GitHub user dosubot[bot] added a comment to the discussion: Multi-Tenant User management
To restrict the roles listed in the add/edit user modal so that a user with the
"Tenant-manager" role only sees the "Tenant-user" role, you need to override
the REST API endpoint that serves roles. In recent Superset versions, this is
implemented in the `RoleRestAPI` class in `superset/security/api.py` (not
`SupersetRoleApi`, which is for the FAB UI). You should subclass `RoleRestAPI`,
override the `get_list` method, and filter the roles based on the current
user's roles.
Here's a pattern you can use:
```python
# In your custom module, e.g., custom_role_api.py
from flask import g
from sqlalchemy.orm import joinedload

from superset.extensions import security_manager
from superset.models.core import db
from superset.security.api import RoleRestAPI


class TenantRoleRestAPI(RoleRestAPI):
    def get_list(self, **kwargs):
        # Roles of the user making the request (g.user is the current user)
        user_roles = [
            role.name for role in security_manager.get_user_roles(g.user)
        ]
        role_model = self.datamodel.obj
        query = db.session.query(role_model).options(
            joinedload(role_model.permissions), joinedload(role_model.user)
        )
        # If the user is a Tenant-manager, restrict the list to the Tenant-user role
        if "Tenant-manager" in user_roles:
            query = query.filter(role_model.name == "Tenant-user")
        # You can add more logic for multi-tenant scenarios here
        # Continue with the original logic (pagination, serialization, etc.)
        # applied to the filtered `query` above; returning super().get_list()
        # from here would discard the filter.
        # ... (copy the rest of RoleRestAPI.get_list logic here)
```
To activate your override, register your custom API instead of the default one.
The cleanest way is to monkey-patch the registration in your
`superset_config.py` using the `FLASK_APP_MUTATOR` config, or by editing the
`SupersetAppInitializer.init_views` to use your class instead of `RoleRestAPI`
([see registration pattern](https://github.com/apache/superset/blob/308007f909b5a3c1cdd6fc5632ef27ca7eb97ce0/superset/initialization/__init__.py#L180-L200)).
Access the current user with `g.user` and their roles with
`security_manager.get_user_roles(g.user)`
([reference](https://github.com/apache/superset/blob/308007f909b5a3c1cdd6fc5632ef27ca7eb97ce0/superset/security/manager.py#L1230-L1237)).
This ensures only the allowed roles are returned to the frontend, regardless
of what the UI requests.
After making these changes, restart Superset and verify by logging in as a
Tenant-manager and opening the add/edit user modal—the dropdown should only
show the Tenant-user role.
Keep in mind: you’ll need to maintain this override across upgrades, and you
should test thoroughly to ensure no privilege escalation is possible. If you
want to restrict the old FAB UI as well, you’d also subclass `SupersetRoleApi`
in `superset/security/manager.py` and register it in your custom security
manager.
GitHub link:
https://github.com/apache/superset/discussions/33877#discussioncomment-13636687
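A constructed stand-alone model of the rule in the answer above, added here as an example; it is not part of the discussion, of Superset or of Flask-AppBuilder. It assumes an in-memory SQLite role table with sample rows, and an `ASSIGNABLE_BY` policy that mirrors the discussion (a Tenant-manager may only see and assign Tenant-user). It shows the list filter applied in the query itself, and the same rule re-applied on the write path, which is what "no privilege escalation" requires: a dropdown that hides roles does not stop a request that carries other role ids.

```python
"""Constructed stand-alone model of the role-visibility rule from the answer above.

Added example, not Superset or Flask-AppBuilder code: the in-memory SQLite
table, the sample role rows and the ASSIGNABLE_BY policy are assumptions that
mirror the discussion (a Tenant-manager may only see and assign Tenant-user).
"""
import sqlite3

# Assumed policy: a manager role maps to the set of role names it may list and
# assign. Roles absent from this map (e.g. Admin) are not restricted.
ASSIGNABLE_BY = {
    "Tenant-manager": {"Tenant-user"},
}

# Constructed sample data shaped like a (id, name) role table.
SAMPLE_ROLES = [
    (1, "Admin"),
    (2, "Alpha"),
    (3, "Gamma"),
    (4, "Tenant-manager"),
    (5, "Tenant-user"),
]


def build_sample_db():
    """Create an in-memory role table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ab_role (id INTEGER PRIMARY KEY, name TEXT UNIQUE)")
    conn.executemany("INSERT INTO ab_role (id, name) VALUES (?, ?)", SAMPLE_ROLES)
    conn.commit()
    return conn


def allowed_role_names(user_roles, all_role_names):
    """Role names the calling user may see and assign.

    Follows the answer's rule literally: holding Tenant-manager restricts the
    caller to Tenant-user even if they also hold an unrestricted role such as
    Admin. Users holding no restricted role see every role.
    """
    restrictions = [ASSIGNABLE_BY[r] for r in user_roles if r in ASSIGNABLE_BY]
    if not restrictions:
        return set(all_role_names)
    allowed = set().union(*restrictions)
    return allowed & set(all_role_names)


def visible_roles(conn, user_roles):
    """The list endpoint's query, with the restriction applied server side.

    The filter lives in the WHERE clause, as the get_list override filters the
    SQLAlchemy query, so the client only ever receives the allowed rows.
    """
    all_names = [row[0] for row in conn.execute("SELECT name FROM ab_role")]
    allowed = sorted(allowed_role_names(user_roles, all_names))
    if not allowed:
        return []
    placeholders = ",".join("?" * len(allowed))
    rows = conn.execute(
        f"SELECT id, name FROM ab_role WHERE name IN ({placeholders}) ORDER BY name",
        allowed,
    )
    return [{"id": role_id, "name": name} for role_id, name in rows]


def disallowed_role_ids(conn, user_roles, requested_role_ids):
    """Write-path check: role ids in a create/update request that the caller
    may not assign. Filtering the dropdown alone does not stop a crafted
    request that carries other role ids, so the same rule is re-applied here."""
    allowed_ids = {role["id"] for role in visible_roles(conn, user_roles)}
    return set(requested_role_ids) - allowed_ids


def check_role_assignment(conn, user_roles, requested_role_ids):
    """Raise PermissionError if the request assigns a role outside the allowed set."""
    bad = disallowed_role_ids(conn, user_roles, requested_role_ids)
    if bad:
        raise PermissionError(f"roles not assignable by caller: {sorted(bad)}")
    return True


if __name__ == "__main__":
    db_conn = build_sample_db()
    print([r["name"] for r in visible_roles(db_conn, ["Tenant-manager"])])
    print([r["name"] for r in visible_roles(db_conn, ["Admin"])])
    print(disallowed_role_ids(db_conn, ["Tenant-manager"], [5, 4]))
```

`allowed_role_names` is the single place the policy is evaluated; both the list query and the assignment check call it, so the two paths cannot drift apart after an upgrade. Note that, exactly as in the answer's `if "Tenant-manager" in user_roles` test, a user holding both Admin and Tenant-manager is restricted; decide deliberately whether that is the behaviour you want before deploying.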