Skip to main content

Database users, roles, and privileges

For Metabase to connect, query, and optionally write to your database, you need to create a dedicated database user with the appropriate privileges. This guide explains how to set up database users and roles following security best practices. We recommend creating a dedicated metabase database user with read-only access to the schemas and tables you want to analyze.
Creating dedicated users and roles for Metabase makes it easier to manage permissions, audit usage, and troubleshoot issues without affecting other systems.

Role-based privilege structure

Organize privileges into roles based on use cases:

Analytics role

Read-only access for querying and analysis

Transforms role

Write access to schema for transforms

Uploads role

Write access to schema for CSV uploads

Actions role

Write access to tables for actions and editable data

Model persistence role

Write access to schema for persisted models

Benefits of role-based permissions

Easier maintenance:
  • Grant or revoke privileges by adding/removing roles
  • No need to modify individual user permissions
Reusability:
  • Use the same analytics role for other BI tools
  • Share common privilege sets across multiple users
Granular control:
  • Revoke write access for one feature without affecting others
  • Example: Disable model persistence without affecting actions
Better security:
  • Clear separation between read and write operations
  • Easier to audit who has which privileges
On Metabase Pro and Enterprise plans, use separate writeable connections for operations that require write access.

Minimum database privileges

To query your data in Metabase, the database user needs:
  • CONNECT privilege to your database
  • SELECT privilege on schemas or tables you want to use

Setting up read-only access

Here’s how to create a properly configured read-only user (PostgreSQL example):

Create analytics role and user

Follow these steps as a database administrator:1. Create an analytics role
CREATE ROLE analytics WITH LOGIN;
2. Grant connection privilege
GRANT CONNECT ON DATABASE "your_database" TO analytics;
3. Create Metabase user
CREATE USER metabase WITH PASSWORD "your_password";
4. Add user to role
GRANT analytics TO metabase;
5. Grant query privileges (choose one option)

Query privilege options

Choose the appropriate privilege level based on your security requirements:
Recommended for: Development environments, full analytics access
-- Grant read access to all data in the database
GRANT pg_read_all_data TO analytics;
The pg_read_all_data role is only available in PostgreSQL 14 or higher. See Predefined Roles in PostgreSQL documentation.
Recommended for: Access to all schemas in a specific database
-- Grant access to all schemas in the database
GRANT USAGE ON SCHEMA "your_schema" TO analytics;
GRANT SELECT ON ALL TABLES IN SCHEMA "your_schema" TO analytics;
Recommended for: Production environments with isolated analytics schema
-- Grant access to a specific schema
GRANT USAGE ON SCHEMA "your_schema" TO analytics;
GRANT SELECT ON ALL TABLES IN SCHEMA "your_schema" TO analytics;

-- Automatically grant SELECT on new tables in the schema
ALTER DEFAULT PRIVILEGES IN SCHEMA "your_schema"
  GRANT SELECT ON TABLES TO analytics;
The ALTER DEFAULT PRIVILEGES statement ensures that new tables automatically inherit the SELECT privilege.
Recommended for: Maximum security with explicit table access
-- Grant access to specific tables only
GRANT USAGE ON SCHEMA "your_schema" TO analytics;
GRANT SELECT ON "your_schema"."your_table" TO analytics;
GRANT SELECT ON "your_schema"."another_table" TO analytics;

Additional optional privileges

Depending on your Metabase usage, you may also need:

TEMPORARY privilege

Some complex queries create temporary tables during execution.
GRANT TEMPORARY ON DATABASE "your_database" TO analytics;

Grant all database privileges

Granting all privileges is not recommended for production environments. Only use this approach for local development or testing.
For development or testing environments, you can give the Metabase user full access: 
-- Create a database user named "metabase"
CREATE USER metabase WITH PASSWORD "your_password";

-- Give the user read and write privileges to anything in the database
GRANT ALL PRIVILEGES ON DATABASE "your_database" TO metabase;

Privileges to enable actions and editable table data

Both actions and editable table data allow Metabase to write data back to specific tables.

When you need write access

Enable write access if you want to:
  • Create, update, or delete records through Metabase
  • Use action buttons in dashboards
  • Allow users to edit data directly in tables
Consider using a writeable connection (Pro/Enterprise) to separate read and write operations.

Privileges to enable model persistence

Model persistence saves query results to a dedicated schema in your database to improve performance.

What you need

  • CREATE privilege on the database (to set up the schema)
  • INSERT, UPDATE, DELETE privileges on the persistence schema
  • A dedicated schema for storing persisted models
If you prefer not to grant CREATE privileges, manually create the schema before enabling model persistence.

Privileges to enable transforms

Transforms let Metabase write query results back to your database in dedicated tables.

What you need

  • CREATE TABLE privilege on the transforms schema
  • ALTER privilege to modify transform tables
  • DROP privilege to remove old transforms
  • Optionally, CREATE SCHEMA privilege
We strongly recommend creating a dedicated schema for transforms, separate from your source data.

Privileges to enable uploads

You can upload CSVs to supported databases for analysis in Metabase.

What you need

  • A schema to store uploaded data
  • INSERT, UPDATE, DELETE privileges on the uploads schema
  • Configure the schema in Metabase settings
Create or designate a schema for uploads before configuring this feature in Metabase.

