The overall metabase permission system is as follows:
- Cannot authorize a single person, only authorized by the group
- One person can belong to multiple groups
- The objects that can be authorized are divided into
- data:database/table
- collection (collection of dashboard and question)
data authorization points
- data access
- sql queries
Why sql queries come out separately is estimated to be related to enterprise's row-level-restrictions (row restrictions) and column-level-perms-check, especially column-level-perms-check currently does not support sql query mode.
The current restriction on sql queries (version 0.37.6) is not perfect. Users can still open the native query interface. At present, it is not possible to enter SQL after opening the native query interface.
To authorize, you can click view table to enter and authorize each table.
Note: Data authorization does not affect the authorization of dashboard and query in the collection, so some users can only use the permissions of the collection for data protection.
The collection itself is a tree structure, so the sub-collections can be authorized through the View sub-collections of the interface. The collection permissions are divided into
- No access
- View
- Curate: modify, add, delete, and move permissions.