What Are Access Groups?
Access groups let you control exactly which databases, tables, and columns each team member can query. They can also be used to manage query and dashboard access efficiently.
Access group restrictions for database do not apply to admins — admins always have full access to all data regardless of group membership.
Creating a Group
Navigate to Workspace and click + Add a group in the sidebar. Give the group a name (e.g. "Sales Team", "Analytics") and click Create.
Each group has two tabs:
Members — Add or remove team members. You can search for specific members by name or email.
Database access — Configure which databases, schemas, tables, and columns this group can access.
Permission Hierarchy
Permissions follow a top-down hierarchy: Database → Schema → Table → Column. Granting access at a higher level automatically includes everything below it. Revoking access at a higher level removes access to everything beneath.
The left panel lists all connected databases. Use the checkbox next to each database to grant or revoke access for the group. When you select a database, the right panel shows a tree of its schemas, tables, and columns.
Table Access Levels
Each table in the permission tree can have one of three access levels:
Full access — All columns in the table are accessible. The group can query any data in this table.
Partial access — Only specific columns are accessible. Use this to hide sensitive columns (e.g. salary, SSN, personal email) while still allowing queries on the rest of the table.
No access — The table is completely hidden from the group. Members cannot query it or see it in the schema browser.
Setting column-level restrictions
To configure partial access, expand a table in the tree and uncheck individual columns you want to restrict. The table's checkbox will change to a dash to indicate partial access. Only checked columns will be queryable by group members in chats.
Tri-State Checkboxes
The permission tree uses tri-state checkboxes to show the current access level at a glance:
Checked (✓) — Full access to the item and everything below it.
Dash (—) — Partial access. Some child items are enabled and some are not. For example, a table shows a dash when only some of its columns are checked.
Empty — No access.
Clicking a checkbox cycles through these states. You can also use the search bar to quickly find specific tables or columns within a large schema.
Permission Merging Across Groups
When a member belongs to multiple access groups, their effective permissions are the union of all group permissions — the most permissive setting wins.
For example, if Group A grants access to the "orders" table but not the "customers" table, and Group B grants access to "customers" but not "orders", a member in both groups can access both tables. Similarly, if Group A allows columns A, B, C on a table and Group B allows columns B, C, D, the member can access columns A, B, C, and D.
Dashboard Viewers & Access Groups
Members with the Dashboard Viewer role can only view dashboards or saved queries — they cannot use Blaze Chat or query data directly. The table & column access only applies to the chat, so this tab does not affect them.
When No Groups Exist
If your workspace has no access groups, database access is configured directly during the invite process. You select which databases the invitee can access from a dropdown in the invite dialog. Once you create your first access group, database access shifts to being managed through groups instead.