution, but I think there’s several ways to a solution.

  1. Using Embedding and creating your own access system.
  2. Using LDAP and add all “viewers” in a limited group.
  3. Making Apache return an empty 200 response from /api/user/current, when it tries to return 401

Thank you!

As you said, there is no perfect solution. I’m looking for how to implement your suggestion, but each of it has its downside (not your fault, though!).

It doesn’t seem possible to create Metabase accounts for user to only view dashboards — and not allowing them to ask questions or modify dashboards — neither, does it?

That’s correct. if a Metabase account has view rights to a database/table, then they can create questions based on that. And if a dashboard is part of the same collection, then they can modify that too.
Like you said - there’s downsides with all the solutions. If you want something that would fit almost entirely, then you should probably use the Embedding and program your own interface, but that’s a lot of work.

1 Like

Link to related feature request on GitHub.