Implicit Datasource Access for Dashboard RBAC

[dl-lim]

Hi all, I have done some reading on Dashboard Access Control and I can conclude from what I gather, that Dashboard access can now be automatically added to roles based on what you set in the UI, courtesy of #12680

It is noted that [SIP-51] is closed via #12680, addressing half of the issue.

However, this does not yet address the datasource/dataset access control with respect to Dashboard Access. I found this comment by @amitmiran137

#12680 (comment)

we plan in a follow-up PR that user will be given temporary read access to all of the datasets within a dashboard as was mentioned in the development milestones in #10408

Is there an issue/PR for this yet? Please point me to it if there is already one! :)

Use Case:

• Create a user role that has read-only access to dashboards, without access to the individual records in the underlying data (i.e. nothing shows up on Datasets menu)
• Successful implementation would look like this: a user role could be set to have ONLY access to Dashboards, and not any datasets in the menu, yet dashboard is still able to render charts without permission errors.
• This limits the user to accessing only what is set up for them via the Dashboard.
• Filtering access should still be available.

As mentioned in #10408 (comment)

Airbnb and probably other orgs are fully dependent on dataset level access - they would not handle an extra dashboard level permission
In our org we will have hundreds of dashboards that will be based on the same dataset
Therefore there is no way to manage dashboard access for specific dashboards for specific users

Related issues:
[SIP-51]: #10408

#11198
#12910
#1799
#4127
#14260
etc.

[nytai]

Pretty sure this is implemented already. Have you tried enabling the feature flag DASHBOARD_RBAC?

#13992

[nytai]

You can find all the PRs related to this feature here: https://github.com/apache/superset/pulls?q=is%3Apr++dashboard_rbac

[amitmiran137]

Yes , this is implemented as mentioned here
Just try out the DASHBOARD_RBAC feature flag

[dl-lim]

Thank you, that works like a charm!

Also, what are the minimum required permissions for this to work without the access to explore other datasets or edit the charts? Tried Gamma, but that's more perms than needed.

Before I close, can I ask where is the best, latest source of documentation for superset? I'd prefer referring to that in future, instead of trawling through the issue section or opening a ticket here unnecessarily :)

Can this DASHBOARD_RBAC feature flag (and others like these) be found here: https://superset.apache.org/docs/intro ? I wasn't able to locate it.

[nytai]

Documentation for this feature can be found here: https://superset.apache.org/docs/creating-charts-dashboards/first-dashboard#manage-access-to-dashboards

info about the various feature flags can be found here: https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md

[MM-Lehmann]

Unfortunately, this feature breaks my dataset-based access. I can either use dashboard level OR dataset level. I've ran a db upgrade after setting the FF as well. What went wrong? (I am on 1.4.1)

[AndyBarakat]

Same here! I cannot have dataset level and dashboard level. I got a Forbidden Access if both are set up