amitNielsen opened a new issue #10408: URL: https://github.com/apache/incubator-superset/issues/10408
## [SIP] Proposal for Dashboard Access Permissions ### Motivation As a dashboard provider in an organisation with many subgroups inside I need the ability manage user access to dashboards and different levels of permissions(Viewer,Editor) ### Proposed Change Create permissions for each dashboard with the format "dashboard (viewer/editor) access on dashboard_title [dashboard_id]" The name of the permission is updated if the dashboard title is changed. Add a dashboard permission to a role via the Edit Role form, or, for convenience, add a role to a dashboard via the Edit Dashboard form. The permissions "all_dashboard_viewer_access" and "all_dashboard_editor_access" is added to Admin, Alpha, and Gamma roles. To allow private dashboards, remove "all_dashboard_access" from a role. This role will then only have access to the dashboards specified. Add a dashboard's permission to a role to "publish" it. Note that these permissions do not apply to slices. To make the data in a dashboard truly private, use dashboard permissions with a read only role that has no slice/explore access. ####**FAB permission view mechanism** Use **FAB permission view** mechanism to have new permissions named **dashboard read/edit access** and for every dashboard there would be a matching **view_menu** instance that can be used a permission_view and be assigned into Roles: [](https://mermaid-js.github.io/mermaid-live-editor/#/edit/eyJjb2RlIjoiZ3JhcGggVERcblx0QVtkYXNoYm9hcmQgaW5zdGFuY2VdIC0tPnxoYXMgYSBtYXRjaGluZ3wgQihhYl92aWV3X21lbnUpXG5cdEIgLS0-IHxmb3JtIHRvZ3RoZXJ8IEN7cGVybWlzc2lvbl92aWV3fVxuICAgIERBW2Rhc2hib2FyZCByZWFkIGFjY2Vzc10tLT58aW5zdGFuY2Ugb2Z8IGFiX3Blcm1pc3Npb25cblx0REVBW2Rhc2hib2FyZCBlZGl0IGFjY2Vzc10tLT58aW5zdGFuY2Ugb2Z8IGFiX3Blcm1pc3Npb25cbiAgICBhYl9wZXJtaXNzaW9uIC0tPiB8Zm9ybSB0b2d0aGVyfCBDe2FiX3Blcm1pc3Npb25fdmlld 31cblx0QyAtLT58dXNlZCBpbnwgRFthYl9wZXJtaXNzaW9uX3ZpZXdfcm9sZV0iLCJtZXJtYWlkIjp7InRoZW1lIjoiZGVmYXVsdCJ9fQ) Users will be validated with the necessary permissions when fetching dashboards(specific or list) and will be rejected if they don't have them #### dashboard edit access (UI & BE)  *edit dashboard button* will be hidden if user doesn't have edit access for the requested dashboard save dashboard endpoints will also validate for permissions ### New or Changed Public Interfaces #### the following endpoints logic will need to validate dashboard viewer/editor access BaseSupersetView <-- Dashboard endpoints: GET dashboard/new/ - create new empty dashboard SupersetModelView <-- DashboardModelView endpoints: GET /dashboard/list, get all dashboards BaseSupersetView <-- Superset endpoints: POST dashboad/save_dash/{} , POST GET /dashboard/{}/published GET /dashboard/{} - get specific dashboard BaseSupersetModelRestApi <-- DashboardResetApi endpoints POST,PUT,DELETE,GET /api/v1/dashboard/ ### New dependencies none ### Migration Plan and Compatibility create relevant permissions for all existing dashboards assign "all_dashboard_viewer_access" and "all_dashboard_editor_access" to Admin, Alpha, and Gamma roles ### Rejected Alternatives none ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
