Best Way to Attach Dashboard RBAC Roles Automatically in Superset

[user1500177]

I’m currently working on a Superset deployment where I need to automatically attach specific roles (e.g., Gamma) to all dashboards. The goal is to ensure that every dashboard has predefined roles assigned for RBAC (Role-Based Access Control). I’ve explored a few approaches, but I’d like to get feedback from the community on the best and most maintainable way to achieve this.

-- Assign 'Gamma' role to all dashboards
WITH role_cte AS (
SELECT id AS role_id
FROM ab_role
WHERE name = 'Gamma'
)
INSERT INTO dashboard_roles (dashboard_id, role_id)
SELECT d.id, r.role_id
FROM dashboards d
CROSS JOIN role_cte r
LEFT JOIN dashboard_roles dr ON d.id = dr.dashboard_id AND dr.role_id = r.role_id
WHERE dr.dashboard_id IS NULL;

How to add this role to all the dashboards
How to uploaded ONLY to specific dashboards or to the dashboards that are going to be uploaded in future

CAN I DO THIS VIA superset_config.py , Which is the best way to automate this ?
I have already added the Flag for this DASHBOARD_RBAC

[dosubot[bot]]

You can't automate dashboard role assignment via superset_config.py—it's only for configuration, not for programmatic role or permission management. The best and most maintainable way to assign roles like "Gamma" to all dashboards is to use a backend Python script with the Superset app context and ORM. For example:

from superset import create_app
from superset.models.dashboard import Dashboard
from flask_appbuilder.security.sqla.models import Role
from superset.extensions import db

app = create_app()
with app.app_context():
    gamma_role = db.session.query(Role).filter_by(name="Gamma").first()
    dashboards = db.session.query(Dashboard).all()
    for dash in dashboards:
        if gamma_role not in dash.roles:
            dash.roles.append(gamma_role)
    db.session.commit()

To assign a role to only specific dashboards, filter the dashboards in your script by slug, title, or owner before appending the role.

For future dashboards, there’s no built-in automatic assignment. You’d need to run a scheduled job or write a custom plugin/monkey-patch to hook into dashboard creation logic and assign the role programmatically.

If you’re on Superset 5.x+, you can also automate this via the REST API by enabling FAB_ADD_SECURITY_API = True in superset_config.py and using the dashboard API endpoints to set the roles field when creating or updating dashboards.

Direct SQL on the dashboard_roles table works but is not recommended—using the ORM or API is safer and more maintainable, as it respects application logic and future upgrades.

For more details and community examples, see this discussion and this thread.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[RyanAccuWebCloud]

Hey, great question. Automatically assigning the Gamma role to all dashboards in Apache Superset isn’t something Superset does natively without some scripting, but there’s a clean, config-driven approach that keeps things maintainable and upgrade-safe.

The first thing I’d look at is enabling Dashboard RBAC. You can do this directly in your superset_config.py by setting the DASHBOARD_RBAC flag to True under the FEATURE_FLAGS dictionary. This tells Superset to respect role assignments at the dashboard level instead of just globally. Once that’s in place, your role management becomes more flexible and controlled through configuration rather than code.

Next, make use of the superset init command. It’s mainly designed to sync roles and permissions...especially useful after upgrades...but it’s also handy for keeping your RBAC setup consistent across environments. If you integrate this step into your deployment or automation pipeline, it ensures roles like Gamma always have the correct permissions without manual reconfiguration.

If you’re running Superset in a managed environment like AccuWeb Cloud, it’s even easier to manage these configs. You just point the SUPERSET_CONFIG_PATH environment variable to your custom config file, and your feature flags and security settings get picked up automatically on deployment. That means less manual tweaking and more predictable behavior across instances.

One thing to keep in mind: the Gamma role is intentionally limited for security reasons. Granting it access to all dashboards is a big permission jump, and those users will still need access to the underlying datasets for dashboards to display data properly. So, be mindful of what you’re opening up.

Does this align with how you’re currently managing your Superset roles and permissions?

[user1500177]

@dosu Could you explain the way if i enable the FAB_ADD_SECURITY_API = True?? , and HOW to use it to attach the role "Gamma" to all those dashboards? (Could you give the endpoints to which i have to make requests ? and the detailed STEPS for that method, will the access_token and the csrf_token be needed in such a case too- I suppose YES)

@RyanAccuWebCloud , I had enabled the RLS feature also , the user gets the permission based on that for the datasets , but i have actually stripped of some permissions of the gamma role and actually made a new role based on that -so as to make such a user not able to edit or upload dashboards etc. But i need that user to be able to see all the dashboards for that i Think that the dashboards should be tagged with the role name in the edit properties of dashboard, Which is why i am doing this. Please feel free to correct me if i am wrong , And if you have an idea about adding a Specific role in the properties of the dashboard AUTOMATICALLY , otherwise the admin has to do this for all the dashboard each time. By what dosu said i find that the API method would be nice to have (But i need additional info on how to do this also - Any help would be appreciated.)

[dosubot[bot]]

You've reached the anonymous usage limit of 10 interactions per month. Your usage will reset on 2025-11-01. If you'd like to use Dosu before then, please register to increase your limit to 100 interactions per month for free.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[RyanAccuWebCloud]

yep, your understanding is spot on. When you’ve got RLS already managing dataset-level access, tagging dashboards with a specific role is exactly how to make them visible to that role without broadening permissions elsewhere.

You’re right that the admin usually has to do this manually in the dashboard’s properties, which is why automating it makes sense. The API route with FAB_ADD_SECURITY_API = True will work well for that — you can hit the /api/v1/dashboard/ endpoint and attach your custom role automatically.

If you’re scripting it, just remember:

You’ll need both the access token and CSRF token.
Use a simple loop to update dashboards as they’re created (either scheduled or triggered on deployment).
Avoid DB-level inserts; the ORM/API method will survive version upgrades much better.