Signed Embeds Clarification + GitHub Reference Apps

Hi @mesquest,

No problem - just ask away (we all start out from scratch here)

Per my understanding (and I didn’t have any hands on this part - yet) you’re close, but it’s not exactly username/password being handed between the embedding application and the dashboard or question of Metabase you embed. It’s just being signed using a secret token from Metabase used by your application.

The signature handed over from your embedding app can include parameters though, and those can include a locked parameter that maps to e.g. a user or group ID or anything that you use to filter/restrict what that given user logged into your embedding application will see. It’s entirely up to you and your embedding application to define that mapping logic based on user identity in your embedding app - so not directly linked to Metabase UN/PW - but an access besides that.

I think you found many of the right links. Key to the whole restriction of access is quite well captured in the last Q&A in Embedd cards/dashboard in other applications - #4 by romain

Groups of users with common permissions can all see the same signed embed, is that correct?

Yes, as long as you are only referring to groups of users on your embedding application’s side of the fence? It has nothing to do with users and groups defined to log directly into the Metabase application - those are separate concepts.
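
The signing step described in the reply above, as an added example that is not part of the original post and not Metabase's own code: the embedding app builds an HS256-signed token whose locked parameter comes from its own server-side session, and changing that parameter afterwards invalidates the signature. The site URL, secret, the `customer_id` parameter name and the `session_user` shape are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: the real values come from your Metabase embedding settings.
METABASE_SITE_URL = "https://metabase.example.com"
METABASE_SECRET_KEY = "constructed-example-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Build a compact HS256 JWT using only the standard library."""
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, payload)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_hs256(token: str, secret: str) -> dict:
    """Signature check only: reject the token if header or payload was altered."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(signing_input.split(".")[1]))


def embed_url_for(session_user: dict, dashboard_id: int, ttl: int = 600) -> str:
    """The locked value is taken from the server-side session, never from the request."""
    payload = {
        "resource": {"dashboard": dashboard_id},
        "params": {"customer_id": session_user["customer_id"]},  # hypothetical locked parameter
        "exp": int(time.time()) + ttl,  # short-lived so a copied URL stops working
    }
    return f"{METABASE_SITE_URL}/embed/dashboard/{sign_hs256(payload, METABASE_SECRET_KEY)}"
```

The secret key stays on the embedding app's server; only the resulting URL reaches the browser.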