shawnzhu opened a new issue #16557:
URL: https://github.com/apache/superset/issues/16557


   *Please make sure you are familiar with the SIP process documented*
   [here](https://github.com/apache/superset/issues/5602). The SIP number 
should be the next number after the latest SIP listed 
[here](https://github.com/apache/superset/issues?q=is%3Aissue+label%3Asip).
   
   ## [SIP-72] Proposal for dataset RBAC
   
   ### Motivation
   
   When bringing either department-level databases or Trino into Superset, it's 
hard to share the database itself with any role that contains users outside that 
department (e.g., 100+ users want to use a dataset via Superset, but they 
cannot get database access at all), which means it will push any dataset owner to 
share dashboards only (thanks to `DASHBOARD_RBAC`) without exposing the underlying 
dataset or chart.
   
   ### Proposed Change
   
   Create a new feature flag `DATASET_RBAC`, similar to the feature flag 
`DASHBOARD_RBAC`. It will enable a dataset creator/owner to grant read-only 
access to roles via the dataset properties dialog.
   
   When a dataset is granted to role `Gamma`, any user who belongs to this role 
will be able to see this dataset in the dataset list view.
   
   ### New or Changed Public Interfaces
   
   It will add a new dropdown box named _ACCESS_ to the _SETTINGS_ tab of the 
_Edit dataset_ dialog, which allows the dataset owner to select the roles that 
have read-only access to this dataset.
   
   ### New dependencies
   
   None.
   
   ### Migration Plan and Compatibility
   
   It will need a new model named `dataset_roles`, and it supports backward 
compatibility via the feature flag `DATASET_RBAC`.
   
   ### Rejected Alternatives
   
   1. It can ask users to request database access within Superset, so that 
they can get access to all datasets from this database. But usually it's not 
feasible, since database-level access means a user can explore any table/schema 
of this database under the stored database access.
   2. Ask the database admin to create user access individually or enable 
impersonation rules like those in Trino. This is not feasible if the existing 
database doesn't support such a process, or if a Superset user needs to create their 
own database connection in Superset, which brings even more work to a Superset 
admin who needs to create roles to grant database access individually.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
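
A minimal model of the access decision the proposal above describes, added here as an illustration and not taken from the issue or from Superset's code base. The classes, function names and sample users are hypothetical, and the rule that owners keep full control while database-level access still grants read is an assumption; the `roles` set stands in for rows of the proposed `dataset_roles` model.

```python
from dataclasses import dataclass, field

@dataclass
class Dataset:
    name: str
    database: str
    owners: set = field(default_factory=set)
    roles: set = field(default_factory=set)  # stands in for rows in dataset_roles

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    databases: set = field(default_factory=set)  # database-level grants

def can_access(user, dataset, action, dataset_rbac):
    """Decide access; anything not explicitly granted is denied."""
    if user.name in dataset.owners:
        return True                      # assumption: owners keep full control
    if action != "read":
        return False                     # role grants are read-only
    if dataset.database in user.databases:
        return True                      # pre-existing database-level access
    # Per-dataset grants only count while DATASET_RBAC is enabled.
    return dataset_rbac and bool(user.roles & dataset.roles)

def visible_datasets(user, datasets, dataset_rbac):
    """Names a user would see in the dataset list view."""
    return [d.name for d in datasets if can_access(user, d, "read", dataset_rbac)]

# Constructed sample data: two datasets in one database, only one shared with Gamma.
SALES = Dataset("sales", "finance_db", owners={"alice"}, roles={"Gamma"})
PAYROLL = Dataset("payroll", "finance_db", owners={"alice"})
DATASETS = [SALES, PAYROLL]
ALICE = User("alice", roles={"Alpha"})
BOB = User("bob", roles={"Gamma"})
CAROL = User("carol", roles={"Gamma"}, databases={"finance_db"})

if __name__ == "__main__":
    for flag in (True, False):
        for u in (ALICE, BOB, CAROL):
            print(flag, u.name, visible_datasets(u, DATASETS, flag))
```

With the flag on, `bob` sees `sales` but not `payroll`, which is the difference from granting database access: the sibling dataset in the same database stays hidden.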


