GitHub user dosubot[bot] added a comment to the discussion: How to create a sub-admin role that can manage users and roles but only see specific datasets?
You can create a sub-admin role in Superset that manages users and roles but only sees specific datasets by customizing role permissions. Superset’s RBAC system lets you assign user/role management permissions (like "List Users", "List Roles", "update_roles_users", "can_update_role") to a custom role, but these are tightly coupled with admin-only permissions and view menus by default. To restrict data access, assign only the necessary "database_access", "schema_access", or "datasource_access" permissions for the datasets you want the sub-admin to see. This way, the sub-admin can manage users and roles but will only be able to view or modify explicitly authorized datasets, not others or dashboards owned by full admins ([source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py)).

For more granular control (like limiting which users/roles appear in dropdowns or can be assigned), you may need to extend `SupersetSecurityManager` via the `CUSTOM_SECURITY_MANAGER` config option or use `EXTRA_RELATED_QUERY_FILTERS` in `superset_config.py` to filter users and roles in the UI ([discussion](https://github.com/apache/superset/discussions/33877)). Be aware that you might need to customize both backend and frontend logic to fully enforce these restrictions.

In summary: create a custom role, assign it the admin-only permissions for user/role management, and only the data access permissions for the specific datasets you want visible. This achieves a restricted administrator profile as described.

GitHub link: https://github.com/apache/superset/discussions/35772#discussioncomment-14740402
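An added example, not part of the comment above or of the Superset code base: a standard-library check that a sub-admin role's data grants stay within a dataset allowlist. The `audit_role` helper, the sample role, and the `[database].[table](id:N)` view-menu format are assumptions for illustration; feed it the (permission, view menu) pairs exported from your own instance.

```python
import re

# Superset permissions that open every database, dataset or query at once.
GLOBAL_DATA_PERMS = {"all_database_access", "all_datasource_access", "all_query_access"}
# Grants on a container: they cover every dataset inside that database or schema.
CONTAINER_PERMS = {"database_access", "schema_access"}
# Assumed view-menu naming for a dataset grant: [database].[table](id:N)
DATASET_VM = re.compile(r"^\[(?P<db>.+?)\]\.\[(?P<table>.+)\]\(id:(?P<id>\d+)\)$")


def audit_role(pvms, allowed_datasets):
    """Return (permission, view_menu, reason) for data grants beyond the allowlist.

    pvms: iterable of (permission_name, view_menu_name) pairs held by the role.
    allowed_datasets: set of (database, table) tuples the sub-admin may see.
    User/role management permissions are ignored; only data access is audited.
    """
    findings = []
    for perm, vm in pvms:
        if perm in GLOBAL_DATA_PERMS:
            findings.append((perm, vm, "grants access to all data objects"))
        elif perm in CONTAINER_PERMS:
            findings.append((perm, vm, "covers every dataset in this container"))
        elif perm == "datasource_access":
            m = DATASET_VM.match(vm)
            if m is None:
                findings.append((perm, vm, "unparseable dataset name"))
            elif (m["db"], m["table"]) not in allowed_datasets:
                findings.append((perm, vm, "dataset not on allowlist"))
    return findings


# Constructed sample: a hypothetical sub-admin role, not from a real instance.
SAMPLE_ROLE = [
    ("menu_access", "List Users"),
    ("menu_access", "List Roles"),
    ("datasource_access", "[examples].[sales](id:12)"),
    ("datasource_access", "[examples].[payroll](id:31)"),
    ("schema_access", "[examples].[finance]"),
    ("all_datasource_access", "all_datasource_access"),
]
ALLOWED = {("examples", "sales")}

if __name__ == "__main__":
    for perm, vm, reason in audit_role(SAMPLE_ROLE, ALLOWED):
        print(f"{perm:24} {vm:32} {reason}")
```

An empty result means the role's data access is limited to the allowlisted datasets; any finding is a grant to remove or to justify explicitly.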
