I just discovered that all users can see all other users in the system, regardless of group association. Users’ can’t see other’s unpublished queries or dashboards. Is this normal? I would have expected that only Admins can see all users. Seems like a huge security issue.
Sorry about the surprise, but Redash is designed to be an internal system. With this context, I think it’s no surprise that the user list is available to everyone.
There is a way to tweak group permissions (in the database) to disallow listing users, but this functionality wasn’t used or tested in a long time, so I’m not even sure how functioning it is.
As we are planning on revisiting permissions, I’m happy to discuss your use case to understand the need better.
Right, and for internal use that makes sense. Perhaps we’ll see the reworked permissions in version 8. Any ETA on next release?
I played around with the REDASH_MULTI_ORG thinking maybe needed to create a second Organization, but document is light in the on-prem version so haven’t been able to get it to work. Do you have any info on how to create Organizations in ReDash 7?
Hello, I have a similar problem and I was wondering if there have been any changes until now about group permissions that would disallow users to see other users in the system?
Any alternatives/suggestions to counter this problem?
There haven’t been any substantive changes to groups or permissions. This is still on the development radar and will be announced on the user forum when it becomes available.