GitHub user dosubot[bot] added a comment to the discussion: Superset Embedded 
SDK

Guest tokens in Superset Embedded SDK don't map directly to tenant-wise roles. 
Instead, you control access by specifying which dashboards (and optional 
row-level security rules) are included in the guest token payload. When a guest 
token is used, Superset creates an anonymous user assigned to the role set by 
`GUEST_ROLE_NAME` (default is "Public"), not your custom tenant roles. 

To implement tenant-wise access, generate guest tokens that only include the 
dashboards and RLS rules appropriate for each tenant. You can also add custom 
user attributes (like `tenant_id`) to the token, which can be used in Jinja 
templates or RLS clauses for fine-grained filtering. If you need to enforce 
that tokens always include tenant-specific restrictions, use the 
`GUEST_TOKEN_VALIDATOR_HOOK` config to validate token payloads before they're 
issued [see details](https://github.com/apache/superset/blob/master/superset-embedded-sdk/README.md),
[API details](https://github.com/apache/superset/blob/master/superset/security/api.py),
[custom attributes example](https://github.com/apache/superset/issues/33922).

So, guest tokens let you implement tenant-based access, but you do it by 
controlling the dashboards and RLS rules in the token—not by mapping to 
Superset roles.



GitHub link: 
https://github.com/apache/superset/discussions/36975#discussioncomment-15471956
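
An added example, not part of the comment above and not Superset's own code, of the per-tenant guest token request and validator hook the answer describes. The tenant map, the `tenant_id` column and the function names are hypothetical; it assumes the hook is called with the token request dict and that returning False rejects the request.

```python
import re

# Constructed sample data: which dashboard UUIDs each tenant may embed.
TENANT_DASHBOARDS = {
    "acme": {"0a1b2c3d-0000-4000-8000-000000000001"},
    "globex": {"0a1b2c3d-0000-4000-8000-000000000002"},
}
# Only this exact clause shape is accepted; tenant_id is an assumed column name.
TENANT_CLAUSE = re.compile(r"tenant_id = '([a-z0-9_]+)'")


def build_guest_token_request(tenant, dashboard_ids, username="embedded-guest"):
    """Build the guest token request body for one tenant's dashboards."""
    if not re.fullmatch(r"[a-z0-9_]+", tenant):
        raise ValueError("unexpected tenant identifier")
    allowed = TENANT_DASHBOARDS.get(tenant, set())
    if not dashboard_ids or not set(dashboard_ids) <= allowed:
        raise ValueError(f"dashboards not permitted for tenant {tenant!r}")
    return {
        "user": {"username": username},
        "resources": [{"type": "dashboard", "id": d} for d in dashboard_ids],
        "rls": [{"clause": f"tenant_id = '{tenant}'"}],
    }


def tenant_guest_token_validator(params):
    """Return False unless every RLS rule pins one tenant and every resource
    is a dashboard that tenant is allowed to see."""
    rules = params.get("rls") or []
    resources = params.get("resources") or []
    if not rules or not resources:
        return False
    tenants = set()
    for rule in rules:
        match = TENANT_CLAUSE.fullmatch(rule.get("clause") or "")
        if match is None:
            return False  # missing, free-form or compound clause
        tenants.add(match.group(1))
    if len(tenants) != 1:
        return False  # rules disagree about the tenant
    allowed = TENANT_DASHBOARDS.get(tenants.pop(), set())
    return all(r.get("type") == "dashboard" and r.get("id") in allowed
               for r in resources)


# Assumed wiring in superset_config.py:
# GUEST_TOKEN_VALIDATOR_HOOK = tenant_guest_token_validator
```

The validator checks both halves of the scoping: a token whose RLS clause names one tenant but whose resources belong to another is rejected, as is a token with no RLS rule at all.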
