Row sandboxing and complex user access

michals · April 12, 2021, 2:03pm

Hi there, my company is considering Metabase Enterprise edition, but not sure if row-level sandboxing will fit our needs.

As far as I know, typically you compare an user attribute against a column to filter rows out. But we have a more complex set of permissions. I can write an SQL to return the primary keys of the rows a given user has access to. Or write an SQL to return the user ids that can access a given row.

But I am not sure how this can help with row checking, if the check only sees if a certain column is EQUAL to certain attributes - it seems a bit simplistic.

Any tips or ideas here?

flamber · April 12, 2021, 2:31pm

Hi @michals

You can use advanced sandboxes to create queries that sandboxed based on that saved question.

There are some examples here (which can also be used to limit some columns):
https://www.metabase.com/learn/organization/organization/data-sandboxing-column-permissions.html

But I would need to understand your structure better to be able give more direct advice.

michals · April 12, 2021, 3:43pm

I think I now understand how this advanced sandboxing would work. Sounds good, and I think it would solve the problem. Thank you!