GitHub user dosubot[bot] added a comment to the discussion: Overriding can_access_datasource to block access to sensitive tables
<!-- Answer --> Superset doesn't have a built-in way to generally grant access to all datasources while blacklisting specific tables or charts for certain roles. The permission model is designed around granting access, not denying it, so you have to explicitly manage permissions for each datasource if you want to avoid global access—there's no native "deny" or blacklist mechanism that scales automatically as new datasources are created ([discussion](https://github.com/apache/superset/issues/31637), [discussion](https://github.com/apache/superset/discussions/32338)). Overriding `can_access_datasource` is the right extension point for custom logic, but Superset enforces access through several layers: `raise_for_access` is called throughout the backend for datasources, charts, and dashboards, and it checks for broad permissions like `all_database_access` and `all_datasource_access`, as well as ownership, schema, and dashboard RBAC ([source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L553-L2456)). If users have these global permissions (as with the Alpha role), your custom logic in `can_access_datasource` will be bypassed. If you want to block access to specific tables or charts, you must remove these global permissions from user roles and manage access at the datasource level. This does mean you'll need to grant permissions for new datasources as they're created. There is no built-in automation for this, but you can script permission assignments or use backend hooks to help. Recent changes have introduced field-level permission middleware for multi-tenant setups, including dataset field restrictions by schema and table name ([PR #35877](https://github.com/apache/superset/pull/35877)). If you are on a recent version, you may be able to leverage this for more granular control, but it still requires explicit configuration. The dual-connection approach (privileged/unprivileged) doesn't natively solve the problem of restricting chart/datasource visibility—if a privileged user creates a datasource from a sensitive table and shares it, unprivileged users can still see it if they have broad permissions. You'd need to enforce your blacklist logic everywhere access is checked, which is essentially what `raise_for_access` and `can_access_datasource` do. In summary: to enforce exceptions for sensitive tables or charts, you must (1) remove global access permissions from user roles, (2) manage datasource permissions explicitly, and (3) extend your custom logic in both `can_access_datasource` and, if needed, `raise_for_access`. There is no built-in scalable blacklist mechanism, but recent field-level permission features may help if you are able to configure them for your use case. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/45aa12e3-7085-47d5-9e56-4558e034d5ef?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/45aa12e3-7085-47d5-9e56-4558e034d5ef?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/45aa12e3-7085-47d5-9e56-4558e034d5ef?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/45aa12e3-7085-47d5-9e56-4558e034d5ef?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/45aa12e3-7085-47d5-9e56-4558e034d5ef?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/45aa12e3-7085-47d5-9e56-4558e034d5ef?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/45aa12e3-7085-47d5-9e56-4558e034d5ef?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github)& nbsp;[](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/discussions/35932) GitHub link: https://github.com/apache/superset/discussions/35932#discussioncomment-14844041 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
