We are using Metabase to share data with 3 teams, each one has their own data, questions and dashboards. In order to avoid a team seeing anyone else’s data, we created groups and assigned permissions accordingly.
We would like to enable these 3 teams to embed their questions in their own applications. We are facing an issue, though:
Since there is only 1 secret key, team A can brute-force question/dashboard ids and eventually be able to see team B or C’s data (if they have some embed-active).
We did not test this, but I believe it will work like so. A practical example:
- Team A has activated embedding for a dashboard with id 1.
- Team B has activated embedding for a dashboard with id 2.
- Team A does not have permissions to see dashboard-2 but since it has access to the embedding secret key, it can access it.
Is there any way that I can avoid team A from accessing the embeddable dashboard with id 2?
Thanks for your attention!
If they share the question with a public link, you get a guid, not the dashboard ID.
Here’s one of mine with the server name muddled:
Much harder to guess.
Do you need to embed, or would sharing be enough?
Hi Andrew, thanks for your reply!
Yes, indeed I noticed the same - by sharing publicly, I get a UUID for the dashboard, which would have been good enough.
However, our teams need embedding for being able to lock filters and sign requests (using the secret key).
Might there be a workaround?
Is there something in the Enterprise edition? I know there’s more embedding stuff, but not something I have experience of.
Only other way I can think of would be to have multiple instances.
Multiple instances would be a solution - but we’d rather just look after 1 instance.
I believe that the enterprise edition allows for removing the “Powered by Metabase” tag. But it does not allow for creating multiple keys.
I guess that would be a cool new feature for us
Feel free to reach out to sales if there’s specific functionality you are looking for in Enterprise Edition:
I would think that you can likely get far with Sandboxing: