GitHub user dosubot[bot] added a comment to the discussion: Public role is too strong by default
To achieve a true "read-only" behavior for anonymous users in Apache Superset,
you should create a custom role with minimal permissions and use it as a
reference for the "public" role. Here are the steps and permissions you need to
configure:
1. **Create a Custom Role**:
Define a custom role with the necessary permissions.
2. **Assign Minimal Permissions**:
Assign the following permissions to the custom role:
- `can dashboard permalink on Superset`
- `can read on Chart`
- `can read on Dashboard`
- `can dashboard on Superset`
- `can explore json on Superset`
- `can read on DashboardPermalinkRestApi`
- `can write on DashboardPermalinkRestApi`
- `can time range on Api`
- `datasource access on` (specific datasets)
3. **Set the Custom Role for Public Access**:
Update the `superset_config.py` to use the custom role for the public role.
Here is an example of how to configure this:
```python
# superset_config.py
# The permissions of the role named here are copied into the built-in "Public"
# role when `superset init` runs, so re-run it after changing the ReadOnly role.
PUBLIC_ROLE_LIKE = "ReadOnly"

# Site-specific flags belong in FEATURE_FLAGS; Superset merges them over its own
# DEFAULT_FEATURE_FLAGS, which should not be replaced wholesale.
FEATURE_FLAGS = {
    "DASHBOARD_RBAC": True,
    "ENABLE_TEMPLATE_PROCESSING": True,
    "DASHBOARD_NATIVE_FILTERS": True,
    "DASHBOARD_CROSS_FILTERS": True,
}
```
4. **Programmatically Create and Assign Permissions**:
Use the following script to create the custom role and assign the necessary
permissions:
```python
from superset import app, security_manager

# Run inside the Flask app context, e.g. from `superset shell`
with app.app_context():
    # Create the role, or fetch it if it already exists (add_role is idempotent)
    role_name = "ReadOnly"
    read_only_role = security_manager.add_role(role_name)

    # (permission, view menu) pairs to grant. For datasource_access the view
    # menu is the dataset's permission name, of the form
    # "[database].[schema].[table](id:N)" as shown on the dataset's edit page;
    # a bare table name will not match anything.
    permissions_to_assign = [
        ("can_dashboard_permalink", "Superset"),
        ("can_read", "Chart"),
        ("can_read", "Dashboard"),
        ("can_dashboard", "Superset"),
        ("can_explore_json", "Superset"),
        ("can_read", "DashboardPermalinkRestApi"),
        ("can_write", "DashboardPermalinkRestApi"),
        ("can_time_range", "Api"),
        # Replace with your dataset's permission name
        ("datasource_access", "[YourDatabase].[your_schema].[your_table](id:1)"),
    ]

    # Look up each permission-view pair and attach it to the role
    for perm_name, view_name in permissions_to_assign:
        perm_view = security_manager.find_permission_view_menu(perm_name, view_name)
        if perm_view is None:
            print(f"permission not found, skipping: {perm_name} on {view_name}")
            continue
        # Skips pairs the role already has and commits the session
        security_manager.add_permission_role(read_only_role, perm_view)
```
By following these steps, you can ensure that anonymous users have a
"read-only" experience, restricting them to viewing dashboards and generating
permalinks without the ability to edit or save charts
<sup>[[1]](https://github.com/apache/superset/discussions/25299)</sup><sup>[[2]](https://github.com/apache/superset/blob/master/superset/security/manager.py)</sup>.
*To continue talking to [Dosu](https://dosu.dev), mention @dosu.*
GitHub link:
https://github.com/apache/superset/discussions/33125#discussioncomment-12832657
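As an added example (not part of the discussion above and not Superset's own code): a check that lists the permission/view-menu pairs the Public role actually holds once `superset init` has synced `PUBLIC_ROLE_LIKE` into it, and flags anything outside the read-only list from the answer or among permissions an anonymous role should never carry. The allowlist, the "never for public" set and the write-permission prefixes are this example's assumptions; `fetch_role_pvms` relies on Flask-AppBuilder's `find_role` and the role's `permissions` relationship and is only invoked when the script is run under Superset, so the audit logic itself can be tested offline with constructed data.

```python
"""Audit the permissions a Superset role actually holds against a read-only allowlist.

Added example. Run it inside the Superset app context (e.g. `superset shell`)
after `superset init`; the audit function is pure so it can be tested offline.
"""
from __future__ import annotations

# (permission, view menu) pairs a read-only anonymous viewer is expected to hold,
# taken from the answer above. datasource_access is matched by permission name
# only, because its view-menu name is per dataset.
READ_ONLY_ALLOWLIST = frozenset({
    ("can_dashboard_permalink", "Superset"),
    ("can_read", "Chart"),
    ("can_read", "Dashboard"),
    ("can_dashboard", "Superset"),
    ("can_explore_json", "Superset"),
    ("can_read", "DashboardPermalinkRestApi"),
    ("can_write", "DashboardPermalinkRestApi"),
    ("can_time_range", "Api"),
})
PER_DATASET_PERMISSIONS = frozenset({"datasource_access"})

# Permission names that should never appear on an anonymous role (assumed set;
# the names are Superset's own). Blanket data access and SQL Lab are the ones
# that make the default Public role "too strong".
NEVER_FOR_PUBLIC = frozenset({
    "all_datasource_access",
    "all_database_access",
    "all_query_access",
    "can_sql_json",
    "can_sqllab",
    "can_csv",
    "menu_access",
})

# Mutating permissions are only acceptable when explicitly allowlisted
# (e.g. can_write on DashboardPermalinkRestApi, needed to mint permalinks).
WRITE_PREFIXES = ("can_write", "can_add", "can_edit", "can_delete")


def audit_role_pvms(pvms, allowlist=READ_ONLY_ALLOWLIST,
                    per_dataset=PER_DATASET_PERMISSIONS):
    """Return (unexpected, dangerous) sets of (permission, view_menu) pairs.

    unexpected: pairs not in the allowlist (per-dataset grants are skipped).
    dangerous:  pairs that should never be on an anonymous role, or mutating
                permissions that are not explicitly allowlisted.
    """
    unexpected: set[tuple[str, str]] = set()
    dangerous: set[tuple[str, str]] = set()
    for perm, view in pvms:
        pair = (perm, view)
        if perm in NEVER_FOR_PUBLIC:
            dangerous.add(pair)
        if perm in per_dataset:
            continue  # per-dataset grants are checked elsewhere
        if pair not in allowlist:
            unexpected.add(pair)
            if perm.startswith(WRITE_PREFIXES):
                dangerous.add(pair)
    return unexpected, dangerous


def fetch_role_pvms(role_name="Public"):
    """Read (permission, view_menu) pairs for a role from a running Superset.

    Imported lazily so audit_role_pvms stays usable without Superset installed.
    """
    from superset import security_manager  # requires an active app context

    role = security_manager.find_role(role_name)
    if role is None:
        raise ValueError(f"role {role_name!r} not found")
    return [(pvm.permission.name, pvm.view_menu.name) for pvm in role.permissions]


def report(role_name="Public"):
    """Print the audit for a live role; returns True when nothing was flagged."""
    unexpected, dangerous = audit_role_pvms(fetch_role_pvms(role_name))
    for pair in sorted(dangerous):
        print(f"DANGEROUS  {pair[0]} on {pair[1]}")
    for pair in sorted(unexpected - dangerous):
        print(f"unexpected {pair[0]} on {pair[1]}")
    return not unexpected and not dangerous


if __name__ == "__main__":
    import sys
    sys.exit(0 if report() else 1)
```

A non-zero exit makes the check usable as a post-deploy gate: anything still flagged after `superset init` means the Public role picked up more than the ReadOnly role was meant to give it, and the output names the exact pair to remove.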