Users can see all other users in the system

I just discovered that all users can see all other users in the system, regardless of group association. Users can’t see others’ unpublished queries or dashboards. Is this normal? I would have expected that only Admins can see all users. Seems like a huge security issue.

Sorry about the surprise, but Redash is designed to be an internal system. With this context, I think it’s no surprise that the user list is available to everyone.

There is a way to tweak group permissions (in the database) to disallow listing users, but this functionality hasn’t been used or tested in a long time, so I’m not even sure how functional it is.

As we are planning on revisiting permissions, I’m happy to discuss your use case to understand the need better.

Right, and for internal use that makes sense. Perhaps we’ll see the reworked permissions in version 8. Any ETA on next release?

I played around with the REDASH_MULTI_ORG thinking maybe I needed to create a second Organization, but documentation is light in the on-prem version, so I haven’t been able to get it to work. Do you have any info on how to create Organizations in ReDash 7?