What Are Access Groups?
Access groups let you control exactly which databases, tables, and columns each team member can query. Instead of giving everyone access to everything, you create groups with specific data permissions and assign members to them.
Access group restrictions do not apply to admins — admins always have full access to all data regardless of group membership.
Creating a Group
Navigate to Workspace → Access Groups in the sidebar and click + Add a group. Give the group a name (e.g. "Sales Team", "Analytics") and click Create.
Each group has two tabs:
Members — Add or remove team members. You can search for specific members by name or email.
Database access — Configure which databases, schemas, tables, and columns this group can access.
Permission Hierarchy
Permissions follow a top-down hierarchy: Database → Schema → Table → Column. Granting access at a higher level automatically includes everything below it. Revoking access at a higher level removes access to everything beneath.
The left panel lists all connected databases. Use the checkbox next to each database to grant or revoke access for the group. When you select a database, the right panel shows a tree of its schemas, tables, and columns.
Table Access Levels
Each table in the permission tree can have one of three access levels:
Full access — All columns in the table are accessible. The group can query any data in this table.
Partial access — Only specific columns are accessible. Use this to hide sensitive columns (e.g. salary, SSN, personal email) while still allowing queries on the rest of the table.
No access — The table is completely hidden from the group. Members cannot query it or see it in the schema browser.
Setting column-level restrictions
To configure partial access, expand a table in the tree and uncheck individual columns you want to restrict. The table's checkbox will change to a dash to indicate partial access. Only checked columns will be queryable by group members.
Tri-State Checkboxes
The permission tree uses tri-state checkboxes to show the current access level at a glance:
Checked (✓) — Full access to the item and everything below it.
Dash (—) — Partial access. Some child items are enabled and some are not. For example, a table shows a dash when only some of its columns are checked.
Empty — No access.
Clicking a checkbox cycles through these states. You can also use the search bar to quickly find specific tables or columns within a large schema.
Permission Merging Across Groups
When a member belongs to multiple access groups, their effective permissions are the union of all group permissions — the most permissive setting wins.
For example, if Group A grants access to the "orders" table but not the "customers" table, and Group B grants access to "customers" but not "orders", a member in both groups can access both tables. Similarly, if Group A allows columns A, B, C on a table and Group B allows columns B, C, D, the member can access columns A, B, C, and D.
Dashboard Viewers & Access Groups
Members with the Dashboard Viewer role can only view dashboards — they cannot use Blaze Chat or query data directly. However, access groups still control which data appears in their dashboards. If a Dashboard Viewer is in a group that restricts access to certain tables, those tables' data will not appear in any dashboard the viewer opens.
When No Groups Exist
If your workspace has no access groups, database access is configured directly during the invite process. You select which databases the invitee can access from a dropdown in the invite dialog. Once you create your first access group, database access shifts to being managed through groups instead.