dosubot[bot] commented on issue #33698: URL: https://github.com/apache/superset/issues/33698#issuecomment-2944183351
Hi @chandug1991! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

This behavior is expected with the current Superset permissions model when `DASHBOARD_RBAC` is enabled. Granting a role access to a dashboard via dashboard roles bypasses dataset-level checks—so any user with access to the dashboard can see all charts and their underlying datasets, regardless of their dataset permissions. If you want dataset-level permissions to apply, you need to disable `DASHBOARD_RBAC` or avoid assigning dashboard roles; otherwise, dashboard access implicitly grants access to all datasets used in that dashboard. See the official documentation for more details on this interaction: ["Manage access to Dashboards"](https://github.com/apache/superset/blob/a6af4f4d7ad8792a0bc136ef613fe5e74d477520/docs/docs/using-superset/creating-your-first-dashboard.mdx).

There have been related issues and recent changes in this area, especially around embedded dashboards and guest tokens. Notably, guest tokens and embedded dashboards are designed to grant access to all charts on the dashboard they are created for, mirroring the `DASHBOARD_RBAC` behavior. This means dataset-level restrictions are not enforced in this scenario, which is a known limitation and has been discussed as a potential security concern in the project: ["/api/v1/chart/{pk}/data does not respect Guest Token resource limitations"](https://github.com/apache/superset/issues/26201).

If you need more granular control, consider using dataset permissions without dashboard roles, or keep an eye on ongoing changes in this area as the permission model continues to evolve.

*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*
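As an added illustration that is not part of the comment above and not Superset's own code, here is a hypothetical Python model of the access decision the comment describes. It can be used as an audit helper to list which datasets a user reaches only because of a dashboard role (all class names, roles and dataset names are constructed for the example):

```python
from dataclasses import dataclass

# Simplified model of the behaviour described in the comment (hypothetical,
# not Superset's implementation): with DASHBOARD_RBAC on and roles assigned
# to a dashboard, membership in one of those roles exposes every dataset
# behind the dashboard's charts; otherwise dataset permissions decide.

@dataclass
class Dashboard:
    name: str
    roles: set      # roles granted through dashboard RBAC
    datasets: set   # datasets behind the dashboard's charts

@dataclass
class User:
    name: str
    roles: set
    dataset_perms: set  # datasets the user is explicitly granted

def can_view_dataset_via_dashboard(user, dashboard, dataset, dashboard_rbac):
    """True if `user` can see `dataset` through `dashboard`."""
    if dataset not in dashboard.datasets:
        return False
    if dashboard_rbac and dashboard.roles & user.roles:
        return True  # a dashboard role short-circuits the dataset check
    return dataset in user.dataset_perms

def implicit_dataset_grants(user, dashboard, dashboard_rbac):
    """Datasets the user reaches only because of a dashboard role (audit view)."""
    return {
        ds for ds in dashboard.datasets
        if can_view_dataset_via_dashboard(user, dashboard, ds, dashboard_rbac)
        and ds not in user.dataset_perms
    }

# Constructed sample: a "sales" dashboard shared with the "Viewer" role,
# backed by two datasets, and a user explicitly granted only one of them.
SALES = Dashboard("sales", roles={"Viewer"}, datasets={"orders", "salaries"})
ALICE = User("alice", roles={"Viewer"}, dataset_perms={"orders"})

if __name__ == "__main__":
    for flag in (True, False):
        print(f"DASHBOARD_RBAC={flag}: implicit grants for {ALICE.name} ->",
              sorted(implicit_dataset_grants(ALICE, SALES, flag)))
```

Running it shows that with the flag on, `alice` gains `salaries` purely through the dashboard role; with it off (or with no dashboard roles assigned) only her explicit dataset permission applies.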
