Open michaelkohn opened 4 years ago
Have started tinkering around but haven't implemented the roles fully yet. At a high level this is what we can do:
Log in and ideally the first screen they are brought to is the EBS Dashboard. Not sure if we can do this.
How do we give users access to dashboards or a set of dashboards? Can configure this through User Roles (link).
Should not have access to any admin-y tabs (Security, Manage, Sources, etc.) or be able to edit things. Can configure this through User Roles (link).
Ideally they would have access to "Explore Chart" but not be able to save an edited chart. Can configure this through User Roles (link).
I'd like to see if there is a way to limit which facilities a certain user can see. For example... User ABC should only have access to data for the Iganga facility. Is there a way in Superset to prevent them from seeing other facilities? I'm not sure if it's related, but when setting up different users we have to specify a database username. The description of the field says "Username valid for authentication on DB or LDAP, unused for OID auth". Technically we could set up roles in PostgreSQL so that queries for certain users only bring back data that meet certain criteria, but it's unclear to me if the Superset datasources are run per user or system wide. Can configure this through Row-Level Security (link), but we may need to look into our Superset config to figure out why this ability is not loading for us. (https://github.com/apache/incubator-superset/issues/8644)
Is there 'chart' level security? For example... a user has access to a dashboard but not a specific chart on that dashboard. Might not be able to configure this - looks like we can give datasource level access, but it’s all or nothing (can’t exclude one chart/dash that uses that source).
This is exploratory so it doesn't have to be exactly like this, but here's an example of what we might want users to be able to do.
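The PostgreSQL-roles option raised in the issue, as an added example that is not part of the original post or of Superset: a row-level security policy that limits one database role to the Iganga facility. The table names, column names and the `user_abc` role are hypothetical, and the policy only helps if each user's queries reach PostgreSQL under that user's own role; over a single shared connection account it is evaluated against that account.

```sql
-- Hypothetical schema; names are assumptions, not taken from the issue.
CREATE TABLE facility_visits (
    id        bigserial PRIMARY KEY,
    facility  text    NOT NULL,
    visit_day date    NOT NULL,
    patients  integer NOT NULL
);

-- Which database role may read which facility.
CREATE TABLE facility_access (
    db_role  name NOT NULL,
    facility text NOT NULL,
    PRIMARY KEY (db_role, facility)
);

-- Constructed sample rows.
INSERT INTO facility_visits (facility, visit_day, patients) VALUES
    ('Iganga', DATE '2020-01-06', 41),
    ('Jinja',  DATE '2020-01-06', 57);

CREATE ROLE user_abc LOGIN;               -- password set out of band
GRANT SELECT ON facility_visits, facility_access TO user_abc;
INSERT INTO facility_access VALUES ('user_abc', 'Iganga');

-- With RLS enabled and no matching policy, a role sees no rows.
-- Superusers, BYPASSRLS roles and the table owner are not restricted.
ALTER TABLE facility_visits ENABLE ROW LEVEL SECURITY;
ALTER TABLE facility_access ENABLE ROW LEVEL SECURITY;

-- A role can read only its own mapping rows...
CREATE POLICY own_mapping ON facility_access
    FOR SELECT
    USING (db_role = current_user);

-- ...and only visits for facilities mapped to it.
CREATE POLICY facility_read ON facility_visits
    FOR SELECT
    USING (facility IN (SELECT a.facility
                        FROM facility_access a
                        WHERE a.db_role = current_user));

-- Check as the restricted role: only the Iganga row comes back.
SET ROLE user_abc;
SELECT facility, visit_day, patients FROM facility_visits;
RESET ROLE;
```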