Good day,
I have a scenario where a group of Metabase users need to operate a financial dashboard limited only to their department’s financial data, and then download the filtered results to .xlsx file, BUT they should not have access to the ‘ask question’ or ‘browse data’ options as this will open the whole source table including financial data of other departments.
From the dashboard permissions side, I think I’m OK in limiting the data to only their department. I’m doing a bit of a workaround by running a question-on-a-question. Their question (which is in their collection) is what they with see on their dashboard, but it’s based on another question outside of their collection which is where the data is limited to their department only. Hence the users can open the question card from the dashboard in order to get to the ‘download results’ button, but are not able to see (or therefore remove) the filters which limit the data to their department only.
However, from the data permissions side, I’m running into an issue. I obviously have to provide access to the relevant tables in order to be able to export the data, but as soon as the data permissions are granted in Admin settings, then the ‘ask a question’ and ‘browse data’ buttons will always be glaring at the users from the top of the screen.
Is there any way to remove these buttons for a user group, or otherwise to limit the data to the specific department at the ‘data permissions’ stage, while still allowing download of data to .xlsx file?
Any comments / suggestions will be most welcome.
Regards,
chrisKH
Hi @chrisKH
You are essentially trying to make your own row-level-access permissions, which is part of the Enterprise Edition as Sandboxes: https://www.metabase.com/docs/latest/enterprise-guide/data-sandboxes.html
If you don’t want the users to be able to create their own questions, then remove Data permissions, while still giving view-access to the Collection.
For reference:
https://www.metabase.com/docs/latest/administration-guide/05-setting-permissions.html
https://www.metabase.com/docs/latest/administration-guide/06-collections.html
Thank you @flamber,
If you don’t want the users to be able to create their own questions, then remove Data permissions, while still giving view-access to the Collection.
I did try this. The 'ask a question' and 'browse data' buttons no longer show, but then the user also cannot open the question and therefore cannot download results to a file.
Thanks for informing about the row-level access feature of Sandboxes. We might consider Enterprise at some point but in the meantime I will probably have to limit the data of the source table itself in order to be safe.
Thanks for your quick response as always,
Regards,
chrisKH
@chrisKH
Post “Diagnostic Info” from Admin > Troubleshooting.
And check the log for errors, Admin > Troubleshooting > Logs.
here is the diagnostic info,
BTW, should it be possible to download results to a file if all Data permission are removed?
{
“browser-info”: {
“language”: “en-US”,
“platform”: “Win32”,
“userAgent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0”,
“vendor”: “”
},
“system-info”: {
“file.encoding”: “Cp1252”,
“java.runtime.name”: “OpenJDK Runtime Environment”,
“java.runtime.version”: “11.0.7+10”,
“java.vendor”: “AdoptOpenJDK”,
“java.vendor.url”: “https://adoptopenjdk.net/”,
“java.version”: “11.0.7”,
“java.vm.name”: “OpenJDK 64-Bit Server VM”,
“java.vm.version”: “11.0.7+10”,
“os.name”: “Windows Server 2012 R2”,
“os.version”: “6.3”,
“user.language”: “en”,
“user.timezone”: “Asia/Muscat”
},
“metabase-info”: {
“databases”: [
“h2”,
“sqlserver”,
“oracle”
],
“hosting-env”: “unknown”,
“application-database”: “mysql”,
“application-database-details”: {
“database”: {
“name”: “MySQL”,
“version”: “8.0.18”
},
“jdbc-driver”: {
“name”: “MariaDB Connector/J”,
“version”: “2.5.1”
}
},
“run-mode”: “prod”,
“version”: {
“date”: “2020-05-28”,
“tag”: “v0.35.4”,
“branch”: “release-0.35.x”,
“hash”: “b3080fa”
},
“settings”: {
“report-timezone”: “Asia/Muscat”
}
}
}
@chrisKH Upgrade to 0.36.4 - the permission error with Saved Questions was fixed in 0.36.0
Latest release is 0.36.5.1, but there’s a regression with Custom Columns in that, so that’s why I’m not recommending upgrading to latest.
Hello @flamber,
Sorry I’m not sure what issue 0.36.4 is supposed to fix.
I tried it out in test environment and the behaviour of downloading to file is still the same i.e.:
- with data permissions set, users can run filters on the dashboard, open the question card, and download results to a file, but can still access unfiltered data via ask-a-question or browse-data
- with data permissions removed, no more ask-a-question or browse-data, users can run filters on the dashboard, but can NOT open the question card, and hence can not download
- …however, just noticed that with data permissions removed, and if user does NOT use any dashboard filters, then the user CAN open the question card and do a download (which will then be the complete data set, unfiltered)
Now I’m really confused…
@chrisKH If you set Data permissions, then the user can filter and summarize questions that are in view-only Collection.
