GitHub user dosubot[bot] added a comment to the discussion: how to use superset user as guest user in order to hide queries
Superset supports guest users via guest tokens, mainly for embedded dashboards. When you use a guest token to authenticate a user, Superset treats them as a guest user with restricted permissions. Starting with Superset 4.1, the system automatically removes the SQL `query` field from the `/chart/data` API response for guest users, so they can't see the underlying queries or table names behind charts and dashboards ([discussion](https://github.com/apache/superset/discussions/32765), [PR #30858](https://github.com/apache/superset/pull/34217)).

To set this up, generate a guest token by POSTing to `/security/guest_token` with the user info, resources (like dashboard IDs), and optional row-level security (RLS) rules. The guest user will default to the "Public" role unless you configure `GUEST_ROLE_NAME` ([embedded SDK docs](https://github.com/apache/superset/blob/master/superset-embedded-sdk/README.md)). You can further restrict what data the guest user sees by using RLS rules.

Superset's security manager enforces that guest users can't modify chart payloads or queries, and only allows access to dashboards and charts explicitly listed in the guest token. Any attempt to tamper with the request or access unauthorized resources is blocked ([security manager code](https://github.com/apache/superset/blob/master/superset/security/manager.py), [unit tests](https://github.com/apache/superset/blob/master/tests/unit_tests/security/manager_test.py)).

If you want to filter data based on guest user attributes, you can use the `get_guest_user_attribute()` Jinja macro in your SQL queries ([issue #33922](https://github.com/apache/superset/issues/33922)). For more details, check the [embedded SDK README](https://github.com/apache/superset/blob/master/superset-embedded-sdk/README.md) and the [security manager implementation](https://github.com/apache/superset/blob/master/superset/security/manager.py).
GitHub link: https://github.com/apache/superset/discussions/35943#discussioncomment-14852712
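The token-minting step described in the answer above, as an added example (not code from the Superset project or from the comment's author). It assumes a Superset instance at `BASE_URL` with lab credentials `admin`/`admin`, that the dashboard has already been marked embeddable so it has an embed UUID (the placeholder UUID below is constructed), and that the endpoint paths `/api/v1/security/login` and `/api/v1/security/guest_token/` are the ones the embedded SDK README documents. The payload builder refuses an empty resource list and empty RLS clauses, because a token without a scope or with a blank tenant filter is the mistake that leaks data; the claim decoder only base64-decodes the JWT payload so the backend can be checked for what it actually signed, it does not verify the signature.

```python
"""Mint a Superset guest token for one embedded dashboard and sanity-check it.

Added example; not Superset project code. Assumptions: local Superset at
BASE_URL, lab admin credentials, an embed UUID for the target dashboard, and
a deployment where Bearer auth alone is accepted on the guest_token endpoint
(if yours enforces CSRF there, add an X-CSRFToken header as well).
"""
import base64
import json
import urllib.request
from typing import Any, Dict, List, Optional

BASE_URL = "http://localhost:8088"                         # assumption
ADMIN_USER, ADMIN_PASS = "admin", "admin"                   # assumption: lab only
EMBED_DASHBOARD_UUID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder


def build_guest_token_payload(username: str, dashboard_uuids: List[str],
                              rls: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """Body for POST /api/v1/security/guest_token/.

    Only dashboards listed under `resources` are reachable with the token, and
    every `rls` clause is appended server-side to the guest user's queries, so
    the tenant filter lives in the token the backend minted, not in the browser.
    """
    if not dashboard_uuids:
        raise ValueError("a guest token must name at least one dashboard")
    for rule in rls or []:
        if not str(rule.get("clause", "")).strip():
            raise ValueError("every RLS rule needs a non-empty 'clause'")
    return {
        "user": {"username": username, "first_name": "Guest", "last_name": "User"},
        "resources": [{"type": "dashboard", "id": uid} for uid in dashboard_uuids],
        "rls": [dict(rule) for rule in rls or []],
    }


def unverified_claims(jwt_token: str) -> Dict[str, Any]:
    """Decode the JWT payload segment without verifying the signature.

    Used only to confirm which resources and RLS rules Superset actually put
    in the token before it is handed to the embedded SDK; trust still rests on
    the server-side signature check against GUEST_TOKEN_JWT_SECRET.
    """
    parts = jwt_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _post_json(url: str, body: Dict[str, Any], headers: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def login(base_url: str, username: str, password: str) -> str:
    """Return a bearer access token for the service account that mints guest tokens."""
    body = {"username": username, "password": password, "provider": "db", "refresh": True}
    return _post_json(f"{base_url}/api/v1/security/login", body)["access_token"]


def fetch_guest_token(base_url: str, access_token: str, payload: Dict[str, Any]) -> str:
    resp = _post_json(f"{base_url}/api/v1/security/guest_token/", payload,
                      {"Authorization": f"Bearer {access_token}"})
    return resp["token"]


if __name__ == "__main__":
    # Tenant 42 gets exactly one dashboard and a row filter; nothing else is in scope.
    payload = build_guest_token_payload(
        "tenant-42-viewer", [EMBED_DASHBOARD_UUID], rls=[{"clause": "tenant_id = 42"}])
    access = login(BASE_URL, ADMIN_USER, ADMIN_PASS)
    guest = fetch_guest_token(BASE_URL, access, payload)
    claims = unverified_claims(guest)
    print("resources:", claims.get("resources"))
    print("rls:", claims.get("rls_rules", claims.get("rls")))
```

Mint the token from a backend that already knows which tenant the caller is, and pass only the resulting string to `embedDashboard()` in the browser; the admin credentials and the RLS clause never leave the server, which is what makes the "hide the queries" property from the answer hold.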
