Troubleshooting data permissions
If a person has the wrong level of access to the data that’s returned by a question or query, you’ll need to troubleshoot different levels of data permissions, starting from the most granular.
Row and column permissions
Native query (SQL) permissions
- A user group can’t access the SQL editor.
- A user group with SQL permissions isn’t being restricted by their data sandbox.
Table or schema permissions
- A user group has the wrong access to a table or schema.
- A user group can view collections that contain restricted data.
- Getting a “permission denied” error message.
- Checking someone’s access to a table or schema.
A user group can’t access the SQL editor
- Ensure scripts are loading by disabling browser extensions and refreshing the browser.
- Go to Admin > Permissions and select the relevant group.
- Find the database that you want to grant SQL access to.
- From the View data dropdown.elect Can view.
- From the Create queries dropdown, select Query builder and native.
- Check if the access problem is fixed.
For more information about the different types of database permissions, check out the section on data access in our permissions documentation.
A user group has the wrong access to a table or schema
- Go to Admin > People and check if the person is in more than one group with conflicting permissions.
- If the person is in multiple groups:
- Remove the person from the group with wider permissions, or
- Go to Admin > Permissions and change the Data access permission type.
- Check if the access problem is fixed.
Explanation
If a person is a member of multiple groups, Metabase will grant the most permissive level of access across all the groups in which they’re a member.
For example, if a person is a member of two groups — one which grants [View data] access of “Can view” to a database or table and another that grants “Blocked” access to that database — that person will be able to view the data.
Remember that everyone is a member of the All Users group. We recommend you revoke permissions from the All Users group, and create new groups to selectively apply permissions to your data sources.
A user group can view collections that contain restricted data
This feature is only available on Pro and Enterprise plans (both self-hosted and on Metabase Cloud).
- Go to Admin > Permissions and select the user group.
- Select the database or table that you want to restrict.
- Set View data permissions to Blocked and click Save.
- Check if the access problem is fixed.
Explanation
If you’ve granted a group View data access of “Can view” to a database or table, people can view saved questions and dashboards that draw on that database, as long as those questions and dashboards are stored in a collection that they have access to.
The Blocked data permission is available on Pro and Enterprise versions of Metabase. If you block a group’s access to a database, members of that group will not be able to see any data from this database, regardless of their collection permissions.
Getting a “permission denied” error message
If you get an error message that says something like “permission denied to <your table>”, you’ll need to check if the Metabase application has the correct permissions to query your database.
- Go to the SQL editor and run a basic query against the table or schema in question:
SELECT 1 FROM <your table>;
- Get the credentials that Metabase uses to connect to your database. If you’re not sure what those credentials are, ask your database admin.
- Using a different application (like your CLI or database IDE), connect to your database using the same credentials your Metabase uses to connect to that database, and run the query from step 1.
- If you cannot access the table or schema in both step 1 and 3, ask your database admin to:
- Grant database privileges to the role that Metabase is using to connect, or
- Provide a set of database credentials with the correct permissions.
- Check if the access problem is fixed.
Explanation
Your database has its own set of permissions that are configured for each person (or application) that logs in.
Database permissions apply at the level of your database connection, before your data and collection permissions are applied in Metabase.
This means that settings configured on the database side can prevent Metabase from connecting to certain schemas or tables, regardless of what you’ve set up on the Metabase side.
Checking someone’s access to a table or schema
- Open an incognito browser window.
- Log in to Metabase as the person in question.
- Run a question, dashboard, or native query to confirm that the person can see the data they’re supposed to.
Do you have a different problem?
- I can’t view or edit my question or dashboard.
- I can’t save my question or dashboard.
- I can’t see my tables.
Are you still stuck?
If you can’t solve your problem using the troubleshooting guides:
- Search or ask the Metabase community.
- Search for known bugs or limitations.
Read docs for other versions of Metabase.