GitHub user dosubot[bot] added a comment to the discussion: Multi-Tenant User management
The `/api/v1/security/*` endpoints (like `/api/v1/security/roles/`) are always present in the codebase, but whether they are actually accessible depends on the `FAB_ADD_SECURITY_API` flag. When this flag is set to `True`, these endpoints become active and accessible (with proper permissions), and they also appear in Swagger if `FAB_API_SWAGGER_UI` is enabled. If the flag is not set or is `False`, the endpoints still exist in the code, but access is restricted or forbidden—they won’t be usable or visible in Swagger, even though the implementation is the same underneath.

The difference is not in the code path or logic of the endpoints themselves, but in whether the API is exposed and permission checks are enforced at a deeper layer, likely within Flask AppBuilder or the permission system. This is confirmed by both the code and integration tests, which use the flag to control endpoint accessibility, not their implementation logic.

You need to restart Superset and run `superset init` after changing this flag for the change to take effect. Only trusted users should have access to these sensitive endpoints.

[Source 1](https://github.com/apache/superset/blob/308007f909b5a3c1cdd6fc5632ef27ca7eb97ce0/superset/security/api.py) | [Source 2](https://github.com/apache/superset/issues/33925)

GitHub link: https://github.com/apache/superset/discussions/33877#discussioncomment-13635919
