villebro commented on issue #10408: URL: https://github.com/apache/incubator-superset/issues/10408#issuecomment-742440029
> > > I partially misspoke earlier, currently there are no access controls explicitly at the dashboard level, it's merely a series of [rules](https://github.com/apache/incubator-superset/blob/e4ffaecc72afb706a31d66d626e3c15c94b3a995/superset/views/dashboard/filters.py#L33-L36).
> > > I do think the community needs to collectively decide whether security should be at i) the datasource level (either Superset datasource or the underlying database, schema, etc.), the ii) chart/dashboard level, or iii) a combination of both (i) and (ii). Currently it's (i) (for right or wrong) and aspects of dashboard level access could be achieved by row level access and/or dashboard specific Superset datasources. There is additional overhead with this approach, however it's simpler to grok, the access patterns are likely more secure (people could exploit dashboard level access controls), and doesn't require additional logic or development of request/approval/management flow.
> >
> > there is a IV) option which is co-existing (i) or (ii), depending whether the feature flag is off or on
>
> I'm a strong believer that feature flags should only be used for experimental features, not something we will support in the long term. If we find value in one way or the other, we should just make one of them the default and clean up the other.
>
> In this case, I don't see why we can't add the dashboard-level access on top of the dataset access control.

The way I see it this will be implemented as a config flag, so one can choose to use datasource and/or dashboard access control, defaulting to the current datasource option.
