docs - created troubleshooting permissions (#19234)

* Created troubleshooting - permissions * Additional links and reorg to troubleshooting

docs - created troubleshooting permissions (#19234)
411e69e4 · frannietrempe · GitHub · befec53d · 411e69e4 · 411e69e4
Unverified Commit 411e69e4 authored 3 years ago by frannietrempe Committed by GitHub 3 years ago
--- a/docs/troubleshooting-guide/index.md
+++ b/docs/troubleshooting-guide/index.md
@@ -6,39 +6,48 @@ This page collects resources for getting you unstuck.

 Problems, their causes, how to detect them, and how to fix them.

-### Using Metabase
+### Installation

- [People can't log in to Metabase][login].
+- [Running the Metabase JAR][running].

- [Saving questions or dashboards][proxies].
+- [Running Metabase on Docker][docker].

- [My dashboard is slow][slow-dashboard].
+- [Using or migrating from an H2 application database][appdb].

- [My dashboard filters don't work][filters].
+### Authentication

- [My dashboard's linked filters don't work][linked-filters].
+- [Setting up LDAP][ldap].

-### Setup and administration
+- [People can't log in to Metabase][login].

- [Running the Metabase JAR][running].
+### Permissions
+- [Fixing permissions issues][permissions].

- [Running Metabase on Docker][docker].
+- [Managing data sandboxing][sandbox].
+
+### Data Sources

 - [Connecting to data warehouses with Metabase][datawarehouse].

- [Setting up LDAP][ldap].
+- [I can't see my tables][cant-see-tables].

- [Metabase isn't sending email][not-sending-email].
+- [Fixing missing or out-of-sync tables and columns][sync-fingerprint-scan].

- [Using or migrating from an H2 application database][appdb].
+### Questions and dashboards
+
+- [Saving questions or dashboards][proxies].
+
+- [My dashboard is slow][slow-dashboard].

 - [The dates and times in my questions and charts are wrong][incorrect-times].

- [I can't see my tables][cant-see-tables].
+- [My dashboard filters don't work][filters].

- [Managing data sandboxing][sandbox].
+- [My dashboard's linked filters don't work][linked-filters].

- [Fixing missing or out-of-sync tables and columns][sync-fingerprint-scan].
+### Email and alerts
+
+- [Metabase isn't sending email][not-sending-email].

 ## Think you found a bug?

@@ -91,6 +100,7 @@ Metabase adds new features and squashes bugs with each release. [Upgrading to th
 [linked-filters]: ./linked-filters.html
 [login]: ./cant-log-in.html
 [not-sending-email]: ./cant-send-email.html
+[permissions]: ./permissions.html
 [proxies]: ./proxies.html
 [releases]: https://github.com/metabase/metabase/releases
 [running]: ./running.html

--- a/docs/troubleshooting-guide/permissions.md
+++ b/docs/troubleshooting-guide/permissions.md
+# Fixing permissions issues
+This troubleshooting guide has you covered if you've [connected your database][connecting-database] to Metabase, set up [groups][groups] for new people, and granted [data permissions][data-permissions] and [collection permissions][setting-collection-permissions] to those groups, but:
+
+  - [A person in multiple groups can access a table that you want to restrict](#a-person-in-multiple-groups-can-access-a-table-that-you-want-to-restrict)
+  - [A person who needs to access the SQL editor can't](#a-person-who-needs-to-access-the-sql-editor-cant)
+  - [A person can view collections that reference data you want to restrict](#a-person-can-view-collections-that-reference-data-you-want-to-restrict)
+
+## A person in multiple groups can access a table that you want to restrict
+
+**Root cause:** This person is a member of multiple [groups][groups], in which case Metabase grants the *most permissive* level of access across all the groups in which they're a member.
+
+If they're a member of two groups — one which grants [Unrestricted][unrestricted] access to a database or table and another that grants [No self-service][no-self-service] access — that person will have full unrestricted access.
+
+**Steps to take:**
+
+1. In the **People tab** of the **Admin Panel**, take a look at which groups the person is in.
+2. Either remove the person from the group with wider permissions, or adjust that group's data permissions to grant them no-self service access to the table you want restricted.
+
+Remember that everyone is a member of the **All Users** group; this is why we recommend you revoke permissions from the **All users** group, and create new groups to selectively apply permissions to your data sources.
+
+## A person who needs to access the SQL editor can't
+
+**Root cause:** The person currently has either **No self-service** or [Granular][granular] access to a database. To give someone access to the [native SQL editor][native-query-editing], you must grant **Unrestricted** access to the database as a whole. 
+
+**Steps to take**:
+
+1. In the **Admin Panel**'s **Permissions tab**, change the group's permissions to **Unrestricted** at the database level.
+
+## A person can view collections that reference data you want to restrict
+
+{% include plans-blockquote.html %}
+
+**Root cause:** Since Metabase operates with two types of permissions — data permissions and collection permissions — even if you've granted a user group no self-service access to a database or table, they can still view saved questions and dashboards that draw on that database, as long as those questions and dashboards live in a collection they have access to. Unless a user group's access to a given database is set to “block," they’ll be able to view any saved question based on that data if they have access to the collection it’s saved in.
+
+**Steps to take:**
+
+1. If you're running [Metabase Pro or Enterprise Edition](https://www.metabase.com/pricing), you can block group access to an entire database. This means that if you've blocked a group's access to a database, members of that group will not ever seen any data from this database, regardless of their permissions at the Collection level. 
+2. In the **Admin Panel**'s **Permissions tab**, change data permissions for your user group to **Block** and save your changes.
+3. Using an incognito window, log in as the person in question to confirm that they can no longer view saved questions or dashboards that include information from the blocked database.
+
+Keep in mind that if a person belongs to another group that does have data access, that setting will take precedence, and their access will not be blocked.
+
+## Further reading
+
+- [Setting permissions in Metabase][admin-permissions].
+- [Collection permissions][collection-permissions].
+- [Permissions track][learn-permissions] in Learn Metabase.
+- [Troubleshooting data sandboxing][sandboxing].
+
+[admin-permissions]: ../administration-guide/05-setting-permissions.html
+[collection-permissions]: ../administration-guide/06-collections.html
+[connecting-database]: ../administration-guide/01-managing-databases.html
+[data-browser]: /learn/getting-started/data-browser.html
+[data-model]: ../administration-guide/03-metadata-editing.html
+[data-permissions]: ../administration-guide/data-permissions.html
+[granular]: ../administration-guide/data-permissions.html#granular-access
+[groups]: ../administration-guide/05-setting-permissions.html#groups
+[learn-permissions]: /learn/permissions/index.html
+[native-query-editing]: ../administration-guide/data-permissions.html#native-query-editing
+[no-self-service]: ../administration-guide/data-permissions.html#no-self-service-access
+[sandboxing]: ./sandboxing.html
+[setting-collection-permissions]: ../administration-guide/06-collections.html#setting-permissions-for-collections
+[unrestricted]: ../administration-guide/data-permissions.html#unrestricted-access