Dear team, I would like to understand the concept ...
# gooddata-platform
h
Dear team, I would like to understand the concept of metrics x permissions better. From the thread of Luis Carrico above, I understood that we have created metrics that unintentionally breached data permissions. I am quite concerned that a permission, which in our case can only be controlled by the implementation of a brick, can be breached by a user with permissions to create a metric. (I know we can deny permissions to edit metrics.) Can you please explain this?
j
Hi Hans, From what I understand, your users have a data permission applied, but when they are creating some metrics they are still seeing some data that should be restricted for them, correct? As a user, you can use an advanced OVER … TO clause to specify the data access by data itself. Sometimes, users write data permissions without this clause and they see data from related datasets which they believe should have already been excluded. More information on this can be found here: https://help.gooddata.com/doc/growth/en/workspace-and-user-administration/managing-wo[…]ce-data-and-data-access/advanced-data-permissions-use-cases/

However, this shouldn't relate to how a user creates a metric in the UI. If they create a metric and their permissions have excluded the correct data, then they shouldn't see any of the data based on their permission. If this seems to be an ongoing issue, our support team can certainly look directly into the workspace and check the user's permissions and see if they have not been set correctly.
h
Thanks for replying, Joseph. Yes indeed, I've seen the ability to use the TO... OVER to set specific boundaries to data availability. However, my assumption was that by default, a user/admin not using this clause cannot breach the permissions that were set by a brick. Because that is what is happening right now. We are executing a simple SELECT SUM() and it shows data it should not.
j
I will reach out in a ticket