
You're reading from Apache Superset Quick Start Guide

Product type: Book
Published in: Dec 2018
Reading level: Intermediate
ISBN-13: 9781788992244
Edition: 1st Edition
Author: Shashank Shekhar

Shashank Shekhar is a data analyst and open source enthusiast. He has contributed to Superset and pymc3 (the Python Bayesian machine learning library), and maintains several public repositories on machine learning and data analysis projects of his own on GitHub. He heads up the data science team at HyperTrack, where he designs and implements machine learning algorithms to obtain insights from movement data. Previously, he worked at Amino on claims data. He has worked as a data scientist in Silicon Valley for 5 years. His background is in systems engineering and optimization theory, and he carries that perspective when thinking about data science, biology, culture, and history.

User Authentication and Permissions

Superset's user management is defined using roles. Roles are templates of permission sets that can be applied on one or more users, and modified if required. They can be used to manage permissions for different types of Superset user. Data analysts might need permissions to build new charts and modify data sources, but some users might only need permissions to view specific dashboards. Separate user roles have to be applied to both types of user.

Alpha and gamma are the building blocks of user roles. With either of those templates, we can assign a custom set of permissions and save it as a new role. We can then create roles such as data analyst, DevOps engineer, business, and product manager and apply them to one or many users.

The superset init command that was executed to set up Superset synchronizes the definition of roles such as alpha...

Security features

Access to security features in Superset is available only to the admin user. The Security section provides tools for tracking every user action and login attempt, and for listing users and their permissions.

The user management system is built using the Flask-AppBuilder (fabmanager) framework. The list of permissions and views is inherited from the Flask-AppBuilder framework. Permissions and views are listed in the Views/Menus page of the Security section. A view represents many ways a user can interact with the web application. Each user has a specific set of permissions for actions that it can take when interacting with a web page or view. Viewing or deleting a dashboard are examples of actions.

Setting up OAuth Google sign-in

Flask-AppBuilder supports many authentication protocols. The default database authentication protocol allows the creation of new users by the admin. When creating the user, the admin sets a default password and shares it with the users along with their username. However, this is quite a cumbersome way to onboard new collaborators to your Superset web app.

The OAuth protocol allows the use of external authorization services such as Google, Facebook, and Twitter. Once any of these OAuth services are put in place, users can register and sign in themselves, without requiring any action by the admin. We will change the default database-based authentication to Google OAuth.

In the superset_config.py file, we can whitelist a set of emails that can register and log in to the web app. Suffix patterns can be used to allow all email addresses with the same...

List Users page

Admins have access to the Security section. As an admin, you will be able to access this page in the Security drop-down. It is a tool for editing permissions and roles assigned to any user. The admin has all the permissions, including the ability to alter users, data sources, charts, and dashboards. When new users register, they will appear on this page. Users with admin privileges can alter the permissions and roles for new users.

List Base Permissions page

This page has a list of permissions that can be applied on a view or menu. The current user has the admin role, and so has all the permissions on all the Views/Menus items in the Superset web app. The admin role gives permission to alter all charts, dashboards, data sources, and users. Gamma roles do not have permissions to alter any charts, dashboards, data sources, or users. But we can create customized roles that are assigned the gamma role with additional permissions on specific data sources. This will allow the new custom role to view charts on permitted data sources. They also have permission to create new charts on those data sources.

The alpha role gives permissions to view all charts and dashboards, alter all charts and dashboards, and alter data sources, but not to modify permissions for other users:

...

Views/Menus page

This page lists all Views/Menus available in the Superset web app. Admin users can assign permissions specific to each Views/Menus. In most production setups, fine-grained permissions for Views/Menus are not required:

List Permissions on Views/Menus pages

This page lists permissions, with the Views/Menus on which they can be used. When it is necessary to assign finer-grained permissions in customized user roles, this is a useful page from which to look up permissions:

Alpha and gamma – building blocks for custom roles

We will manage user permissions using alpha, gamma, and customized roles. In superset_config.py, only one email ID should be whitelisted for registration. We will need more Google accounts to register for testing different permissions. You can put in any regex pattern in the whitelist field. Suffixes such as @amino.com are commonly used to allow users from a specific email domain to register on the web app. If a Google account email address matches the pattern specified in whitelist, it will be able to register itself.
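Because the whitelist entries are regex patterns, a bare suffix such as @amino.com accepts more than the intended domain. The following added example (not code from the book or from Superset) compares a bare suffix with an anchored, escaped pattern; it assumes each pattern is applied to the email with an unanchored re.search, and the helper names and sample addresses are constructed for illustration.

```python
import re


def is_allowed(email, whitelist):
    """Assumed matching rule: allow if any pattern is found anywhere in the email."""
    return any(re.search(pattern, email) for pattern in whitelist)


def domain_pattern(domain):
    """Hypothetical helper: match only addresses whose domain is exactly `domain`."""
    # \A and \Z anchor the whole string; re.escape makes '.' a literal dot.
    return r"\A[^@\s]+@" + re.escape(domain) + r"\Z"


# Constructed sample addresses (not from the book).
SAMPLES = [
    "analyst@amino.com",              # the intended match
    "analyst@amino.com.example.net",  # other domain that merely contains the suffix
    "analyst@aminoXcom",              # unescaped '.' matches any character
    "analyst@sub.amino.com",          # subdomain, not the exact domain
    "analyst@example.org",            # unrelated domain
]

LOOSE = ["@amino.com"]                   # bare suffix used as a regex
STRICT = [domain_pattern("amino.com")]   # anchored and escaped


def accepted(whitelist):
    """Return the sample addresses that would be allowed to register."""
    return [email for email in SAMPLES if is_allowed(email, whitelist)]


if __name__ == "__main__":
    print("loose :", accepted(LOOSE))
    print("strict:", accepted(STRICT))
```

The string returned by domain_pattern is what would go into the whitelist list in superset_config.py in place of the bare suffix.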

We will modify superset_config.py so that a Google account with any email can register. Moving forward, new users will be assigned a Gamma role with no default permissions on any data source. In order to do that, we will modify two lines in the file:

# Modification 1
# Assigns Gamma role for new registered...

User Statistics page

This page shows the number of logins grouped by the registered username. This is a useful tool for admins to track usage. Administrators can use the filters in the following chart to see login counts for different sets of users:

Logins grouped by registered username

Action log

This page lists the activity for all registered users. This is a useful tool for monitoring user activity. Logs can be filtered by User, Action, Dashboard Id, dttm, and other fields:

Activity for all registered users

Summary

That's a wrap! We figured out how to allow new users to register on the Superset web app with their Google account. The OAuth configuration can be extended so that users with Facebook, Twitter, or GitHub accounts can also register and sign in easily. We explored many security tools available to the administrator, such as activity logs and User Statistics. Our current setup will support user management for collaborators who will need Alpha roles and SQL Lab access, so that they can add or alter data sources, make new charts and dashboards, or work in SQL Lab. Using the gamma role together with data source access permissions supports use cases for users who will only need to interpret charts and dashboards on specific data sources. For example, people in the finance team may only need the ability to view charts on finance-related data sources, while data analysts may need...
