GitHub user dosubot[bot] added a comment to the discussion: Use of Groups in version 6.0.0
<!-- Answer --> Superset 6.0.0 does not natively support a tenant admin role that can manage users only within their own group—user and group management is restricted to global admins in both the UI and API by default [source](https://github.com/apache/superset/blob/master/superset/security/manager.py) [source](https://github.com/apache/superset-frontend/src/pages/UsersList/index.tsx). However, there is a documented workaround: you can implement a custom RoleApi subclass that filters user and role management actions based on the current user's roles or groups, so tenant admins only see and manage users in their own group. This requires custom backend code and registration in superset_config.py using the FLASK_APP_MUTATOR hook. It only affects the `/api/v1/security/roles/` endpoint and requires `FAB_ADD_SECURITY_API` to be enabled [details & example](https://github.com/apache/superset/discussions/33877). UI access for tenant admins is not available out-of-the-box and would need further customization. Let me know if you want more details or code samples for the workaround. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/ec96b67b-4447-494a-9001-5a4dd3641547?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/ec96b67b-4447-494a-9001-5a4dd3641547?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/ec96b67b-4447-494a-9001-5a4dd3641547?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/ec96b67b-4447-494a-9001-5a4dd3641547?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/ec96b67b-4447-494a-9001-5a4dd3641547?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/ec96b67b-4447-494a-9001-5a4dd3641547?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/ec96b67b-4447-494a-9001-5a4dd3641547?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github) [](https://cursor.com/link/prompt?text=Superset%206.0.0%20does%20not%20natively%20support%20a%20tenant%20admin%20role%20that%20can%20manage%20users%20only%20within%20their%20own%20group%E2%80%94user%20and%20group%20management%20is%20restricted%20to%20global%20admins%20in%20both%20the%20UI%20and%20API%20by%20default%20%5Bsource%5D%28https%3A//github.com/apache/superset/blob/master/superset/security/manager.py%29%20%5Bsource%5D%28https%3A//github.com/apache/superset-frontend/src/pages/UsersList/index.tsx%29.%0A%0AHowever%2C%20there%20is%20a%20documented%20workaround%3A%20you%20can%20implement%20a%20custom%20RoleApi%20subclass%20that%20filters%20user%20and%20role%20management%20actions%20based%20on%20the%20current%20user%27s%20roles%20or%20groups%2C%20so%20tenant%20admins%20only%20see%20and%2 0manage%20users%20in%20their%20own%20group.%20This%20requires%20custom%20backend%20code%20and%20registration%20in%20superset_config.py%20using%20the%20FLASK_APP_MUTATOR%20hook.%20It%20only%20affects%20the%20%60/api/v1/security/roles/%60%20endpoint%20and%20requires%20%60FAB_ADD_SECURITY_API%60%20to%20be%20enabled%20%5Bdetails%20%26%20example%5D%28https%3A//github.com/apache/superset/discussions/33877%29.%0A%0AUI%20access%20for%20tenant%20admins%20is%20not%20available%20out-of-the-box%20and%20would%20need%20further%20customization.%20Let%20me%20know%20if%20you%20want%20more%20details%20or%20code%20samples%20for%20the%20workaround.) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/discussions/36947) GitHub link: https://github.com/apache/superset/discussions/36947#discussioncomment-15432188 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
