Managing Permissions for Questions stemming from saved questions and allow filters

Hello guys, I don't understand the Permission logics behind Metabase in my specific case.

I have a table "SALES_MOVEMENTS" in "DB|PROD" database. This table contains all the sales accounting movements from 3 different companies.
In Metabase I have 4 groups:

  • Admin (Default)
  • Company_1
  • Company_2
  • Company_3
  • Company_4

I organized the folder hierarchy in the following way:

I would like to create a "SALES_MOVEMENTS" table for each group with their own data starting from a common table, and from this output table create questions that users can explore and interact with. The groups can't read each other's data.

My solution (that doesn't work) is: for each company folder (Company_X), I create a Question that queries the table "SALES_MOVEMENTS" and retrieves the data of the correct company, and the result is saved in the folder as "SALES_MOVEMENTS_FILTERED". For that folder (Company_X) I give to the corresponding Company group the "View" pemission. In this way they can see their "SALES_MOVEMENTS" data and can't edit the filter applied by me (Admin).

Inside "Company_X" I create another folder called "QRY" to which I give the "Curate" permission (so users can interact with questions inside the folder). Now I can create questions with "SALES_MOVEMENTS_FILTERED" as input. A new question could be "SALES_MOVEMENTS_COUNTRY" for example.
I attach the tree's image:

The point is the following: the table "SALES_MOVEMENTS_COUNTRY" reads data correctly, but users can't filter fields (which I added during the question composition, in particular the "MONTH" and "YEAR" filters).
If I give the group the "Granular" permission for the "SALES_MOVEMENTS" table (the DB starting table), users can filter the table "SALES_MOVEMENTS_COUNTRY". But it is a problem, because they can create new questions having as input the "SALES_MOVEMENTS" without any filter, and read the other companies' data.

How can i manage the permissions correctly to get the expected result?

I think you are after Sandboxing:

1 Like

Thanks @TonyC for the answer.
The sandboxes are interesting, but are available only with the Pro or Enterprise version in Metabase Cloud.
I'm working with the open source version.

I managed the problem with a workaround.

After the creation of the table "SALES_MOVEMENTS_FILTERED" in the folder with the "View" permission to the Group, and after setting the "Curate" permission for the "QRY" folder for the Group, a group user can Create a Question that query the "SALES_MOVEMENTS_FILTERED" setting the filters that he wants and save the question for the other users.

This solution have a limitation: the filter don't suggest you the list of selectable values, you have to know the values of the columns. By default you have a text-box filter type

I hope it can be helpful!

1 Like