"Can Write Raw Queries" but limited to certain Collections?

Hi there,

This is a basic question about permissions. Excuse me if I have missed or misunderstood something in the documentation here but I can’t find a clear answer here.

I have a colleague for whom I want to grant “Can Write Raw Queries” access.
However I do not want them to be able to accidentally edit SQL in existing collections.
Basically I would like them to have a playground where they can write their own queries, learn more about SQL and our data model, but not break anything in the process.

I set their access, and All Users access to View on all collections except the specified collection.

However the user is still able to edit and save over existing questions in other collections.

Is this expected?
If so, is there another way I can get the desired behaviour?

Thank you! 🙂

Hi @Simon1
Which version of Metabase?
But your colleague, which group(s) are they members of? If they’re Admin, then that’s why they have write access everywhere.
If they are a regular user (and you haven’t created any groups), then they’re automatically part of “All Users”, and if you set collection access to “View” for “All Users”, then they’ll only have view-access (but they will still have write-access to their own “Personal Collection”).

Hi @flamber,
Thanks for the reply.
Our version is v0.32.8.
The user has access to All Users (Collections limited to View) and has Full curate access to another collection (as well as their private one) and also has write access for SQL in general.
However, it seems that they are able to edit SQL in other collections and save.

I would recommend you upgrade to at least 0.32.10, since there were a ton of various fixes between those versions. While the latest version is, it might be difficult for you to upgrade easily, since the query browser changed a lot.

When I try to reproduce with the details you have given, then I get a “Sorry, you don’t have permission to see that.” if I try to save to a collection, where I only have view rights.

Can you provide steps-to-reproduce details, if you’re saying that users can write to view-only collections?