Users and groups are the foundation of permissions management in Metabase. Every person needs an account, and accounts can be members of multiple groups to control access to data and features.
These are accounts for logging into your Metabase instance. They’re distinct from Metabase store accounts used for managing paid plans.

Accessing user management

Access user and group management through either method:
  1. Using command palette: Press Cmd/Ctrl + K and search for “People”, then select People settings
  2. Using navigation: Click grid icon > Admin > People

Managing user accounts

Creating accounts

On Pro and Enterprise plans, all active accounts count toward your user total. Each person’s account counts separately even if one person has multiple accounts.
  1. Navigate to People: Go to Admin > People tab
  2. Invite someone: Click Invite someone in the upper right corner
  3. Enter details: Provide their email address (required) and optionally first/last name
  4. Create account: Click Create to activate the account immediately
If email is configured, Metabase sends an invitation automatically. Without email setup, you’ll receive a temporary password to share manually.
Important considerations:
  • Accounts become active immediately upon creation, even if the user never signs in
  • Active accounts count toward billing on paid plans
  • For SSO account creation, see authentication options

Editing accounts

Modify user information by clicking the three dots icon next to their name and selecting Edit user.
Changing an account’s email address changes their login credentials. The user must use the new email to sign in.

Adding user attributes

User attributes are available on Pro and Enterprise plans.
User attributes enable row and column security by storing metadata about each user.
  1. Open user editor: Go to Admin > People, find the user, click menu, select Edit user
  2. Add attribute: Click + Add an attribute
  3. Set key-value pair: Enter the attribute name (e.g., “Department”) and value (e.g., “Engineering”)
  4. Organize with groups: Optionally create a group to organize users with similar attributes
  • Row-level security: Filter data based on department, region, or customer ID
  • Database impersonation: Specify which database role Metabase should use per user
  • Multi-tenant analytics: Show each customer only their own data
  • SSO synchronization: Automatically sync attributes from identity providers

Deactivating accounts

Deactivating an account prevents login while preserving the user’s created content.
  1. Select user: Find the user in Admin > People
  2. Deactivate: Click the three dots icon and select Deactivate
  3. Confirm action: The account is marked inactive and the user cannot log in
Deactivated accounts retain all questions, dashboards, and other content. The account can be reactivated later.
SSO considerations:
  • Deactivation in Metabase does not sync to your IdP
  • Deactivate accounts in both systems to fully block access

Reactivating accounts

  1. View deactivated users: Click the Deactivated filter at the top of the People list
  2. Reactivate: Click the icon on the far right of the user’s row

Deleting accounts

Metabase doesn’t support true account deletion. Instead:
  1. Change account info: Update the name and email to placeholder values
  2. Deactivate: Deactivate the account to prevent login
  3. Create new account: If needed, create a new account with correct information
This approach preserves all content created by the account while freeing up the email address for a new account.

Password management

Resetting user passwords

Admin password resets depend on email configuration.
With email configured:
  • User receives a password reset email
  • They can also use “forgot password” on the login screen
Without email configured:
  • Admin receives a temporary password
  • Admin must manually share the password with the user
  1. Locate user: Find the user in Admin > People
  2. Reset password: Click three dots icon and choose Reset Password
  3. Share credentials: If email isn’t configured, manually share the temporary password

Resetting admin password

For Metabase Cloud, contact support. For self-hosted instances with server access:
  1. Stop Metabase: Shut down the running Metabase application
  2. Generate reset token: Run java --add-opens java.base/java.nio=ALL-UNNAMED -jar metabase.jar reset-password admin@example.com
  3. Restart Metabase: Start Metabase normally without the reset-password option
  4. Use reset URL: Navigate to https://your-metabase.com/auth/reset_password/TOKEN
  5. Set new password: Enter your new password on the reset page

Groups

Groups are the primary way to manage permissions in Metabase. Assign permissions to groups, then add users to those groups.

Special default groups

Administrators

The Administrators group has complete access to:
  • All data in your Metabase
  • All admin panel settings
  • User and permission management
Be very careful who you add to the Administrators group. They have unrestricted access to everything.

All users

Every user automatically belongs to the All Users group.
Best practice: Use All Users to set default access levels for new users. This group should never have greater access than restricted groups, or the permissive setting will take precedence.
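The precedence rule above, worked through as an added example (not Metabase code). It uses a simplified model in which the most permissive grant across a user's groups wins; the level names, group names and database names are constructed for illustration.

```python
# Simplified model (assumption): access levels are ordered, and a user's
# effective level on a database is the most permissive level granted by any
# of their groups. Level names are illustrative, not Metabase identifiers.
LEVELS = {"blocked": 0, "view": 1, "query": 2}
ALL_USERS = "All Users"

# Constructed sample: per-group data access per database.
GROUP_ACCESS = {
    "All Users": {"sales_db": "view", "hr_db": "blocked"},
    "Contractors": {"sales_db": "blocked", "hr_db": "blocked"},
    "HR": {"sales_db": "blocked", "hr_db": "query"},
}

def effective_access(user_groups, group_access=GROUP_ACCESS):
    """Return {database: level} for a user; All Users is always included."""
    groups = set(user_groups) | {ALL_USERS}
    result = {}
    for group in groups:
        for db, level in group_access.get(group, {}).items():
            if db not in result or LEVELS[level] > LEVELS[result[db]]:
                result[db] = level
    return result

def overridden_restrictions(group_access=GROUP_ACCESS):
    """List (group, database, intended, actual) where All Users grants more
    than a group was meant to have, so the restriction has no effect."""
    base = group_access.get(ALL_USERS, {})
    findings = []
    for group, grants in sorted(group_access.items()):
        if group == ALL_USERS:
            continue
        for db, level in sorted(grants.items()):
            default = base.get(db, "blocked")
            if LEVELS[default] > LEVELS[level]:
                findings.append((group, db, level, default))
    return findings

if __name__ == "__main__":
    print(effective_access(["Contractors"]))
    for finding in overridden_restrictions():
        print("restriction overridden by All Users:", finding)
```

In the sample, Contractors are meant to be blocked from sales_db but can still view it through All Users; setting All Users to blocked clears the finding.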

Data analysts

The Data Analysts group is available on Pro and Enterprise plans.
The Data Analysts group grants access to: You can assign additional permissions to this group as needed.

Creating groups

Organize users into groups that reflect your organizational structure.
  1. Navigate to groups: Go to Admin > People > Groups
  2. Add group: Click Add a group
  3. Name the group: Choose a name that reflects its purpose (e.g., “Finance Team”, “Regional Managers”)
  4. Set permissions: Configure data, collection, and application permissions for the group
Newly created groups have no access by default. You must explicitly grant permissions.
Recommended group structures:
  • Department-based: Engineering, Sales, Marketing, Finance
  • Role-based: Analysts, Managers, Executives
  • Location-based: EMEA, Americas, APAC
  • Project-based: Product Launch, Q4 Initiative

Managing group membership

  1. Select group: Click into a group from Admin > People > Groups
  2. Add members: Click Add members and select users
  3. Remove members: Click the X next to a member to remove them
You can also add or remove users from groups using the Groups column dropdown in the main People list.

Group managers

Group managers are available on Pro and Enterprise plans.
Group managers have limited administrative capabilities for their group.
Can do:
  • Add or remove existing users from their group
  • View all users in the People tab
  • Promote others to group manager or demote them to member
  • Rename their group
Cannot do:
  • Create new groups
  • Invite new people to Metabase
  • Access other admin settings
  1. Navigate to group: Go to Admin > People > Groups and select the group
  2. Find member: Locate the person you want to promote
  3. Promote: Hover over their member type and click the up arrow to promote to manager

Additional account features

Checking authentication method

Identify how a user logs in by looking for icons next to their name:
  • Google icon: Logs in with Google credentials
  • No icon: Uses email and password stored in Metabase
The authentication type is set when the account is first created. If a user created their account in Metabase but later logs in via SSO, the icon will not appear.

Unsubscribe from all notifications

Remove a user from all subscriptions and alerts:
  1. Find the user in Admin > People
  2. Click the three dots menu
  3. Select Unsubscribe from all subscriptions and alerts
This action:
  • Deletes dashboard subscriptions and alerts they created
  • Removes them as recipients from others’ subscriptions and alerts
  • Does not affect external email distribution lists

Default system accounts

Metabase includes special system accounts for internal operations:
Purpose: Tracks anonymous views of public questions and dashboards
  • Name: External User
  • Email: null
  • Not billable
  • Cannot be logged into
  • Appears in usage analytics
Purpose: Loads internal content like Usage Analytics collection
These accounts are legitimate system accounts. You’re not charged for them, and they’re excluded from the People admin tab.

Best practices

  1. Block All Users group first: Before setting specific permissions, block the All Users group from all databases to ensure no unintended access
  2. Use groups for permissions: Always assign permissions to groups, not individual users, for easier management
  3. Document group purposes: Maintain documentation of what each group is for and what access it has
  4. Regular access reviews: Periodically audit group memberships to ensure users have appropriate access
  5. Deactivate departing users: Promptly deactivate accounts when people leave your organization
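One way to run the periodic access review and catch departed users, as an added example (not Metabase code). The record layout, field names, sample users and the 90-day threshold are assumptions made for this sketch; the identity-provider list is a constructed set of active emails.

```python
from datetime import date

# Constructed sample data. Field names are assumptions for this example,
# not a Metabase export format.
METABASE_USERS = [
    {"email": "ana@example.com", "active": True, "groups": ["Administrators"],
     "sso": True, "last_login": date(2024, 5, 2)},
    {"email": "raj@example.com", "active": True, "groups": ["Finance Team"],
     "sso": False, "last_login": date(2024, 1, 10)},
    {"email": "lee@example.com", "active": True, "groups": ["Analysts"],
     "sso": True, "last_login": None},
    {"email": "kim@example.com", "active": False, "groups": ["Analysts"],
     "sso": True, "last_login": date(2023, 11, 3)},
]
IDP_ACTIVE = {"ana@example.com", "lee@example.com"}  # active in the IdP

def review(users, idp_active, today, stale_days=90):
    """Return findings for an access review of active Metabase accounts."""
    idp = {e.lower() for e in idp_active}
    findings = {"not_in_idp": [], "admins": [], "never_signed_in": [], "stale": []}
    for u in users:
        if not u["active"]:
            continue  # deactivated accounts cannot log in
        email = u["email"].lower()
        # Deactivation does not sync between Metabase and the IdP, so an
        # account gone from the IdP can still be active here; a password
        # login does not depend on the IdP at all.
        if email not in idp:
            findings["not_in_idp"].append((email, "sso" if u["sso"] else "password"))
        if "Administrators" in u["groups"]:
            findings["admins"].append(email)  # unrestricted access: confirm each
        if u["last_login"] is None:
            findings["never_signed_in"].append(email)  # active even if unused
        elif (today - u["last_login"]).days > stale_days:
            findings["stale"].append(email)
    return findings

if __name__ == "__main__":
    for kind, items in review(METABASE_USERS, IDP_ACTIVE, date(2024, 6, 1)).items():
        print(kind, items)
```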