Multi-tenant permissions

For multi-tenant setups where customers need SQL access, create one database connection per customer.
Security benefits:
  • Each customer connects with their own database user
  • Row-level security enforced at the database level
  • Clear separation between customer data
Access control:
  • Grant access only to customer-specific schemas
  • Different privilege levels per customer
  • Easy to audit and revoke access
See: Granting customers native SQL access

Example: Multi-tenant setup

Let’s say you have two customers: Tangerine and Lemon. 
-- Create one database user per customer
CREATE USER metabase_tangerine WITH PASSWORD "orange";
CREATE USER metabase_lemon WITH PASSWORD "yellow";

-- Create a role to bundle privileges for all customers
CREATE ROLE customer_facing_analytics;
GRANT CONNECT ON DATABASE "citrus" TO customer_facing_analytics;
GRANT customer_facing_analytics TO metabase_tangerine, metabase_lemon;

-- Create a role to bundle analytics read access for customer Tangerine
CREATE ROLE tangerine_queries;
GRANT USAGE ON SCHEMA "tangerine" TO tangerine_queries;
GRANT SELECT, EXECUTE ON ALL TABLES IN SCHEMA "tangerine" TO tangerine_queries;
GRANT tangerine_queries TO metabase_tangerine;

-- Create a role to bundle analytics read access for customer Lemon
CREATE ROLE lemon_queries;
GRANT USAGE ON SCHEMA "lemon" TO lemon_queries;
GRANT SELECT ON ALL TABLES IN SCHEMA "lemon" TO lemon_queries;
GRANT lemon_queries TO metabase_lemon;

-- Create a role to bundle privileges for Metabase actions for customer Lemon
CREATE ROLE lemon_actions;
GRANT INSERT, UPDATE, DELETE ON TABLE "lemon"."lemonade" TO lemon_actions;
GRANT lemon_actions TO metabase_lemon;

Advantages of role-based multi-tenancy

Reusability:
  • Use tangerine_queries for other analytics tools
  • Share common privileges across multiple connections
Granular control:
  • Revoke lemon_actions without affecting lemon_queries
  • Easy to add or remove specific capabilities
Maintainability:
  • Add new customers by creating new users and roles
  • Update privileges by modifying roles, not individual users
Security:
  • Each customer can only access their own schema
  • Clear audit trail of who accessed what

Database-specific considerations

PostgreSQL-specific notes

Predefined roles (PostgreSQL 14+):
  • pg_read_all_data: Read access to all tables
  • pg_write_all_data: Write access to all tables
Default privileges:
ALTER DEFAULT PRIVILEGES IN SCHEMA "your_schema"
  GRANT SELECT ON TABLES TO analytics;
Schema search path: Consider setting a default schema search path for the Metabase user.

MySQL-specific notes

Grant syntax:
GRANT SELECT ON database.* TO 'metabase'@'%';
Host specification:
  • Use '%' for any host
  • Use specific IP for production: 'metabase'@'192.168.1.100'
Flush privileges:
FLUSH PRIVILEGES;
MySQL 8+ authentication:
ALTER USER 'metabase'@'%' IDENTIFIED WITH mysql_native_password BY 'password';

BigQuery-specific notes

BigQuery uses IAM roles instead of database users:Required roles:
  • BigQuery Data Viewer
  • BigQuery Metadata Viewer
  • BigQuery Job User
Service account:
  • Create a service account in Google Cloud Console
  • Download JSON key file
  • Upload to Metabase
See: BigQuery connection guide

Snowflake-specific notes

Role hierarchy:
-- Create role
CREATE ROLE metabase_role;

-- Grant privileges
GRANT USAGE ON WAREHOUSE "compute_wh" TO ROLE metabase_role;
GRANT USAGE ON DATABASE "your_db" TO ROLE metabase_role;
GRANT USAGE ON SCHEMA "your_schema" TO ROLE metabase_role;
GRANT SELECT ON ALL TABLES IN SCHEMA "your_schema" TO ROLE metabase_role;

-- Create user and assign role
CREATE USER metabase PASSWORD='password';
GRANT ROLE metabase_role TO USER metabase;
Warehouse access: Metabase needs USAGE privilege on at least one warehouse to run queries.

Verifying privileges

After setting up privileges, verify the Metabase user has correct access: 
-- Check role membership
SELECT r.rolname, m.rolname as member
FROM pg_roles r
JOIN pg_auth_members am ON r.oid = am.roleid
JOIN pg_roles m ON am.member = m.oid
WHERE m.rolname = 'metabase';

-- Check table privileges
SELECT table_schema, table_name, privilege_type
FROM information_schema.table_privileges
WHERE grantee = 'analytics';

Security best practices

Use strong passwords

Generate long, random passwords for database users

Principle of least privilege

Only grant the minimum necessary permissions

Separate read and write

Use different users for read-only and write operations

Regular audits

Periodically review and update user privileges

Use SSL connections

Always encrypt database connections in production

Restrict network access

Use firewall rules to limit database access

Monitor access

Log and review database access patterns

Rotate credentials

Regularly update passwords and service account keys

Further reading

Writeable connections

Separate write operations from read operations (Pro/Enterprise)

Permissions strategies

Learn permission strategies for your organization

Permissions introduction

Overview of Metabase permissions

People overview

Managing users and groups in Metabase

Build docs developers (and LLMs) love

Get started for freeTalk to us