Integration of graphs to website based on user roles

[bpatra-ai]

This button is generated based on handlebar chart and has the data which a user do not access to. I have two users one is Admin role and one is user role. User do not have access to the above handlebar chart but while integrating to front-end the chart is visible to all users. In apache superset it's not visible got a error not have a access to data source but on front-end integration user able to access it.

What is the possible solution?

            await embedDashboard({
                id: dashboardId,
                supersetDomain,
                mountPoint: mount,
                fetchGuestToken: async () => '<token generated by swagger guest_token API using Admin token and user info in body>',
                dashboardUiConfig: {
                    hideTitle: true,
                    hideChartControls: true,
                    filters: { visible: false },
                    urlParams: {
                        standalone: "1",
                        show_filters: "0",
                        show_native_filters: "0"
                    }
                }
            });

[dosubot[bot]]

Hi @bpatra-ai! I'm Dosu and I’m helping the superset team.

The issue is likely caused by how the guest token is generated and how the frontend integration sends chart requests. Superset enforces access control for embedded dashboards using guest tokens, which should only grant access to specific dashboards and charts. If the guest token is too permissive (for example, granting access to all datasets or charts), or if the frontend does not include the correct dashboardId in each chart's form_data, users may see charts they shouldn't have access to—even if Superset itself blocks them in the main UI.

To fix this:

• Make sure the guest token is scoped only to the dashboard (not to datasets or charts directly) and is generated based on the user's role.
• Ensure the frontend integration always sends the correct dashboardId in every chart's form_data when requesting chart data. This is critical for Superset to enforce dataset-level permissions and show an "Access Denied" overlay for unauthorized charts, rather than exposing data (source).
• Double-check that the guest role used for embedding does not have all_datasource_access or explicit access to restricted datasets (source).
• If you want even finer control, you can use Superset's role-based access control (RBAC) features and, if needed, set GUEST_ROLE_NAME to a custom role (like EmbedGuest) for embedded users (source).

If you follow these steps, Superset should enforce the same access restrictions in embedded dashboards as it does in the main UI.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[bpatra-ai]

@dosu how to fix the data source error message from dashboard that I got?

[dosubot[bot]]

The "data source error" in embedded Superset dashboards is usually caused by missing or incorrect permissions, or by the frontend not sending the right context for permission checks.

To fix it:

1. Check your frontend integration: Make sure every chart request includes the correct dashboardId in its form_data. If this is missing, Superset can't enforce dataset-level permissions and will return a data source error. In React, you can inject it like:

   const dashboardInfo = useSelector(state => state.dashboardInfo);
   formData.dashboardId = dashboardInfo.id;

   See details and fix

2. Review guest token scope: When generating the guest token, ensure it's scoped only to the dashboard (not datasets or charts directly). The token should reference the dashboard ID and user info, not grant broad access.

3. Lock down guest role permissions: The role assigned to embedded users (by default, "Public" unless you set GUEST_ROLE_NAME) should not have all_datasource_access or explicit access to restricted datasets. For tighter control, create a dedicated guest role (e.g., EmbedGuest), grant only minimal permissions, and set GUEST_ROLE_NAME = "EmbedGuest" in your config. Role setup guide

4. If you still see errors: Compare your guest role's permissions with the admin role in Superset's Security > List Roles, and ensure it has the necessary permissions for the relevant datasets and databases. Check Superset logs for permission-denied errors—they often specify exactly which permission is missing. Permission troubleshooting

5. Limitations: Superset's embedded dashboards grant access to all charts on the dashboard, so dataset-level restrictions aren't strictly enforced in embedded mode. Unauthorized charts will show an "Access Denied" overlay, but won't be hidden entirely. If you need to hide them, you'll need custom frontend logic to detect and remove charts that fail to load due to access errors. Known limitation

Let me know if you need help with a specific configuration or code snippet!

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[bpatra-ai]

@dosu
I created 2 types of user role in superset one is Admin will all permission and one with Gamma only read permission it could not export anything only dashboard view is possible. To integrate in front-end i generated guest-token for Admin as well as Gamma.
These are the steps I followed to generate the guest_token for Admin to integrate in Front-end:

1. Logged in into superset to get session token with Admin credentials.
2. GET the CSRF token from superset swagger GET API.
3. Then call the /guest_token/ POST API of superset to get the guest token and passed below payload to that API
   {
   "resources": [
   {
   "type": "dashboard",
   "id": ""
   }
   ],
   "rls":[],
   "user": {
   "first_name": "Admin fn",
   "last_name": "Admin ln",
   "username": "admin"
   }
   }
4. Got the token and able to integrate it with proper permission.

But for user follow the same step only the POST payload instead of Admin cred passed the user one but the permission is still there what admin has. It did not remove the permission for user.
Why so? How to fix this give steps for it?