In any business intelligence tool, security and access control play a critical role, especially when multiple users are involved. Apache Superset is no different. When you move from personal usage to a team-based environment, you need a structured way to decide:
· Who can view dashboards?
· Who can create reports or charts?
· Who can manage data sources and system settings?
This is where Users, Roles, and Groups come into play.
In this post, we will understand these three concepts in a very simple way so that even beginners can confidently set up access control in Superset for real-world use cases.
1. Why Access Control Matters in Apache Superset
When you install Apache Superset, you typically start with an admin user who has full control over everything. This is fine for learning or setup, but in real organizations, not everyone should have full access.
For example:
· A data analyst may only need to build dashboards
· A business user may only need to view dashboards
· A data engineer may manage datasets and connections
· An admin manages the entire system
Without proper access control, users might accidentally modify or delete important data or configurations. That’s why Superset provides a structured security system.
2. Core Security Concepts in Superset
Apache Superset security is built around three key concepts:
2.1 Users
A user is an individual person who logs into Superset.
Each user has:
· A username
· A password
· A profile
· Assigned roles and groups
Think of a user as a single account for a person.
How to Navigate to Users Screen?
Click on Settings -> List Users. This takes you to the Users listing page.
At the moment, only the admin user is configured, so this view shows only the admin details.
How to Add a New User?
Click on the Create User button (+ User) at the top right corner. You will be taken to the ‘Add User’ form.
Fill in all the necessary details and click on the Save button. For example, I created a user named krishna.
I gave the roles as Public and sql_lab. We will discuss roles in more detail in the next section.
Upon successfully saving the new user, you can see the details on the Users listing page.
3. Understanding Roles in Apache Superset
Roles are the foundation of access control in Apache Superset. If users are people, then roles define what those people are allowed to do.
Think of roles like job descriptions inside Superset:
· Viewer
· Dashboard Creator
· Admin
Each role is simply a collection of permissions.
3.1 Superset Built-in roles
Superset comes with built-in roles that are automatically maintained by the system. These roles are kept up-to-date internally.
If you manually change their permissions, your changes may be overwritten when you run the command 'superset init'.
This usually happens during:
· Upgrades
· Environment setup
· Configuration refresh
I suggest that you do NOT modify built-in roles directly. Instead, create custom roles if you need changes.
There are 5 built-in roles available in Apache Superset.
· Admin Role
· Alpha Role (Power Users)
· Gamma Role (Read-Heavy Users)
· SQL Lab Role (Query Access)
· Public Role (Anonymous Access)
a. Admin Role
The Admin role is the most powerful role in Superset. Admins can:
· Access everything
· Create, edit, and delete dashboards
· Manage users, roles, and permissions
· Configure databases and datasets
· Modify dashboards created by others
· Change system-level settings
From a security perspective, Admins are considered fully trusted users. That means:
· They can change how Superset behaves
· They can inject custom CSS or templates
· They can override security configurations
As a guideline, assign the Admin role very carefully and limit it to system owners or platform engineers.
b. Alpha Role (Power Users)
The Alpha role is designed for advanced users or analysts.
Alpha users can:
· Access all data sources
· Create and edit dashboards and charts
· Create and modify datasets
· Use most features of Superset
But they cannot:
· Manage users or roles
· Grant or revoke permissions
· Modify content owned by others (in some cases)
Think of Alpha users as "people who build analytics, but don’t manage the system."
c. Gamma Role (Read-Heavy Users)
The Gamma role is much more restricted. Gamma users can:
· View dashboards and charts
· Create their own charts (limited)
· Interact with filters
But they cannot:
· Access all datasets automatically
· Modify datasets
· Manage system configurations
Gamma users can only see the dashboards built on datasets they have access to.
d. SQL Lab Role (Query Access)
The sql_lab role provides access to SQL Lab, which is Superset's SQL editor. With this role, users can:
· Write SQL queries
· Explore data
· Save queries
· Create virtual datasets
But here’s a key point: access to SQL Lab ≠ access to all databases. Users still need explicit database permissions.
e. Public Role (Anonymous Access)
The Public role is designed for unauthenticated users (users who are not logged in).
This is commonly used for:
· Embedded dashboards
· Public dashboards
· External sharing
What Public Users Can Do:
· View dashboards
· Interact with filters
· Open shared links (permalinks)
· View chart annotations
What They Cannot Do:
· Create or edit anything
· Access SQL Lab
· Manage users or settings
· See most menus
3.2 How to Create a Custom Role in Apache Superset
Creating custom roles allows you to define exactly what users can and cannot do, instead of relying only on built-in roles.
Step-by-Step Guide
Go to Settings → List Roles.
This will open the page where all existing roles are listed.
Click on the "+ Role" (Create Role) button in the top-right corner. The Add Role form will appear. Enter a Role Name, select the required permissions (based on what access you want to give) and click on the Save button.
For example, I created a new role 'Data_Source_Manager' with the permissions related to datasources.
Upon saving the new role successfully, you can see the newly created role on the Roles listing page.
4. Groups
A group is a collection of users. Instead of assigning roles to each user one by one, you assign roles to a group and then add users to that group.
This makes management much easier in large teams.
Example
· Analytics Team Group
· Role: Dashboard Creator
· Users: Alice, Bob, Charlie
Now, when a new analyst joins, you just add them to the group. There is no need to configure roles again.
How to create a New Group?
Go to Settings -> List Groups.
This takes you to the Groups listing page.
Click on the +Group (Create Group) button at the top right corner to create a new group. It opens the 'Add Group' form.
Give the Group Name as DataSource-Managers, attach some roles to it and click on the Save button.
Upon saving the new group, you can see the group on the Groups listing page.
5. How These Components Work Together (Users → Groups → Roles → Permissions)?
At first glance, Users, Groups, and Roles may feel like separate pieces—but in Apache Superset they are designed to work as a chain. Understanding this chain is the key to managing access cleanly and at scale.
The Relationship in Simple Terms
· A User belongs to one or more Groups
· A Group is assigned one or more Roles
· A Role contains Permissions
So the flow becomes: Users → Groups → Roles → Permissions. Each layer adds structure and control.
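The chain above can be modelled in a few lines to answer the audit question "which route gives this user this permission?". This is an added illustration, not code from this post or from the Superset project: it does not call any Superset API, the permission strings are made-up labels, and krishna's membership in DataSource-Managers is an assumption.

```python
# Constructed sample data modelling Users -> Groups -> Roles -> Permissions.
# Permission strings are illustrative labels, not a dump from a real Superset instance.
ROLE_PERMS = {
    "Public": {"view dashboards"},
    "sql_lab": {"use SQL Lab", "save queries"},
    "Data_Source_Manager": {"edit datasets", "edit database connections"},
    "Admin": {"view dashboards", "use SQL Lab", "edit datasets", "manage users"},
}
GROUP_ROLES = {"DataSource-Managers": ["Data_Source_Manager"]}
USERS = {
    "admin": {"roles": ["Admin"], "groups": []},
    "krishna": {"roles": ["Public", "sql_lab"], "groups": ["DataSource-Managers"]},
}

def role_sources(user):
    """Map each effective role to the routes granting it ('direct' or 'group:<name>')."""
    entry = USERS[user]
    sources = {}
    for role in entry["roles"]:
        sources.setdefault(role, []).append("direct")
    for group in entry["groups"]:
        for role in GROUP_ROLES.get(group, []):
            sources.setdefault(role, []).append(f"group:{group}")
    return sources

def effective_permissions(user):
    """Union of the permissions of every role reached directly or through a group."""
    perms = set()
    for role in role_sources(user):
        perms |= ROLE_PERMS.get(role, set())
    return perms

def explain(user, permission):
    """(role, route) pairs that give the user this permission; empty means denied."""
    return sorted(
        (role, route)
        for role, routes in role_sources(user).items()
        if permission in ROLE_PERMS.get(role, set())
        for route in routes
    )

def holders(permission):
    """Users who end up with a permission by any route, for least-privilege review."""
    return sorted(u for u in USERS if permission in effective_permissions(u))

if __name__ == "__main__":
    print(sorted(effective_permissions("krishna")))
    print(explain("krishna", "edit datasets"))
    print(holders("manage users"))
```

Running `holders` for sensitive permissions is a quick way to spot access that arrived through a group rather than a direct role assignment.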
In summary, managing users, roles, and groups is a core part of using Apache Superset effectively in any real-world setup. Once you understand how these pieces fit together, you gain the ability to:
· Secure your dashboards so only the right people can view or edit them
· Control data access with precision, avoiding overexposure
· Scale easily as your team grows, without complex reconfiguration
· Reduce risks by following structured access control instead of ad-hoc permissions
In short, a well-designed access model transforms Superset from just a visualization tool into a secure, scalable, and enterprise-ready analytics platform.