GitHub user dosubot[bot] added a comment to the discussion: How to define row-level permissions (RLS) based on the chart dimension?
<!-- Greeting --> Hi @hpugs! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team. <!-- Answer --> Superset enforces row-level security (RLS) at the dataset (table) level, not at the chart or dimension level. This means any RLS filter you define will apply to all charts using that dataset, regardless of the chart's dimensions or configuration. There is no built-in way to set different RLS rules for different charts on the same dashboard if they use the same dataset—RLS is always tied to the dataset and user roles, not to individual charts or chart dimensions [source](https://github.com/apache/superset/discussions/32338). If you need different data scopes for different charts, the main workarounds are: create separate datasets with distinct RLS rules for each chart, use dynamic user attributes in your dataset SQL (with Jinja macros) for user-specific filtering, or implement custom frontend logic to hide charts based on access errors. These approaches have trade-offs and are not robust or officially supported [source](https://github.com/apache/superset/issues/33698). There is an active proposal (SIP-126) to add explicit viewer permissions for dashboards and charts, which could allow more granular access control in the future, but this feature is not yet available [source](https://github.com/apache/superset/issues/33698). If you need strict per-chart visibility, the only current option is custom frontend logic to hide or remove charts when access is denied, but this is not a built-in solution. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/031dbf46-109d-42fd-bf9c-e400d431263d?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/031dbf46-109d-42fd-bf9c-e400d431263d?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/031dbf46-109d-42fd-bf9c-e400d431263d?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/031dbf46-109d-42fd-bf9c-e400d431263d?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/031dbf46-109d-42fd-bf9c-e400d431263d?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/031dbf46-109d-42fd-bf9c-e400d431263d?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/031dbf46-109d-42fd-bf9c-e400d431263d?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github) [](https://cursor.com/link/prompt?text=Superset%20enforces%20row-level%20security%20%28RLS%29%20at%20the%20dataset%20%28table%29%20level%2C%20not%20at%20the%20chart%20or%20dimension%20level.%20This%20means%20any%20RLS%20filter%20you%20define%20will%20apply%20to%20all%20charts%20using%20that%20dataset%2C%20regardless%20of%20the%20chart%27s%20dimensions%20or%20configuration.%20There%20is%20no%20built-in%20way%20to%20set%20different%20RLS%20rules%20for%20different%20charts%20on%20the%20same%20dashboard%20if%20they%20use%20the%20same%20dataset%E2%80%94RLS%20is%20always%20tied%20to%20the%20dataset%20and%20user%20roles%2C%20not%20to%20individual%20charts%20or%20chart%20dimensions%20%5Bsource%5D%28https%3A//github.com/apache/superset/discussions/32338%29.%0A%0AIf%20you%20need%20different%20data%2 0scopes%20for%20different%20charts%2C%20the%20main%20workarounds%20are%3A%20create%20separate%20datasets%20with%20distinct%20RLS%20rules%20for%20each%20chart%2C%20use%20dynamic%20user%20attributes%20in%20your%20dataset%20SQL%20%28with%20Jinja%20macros%29%20for%20user-specific%20filtering%2C%20or%20implement%20custom%20frontend%20logic%20to%20hide%20charts%20based%20on%20access%20errors.%20These%20approaches%20have%20trade-offs%20and%20are%20not%20robust%20or%20officially%20supported%20%5Bsource%5D%28https%3A//github.com/apache/superset/issues/33698%29.%0A%0AThere%20is%20an%20active%20proposal%20%28SIP-126%29%20to%20add%20explicit%20viewer%20permissions%20for%20dashboards%20and%20charts%2C%20which%20could%20allow%20more%20granular%20access%20control%20in%20the%20future%2C%20but%20this%20feature%20is%20not%20yet%20available%20%5Bsource%5D%28https%3A//github.com/apache/superset/issues/33698%29.%0A%0AIf%20you%20need%20strict%20per-chart%20visibility%2C%20the%20only%20current%20option%20 is%20custom%20frontend%20logic%20to%20hide%20or%20remove%20charts%20when%20access%20is%20denied%2C%20but%20this%20is%20not%20a%20built-in%20solution.) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/discussions/36701) GitHub link: https://github.com/apache/superset/discussions/36701#discussioncomment-15276147 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
