Security for different users

I am just getting started on Metabase after many years on IBM Cognos. I love it! Question… I want to filter the data depending on the user. For example, I have a table like this:

Business Unit Product Amount
1 Widget A 100
2 Widget A 250

For User 1, I want every query to be filtered so that all they see is Business Unit 1. They cannot see any other Business Unit. This would go across several tables.

Is this possible?

1 Like

We don’t currently provide per-user filtering.

We’re rolling out our security/permissions model, with Stage 1 (https://github.com/metabase/metabase/issues/3362) coming in the 0.20 release, and Stage 2 (https://github.com/metabase/metabase/issues/3363) in v0.21.

What you’re describing, falls under https://github.com/metabase/metabase/issues/2824 (Row Level Security) which would happen after Stage 2 is released at the earliest.

In general, we’re optimizing for small groups at this stage, and slowly supporting larger more complicated scenarios. We’d love to hear specifics on your situation in any of the three above issues!

Thank you for the quick reply. I am building a cloud application that will have a common database among multiple customers. Each customer will have a unique id so I need every query to filter on the user’s company id

I LOVE Metabase from what I’ve seen so far. After working with IBM Cognos for over a decade, Metabase greatly simplifies the user interface and experience. I had it up and running in less than an hour including the download, and it is a perfect fit for what I need.

Is there a way that I could work with you on row based security in order to move the timeline up? The requirements for what I need are fairly simple and it would be a great use case to implement the feature in a very basic way until time allows for expansion.

I look forward to your thoughts.

Feel free to chime in on issue #2824 and detail how you’d like the per user restrictions specified.

The specifics get pretty gnarly pretty fast. Eg, is there a unified ID for users between MB users and the user ids (emails? autoincrementing integers? hashes?) in the records? Will you need a lookup table? Do you expect to SSO and use that id?

If you’re willing to roll up your sleeves, we can use all the help we can get on stages 1+2. We’re not really the kind of project that implements piecemeal features that are “ahead” of more fundamental needs we’re still working through. We take our UX very very seriously, and generally try to be very deliberate. Any help you can give us in eg, testing, writing tests or writing code would obviously speed things along =)

Thanks for the note, Sameer. I completely agree with your approach on the scheduled releases rather than feature releases, and the UX is very important. It’s part of what is very intriguing to me with Metabase. It’s very clean and simple.

My users will be filtered by one thing, and that is an organization ID. All users within one company can see all data where organization_id = xyz. Every table in the database relates to the organization, so we just need a simple filter that can be applied to each query where organization_id = %parameter%.

I think adding another level of security under Site Administration > Permissions would do the trick. Right now I can set Data Access and SQL Queries. If I had one that was Filters, and it always applied a specific filter to every query that was run by anyone in that group, that would do the trick.

For example, I have a group for Company A and a group for Company B. Everyone on the Company A group will access the same questions and dashboards with the exception that everyone in Company A will have a filter of "organization_id = ‘A’ " applied to every question / query that is run. When someone from Company B runs it, they will have a filter of "organization_id = ‘B’ " automatically applied. This way everyone regardless of their company can see the same information but filtered to ensure they do not get to see any other company’s info.

We can close this as it is very similar to Same question with different filters.

Does every table in your DB have an organization_id?

Hi @sameer. Yes, it does. If I could create a user group and have every query for people in that group add a filter of organization_id = {the organization id of that group} that would be perfect!