The core of Redash's permissions model are Groups.

Users are members of groups, while Data Sources are associated with groups.

Group membership by a user defines the actions they can perform, and the Data Sources they can access.

Each DataSource can be associated with one or more groups.

Currently, there are two types of relations between a DataSource and a group:

• Full Access: Members of this group can create and run new queries, as well as existing ones
• Read Only Access: Members of this group can only view existing queries and existing results

Each user can be a member of one or more Groups.

There is a default group, which was created with the installation of Redash, called Default.

Upon creation, every user becomes a member of the Default group. It's a good practice to associate the commonly used Data Sources with the Default group.

When creating a dashboard, you can mix whatever Data Sources you wish into queries, as long as you (the creating user) have access to them.

When a user who doesn't have access to some datasource (and hence to the visualization of that query), a dashboard will open with the restricted element – they will see only the placeholder, but won't be able to see its details.

For example, if you want to restrict a user to a single table within a datasource, you need to do the following:

1. Create a separate user in that datasource, who only has access to the table you wish them to view.
2. Create a datasource in Redash, which uses the restricted user you've just created.
3. Create a new group and associate the datasource from step #2 with this group.
4. Add the user you wish to restrict to the group from step #3.