sfirke commented on code in PR #36548: URL: https://github.com/apache/superset/pull/36548#discussion_r2635286587
########## docs/docs/security/security.mdx: ########## 
@@ -46,12 +46,47 @@ to all databases by default, both **Alpha** and **Gamma** users need to be given ### Public -To allow logged-out users to access some Superset features, you can use the `PUBLIC_ROLE_LIKE` config setting and assign it to another role whose permissions you want passed to this role. +The **Public** role is the most restrictive built-in role, designed specifically for anonymous/unauthenticated +users who need to view dashboards. It provides minimal read-only access for: -For example, by setting `PUBLIC_ROLE_LIKE = "Gamma"` in your `superset_config.py` file, you grant -public role the same set of permissions as for the **Gamma** role. This is useful if one -wants to enable anonymous users to view dashboards. Explicit grant on specific datasets is -still required, meaning that you need to edit the **Public** role and add the public data sources to the role manually. +- Viewing dashboards and charts +- Using interactive dashboard filters +- Accessing dashboard and chart permalinks +- Reading embedded dashboards +- Viewing annotations on charts + +The Public role explicitly excludes: +- Any write permissions on dashboards, charts, or datasets +- SQL Lab access +- Share functionality +- User profile or admin features +- Menu access to most Superset features + +To enable anonymous access with the built-in Public role, set `PUBLIC_ROLE_LIKE` in your config:

Review Comment: I like that we can tell Superset to use a role for anonymous users, but should this be the role defined in `PUBLIC_ROLE_LIKE` and not hard-coded to "Public" - especially if there's now a stock role and people might want to point it to a customized other one?
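
Review bot: The caveat in the removed paragraph, that an explicit grant on specific datasets is still required, has no counterpart in the added lines shown here, so the new capability list ("Viewing dashboards and charts", "Reading embedded dashboards") can be read as anonymous users getting data access as soon as `PUBLIC_ROLE_LIKE` is set. If dataset grants are still needed, keep a sentence saying so next to the capability list; if that behaviour has changed, say so explicitly, because it decides what an unauthenticated visitor can actually read.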
