-
Alex Yarosh authored
* docs: change paid to pro/enterprise * Apply suggestions from code review Co-authored-by:
Jeff Bruemmer <jeff.bruemmer@gmail.com> --------- Co-authored-by:
Alex Yarosh authored* docs: change paid to pro/enterprise * Apply suggestions from code review Co-authored-by:
title: Collection permissions
redirect_from:
- /docs/latest/administration-guide/06-collectionsCollection permissions
You can use collections to organize questions, dashboards, models, timelines, and other collections. You can set permissions on those collections to determine which groups of people can view and curate collections' items.
Metabase starts out with a default top-level collection which is called Our analytics, which every other collection is saved inside of.
Collection permission levels
There are three permission levels for collections:
| Action | Curate Access | View Access | No Access |
|---|---|---|---|
| View items | |||
| Edit items' title and descriptions | |||
| Move items | |||
| Archive items | |||
| Pin items | |||
| View events and timelines | |||
| Edit events and timelines |
Curate access
The group can view, edit, move, archive, and pin items saved in this collection, and can save or move new items into it. The group can also create new sub-collections within this collection. The group can also create and edit events and timelines.
View access
The group can see all the questions, dashboards, and models in the collection, as well as events and timelines.
No access
The group won't see this collection listed, and they'll lack access to any of the items saved within it.
Collection vs data permissions
Collection permissions only apply to viewing and curating existing questions, models, and dashboards. Changing the query on an existing question, or creating a new question, requires that the group have data permissions for the underlying data.
There is one, important exception: when a group has their data permission set to Block for a database or table, the group won't be able to view questions based on that data, even if they have curate access to the collection where those questions are saved.
Dashboards with questions from multiple collections
If a dashboard includes questions saved to other collections, the group will need view or curate access to all of those collections in order to view those questions. If not, Metabase will apologize and tell you that you lack permissions to see the cards saved to the other collections.
In general, it's easier to manage permissions when keeping all of a dashboard's questions in the same collection.
Setting permissions for collections
You can set permissions on collections by clicking on the lock icon in the top-right of the screen while viewing the collection and clicking on Edit permissions. Only Administrators can edit collection permissions. Each user group can have either View, Curate, or No access to a collection:
If you want to see the bigger picture of what permissions your user groups have for all your collections, just click the link that says See all collection permissions, which takes you to the Admin Panel. You'll see a list of your collections down along the left, and clicking on any of those will bring up a list of each group's permission settings for that collection.
Just like with data access permissions, collection permissions are additive, meaning that if a user belongs to more than one group, if one of their groups has a more restrictive setting for a collection than another one of their groups, they'll be given the more permissive setting. This is especially important to remember when dealing with the All Users group: since all users are members of this group, if you give the All Users group Curate access to a collection, then all users will be given Curate access for that collection, even if they also belong to a group with less access than that.
Permissions and sub-collections
A group can be given access to a collection located somewhere within one or more sub-collections without having to have access to every collection "above" it. For example, if a group had access to the "Super Secret Collection" that's saved several layers deep within a "Marketing" collection that the group lacks access to, the "Super Secret Collection" would show up at the top-most level that the group does have access to.