Schema level of permission

Hello again everyone,

I'm back with another question about permission on schema level.
I have this permission setup.

These schemas above are under a database called Production-Redshift.

I want to update the data access for production_pii to no self service. But when I do, all Native query editing for all schemas become No

and when I see it one level above, the Native query editing becomes No as well which makes the user can't query using this database

Is this normal behavior in Metabase? What should I do if I want that user to be only unable to access production_pii?

Thanks in advance

Hi @abed

If you hover the "No", then you'll see this tooltip (Native query editor access requires full data access):

You have to create another database connection, where you limit the privileges on the database, so Metabase doesn't even have access to the schema you want restricted.

I would recommend reading this:

I see.
Thank you for your suggestion!
I'll try and let us know the result.

Oh, I think what I was trying to achieve and your suggestion doesn't match.
I'm sorry for not being clear.
The user here is the user in Metabase, not the database user.
Say, I have 2 users, OPS and BI.
OPS is allowed to see data in schema production_pii while BI is not allowed to.
However, BI still needs access to create question/query in Metabase using other schemas.
Unfortunately, when I tried the steps above, it's not possible.
Do you have any solution for this @flamber?

@abed That's exactly what I recommended. Create a user on the database that doesn't have privileges to the schema and create a new database connection in Admin > Databases, which BI should have access to.

You cannot give SQL permissions without giving access to everything what the database credentials has privileges to. Metabase currently doesn't support parsing the SQL: - upvote by clicking :+1: on the first post

Ah I got it now

It's just this that made me confused. But now I understand what you mean.
Really thanks!