Dashboard-level permissions

I’m trying to give someone permission under the new model to view a dashboard, but it appears that it is impossible to do so unless they also have permission to view and edit the underlying questions. It seems to me that this requirement defeats the purpose of having dashboard-level permissions, since if they can view and edit the underlying question, they can change the query to do whatever they’d like it to do – effectively giving them raw access to the underlying tables.

Am I missing something?

They only need to be able to view the questions, not curate.
My approach to security:

  1. Remove all rights from the Everyone group for every database and collection.
  2. Grant rights to View collection to other groups as necessary.
    I created a Sales group that had rights to view a collection of questions and dashboards. Sales was able to remove a question, but on trying to save:

If you revoke a group’s right to access a database, they’re still able to view questions that use that database, just not create any new questions.
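
One way to check the setup described in the posts above against exported permission data, as an added example that is not part of any post in this thread and not Metabase's own code. The graph shapes, group ids and group names are constructed assumptions, and the rule for creating questions follows the statement in the last post.

```python
# Added example: audit permission graphs against the two steps in the thread.
# All shapes, ids and names below are constructed assumptions.

EVERYONE = "1"  # assumed id of the Everyone group

# Constructed sample: group id -> collection id -> "none" | "read" | "write"
# ("read" = View collection, "write" = Curate collection)
COLLECTION_GRAPH = {"groups": {
    "1": {"root": "none", "10": "read"},    # Everyone can still view collection 10
    "2": {"root": "none", "10": "read"},    # Sales: view only
    "3": {"root": "write", "10": "write"},  # Analysts: curate
}}

# Constructed sample: group id -> database id -> access; no entry means revoked
DATA_GRAPH = {"groups": {
    "1": {"4": {"schemas": "all"}},         # Everyone still has database 4
    "2": {},                                # Sales: no database rights
    "3": {"4": {"schemas": "all", "native": "write"}},
}}

def db_granted(access):
    """True if any right on the database is something other than 'none'."""
    return any(v != "none" for v in (access or {}).values())

def everyone_leftovers(collections, data, everyone=EVERYONE):
    """Step 1 check: list every right the Everyone group still holds."""
    findings = []
    for coll, level in sorted(collections["groups"].get(everyone, {}).items()):
        if level != "none":
            findings.append(("collection", coll, level))
    for db, access in sorted(data["groups"].get(everyone, {}).items()):
        if db_granted(access):
            findings.append(("database", db, "granted"))
    return findings

def group_summary(collections, data, group):
    """Step 2 check: which collections a group can view or curate, and
    whether it keeps any database right (needed to create new questions)."""
    colls = collections["groups"].get(group, {})
    dbs = data["groups"].get(group, {})
    return {
        "view": sorted(c for c, lvl in colls.items() if lvl == "read"),
        "curate": sorted(c for c, lvl in colls.items() if lvl == "write"),
        "can_create_questions": any(db_granted(a) for a in dbs.values()),
    }

if __name__ == "__main__":
    print(everyone_leftovers(COLLECTION_GRAPH, DATA_GRAPH))
    print(group_summary(COLLECTION_GRAPH, DATA_GRAPH, "2"))
```

Any entry returned by `everyone_leftovers` is a right that every user inherits regardless of what the Sales group is given.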