GitHub user dosubot[bot] added a comment to the discussion: Integration of 
graphs to website based on user roles

Hi @bpatra-ai! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the 
superset team.

The issue is likely caused by how the guest token is generated and how the 
frontend integration sends chart requests. Superset enforces access control for 
embedded dashboards using guest tokens, which should only grant access to 
specific dashboards and charts. If the guest token is too permissive (for 
example, granting access to all datasets or charts), or if the frontend does 
not include the correct `dashboardId` in each chart's `form_data`, users may 
see charts they shouldn't have access to—even if Superset itself blocks them in 
the main UI.

To fix this:

- Make sure the guest token is scoped only to the dashboard (not to datasets or 
charts directly) and is generated based on the user's role.
- Ensure the frontend integration always sends the correct `dashboardId` in 
every chart's `form_data` when requesting chart data. This is critical for 
Superset to enforce dataset-level permissions and show an "Access Denied" 
overlay for unauthorized charts, rather than exposing data 
([source](https://github.com/apache/superset/issues/33698)).
- Double-check that the guest role used for embedding does not have 
`all_datasource_access` or explicit access to restricted datasets 
([source](https://github.com/apache/superset/issues/33698)).
- If you want even finer control, you can use Superset's role-based access 
control (RBAC) features and, if needed, set `GUEST_ROLE_NAME` to a custom role 
(like `EmbedGuest`) for embedded users 
([source](https://github.com/apache/superset/discussions/33674)).

If you follow these steps, Superset should enforce the same access restrictions 
in embedded dashboards as it does in the main UI.

*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*

GitHub link: 
https://github.com/apache/superset/discussions/36322#discussioncomment-15103268
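The comment above turns on two defender-side checks: a guest token should name exactly one dashboard (never datasets or charts), and the dashboard it names should be one the requesting user's role may see. The following is an added illustration, not Superset's own code and not code from the discussion. It assumes the embedding application keeps its own role-to-dashboard mapping (a constructed sample here) and that the guest-token request body follows the `{"user", "resources", "rls"}` shape accepted by Superset's `POST /api/v1/security/guest_token/` endpoint. `audit_guest_scope` runs over the request body before it is sent, and equally over the `resources` claim of a token that has already been minted, so an over-broad grant is caught before a browser ever holds it.

```python
# Added illustration for the discussion above; not Superset's own code.
# Assumptions (labelled): the embedding app maintains ROLE_DASHBOARDS itself,
# and the request body matches the {"user", "resources", "rls"} shape that
# Superset's POST /api/v1/security/guest_token/ endpoint accepts.
from typing import Dict, List, Optional

# Constructed sample mapping: application role -> dashboard UUIDs it may embed.
ROLE_DASHBOARDS: Dict[str, List[str]] = {
    "sales": ["1f3c4d5e-1111-4aaa-8bbb-000000000001"],
    "finance": [
        "1f3c4d5e-1111-4aaa-8bbb-000000000001",
        "1f3c4d5e-2222-4aaa-8bbb-000000000002",
    ],
}


class GuestTokenScopeError(ValueError):
    """Raised when a request would grant a guest more than its role allows."""


def build_guest_token_request(
    username: str,
    role: str,
    dashboard_id: str,
    rls: Optional[List[dict]] = None,
) -> dict:
    """Build the guest-token request body for one embedded dashboard.

    The token is scoped to exactly one dashboard resource: no dataset- or
    chart-level grants, and the dashboard must be permitted for the role.
    """
    allowed = ROLE_DASHBOARDS.get(role, [])
    if dashboard_id not in allowed:
        raise GuestTokenScopeError(
            f"role {role!r} may not embed dashboard {dashboard_id}"
        )
    return {
        "user": {"username": username, "first_name": "Embedded", "last_name": role},
        "resources": [{"type": "dashboard", "id": dashboard_id}],
        # Row-level-security clauses, e.g. [{"clause": "region = 'EMEA'"}];
        # an empty list adds no row filtering for this guest.
        "rls": list(rls or []),
    }


def audit_guest_scope(resources: List[dict], role: str) -> List[str]:
    """Return findings for a guest token's `resources` list.

    Usable on the request body about to be sent and on the `resources` claim
    of an already-minted token. An empty result means the scope is limited to
    dashboards the role may view.
    """
    findings: List[str] = []
    allowed = set(ROLE_DASHBOARDS.get(role, []))
    if not resources:
        findings.append("no resources: token grants nothing, embed will show Access Denied")
    for res in resources:
        rtype = res.get("type")
        rid = str(res.get("id", ""))
        if rtype != "dashboard":
            findings.append(f"non-dashboard resource {rtype!r}: scope tokens to dashboards only")
        elif rid not in allowed:
            findings.append(f"dashboard {rid} is not permitted for role {role!r}")
    return findings


if __name__ == "__main__":
    body = build_guest_token_request("alice", "sales", "1f3c4d5e-1111-4aaa-8bbb-000000000001")
    print(body)
    print(audit_guest_scope(body["resources"], "sales"))
    # Constructed over-broad scope: a dashboard outside the role plus a dataset grant.
    too_broad = [
        {"type": "dashboard", "id": "1f3c4d5e-2222-4aaa-8bbb-000000000002"},
        {"type": "dataset", "id": 7},
    ]
    for finding in audit_guest_scope(too_broad, "sales"):
        print("finding:", finding)
```

Keeping the role-to-dashboard mapping on the server side means the browser never decides what a guest token covers; the frontend only passes the dashboard it wants to embed and the backend refuses anything the role does not permit.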