Skip to content
Snippets Groups Projects
Unverified Commit b253da02 authored by Jeff Bruemmer's avatar Jeff Bruemmer Committed by GitHub
Browse files

docs - general permissions (#21596)

parent bf818536
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
docs/README.md
+ 1
0
View file @ b253da02
......@@ -83,6 +83,7 @@
- [Permissions overview](./administration-guide/05-setting-permissions.md)
- [Data permissions](./administration-guide/data-permissions.md)
- [Collection permissions](./administration-guide/06-collections.md)
- [General permissions](./administration-guide/general-permissions.md)
- [Sandboxing data based on user attributes](./enterprise-guide/data-sandboxes.md)
- [SQL snippets folder permissions](./enterprise-guide/sql-snippets.md)
......
docs/administration-guide/05-setting-permissions.md
+ 1
0
View file @ b253da02
......@@ -12,6 +12,7 @@ You can set permissions on:
- [Tables and schemas in those databases][table-permissions]
- [Rows and columns of a table][data-sandboxing] (only on some plans)
- [Collections of questions, dashboards, and models][collections]
- [General settings](general-permissions.md) (only on some plans)
For plans that include [SQL Snippet Folders][sql-snippet-folders], you can also set permissions on those folders.
......
docs/administration-guide/data-permissions.md
+ 33
16
View file @ b253da02
......@@ -6,9 +6,9 @@ This page covers permissions for databases and tables. If you haven't already, c
Now that you have some groups, you’ll want to control their data access by going to the **Permissions** section of the Admin Panel. You’ll see an interactive table that displays all of your databases and all of your groups, and the level of access your groups have for each database.
![Permissions view](images/permissions.png)
## Data access
You can click on any cell in the table to change a group’s access level. When you’re done making your changes, just click the `save changes` button in the top-right, and you’ll see a confirmation dialog summarizing the changes.
You can click on any cell in the permissions table to change a group’s access level. When you’re done making your changes, just click the **Save changes** button in the top-right, and you’ll see a confirmation dialog summarizing the changes.
### Unrestricted access
......@@ -16,28 +16,54 @@ Members of the group can access data from all tables (within all namespaces/sche
### Granular access
__Granular access__ allows administrators to explicitly set access to tables or schemas within a database. In practice, this means that:
**Granular access** allows administrators to explicitly set access to tables or schemas within a database. In practice, this means that:
- Admins can set the groups access to individual tables to either __Unrestricted__, __No self-service__, or __Sandboxed__ access.
- Admins can set the groups access to individual tables to either **Unrestricted**, **No self-service**, or **Sandboxed** access.
- If a new table gets added to this database in the future, the group won't get access to that new table. An administrator would need to explicitly grant access to that table.
### No self-service access
__No self-service__ prevents people in a group from creating new ad hoc queries or questions based on this data, or from seeing this data in the Browse Data screen. Groups with this level of access can still see saved questions and charts based on this data in Collections they have access to.
**No self-service** prevents people in a group from creating new ad hoc queries or questions based on this data, or from seeing this data in the Browse Data screen. Groups with this level of access can still see saved questions and charts based on this data in Collections they have access to.
### Block access
{% include plans-blockquote.html feature="Block access" %}
__Block__ ensures people can’t ever see the data from this database, regardless of their permissions at the Collection level. So if they want to see a question in a collection that have access to, but that question uses data from a database that's been blocked for that person's group, then they won't be able to see that question.
**Block** ensures people can’t ever see the data from this database, regardless of their permissions at the Collection level. So if they want to see a question in a collection that have access to, but that question uses data from a database that's been blocked for that person's group, then they won't be able to see that question.
Keep in mind people can be in multiple groups. If a person belongs to _another_ group that _does_ have access to that database, that more privileged access will take precedence (overruling the block), and they'll be able to view that question.
