Since Metabase might be configured to access OpenMRS DB or Mart DB, containing personal, sensitive, medical information, it is imperative to ensure you have permissions & restrictions in place that ensure people can only access the data they are supposed to access.
Metabase has options to control who can access which data, collection, tables, etc. In general, you would set defaults to restricted, and then only allow certain groups to have specific permissions. Then add users to appropriate groups so they get the correct access. A user can be added to more than one group in metabase.
Users (belong to) → Groups (which have) → Permissions (which control access to functionality)