We are using Metabase to share data with 3 teams, each one has their own data, questions and dashboards. In order to avoid a team seeing anyone else’s data, we created groups and assigned permissions accordingly.
We would like to enable these 3 teams to embed their questions in their own applications. We are facing an issue, though:
Since there is only 1 secret key, team A can brute-force question/dashboard ids and eventually be able to see team B or C’s data (if they have some embed-active).
We did not test this, but I believe it will work like so. A practical example:
Team A has activated embedding for a dashboard with id 1.
Team B has activated embedding for a dashboard with id 2.
Team A does not have permissions to see dashboard-2 but since it has access to the embedding secret key, it can access it.
Is there any way that I can prevent team A from accessing the embeddable dashboard with id 2?
Is there something in the Enterprise edition? I know there’s more embedding stuff, but not something I have experience of.
Only other way I can think of would be to have multiple instances.