User Permissions - access not enforced

Hi, I am currently testing the tool. I connected the tool to our PostgreSQL db. I’ve setup several users with a range of privileges in order to test the feature.
Issue I wish to clarify the following:

  1. If a user has limited access to certain tables (say table X) can they see Questions/Dashboards that were generated using tables X,Y,Z?

  2. I’ve read the documentation and search through the discussion board.
    Is it possible to embed dashboards/questions externally - say a company blog or what have you.

  3. Is it currently possible to automate sending of dashboards/questions to e-mail as is? So not in a Pulse, as Pulses for the most part alter the output to raw-data table format.

Thanks for you assistance!

1 Like

+1 to “If a user has limited access to certain tables (say table X) can they see Questions/Dashboards that were generated using tables X,Y,Z?”

Ideally I would be able to restrict access for a specific table to a user and then that user will not be allowed access the questions or dashboards which pull from that table.

Thanks for your input. I believe that is how it works, however, my post pertains to a whether a user will be able to view a Question that the user does not have access to all of the tables used to generate the Question. So a Question using Tables X,Y,Z where the user has only access to Table X.

Sorry for the confusion. Data permissions work differently for SQL/native-query questions vs. GUI/query-builder questions:

SQL Questions
Metabase currently does not parse your SQL, so we don’t know which schemas or tables it references, only which database it uses. Therefore, if you need to block a group’s access to a SQL question, they would need to have their access to the database the SQL question utilizes revoked. Alternatively, you can block a group from viewing all SQL-based questions for a given database in the permissions table in the Admin Panel (under the SQL Access column). We recognize these aren’t fine-grained enough controls, and are currently working hard on delivering a better solution for SQL card permissions.

GUI Questions
Permissions for questions created with the GUI interface are much simpler. If a group doesn’t have access to the table or database that the question uses, they can’t view that question. If that question is present in a dashboard that contains other questions that the user can view, then the restricted card will show a permissions warning instead of the data/chart. If a user doesn’t have access to any of the cards in a given dashboard, they will not see that dashboard in the list of dashboards at all.

So, to answer your numbered questions:

  1. This sounds like you’re referring to a SQL question rather than a GUI one, since GUI questions can only ever use data from a single table. SQL card permissions can only be set at the database level or with the broad on/off switch for all SQL cards.
  2. Not currently, but it’s one of our most-often requested features, so we’re actively discussing this. We’re also looking at providing public links to questions and dashboards that don’t require a Metabase account.
  3. Not currently, but we’d welcome a new GitHub issue if this is something you’d like to advocate for. :slight_smile:

I hope this helps!

1 Like