### Native query editing
## Native query editing
Members of a group with native query editing set to Yes can write new SQL/native queries using the native query editor. This access level requires the group to additionally have Unrestricted data access for the database in question, since SQL queries can circumvent table-level permissions.
Members in groups without native query editing access can't view, write, or edit SQL/native queries. People who are not in groups with native query editing permissions will still be able to view the results of questions created from SQL/native queries, but not the code itself. They also won't see the "View the SQL" button when composing custom questions in the notebook editor.
## Download results
{% include plans-blockquote.html feature="Download permissions" %}
You can set permissions on whether people in a group can download results (and how many rows) for a data source. Options are:
- No (they can't download results)
- Granular (set access for individual tables)
- 10 thousand rows
- 1 million rows
## Manage data model
{% include plans-blockquote.html feature="Data model permissions" %}
You can define whether a group can [edit metadata](03-metadata-editing.md). Options are:
- Granular (to set permissions specific to each table).
- Edit (meaning, they can edit metadata for that data source).
## Manage database
{% include plans-blockquote.html feature="Database management permissions" %}
This setting defines whether a person can edit the connection settings for the data source, as well as to sync and scan the database.
## Table permissions
When you select [Granular access](#granular-access) for a database, you'll be prompted to set permissions on the tables (or schemas) within that database. Here you'll have two or three options, depending on your Metabase plan.
......@@ -54,15 +80,6 @@ Groups with no self-service access to a table can’t access the table at all. T
Only available in paid plans, Sandboxed access to a table can restrict access to columns and rows of a table. Check out [data sandboxing][data-sandboxing].
## Permissions and dashboard subscriptions
You don't explicitly set permissions on [dashboards subscriptions][dashboard-subscriptions], as the subscriptions are a feature of a dashboard. If a person is in a group that has __Curate access__ to the collection containing the dashboard, they can view and edit all subscriptions for the dashboard, including subscriptions created by other people.
If a group has __read-only access__ to a dashboard (based on its collection permissions), they can view all subscriptions for that dashboard. They can also create subscriptions and edit ones that they’ve created, but they can’t edit ones that other users created. (That last point is enforced by the BE only, the FE still needs to be updated to show the subscriptions as read-only.)
If a group has no access to a dashboard, they can’t view any of its subscriptions, including ones that they may have created in the past, prior to having access revoked.
If you have read-only access to a dashboard, you can also unsubscribe yourself from a subscription that somebody else created via the new page in account settings.
## Further reading
- [Guide to data permissions](https://www.metabase.com/learn/organization/organization/data-permissions.html)
......
docs/administration-guide/general-permissions.md 0 → 100644
+ 26
0
View file @ b253da02
# General permissions
{% include plans-blockquote.html feature="General permissions" %}
- [General settings access](#general-settings-access)
- [Monitoring access](#monitoring-access)
- [Subscriptions and alerts](#subscriptions-and-alerts)
## General settings access
General settings access defines which groups can set permissions on all of the settings under General settings.
## Monitoring access
Monitoring access sets permissions on the following Admin tabs:
- [Tools](../enterprise-guide/tools.md)
- [Auditing](../enterprise-guide/audit.md)
- [Troubleshooting](../troubleshooting-guide/index.md)
## Subscriptions and alerts
This setting determines who can set up:
- [Dashboard subscriptions](../users-guide/dashboard-subscriptions.md)
- [Alerts](../users-guide/15-alerts.md)
docs/administration-guide/images/permissions.png deleted 100644 → 0
+ 0
0
View file @ bf818536
docs/administration-guide/images/permissions.png

223 KiB

docs/administration-guide/start.md
+ 3
1
View file @ b253da02
......@@ -35,8 +35,10 @@ See [how to install Metabase](../operations-guide/installing-metabase.md).
## Setting permissions and access
- [Setting data permissions](05-setting-permissions.md)
- [Permissions overview](05-setting-permissions.md)
- [Setting data permissions](data-permissions.md)
- [Creating and managing collections](06-collections.md)
- [General permissions](general-permissions.md)
## Embedding and sharing with public links
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment