Permissions to limit user list for 'Owner', 'Created by' dropdown - Filters and Search #18299
Replies: 8 comments 5 replies
-
The issue here is that permissions are not at the row level. So a user either has a permission to fetch a list of users or not. You might be able to achieve what you need using row level security.
-
Thanks for the suggestion @nytai. I actually did try that approach but it did not work. The user information is stored in the ab_user table and I'm not able to access it for RLS filter. I'm logged in as admin.
-
Just wanted to check if 1.2 addresses this.
-
This behavior is indeed the same in 1.2 - the dropdowns here expose all users to any other user that visits the dashboards list. This lack of control is unfortunate, as it prevents this feature (and features like it #15066) from being usable in a multi-tenant context (without forking/workarounds), where some groups of users and datasources should not be exposed to each other.
-
Thanks @russmatney. I was hoping it was addressed and the upgrade will be less painful. I know there were front end changes from 1.1.0 to 1.2 so I won't be able to just overwrite files that I had to update in 1.1.0. :/
-
Hi @etadelta222, have you figured this out?
-
I would like to resurrect this thread if possible - we are running into the same issue. Has there been any progress on supporting this since 2021 or would creating our own fork be the only option as of now?
-
I think you are looking for the EXTRA_RELATED_QUERY_FILTERS option. Have a look at the summary of this PR #29287 for an example on how to configure this.
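One way to use the EXTRA_RELATED_QUERY_FILTERS option named in the comment above, as an added example that is not part of the thread and is not taken from PR #29287. It assumes a Superset version that ships this option and that the callback registered under the "user" key receives the SQLAlchemy query for the user model and returns a filtered query; the policy (non-admins see only themselves) and the function names are illustrative.

```python
# superset_config.py -- added example, not code from the Superset project.
# Assumption: the callback under the "user" key is called with the SQLAlchemy
# Query that feeds user dropdowns (Owners, Created by) and must return a Query.


def is_admin(user) -> bool:
    """True when the user holds Superset's built-in Admin role."""
    return any(role.name == "Admin" for role in getattr(user, "roles", []))


def restrict_related_users(query, *args, **kwargs):
    """Limit user dropdowns to the requesting user unless they are an Admin."""
    # Imported lazily: superset_config.py is loaded before the app exists,
    # so a module-level "from superset import ..." would be circular.
    from flask import g
    from superset import security_manager

    user_model = security_manager.user_model
    user = getattr(g, "user", None)

    # Fail closed: with no authenticated identity, return no rows at all.
    # The primary key is never NULL, so this predicate matches nothing.
    if user is None or getattr(user, "is_anonymous", True):
        return query.filter(user_model.id.is_(None))

    # Admins keep the full list so they can still reassign ownership.
    if is_admin(user):
        return query

    # Everyone else only ever sees their own row in the dropdown.
    return query.filter(user_model.id == user.id)


EXTRA_RELATED_QUERY_FILTERS = {"user": restrict_related_users}
```

This narrows what the related-users endpoint returns on the server side, so the restriction holds even when the API is called directly rather than through the dashboard list UI.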
-
Our organization has external users who have access to dashboards specifically designed for them. We are running an older version of Superset and upgrading to 1.1.0. In the new version the UI has filter and search capabilities on the dashboard page (referenced here).
Even though the user accessing the dashboard only has access to their dashboard, the dropdown lists for 'Owners' and 'Created By' display ALL users. This is an issue since we don't want external users to be able to see other users.
Since we are restricting the user access to specific dashboards using roles and permissions, a new permission to hide the filters altogether would be ideal.
Current options:
The values are being populated by calling the /dashboard/related/[column_name] API. We would have to pass in a query parameter to only show the current user, OR based on user/role only show 'All' as the default value, OR hide 'Owners' and 'Created By'.
superset/superset-frontend/src/views/CRUD/dashboard/DashboardList.tsx
Line 386 in 74473e2
I've asked about this in the Apache Superset Slack workspace and have not had any luck. Please let me know if I can provide any additional information.