Bug description

Hello Superset Community,

I am trying to configure access control for a specific dataset in Apache Superset. My goal is to restrict access to this dataset so that only a specific role (e.g., power_user) can view and use it, while other roles (e.g., Admin, Gamma) should not have any access.

Here are the steps I tried so far:

  1. Removed all_datasource_access from all roles except power_user.

  2. Configured Row Level Security (RLS): Created an RLS rule for the dataset with a clause like:

     {{ current_role() }} = 'power_user'

  3. Tested restricting database-level access and adjusting permissions via roles (can read, can write).

Unfortunately, none of these approaches successfully restricted dataset access to only the power_user role. Other roles can still access the dataset, which breaks the intended security.

Questions:

  1. Is there a built-in or recommended way to restrict access to a dataset for specific roles only?

  2. Does RLS support filtering access based on roles directly?

  3. If this is not possible via the UI or configurations, is there a way to achieve this through custom development or database modifications?

Any guidance or solutions would be greatly appreciated.

Thank you in advance for your help!

Screenshots/recordings

No response

Superset version

4.1.1

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

To restrict dataset access to a specific role, such as power_user, in Apache Superset, while ensuring that other roles like Admin and Gamma cannot access it, you can follow these steps:

  1. Create a New Role: First, create a new role named power_user by navigating to Menu -> Security -> List Roles and clicking the + sign.

  2. Assign Permissions: In the new role creation window, give this new role a name (power_user), attribute it to users, and select the specific tables or datasets in the Permissions dropdown that you want this role to have access to.

  3. Restrict Access for Other Roles: Ensure that the Admin and Gamma roles do not have permissions to access the specific datasets. Since Admin users have all possible rights by default, you may need to manage this by ensuring that only users with the power_user role are assigned to access the specific datasets.

  4. Confirm Access: Verify that users assigned to the power_user role can see the objects (dashboards and slices) associated with the datasets you have extended to them, and that users with Admin and Gamma roles do not have access to these datasets.

This approach leverages the role-based access control system in Superset to manage dataset access effectively [1].

Regarding Row Level Security (RLS), it can be used to apply filters to queries based on user roles, but it is not typically used to restrict access to entire datasets based on roles. Instead, RLS is more suited for filtering data within a dataset based on conditions related to roles [2].


Comment From: rahmedrbx

Wondering how this got resolved. Did you remove the default all access on Admin and individually add back other Datasets? It would be nice if there was a "Deny" rule that can be applied to restrict access to individual Datasets while allowing others by default.
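
An added example, not from the thread or from the Superset code base: a small audit that lists, for one dataset, every role outside the allowed set that still holds a grant reaching it, which is the check to run when removing all_datasource_access alone does not hide a dataset. The permission and view-menu strings follow Superset's "permission on view menu" naming as an assumption; the role data, the database examples, the schema hr and the dataset payroll are constructed.

```python
"""Audit which roles hold a grant that reaches one Superset dataset."""
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str]  # (permission name, view menu name)


def grants_reaching_dataset(db: str, db_id: int, schema: str,
                            table: str, ds_id: int) -> Set[Grant]:
    """Every grant that, on its own, lets a role query the dataset.

    Assumed naming: broad grants plus database, schema and dataset grants.
    """
    return {
        ("all_datasource_access", "all_datasource_access"),
        ("all_database_access", "all_database_access"),
        ("database_access", f"[{db}].(id:{db_id})"),
        ("schema_access", f"[{db}].[{schema}]"),
        ("datasource_access", f"[{db}].[{table}](id:{ds_id})"),
    }


def audit(roles: Dict[str, Set[Grant]], allowed: Set[str],
          reaching: Set[Grant]) -> Dict[str, List[Grant]]:
    """Map each role outside `allowed` to the grants that still expose the dataset."""
    findings: Dict[str, List[Grant]] = {}
    for role, grants in roles.items():
        hits = sorted(grants & reaching)
        if hits and role not in allowed:
            findings[role] = hits
    return findings


# Constructed role export: all_datasource_access was removed from every role
# except power_user, as in the thread, but broader grants were left in place.
SAMPLE_ROLES: Dict[str, Set[Grant]] = {
    "Admin": {("all_database_access", "all_database_access"),
              ("can_read", "Dataset")},
    "Gamma": {("schema_access", "[examples].[hr]"),
              ("can_read", "Chart")},
    "Analyst": {("datasource_access", "[examples].[sales](id:3)")},
    "power_user": {("all_datasource_access", "all_datasource_access")},
}

if __name__ == "__main__":
    reaching = grants_reaching_dataset("examples", 1, "hr", "payroll", 7)
    for role, hits in audit(SAMPLE_ROLES, {"power_user"}, reaching).items():
        for perm, view in hits:
            print(f"{role}: {perm} on {view}")
```

Any role the audit reports needs that grant removed, or replaced with per-dataset grants for the datasets it should keep, before the restriction holds.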