robdiciuccio commented on a change in pull request #11978:
URL: https://github.com/apache/incubator-superset/pull/11978#discussion_r541160067



##########
File path: docs/src/pages/docs/security-page.mdx
##########
@@ -4,19 +4,149 @@ title: Security
 route: /docs/security
 ---
 
-## Security
+### Roles
+
+Security in Superset is handled by Flask AppBuilder (FAB), an application 
development framework
+built on top of Flask.”. FAB provides authentication, user management, 
permissions and roles.
+Please read its [Security 
documentation](https://flask-appbuilder.readthedocs.io/en/latest/security.html).
+
+### Provided Roles
+
+Superset ships with a set of roles that are handled by Superset itself. You 
can assume
+that these roles will stay up-to-date as Superset evolves (and as you update 
Superset versions).
+
+Even though **Admin** users have the ability, we don't recommend that altering 
the
+permissions associated with each role (e.g. by removing or adding permissions 
to them). The permissions
+associated with each role will be re-synchronized to their original values 
when you run
+the **superset init** command (often done between Superset versions).
+
+### Admin
+
+Admins have all possible rights, including granting or revoking rights from 
other
+users and altering other people’s slices and dashboards.
+
+### Alpha
+
+Alpha users have access to all data sources, but they cannot grant or revoke 
access
+from other users. They are also limited to altering the objects that they own. 
Alpha users can add and alter data sources.
+
+### Gamma
+
+Gamma users have limited access. They can only consume data coming from data 
sources
+they have been given access to through another complementary role. They only 
have access to
+view the slices and dashboards made from data sources that they have access 
to. Currently Gamma
+users are not able to alter or add data sources. We assume that they are 
mostly content consumers, though they can create slices and dashboards.
+
+Also note that when Gamma users look at the dashboards and slices list view, 
they will
+only see the objects that they have access to.
+
+### sql_lab
+
+The **sql_lab** role grants access to SQL Lab. Note that while **Admin** users 
have access
+to all databases by default, both **Alpha** and **Gamma** users need to be 
given access on a per database basis.
+
+### Public
+
+Using this role, you can allow logged-out users to access some Superset 
features.
+
+By setting `PUBLIC_ROLE_LIKE_GAMMA = True` in your `superset_config.py` file, 
you grant
+public role the same set of permissions as for the **Gamma** role. This is 
useful if one
+wants to enable anonymous users to view dashboards. Explicit grant on specific 
datasets is
+still required, meaning that you need to edit the **Public** role and add the 
public data sources to the role manually.
+
+### Managing Data Source Access for Gamma Roles
+
+Here’s how to provide users access to only specific datasets. First make sure 
the users with
+limited access have [only] the Gamma role assigned to them. Second, create a 
new role (Menu -> Security -> List Roles) and click the + sign.
+
+This new window allows you to give this new role a name, attribute it to users 
and select the
+tables in the **Permissions** dropdown. To select the data sources you want to 
associate with this role, simply click on the dropdown and use the typeahead to 
search for your table names.
+
+You can then confirm with users assigned to the **Gamma** role that they see 
the
+objects (dashboards and slices) associated with the tables you just extended 
them.
+
+### Customizing Permissions
+
+The permissions exposed by FAB are very granular and allow for a great level of
+customization. FAB creates many permissions automagically for each model that 
is
+created (can_add, can_delete, can_show, can_edit, …) as well as for each view.
+On top of that, Superset can expose more granular permissions like 
**all_datasource_access**.
+
+**We do not recommend altering the 3 base roles as there are a set of 
assumptions that
+Superset is built upon**. It is possible though for you to create your own 
roles, and union them to existing ones.
+
+### Permissions
+
+Roles are composed of a set of permissions, and Superset has many categories of
+permissions. Here are the different categories of permissions:
+
+- Model & Action: models are entities like Dashboard, Slice, or User. Each 
model has
+a fixed set of permissions, like **can_edit**, **can_show**, **can_delete**, 
**can_list**, **can_add**,
+and so on. For example, you can allow a user to delete dasdhboards by adding 
**can_delete** on
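
Review bot: In the Public section, the `PUBLIC_ROLE_LIKE_GAMMA = True` paragraph says the public role gets "the same set of permissions as for the **Gamma** role", while the Gamma section says Gamma users "can create slices and dashboards", yet the only use case the paragraph names is viewing dashboards. Please state explicitly what logged-out users can do beyond viewing once this flag is set, and that any data source added to the **Public** role becomes readable without login. Smaller points in the same hunk: "built on top of Flask.”." has a stray closing quote and a doubled period; "we don't recommend that altering the permissions" should read "we don't recommend altering the permissions"; "[only] the Gamma role" should drop the brackets; and "the 3 base roles" under Customizing Permissions should name the three, since five roles (Admin, Alpha, Gamma, sql_lab, Public) are listed above.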

Review comment:
       Typo: dasdhboards




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
