GitHub user DafaWiratama created a discussion: Granular Dataset-Level User
Sharing
**Is your feature request related to a problem? Please describe.**
Currently, Superset’s RBAC security model creates friction when a user simply
wants to share a specific dataset with a specific colleague. An admin has to
create a custom role just for that dataset and assign it to the target user,
which doesn't scale well for ad-hoc sharing.
**The Enterprise Use Case:**
In large enterprise environments, there is often a massive gap between a small
central admin/IT team and thousands of business users. When a data domain owner
creates a curated dataset, they need to share it directly with specific
analysts to promote self-serve data analytics.
Because dataset sharing currently requires a centralized admin to create and
assign custom FAB roles, a severe bottleneck forms. This friction often leads
to negative workarounds: either admins over-permission users (e.g., granting
access to entire databases just to share one table), or users export data to
CSVs to share offline (creating shadow IT and breaking data governance).
Granular, in-platform data sharing is required to keep exploration secure,
decentralized, and moving at the speed of the business without overwhelming the
admin team.
**Describe the solution you'd like**
I have built a working prototype for **Dataset-Level Sharing**. This feature
allows users with appropriate permissions to share a dataset directly with
specific users via the UI.
**Implementation Details:**
The implementation spans the frontend, backend APIs, and the Flask-AppBuilder
(FAB) security manager:
1. **Frontend UI & Components:** * Adds a new "Share" action to the Dataset
`ListView`.
* Introduces a `DatasetShareModal` that allows selecting users via asynchronous
search with `Can View` (read-only) or `Can Share` (read and share) access
levels.
* Adds an "Exposure" tab (`RoleTable`) to visualize exactly which users and
roles currently have access to the dataset.
* Enhances `ListView` filter components to support `required` props and
`initialFilters`.
2. **Backend API & Business Logic:** * Adds new RESTful endpoints: `GET` and
`PUT` to `/api/v1/dataset/<pk>/share`.
* Encapsulates the business logic inside new command objects
(`ShareDatasetCommand` and `GetDatasetShareCommand`) to adhere to Superset's
backend architecture.
3. **Security Manager & FAB Integration:** * Introduces a new
`can_share_dataset` base permission.
* Adds `dataset_share` to the `OBJECT_SPEC_PERMISSIONS`.
* **User-to-Dataset Mapping:** To achieve 1:1 user sharing without altering the
database schema, the logic dynamically provisions targeted FAB roles (e.g.,
`.user-role-binding-{user.id}`).
* It assigns the dataset's `datasource_access` (for Viewers) and
`dataset_share` (for Sharers) Permission View Menus (PVMs) to these specific
roles.
* Hooks into SQLAlchemy events (`after_insert`, `after_update`, `after_delete`)
to keep the PVMs perfectly in sync with dataset lifecycle changes.
**Describe alternatives you've considered**
Relying entirely on standard RBAC for everything, but as mentioned in the
enterprise use case, this requires admin intervention for every ad-hoc dataset
share, which slows down collaboration and encourages risky data-exporting
behaviors.
**Next Steps**
I have the frontend UI, API structure, and security layer ready and working
locally. I would love to contribute this feature upstream! Let me know if the
core team is open to this functionality, and I would be happy to open a Pull
Request for review.
GitHub link: https://github.com/apache/superset/discussions/40337
----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
