I just discovered that all users can see all other users in the system, regardless of group association. Users’ can’t see other’s unpublished queries or dashboards. Is this normal? I would have expected that only Admins can see all users. Seems like a huge security issue.
Sorry about the surprise, but Redash is designed to be an internal system. With this context, I think it’s no surprise that the user list is available to everyone.
There is a way to tweak group permissions (in the database) to disallow listing users, but this functionality wasn’t used or tested in a long time, so I’m not even sure how functioning it is.
As we are planning on revisiting permissions, I’m happy to discuss your use case to understand the need better.
Right, and for internal use that makes sense. Perhaps we’ll see the reworked permissions in version 8. Any ETA on next release?
I played around with the REDASH_MULTI_ORG thinking maybe needed to create a second Organization, but document is light in the on-prem version so haven’t been able to get it to work. Do you have any info on how to create Organizations in ReDash 7?