Defining RBACs in Superset

Describes role-based access controls (RBACs) with respect to Superset in HPE Ezmeral Unified Analytics Software and how to define RBACs to permit access to Superset dashboards.

Role-based access controls (RBACs) are an authorization system based on policies, user roles, and bindings between the roles and policies that protect resources. With the introduction of RBAC, HPE Ezmeral Unified Analytics Software maps the HPE Ezmeral Unified Analytics Software admin and member roles to Superset Admin and Alpha roles respectively.

The following user role mapping is defined in the Superset HELM chart (YAML file):

TIP

You cannot edit the role mappings in the HELM chart.

User Type	Mapping Parameter
Admin	AUH_ROLE_ADMIN = 'Admin'
Member	AUTH_USER_REGISTRATION_ROLE = "Alpha"

Admin Role (Admin)

The following list describes admin access and the admin-related tasks that impact users in Superset:

Admins can edit (add or remove) roles in the Superset UI.
Admins can change a member's role in HPE Ezmeral Unified Analytics Software to admin.
Admins can view all user activity and data, including all dashboards created by all users, as well as all of the data in the dashboards.
Admins can access the security settings in Superset, such as viewing user profiles, including user roles and access controls.
Admins can edit a user in Superset and change the user's roles.

Member Role (Alpha)

The following list describes Superset access for members (Alpha):

Members can create their own database connections in Superset.
Members can view charts and datasets created by other users, but cannot view dashboards unless explicitly permitted to do so.
Members can access dashboards they create (as owner) and dashboards that other users have shared with them (added to dashboard owner list).
NOTE
Access to a dashboard does not grant access to data. The user must have permission on the data itself to view the data in a dashboard. If the user does not have access to certain data, that data does not display in their view of the dashboard.
Members cannot see the Superset security settings, such as user roles and access permissions.

CAUTION

HPE only supports user role changes made through the HPE Ezmeral Unified Analytics Software UI. Role changes made in HPE Ezmeral Unified Analytics Software are automatically propagated to Superset. HPE does not support role changes made directly in Superset because the changes do not propagate back to HPE Ezmeral Unified Analytics Software, which can cause unexpected system behaviors.

System and Application Notes

Note the following system and application behaviors:

Users (members and admins) do not appear in the Superset user list until they sign in to Superset. If a user has not signed in to Superset, other users cannot share anything with that user, such as dashboards.
When a user is removed from the HPE Ezmeral Unified Analytics Software platform, the user's Superset profile remains. Apache Superset recommends deactivating the user instead of removing the user from Superset.
If a user was removed and then added back to the HPE Ezmeral Unified Analytics Software platform (registered with the same username and email), the user's Superset access is automatically restored to the user's original Superset profile and all related resources.

Supported Access Controls

HPE Ezmeral Unified Analytics Software supports the following access controls in Superset:

Admin
Public
Alpha
Gamma
granter
sql_lab

Sharing Dashboards

To share a dashboard:

Sign in to HPE Ezmeral Unified Analytics Software.
In the left navigation bar, go to Tools & Frameworks.
On the Data Engineering tab, click Open in the Superset tile.
Click the Dashboards tab.
In the Actions column of the dashboard you want to share, select Edit (pencil icon).
Under Access, click into the field and select the roles you want to assign the user. Alternatively, you can also remove roles from the user.

Viewing Role Descriptions

To see the access a role permits:

Sign in to HPE Ezmeral Unified Analytics Software.
In the left navigation bar, go to Tools & Frameworks.
On the Data Engineering tab, click Open in the Superset tile.
Go to Settings and select List Roles.
Click Show record (magnifying glass icon) next to a role to view the role description.

Viewing and Editing Access Controls on Users

To view the access controls on a user or edit access controls on a user:

Sign in to HPE Ezmeral Unified Analytics Software.
In the left navigation bar, go to Tools & Frameworks.
On the Data Engineering tab, click Open in the Superset tile.
Go to Settings and select List Users.
(Optional) To edit the user's role(s), click the edit icon next to the username and then add or remove roles using the dropdown menu in the Role field.

HPE Ezmeral Unified Analytics Software 1.5 Documentation
Abstract	HPE Ezmeral Unified Analytics Software is a usage-based Software-as-a-Service (SaaS) model that operationalizes hybrid and multi-cloud modern analytical workloads through a simple user interface, easily installed and deployed in minutes. HPE Ezmeral Unified Analytics Software separates compute and storage for flexible, cost-efficient scalability to securely access data stored in multiple data platforms, enabling you to run traditional and advanced analytics workloads with open-source tools.
Published	November 2024
Edition	1.5.0