GitHub user dosubot[bot] added a comment to the discussion: Multi-Tenant User management
To override the roles dropdown (used in the add/edit user modal) for tenant-based filtering—without disrupting other APIs and with FAB_ADD_SECURITY_API enabled—subclass the RoleRestAPI and override its get_list method. Register your subclass using FLASK_APP_MUTATOR so it only affects the roles endpoint.

Here’s a pattern you can use (Superset 5.x):

```python
# In custom_role_api.py (do not import this at module level in superset_config.py)
from flask import g
from superset.security.api import RoleRestAPI
from superset.extensions import security_manager
from superset.models.core import db
from sqlalchemy.orm import joinedload

class TenantRoleRestAPI(RoleRestAPI):
    def get_list(self, **kwargs):
        user_roles = [role.name for role in security_manager.get_user_roles(g.user)]
        query = db.session.query(self.datamodel.obj).options(
            joinedload("permissions"),
            joinedload("user")
        )
        # Example: restrict to "Tenant-user" if current user is "Tenant-manager"
        if "Tenant-manager" in user_roles:
            query = query.filter(self.datamodel.obj.name == "Tenant-user")
        # Continue with original pagination/filter logic
        # ... (copy rest of RoleRestAPI.get_list logic here, using your filtered query)
        # Or call super() if you want to apply additional filters
        # Note: as written, `query` is not passed to super().get_list(), so the
        # filter above takes effect only once the list logic is built on `query`.
        return super().get_list(**kwargs)
```

Then, in your `superset_config.py`:

```python
def FLASK_APP_MUTATOR(app):
    from custom_role_api import TenantRoleRestAPI
    appbuilder = app.appbuilder
    # Remove the default RoleRestAPI and register your override
    appbuilder.add_view_no_menu(TenantRoleRestAPI)
```

Make sure all imports and registration happen inside FLASK_APP_MUTATOR, not at the top level, to avoid Flask context errors. This pattern only overrides the roles listing endpoint and leaves other APIs untouched. You can expand the filtering logic for more complex multi-tenant scenarios as needed.

This approach is safe, modular, and upgrade-friendly as long as you keep your override logic in sync with upstream changes to RoleRestAPI.
[Reference: RoleRestAPI and registration](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/api.py) | [App init pattern](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/initialization/__init__.py)

GitHub link: https://github.com/apache/superset/discussions/33877#discussioncomment-13679617
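
An added example, not part of dosubot's comment or of Superset's code: the tenant rule from the answer written as a deny-by-default allow-list in plain Python, then reused to check a submitted role assignment, since the override above changes only the roles listing and leaves the other APIs untouched. `ASSIGNABLE_BY_ROLE`, `assignable_roles`, `rejected_assignments`, the `Admin` bypass and the sample role list are hypothetical names and constructed data; how they are wired into `get_list` or a user-write path is an assumption left to the deployment.

```python
# Added example: hypothetical names, no Superset imports, sample data constructed.
from typing import Iterable

ADMIN_ROLE = "Admin"  # assumption: this role may list and assign every role

# Assumption: which roles each managing role may list and hand out.
# "Tenant-manager" -> "Tenant-user" is the rule used in the answer above.
ASSIGNABLE_BY_ROLE: dict[str, frozenset[str]] = {
    "Tenant-manager": frozenset({"Tenant-user"}),
}


def assignable_roles(user_roles: Iterable[str], all_roles: Iterable[str]) -> set[str]:
    """Role names the caller may see in the dropdown (deny by default)."""
    held = set(user_roles)
    existing = set(all_roles)
    if ADMIN_ROLE in held:
        return existing
    allowed: set[str] = set()
    for role in held:
        allowed |= ASSIGNABLE_BY_ROLE.get(role, frozenset())
    # Never offer a name that is not an existing role.
    return allowed & existing


def rejected_assignments(user_roles: Iterable[str], requested: Iterable[str],
                         all_roles: Iterable[str]) -> set[str]:
    """Requested role names the caller is not allowed to assign.

    Uses the same policy as the listing so the two cannot drift apart;
    a non-empty result means the write should be refused.
    """
    return set(requested) - assignable_roles(user_roles, all_roles)


# Constructed sample data.
ALL_ROLES = ["Admin", "Alpha", "Gamma", "Tenant-manager", "Tenant-user"]

if __name__ == "__main__":
    manager = ["Tenant-manager"]
    print(sorted(assignable_roles(manager, ALL_ROLES)))
    print(sorted(rejected_assignments(manager, ["Tenant-user", "Admin"], ALL_ROLES)))
```

Keeping the listing filter and the write-side check on one function means a role hidden from the dropdown is also refused when it arrives in a request body.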