The user can always export as long as they have view-only Collection or more permissions.
When you say that they cannot open a card, what does that mean? Do you see an error? If so, then check the log for more details.
@flamber,
If I'm on the Dashboard and I apply a filter, then I cannot open the Question if the Data permissions are not set.
I have a Dashboard with date filters and displaying one Question. This Dashboard and Question are the only items in the Collection. It is view-only Collection.
Normal operation is, user opens the Dashboard, selects a date range in the filters, and then they need to download the results. To do this, they will open the Question (click on it's title in the top-left of it's frame in the Dashboard), this will take them to the Question's view where there is a download button at bottom-right of the screen.
CMIIW, they cannot download results directly from the Dashboard ... they first have to open the Question view before seeing a button to download?
Now, Data permissions ...
- with Data permissions set, the users can do everything in the normal operation above, right up to downloading the results, so actually it works fine ... only thing is, the risk of the browse-data and ask-a-question buttons at the top whereby users could potentially see the whole data set (all other departments) if they clicked around
- with NO Data permissions set, then:
-- browse-data and ask-a-question buttons are gone (which is what I want in this case)
-- the user can operate the Dashboard (pick a date range and see the updated results)
-- but when opening the Question it will say "Sorry, you don't have permissions to see that.", and then download is impossible
-- the exception to the above point is if NO filters are selected in the Dashboard, then the user CAN open the Question and download the data (of course it will be without any date filter)
Just want to know if the above-described operation is expected?
Also when you said,
The user can always export as long as they have view-only Collection or more permissions.
... then in the case of view-only Collection + no Data permission, is it correct to say the user can export but only if no filters are applied?
Regards,
chrisKH
@chrisKH You’re seeing this issue:
https://github.com/metabase/metabase/issues/12720 - upvote by clicking 
on the first post
Ah, yes that’s the same issue, thanks. I’ll keep an eye on that to see if it gets resolved.
On another note, earlier you mentioned upgrading to 0.36.4, which is probably a good idea in any case.
Some time ago I migrated from H2 to mySQL. So, what would be the process for upgrading Metabase which is running on mySQL?
Please advise,
Regards,
chrisKH
@chrisKH There’s no difference in upgrading, not matter which application database you’re using.
Just make sure you have backups before doing anything major like upgrading, since you’ll have to revert to backups if you want to downgrade:
https://www.metabase.com/docs/latest/operations-guide/upgrading-metabase.html
Hi @flamber,
Thank you, I managed to do an upgrade of Metabase and not break anything
In the process I tested a behaviour with the ‘hidden’ property of tables in the Admin settings.
For the dashboard I first configured the collection and data permissions, and then as the last step I changed the property of the concerned tables from ‘queryable’ to ‘hidden’. As a result, the users can still use the dashboard normally up to and including download of results, and while the ‘browse data’ and ‘ask a question’ buttons are still there, if they click either of them then the tables are not seen.
So this could very well be the workaround I’m looking for until issue 12720 is resolved.
Just want to check with you, if this is an expected behaviour and not some kind of bug I’ve stumbled on?
Regards,
chrisKH
@chrisKH No, that’s expected behavior, but you’ll likely run into some other problems, since hiding tables will also mean that they are not scanned.
OK, thanks for the heads-up.
In the meantime, is there a way that I can do a manual scan?
@chrisKH Manual sync+scan will still respect hiding and skip those. You can do it through Admin > Databases > (your-db)
For reference:
https://www.metabase.com/docs/latest/administration-guide/01-managing-databases.html#database-sync-and-analysis
OK so should I un-hide the table, then go to Admin > Databases > (my db), do ‘Sync databse schema now’, and then hide again?
@chrisKH Yes. Or you can create a MySQL user that doesn’t even see the unwanted tables, then Metabase will never see them either.
OK cool. I take it I should wait some time for syncing to complete, before hiding the table again?
... sorry, I'm lost ... what will this do?
@chrisKH Correct. The sync+scan process has to finish. You can follow the progress in the log - Admin > Troubleshooting > Logs.
It probably won’t work in your case, but for anyone reading this, who is trying to just hide tables completely, then it’s better to remove privileges to those tables, so they don’t show up in Metabase at all.