Hello guys, I don't understand the Permission logics behind Metabase in my specific case.
I have a table "SALES_MOVEMENTS" in "DB|PROD" database. This table contains all the sales accounting movements from 3 different companies.
In Metabase I have 4 groups:
- Admin (Default)
- Company_1
- Company_2
- Company_3
- Company_4
I organized the folder hierarchy in the following way:
I would like to create a "SALES_MOVEMENTS" table for each group with their own data starting from a common table, and from this output table create questions that users can explore and interact with. The groups can't read each other's data.
My solution (that doesn't work) is: for each company folder (Company_X), I create a Question that queries the table "SALES_MOVEMENTS" and retrieves the data of the correct company, and the result is saved in the folder as "SALES_MOVEMENTS_FILTERED". For that folder (Company_X) I give to the corresponding Company group the "View" pemission. In this way they can see their "SALES_MOVEMENTS" data and can't edit the filter applied by me (Admin).
Inside "Company_X" I create another folder called "QRY" to which I give the "Curate" permission (so users can interact with questions inside the folder). Now I can create questions with "SALES_MOVEMENTS_FILTERED" as input. A new question could be "SALES_MOVEMENTS_COUNTRY" for example.
I attach the tree's image:
The point is the following: the table "SALES_MOVEMENTS_COUNTRY" reads data correctly, but users can't filter fields (which I added during the question composition, in particular the "MONTH" and "YEAR" filters).
If I give the group the "Granular" permission for the "SALES_MOVEMENTS" table (the DB starting table), users can filter the table "SALES_MOVEMENTS_COUNTRY". But it is a problem, because they can create new questions having as input the "SALES_MOVEMENTS" without any filter, and read the other companies' data.
How can i manage the permissions correctly to get the expected result?