Hello everyone,
We are evaluating Metabase Pro for a dual-use case: internal reporting and external customer analytics. We need to provide dashboards to hundreds of external users, and wonder if we’d need a seat for each of them…
The Requirement:
- Power Users: only a few internal users who build and manage dashboards (standard seats).
- External Customers: Hundreds of users who need to view their own data securely inside our app.
- Internal Customers: People to consume dashboards, slicing/dicing/drill-through capabilities.
- Security: High-stakes multitenancy. Customer A must never be able to access Customer B’s data via URL manipulation or session hijacking.
Questions:
- Signed Embedding for Customers: Is Signed Embedding (JWT) the standard way to handle external customers on the Pro tier without buying a seat for every customer?
- Multitenancy & Locked Parameters: To isolate data, I plan to use Locked Parameters (e.g., external_customer_id) passed via the JWT. Can anyone confirm that that's the way to go and these are truly secure? Specifically, if a customer tries to modify the iframe source or the JWT, will Metabase reject the request entirely?
- The "Drill-Through" Trade-off: My understanding is that Signed Embedding is "static" (no drilling into raw data). If our customers (internal as well as external) require interactive exploration/drilling, does that automatically force us into buying more seats or is there a middle ground on Pro?
I’m curious if anyone else is using Pro to serve a large external user base and if you’ve run into any "gotchas" regarding licensing, security or performance at scale.
Thanks!
I’ll answer what I can, this is unpaid land out here so I can’t speak to the full extent of Paid features or costs. Those are better directed to Metabase sales.
The terminology for embedding changed radically in the most recent Metabase release.
The cheapest, easiest way is what is now called “Guest Embedding,” where your app generates a JWT with locked parameters, including the external customer ID in your case. You display the resultant question/dashboard/etc. in your website or app. There is no Metabase user account involved (“guest”) and thus no additional cost. However, there are little to no interactivity features, though dashboard filters are available, if enabled for the embed.
Once you get past Guest Embedding into Modular, then Row Level Security becomes available, which will let users explore more freely, but still only see their data.
The JWT is cryptographically signed, including the locked parameters, and is not modifiable in any way. Metabase validates the JWT on the server side, so no modification of its contents is possible without cracking the secret key. Offering a bad/invalid JWT results in an error being displayed.
According to this page, Modular SSO users are considered users for licensing purposes and thus are charged accordingly. If you anticipate offering drill-thru to a large number of users, contact Metabase sales and see what they can do for you.
Also, how strict is the “session hijacking” requirement? What sort of attack do you envision? Are we talking about resisting it in the face of having access to the victim’s browser cookies? I’m not sure ANY website can promise that without requiring extreme measures.