GitHub user wai52168 created a discussion: Add Separate Permission for Dashboard List to Improve DASHBOARD_RBAC Security

Hello Superset Team,

I would like to propose a permission enhancement related to dashboard sharing when using DASHBOARD_RBAC + AUTH_ROLE_PUBLIC.

Current Challenge

We are using:

- DASHBOARD_RBAC
- AUTH_ROLE_PUBLIC

to share private dashboards via direct links. This approach works well for controlled dashboard access.

However, even when users only need access to specific dashboards, they can still navigate to:

/dashboard/list

and view all dashboards that their role has access to.

In some use cases, this behavior is not desired. We would like users to access dashboards only via direct links, without being able to browse the dashboard list.

Proposed Improvement

It would be helpful to introduce a separate granular permission, such as:

can list on Dashboard

so that:

- can read on Dashboard → allows viewing a specific dashboard
- can list on Dashboard → controls visibility of the dashboard list page

This would allow administrators to:

- Enable direct-link access
- Disable dashboard browsing
- Improve security for external sharing scenarios
- Better support public or semi-public dashboard use cases

Why This Is Important

In enterprise environments, it is common to:

- Share dashboards via controlled links
- Avoid exposing the full dashboard catalog
- Restrict browsing capabilities
- Maintain strict role-based access control

Having a dedicated "list" permission would make DASHBOARD_RBAC much more flexible and secure.

Thank you for considering this enhancement.

Best regards,
josh

GitHub link: https://github.com/apache/superset/discussions/38624
