Skip to main content
Version: 1.1

Dataspaces in Superset

To configure the dataspace model of the platform in Superset, users are assigned dataspace-specific roles in Superset. This ensures that data access and manipulation are tightly controlled through role-based permissions, allowing users to interact only with the data and visualizations relevant to dataspaces they have access to.

Apache Superset manages access to data visualizations, dashboards, and datasources using Roles, Users, Permissions, Datasources, and Dashboards. In the platform, each Dataspace represents a thematic area containing specific data and visualizations. In Superset, this concept is implemented by creating roles and permissions that control access to resources (such as dashboards and charts) within a dataspace.

How the Platform's Dataspace Concept maps to Superset

  • User: A person or system entity that accesses Superset to view or manage dashboards and datasources. Users are assigned roles that define what actions they can perform within a dataspace.
  • Role: A collection of permissions in Superset that defines what a user can do within a specific dataspace. For example, a role might allow a user to view, edit, or manage dashboards and datasources within a certain thematic area (dataspace).
  • Permission: A specific right or authorization to perform actions such as viewing, editing, or deleting resources in Superset. Permissions can be configured for specific datasources or dashboards, allowing fine-grained control over what users can do.
  • Datasource: A collection of data (e.g., tables, databases, or datasets) that users access to create visualizations and dashboards. Datasources are part of a dataspace and define the scope of the data available for that dataspace.
  • Dashboard: A visual representation of data from a specific dataspace. Dashboards allow users to explore, analyze, and interact with data from the associated datasources.

In Superset, Roles and Permissions are used to manage user access to datasources and dashboards. For each Dataspace, we implement a custom set of roles and permissions to enforce the platform’s dataspace concept. This ensures that users are given access only to the specific resources within a dataspace that they are allowed to interact with.

Example for Keycloak and Superset

The following settings describe the dataspaces named "baumkataster" and "denkmalschutz" defined in Keycloak and Superset:

  • Keycloak client "dashboards":
    • Group for dataspace "baumkataster": baumkataster
    • Group for dataspace "denkmalschutz": denkmalschutz
  • Keycloak user "Max Mustermann" (max@mustermann.de)
    • User-Group-Assignments: baumkataster, denkmalschutz
  • Superset roles: baumkataster, denkmalschutz

If Max requests resource from Superset and therefore logs into Superset (via Keycloak),

  • Keycloak sends an access_token: (user: max@mustermann.de, groups: [baumkataster, denkmalschutz])
  • Superset creates a User: max@mustermann.de (if not already existing)
  • Based on the groups, the user is assigned the corresponding roles in Superset (baumkataster, denkmalschutz)
  • Permissions are manually assigned to roles in Superset

Mapping illustrated

This mapping is illustrated in the following image by using the same color for matching objects. Superset-Entities

Setting up Dataspaces in Superset

To configure the platform’s dataspace concept in Superset, assign permissions to each dataspace's role. Roles must have specific permissions to allow actions on resources (like dashboards or datasources). Permissions may vary depending on the role and the dataspace.

For detailed instructions on how to configure roles, define permissions, and assign them to users in Superset, refer to the Admin Guide.