GitHub user dosubot[bot] added a comment to the discussion: How to restrict visible users and roles in dashboard ownership/visibility dropdowns for specific custom roles?
Superset's recommended way to restrict which users and roles appear in the dashboard ownership and visibility dropdowns is to use the `EXTRA_RELATED_QUERY_FILTERS` config in your `superset_config.py`. This lets you define custom SQLAlchemy query filters for both users and roles, so you can enforce tenant or role-based visibility in the UI dropdowns for dashboard editing. The dropdowns are populated via backend API endpoints (`/api/v1/dashboard/related/owners` and `/api/v1/dashboard/related/roles`), and your filters will directly control what appears there [[source]](https://github.com/apache/superset/blob/master/superset/config.py).

**How to implement:**

In your `superset_config.py`, you can do something like:

```python
from flask import g


def user_filter(query, *args, **kwargs):
    # Only show users with the same custom role as the current user
    # Imported inside the function so that loading superset_config.py
    # does not import superset at module level.
    from superset import security_manager

    user_model = security_manager.user_model
    role_model = security_manager.role_model
    current_user = g.user
    # Find the role name(s) you want to match (e.g., "ExternalTenant")
    role_names = [role.name for role in security_manager.get_user_roles(current_user)]
    # Adjust this logic to match your tenant/grouping scheme.
    # roles.any() emits an EXISTS subquery, so no explicit join is needed
    # and no user row is returned twice.
    return query.filter(user_model.roles.any(role_model.name.in_(role_names)))


def role_filter(query, *args, **kwargs):
    # Only show base roles and the user's own custom role
    from superset import security_manager

    base_roles = ["Gamma", "sql_lab"]
    current_user = g.user
    user_roles = [role.name for role in security_manager.get_user_roles(current_user)]
    # Pass in_() a list rather than a set
    allowed_roles = sorted(set(base_roles) | set(user_roles))
    role_model = security_manager.role_model
    return query.filter(role_model.name.in_(allowed_roles))


EXTRA_RELATED_QUERY_FILTERS = {
    "user": user_filter,
    "role": role_filter,
}
```

This will ensure that, for users with your custom external role, the dashboard edit UI will only show users and roles relevant to their tenant/group [[source]](https://github.com/apache/superset/blob/master/superset/config.py).

If you need more advanced logic (e.g., tenant info stored in user attributes or a custom SecurityManager), you can access those attributes in your filter functions. For multi-tenant setups, it's common to store a tenant/group identifier on the user model or in a custom role naming convention.

**Best practice:** Use `EXTRA_RELATED_QUERY_FILTERS` for most cases. If you need even more control, you can subclass and override the backend filter classes (`BaseFilterRelatedUsers`, `BaseFilterRelatedRoles`) used in the dashboards API, but for most multi-tenant filtering, the config approach is sufficient and upgrade-safe [[source]](https://github.com/apache/superset/discussions/33877) [[source]](https://github.com/apache/superset/pull/29287).

No feature flag or built-in config does this out of the box—`EXTRA_RELATED_QUERY_FILTERS` is the documented and supported extension point. The frontend will always reflect the backend filter results, so your changes will be immediately visible in the dropdowns.

Let me know if you want a more detailed example based on your user/role/tenant schema!

GitHub link: https://github.com/apache/superset/discussions/37133#discussioncomment-15495258
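
Added example, not part of the original comment or of Superset's code: the `user_filter` in the comment matches on every role the current user holds, so a base role shared across tenants (such as `Gamma`) makes users of other tenants match as well. The sketch below reproduces that query shape on an in-memory SQLite database and compares it with a variant that matches on tenant-specific roles only; the `User`/`Role` models are stand-ins for `security_manager.user_model`/`role_model`, and the role names `TenantA`/`TenantB` and all users are constructed sample data.

```python
from sqlalchemy import Column, ForeignKey, Integer, String, Table, create_engine
from sqlalchemy.orm import Session, declarative_base, relationship

Base = declarative_base()
user_role = Table(
    "user_role", Base.metadata,
    Column("user_id", ForeignKey("users.id"), primary_key=True),
    Column("role_id", ForeignKey("roles.id"), primary_key=True),
)

class Role(Base):  # stand-in (assumption) for security_manager.role_model
    __tablename__ = "roles"
    id = Column(Integer, primary_key=True)
    name = Column(String, unique=True)

class User(Base):  # stand-in (assumption) for security_manager.user_model
    __tablename__ = "users"
    id = Column(Integer, primary_key=True)
    username = Column(String, unique=True)
    roles = relationship(Role, secondary=user_role)

BASE_ROLES = {"Gamma", "sql_lab"}  # roles every tenant's users share

def visible_users(session, current_user, exclude_base_roles):
    """Usernames the owners dropdown query would return for current_user."""
    names = {r.name for r in current_user.roles}
    if exclude_base_roles:
        names -= BASE_ROLES  # match on tenant-specific roles only
    # Same filter shape as user_filter: EXISTS over the user's roles.
    # An empty list matches nobody, so a user with only base roles sees no one.
    query = session.query(User).filter(User.roles.any(Role.name.in_(sorted(names))))
    return sorted(u.username for u in query)

def demo():
    """Build constructed sample data and return (naive, tenant_scoped) results."""
    engine = create_engine("sqlite://")  # in-memory database
    Base.metadata.create_all(engine)
    with Session(engine) as s:
        gamma, a, b = Role(name="Gamma"), Role(name="TenantA"), Role(name="TenantB")
        alice = User(username="alice", roles=[gamma, a])
        s.add_all([alice,
                   User(username="bob", roles=[gamma, a]),
                   User(username="carol", roles=[gamma, b])])
        s.commit()
        return visible_users(s, alice, False), visible_users(s, alice, True)

if __name__ == "__main__":
    naive, scoped = demo()
    print("all roles matched:  ", naive)
    print("tenant roles only:  ", scoped)
```

Running the same comparison against a staging copy of the Superset metadata database shows which shared roles need to go into the exclusion set before the filter is deployed.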
