GitHub user dosubot[bot] added a comment to the discussion: Apache Superset 6.0: Migration from Iframe Embedding to the Embedded SDK (@superset-ui/embedded-sdk)
Great questions! Here are the best practices based on Superset's documentation and community experience:

**1. Role Selection: Create a Custom Dedicated Role**

The recommended approach is to create a custom "EmbedGuest" role via [`GUEST_ROLE_NAME`](https://github.com/apache/superset/discussions/33674#discussioncomment-13358282), not inherit from Gamma or Public:

```python
GUEST_ROLE_NAME = "EmbedGuest"
```

Important: [Superset ignores any roles specified in the guest_token payload](https://github.com/apache/superset/discussions/35670#discussioncomment-14695540) and always uses the role from `GUEST_ROLE_NAME`.

**2. Why NOT Gamma or Public?**

- **Public**: [If `GUEST_ROLE_NAME` isn't set, both unauthenticated users and guest-token users share Public permissions](https://github.com/apache/superset/discussions/33674#discussioncomment-13358282)—a security risk.
- **Gamma**: Contains excessive permissions (SQL Lab, export, editing) that embedded viewers shouldn't have.

**3. Minimum Viable Permissions for Public Role: ZERO**

For your Zero-Trust model, the Public role should have **no permissions**. The SDK bootstrap uses your custom guest role, not Public. [Manual changes to Public are overwritten on `superset init` or upgrade](https://github.com/apache/superset/discussions/37660#discussioncomment-15691832).

For your **EmbedGuest** role, [grant only these permissions](https://github.com/apache/superset/issues/36377#issuecomment-3605175485):

- `can_read`, `can_list`, `can_get` on Dashboard, Chart, Dataset, Database
- `can dashboard`, `can explore json` on Superset
- [`can log` on Superset](https://github.com/apache/superset/issues/36186) (often missed—required for `/superset/log`)
- [`can time range` on Api](https://github.com/apache/superset/issues/35073#issuecomment-3271818494) (required for time filters)

**4. Session Bleed: Known Limitation**

Yes, this is a [known issue](https://github.com/apache/superset/discussions/35231#discussioncomment-15065066). [There's no built-in way to isolate session cookies by path for different auth flows under the same domain](https://github.com/apache/superset/discussions/35231#discussioncomment-15065066).

**Workarounds:**

- Use **separate subdomains** for admin UI vs embedded dashboards
- Use separate browsers/incognito for testing
- Pick one auth flow per browser context

**Cookie settings for cross-origin embedding:**

```python
SESSION_COOKIE_SAMESITE = "None"
SESSION_COOKIE_SECURE = True  # Required with SameSite=None
SESSION_COOKIE_HTTPONLY = True
```

**Bonus tip for RLS**: In Superset 5.0+, [the `username` field in guest tokens MUST be non-empty](https://github.com/apache/superset/discussions/36494#discussioncomment-15222071)—empty usernames cause RLS rules to fail silently.

Let me know if you'd like a complete production config example or help troubleshooting specific 403 errors!
GitHub link: https://github.com/apache/superset/discussions/38461#discussioncomment-16019303
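The settings the comment lists (a dedicated `GUEST_ROLE_NAME`, `SameSite=None` only together with `Secure`, a minimal permission set on the guest role, and a non-empty `username` in the guest token) are easy to get wrong one at a time. The following is an added example, not code from the discussion or from the Superset project: a small pre-flight check that lints a `superset_config`-style dict for those settings, diffs a role's `(permission, view_menu)` pairs against the minimal set quoted above, and refuses to build a guest-token payload with an empty username. The function names, the constructed sample configs and the payload shape (`user`, `resources`, `rls` keys as accepted by Superset's `/api/v1/security/guest_token/`) are assumptions of this example.

```python
"""Pre-flight checks for Superset embedded-SDK settings (added example)."""
from __future__ import annotations

# Minimal guest-role permissions as listed in the comment above, expressed as
# (permission, view_menu) pairs so a role export can be diffed against them.
MINIMAL_GUEST_PERMS: set[tuple[str, str]] = {
    (perm, view)
    for view in ("Dashboard", "Chart", "Dataset", "Database")
    for perm in ("can_read", "can_list", "can_get")
} | {
    ("can dashboard", "Superset"),
    ("can explore json", "Superset"),
    ("can log", "Superset"),       # needed for /superset/log
    ("can time range", "Api"),     # needed for time filters
}


def lint_embed_config(cfg: dict) -> list[str]:
    """Return findings for an embedding config; an empty list means nothing was flagged."""
    findings: list[str] = []
    role = cfg.get("GUEST_ROLE_NAME")
    if not role:
        findings.append("GUEST_ROLE_NAME unset: guest-token users fall back to the Public role")
    elif role in ("Public", "Gamma"):
        findings.append(f"GUEST_ROLE_NAME={role!r}: use a dedicated embed role instead")
    # Browsers drop a SameSite=None cookie that is not also marked Secure.
    if cfg.get("SESSION_COOKIE_SAMESITE") == "None" and not cfg.get("SESSION_COOKIE_SECURE"):
        findings.append("SESSION_COOKIE_SAMESITE='None' requires SESSION_COOKIE_SECURE=True")
    if not cfg.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append("SESSION_COOKIE_HTTPONLY disabled: session cookie readable by page scripts")
    return findings


def diff_guest_role_perms(granted: set[tuple[str, str]]) -> dict[str, set[tuple[str, str]]]:
    """Compare a role's granted (permission, view_menu) pairs with the minimal set."""
    return {
        "missing": MINIMAL_GUEST_PERMS - granted,   # embed will 403 somewhere
        "extra": granted - MINIMAL_GUEST_PERMS,     # broader than a viewer needs
    }


def build_guest_token_payload(username: str, first_name: str, last_name: str,
                              dashboard_uuid: str, rls_clauses: tuple[str, ...] = ()) -> dict:
    """Build the request body for /api/v1/security/guest_token/ (assumed shape).

    Raises ValueError instead of letting an empty username through, because in
    Superset 5.0+ that makes RLS rules fail silently rather than loudly.
    """
    if not username or not username.strip():
        raise ValueError("guest token username must be non-empty; RLS fails silently otherwise")
    if not dashboard_uuid:
        raise ValueError("a dashboard uuid is required in resources")
    # No "roles" key: Superset ignores it and always applies GUEST_ROLE_NAME.
    return {
        "user": {"username": username, "first_name": first_name, "last_name": last_name},
        "resources": [{"type": "dashboard", "id": dashboard_uuid}],
        "rls": [{"clause": clause} for clause in rls_clauses],
    }


# Constructed sample: the cookie settings quoted in the comment plus a dedicated role.
GOOD_CONFIG = {
    "GUEST_ROLE_NAME": "EmbedGuest",
    "SESSION_COOKIE_SAMESITE": "None",
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
}
# Constructed sample of the misconfiguration the comment warns about.
BAD_CONFIG = {"SESSION_COOKIE_SAMESITE": "None", "SESSION_COOKIE_SECURE": False}

# Constructed sample role export: minimal set minus "can log", plus SQL Lab access.
SAMPLE_ROLE_PERMS = (MINIMAL_GUEST_PERMS - {("can log", "Superset")}) | {("can sql_json", "Superset")}

if __name__ == "__main__":
    print("good config findings:", lint_embed_config(GOOD_CONFIG))
    print("bad config findings:", lint_embed_config(BAD_CONFIG))
    print("role diff:", diff_guest_role_perms(SAMPLE_ROLE_PERMS))
    print(build_guest_token_payload("tenant-42", "Embed", "Viewer",
                                    "PLACEHOLDER-DASHBOARD-UUID", ("tenant_id = 42",)))
```

Run this against the values from your own `superset_config.py` and a role export before wiring up the SDK; the `missing` set from `diff_guest_role_perms` is usually the fastest explanation for a 403 on an embedded dashboard.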
