GitHub user dosubot[bot] added a comment to the discussion: Multi-Tenant User management
When you enable `FAB_ADD_SECURITY_API`, Superset switches user listing to the Flask AppBuilder (FAB) Security REST API, which does not use any custom query restrictions or filters you set up in your custom `SupersetSecurityManager` user view. This means any tenant-based filtering you implemented for the UI is bypassed, and the API returns all users to anyone with access to the endpoint. This is by design: the FAB API is a separate code path and doesn't call your custom view logic or filters, so your restrictions are ignored in this mode [reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py).

To enforce tenant-based user listing even when `FAB_ADD_SECURITY_API` is enabled, you need to subclass the relevant FAB API (usually `SupersetUserApi` or `UserApi`), override its list logic to apply your filters, and register your custom API using `FLASK_APP_MUTATOR` after app initialization. This ensures your restrictions apply to both the UI and the API. There are no built-in hooks for this—you must implement and maintain the override yourself [reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/views/users/api.py).

Let me know if you want a code outline for this pattern.

GitHub link: https://github.com/apache/superset/discussions/33877#discussioncomment-13679475
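The comment above describes a tenant filter that one user-listing path applies and another skips. The following is an added example, not part of the original comment and not Superset or FAB code: a framework-free isolation check that runs the same test against every listing path. The directory, the tenant names and all function names are constructed stand-ins, and how tenants are stored is an assumption.

```python
from typing import Callable, Dict, List

# Constructed sample directory (username -> tenant). How tenants are stored is
# an assumption; the discussion does not describe the data model.
DIRECTORY = {"alice": "acme", "bob": "acme", "carol": "globex", "dave": "globex"}

ListFn = Callable[[str], List[str]]


def tenant_filter(caller: str, users: List[str]) -> List[str]:
    """The single tenant restriction every listing path must apply."""
    return [u for u in users if DIRECTORY[u] == DIRECTORY[caller]]


def ui_list(caller: str) -> List[str]:
    """Stand-in for the customised user view: filter applied."""
    return tenant_filter(caller, sorted(DIRECTORY))


def api_list_unfiltered(caller: str) -> List[str]:
    """Stand-in for the stock security API path: filter never called."""
    return sorted(DIRECTORY)


def api_list_overridden(caller: str) -> List[str]:
    """Stand-in for an overridden API that reuses the same filter."""
    return tenant_filter(caller, sorted(DIRECTORY))


def cross_tenant_leaks(list_users: ListFn, callers: List[str]) -> Dict[str, List[str]]:
    """Map each caller to the users it can see outside its own tenant."""
    leaks = {}
    for caller in callers:
        foreign = [u for u in list_users(caller) if DIRECTORY[u] != DIRECTORY[caller]]
        if foreign:
            leaks[caller] = foreign
    return leaks


def audit(paths: Dict[str, ListFn], callers: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Run the same isolation check against every listing code path."""
    return {name: cross_tenant_leaks(fn, callers) for name, fn in paths.items()}


if __name__ == "__main__":
    paths = {"ui": ui_list, "api_stock": api_list_unfiltered, "api_fixed": api_list_overridden}
    for name, leaks in audit(paths, ["alice", "carol"]).items():
        print(f"{name}: {'isolated' if not leaks else leaks}")
```

In a real deployment the stand-in listing functions would be replaced by authenticated requests made as one test user per tenant, so the check fails whenever a newly enabled endpoint skips the filter.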
