Metabase, initially developed as an internal analytics system at Expa, has evolved its approach to permissions and access controls over time, balancing the need for transparency with stringent security measures. Initially employing a generic permissions model, Metabase transitioned to hard partitions, separating user accounts and data across virtual machines to accommodate various companies with differing security needs. With its open-source release, feedback highlighted the need for more sophisticated access controls, prompting Metabase to develop a new permissions framework in version 0.20 that assigns users to groups, granting specific data access and focusing on data accessibility rather than merely controlling dashboard visibility. This approach aims to maintain a balance between security and enabling end-users to engage in data-driven discovery, reducing the dependence on analysts for ad hoc reports while allowing teams to focus on more strategic tasks. Future releases are expected to enhance this framework further by introducing more robust permission tools and options for specific artifact control, although the emphasis will remain on promoting user autonomy in data exploration.