4

I am using the newest version of Superset, and it has the row-level security option in the UI. Can anyone help me or give me a little walkthrough of how I can implement it in the UI and use it? There is hardly any documentation.

TylerH
Aditya Verma

3 Answers

6

Row level security essentially works like a WHERE clause. Let's assume that we build a dashboard using a table called tbl_org that looks like:

manager_name    department  agent
Jim             Sales       Agent 1
Jim             Sales       Agent 2
Jack            HR          Agent 3
Jack            HR          Agent 4

Say, we need to show Jim only the rows/records where he is a manager on the dashboard when he logs in. The same for Jack. This is when RLS is useful.

The Superset UI provides three fields that need to be filled.

  1. Table: The table on which we want to apply RLS. In this case it would be tbl_org.
  2. Roles: The role or roles to which you want this rule to apply. Let's say we use the Gamma role.
  3. Clause: The SQL condition. The condition provided here gets applied to the WHERE clause when the query is executed to fetch data for the dashboard. So, for example, if you use the condition manager_name = 'Jim', this will result in the query: SELECT * from tbl_org where manager_name = 'Jim'

If you want to dynamically filter the table based on the user who logs in, you can use a Jinja template:

manager_name = '{{current_username()}}'

For this, the usernames created in Superset need to match the manager_name column in tbl_org.

steven
  • Will the row filter be applied to the dataset result (fetching the whole data from the database and filtering that result set), or will it be appended to the base query itself to fetch the data from the database? – Abdul Rasheed Dec 16 '22 at 10:15
  • 1
    Superset pushes the query down to the DB and then fetches the result – steven Jan 25 '23 at 12:47
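
The filter described in the answer above, as an added example that is not part of the original post and is not Superset's own code: a simplified model, using the standard-library sqlite3 module, of a role-scoped RLS clause being rendered per user and pushed into the query that reaches the database. The names RLS_RULES, render_clause, build_query and fetch_rows, the plain string substitution standing in for Jinja, and the quote doubling are assumptions of this sketch.

```python
import sqlite3

# Constructed sample data: the tbl_org table from the answer above.
ROWS = [("Jim", "Sales", "Agent 1"), ("Jim", "Sales", "Agent 2"),
        ("Jack", "HR", "Agent 3"), ("Jack", "HR", "Agent 4")]

# Hypothetical in-memory stand-in for one RLS rule: table, roles, clause.
RLS_RULES = [{"table": "tbl_org", "roles": {"Gamma"},
              "clause": "manager_name = '{{current_username()}}'"}]


def render_clause(clause, username):
    """Substitute the current_username() macro (stand-in for Jinja rendering).

    The value lands inside a SQL string literal, so this sketch doubles
    single quotes to keep an odd username from changing the predicate.
    """
    return clause.replace("{{current_username()}}", username.replace("'", "''"))


def build_query(table, username, user_roles):
    """Return the SQL that would be sent to the database for this user."""
    # Only rules whose roles overlap the user's roles apply (model assumption:
    # several matching rules are combined with AND).
    predicates = [f"({render_clause(r['clause'], username)})"
                  for r in RLS_RULES
                  if r["table"] == table and r["roles"] & set(user_roles)]
    sql = f"SELECT manager_name, department, agent FROM {table}"
    if predicates:
        sql += " WHERE " + " AND ".join(predicates)
    return sql


def fetch_rows(username, user_roles):
    """Run the filtered query; the database, not the client, drops the rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_org (manager_name TEXT, department TEXT, agent TEXT)")
    db.executemany("INSERT INTO tbl_org VALUES (?, ?, ?)", ROWS)
    try:
        return db.execute(build_query("tbl_org", username, user_roles)).fetchall()
    finally:
        db.close()


if __name__ == "__main__":
    # "Pat" has the role but matches no manager_name; "root" is outside the rule's roles.
    for user, roles in [("Jim", ["Gamma"]), ("Jack", ["Gamma"]),
                        ("Pat", ["Gamma"]), ("root", ["Admin"])]:
        print(user, roles, "|", build_query("tbl_org", user, roles))
        print("   ->", fetch_rows(user, roles))
```

In this model a Gamma user whose username matches no manager_name gets an empty result, and a user whose roles are not attached to the rule gets the unfiltered table, so the choice of roles on the rule matters as much as the clause.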
2

Row Level Security (RLS) allows an admin to force a WHERE predicate into the query SQL statement that is sent to the DB on the user's behalf.

This can be used to limit the query results to rows that explicitly meet or do not meet specific criteria, and as such, cause the list of rows returned to the user to be filtered. The criteria can be applied based on the target table(s) and user role(s).

TylerH
2

If you want [manager_name = '{{current_username()}}'] to make sense, you have to add ["ENABLE_TEMPLATE_PROCESSING": True] in config.py.

TylerH
YihengLiu