Hello! I recently installed redash and so far like the tool a lot!

I would like to be able to create dashboards and allow users to view dashboards, but not allow users to run arbitrary queries. This does not seem to be possible.

I’ve set the data source as View Only, but I can still go from the query to Edit Source and enter ANY arbitrary SQL and Execute it. I get that I could set up a user with restricted permissions in the DB, but I’d like to remove the ability for a user to edit and run SQL completely. Is this possible?

Welcome to the forum!

Redash can’t do it today. But this exact feature is under development now.

Because Redash is meant for internal SQL people, anyone who can see a query can make and run queries too. This was intentional.

Adding View Only users means redoing our whole permissions model. This won’t be ready in V9 (our forthcoming release). You can try working around it with shared dashboard links or user training. Otherwise, Redash might not meet your needs.

Thanks for the quick reply susodapop. When you say it’s under development now is that what you later describe as redoing the permissions models in post V9? Just trying to get a sense of timing.

I think one simple change I could make would be to disable the Execute button when the user has View Access only? I think that would effectively prevent them from running queries they shouldn’t. What do you think about that?

Thanks again!

Hi @james305,
Am I wrong in understanding that you only want them to visit dashboards already created by you or other people?
If not, you could simply share dashboards with a public link:

External users can see the dashboard widgets but will not be able to navigate within the Redash application or view the underlying queries.

Yes, the permissions redo comes before view-only users.

That’s correct, but I believe by sharing the dashboard I lose authentication. In my case I’m using SAML for auth. If I could publish it and keep the auth this would be perfect.

Understood. Thank you for the reply.

Setting up a read-only group by modifying the group permissions might be a good solution. You can allow users to run queries, view dashboards, but not modify/create/delete dashboards and queries.

This is done via manage.py, for example:

```
manage groups change_permissions --help

Usage: manage.py groups change_permissions [OPTIONS] GROUP_ID

Options:
  --permissions TEXT  Comma separated list of permissions ('create_dashboard',
                      'create_query', 'edit_dashboard', 'edit_query',
                      'view_query', 'view_source', 'execute_query',
                      'list_users', 'schedule_query', 'list_dashboards',
                      'list_alerts', 'list_data_sources') (leave blank for
                      default).
  --help              Show this message and exit.
```

Using the manage groups list output to find the group id, I then applied all but the create/delete/modify and schedule_query to the group.
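
The permission selection described in the post above, as an added shell example that is not from the thread or the Redash project: it drops the create/edit and schedule_query names from the list in the help text and prints (does not run) the resulting command. `GROUP_ID` is a placeholder for the id shown by `manage groups list`, and the function names are hypothetical.

```shell
#!/bin/sh
# Permission names copied from the change_permissions help text quoted above.
ALL_PERMISSIONS="create_dashboard create_query edit_dashboard edit_query view_query view_source execute_query list_users schedule_query list_dashboards list_alerts list_data_sources"

# is_known NAME: succeeds only if NAME is one of the listed permissions.
is_known() {
    for known in $ALL_PERMISSIONS; do
        if [ "$known" = "$1" ]; then return 0; fi
    done
    return 1
}

# read_only_permissions [EXTRA_DENY...]
# Prints a comma-separated list without create_*, edit_* and schedule_query,
# and without any extra names given as arguments. An unknown extra name is an
# error, so a typo cannot silently leave a permission granted.
read_only_permissions() {
    for deny in "$@"; do
        if ! is_known "$deny"; then
            echo "unknown permission: $deny" >&2
            return 2
        fi
    done
    out=""
    for perm in $ALL_PERMISSIONS; do
        case "$perm" in
            create_*|edit_*|schedule_query) continue ;;
        esac
        keep=1
        for deny in "$@"; do
            if [ "$perm" = "$deny" ]; then keep=0; fi
        done
        if [ "$keep" -eq 1 ]; then out="${out:+$out,}$perm"; fi
    done
    printf '%s\n' "$out"
}

# build_command GROUP_ID [EXTRA_DENY...]
# Prints the command line for review; it does not execute anything.
build_command() {
    group_id=$1
    shift
    perms=$(read_only_permissions "$@") || return 1
    printf 'manage groups change_permissions --permissions %s %s\n' "$perms" "$group_id"
}

# GROUP_ID is a placeholder; replace it with the id from `manage groups list`.
build_command GROUP_ID
```

Extra names, such as `execute_query`, can be passed to withhold them as well; the thread does not say how Redash behaves for a group without that permission.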