QT/superset2
1
0
Fork 0
mirror of https://github.com/apache/superset.git synced 2026-05-08 09:25:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
752ebd47cb038007602e101f48027802c4126cb4
superset2/docs/versioned_docs/version-6.1.0/security/granular-export-controls.mdx
Superset Dev 752ebd47cb docs: cut 6.1.0 versions for docs, admin_docs, developer_docs, components 
- Snapshot all four versioned docs sections at v6.1.0; master continues to
  serve as "Next" (lastVersion: current, banner: unreleased) so editing
  master keeps updating the canonical URLs
- Enable the previously-disabled components plugin and version it
- Rename stale "developer_portal" references to "developer_docs" across
  package.json scripts, manage-versions.mjs, theme files (DocVersionBadge,
  DocVersionBanner), DOCS_CLAUDE.md, and README.md (URL backward-compat
  redirect /developer_portal/* preserved)
- Add admin_docs version scripts; drop dead "tutorials" plugin id from
  the version badge
- Generalize fixVersionedImports in manage-versions.mjs to walk every
  section's snapshot and rewrite ../../src/ and ../../data/ imports,
  catching admin_docs and components files that previous version cuts
  would have broken
- Remove orphan files: developer_portal_versions.json,
  tutorials_versions.json, and stray empty versions.json files inside
  components/ and developer_docs/ content directories
2026-05-02 11:53:56 -07:00

79 lines
3.3 KiB
Plaintext
Raw Blame History

---
title: Granular Export Controls
sidebar_position: 4
---
# Granular Export Controls
Superset provides granular, permission-based controls for data export, image export, and clipboard operations. These replace the legacy `can_csv` permission with three fine-grained permissions that can be assigned independently to roles.
## Feature Flag
Granular export controls are gated behind the `GRANULAR_EXPORT_CONTROLS` feature flag. When the flag is disabled, the legacy `can_csv` permission behavior is preserved.
```python
FEATURE_FLAGS = {
"GRANULAR_EXPORT_CONTROLS": True,
}
```
## Permissions
| Permission | Resource | Controls |
| -------------------- | ---------- | ---------------------------------------------------------------------- |
| `can_export_data` | `Superset` | CSV, Excel, and JSON data exports from charts, dashboards, and SQL Lab |
| `can_export_image` | `Superset` | Screenshot (JPEG/PNG) and PDF exports from charts and dashboards |
| `can_copy_clipboard` | `Superset` | Copy-to-clipboard operations in SQL Lab and the Explore data pane |
## Default Role Assignments
The migration grants all three new permissions (`can_export_data`, `can_export_image`, `can_copy_clipboard`) to every role that currently has `can_csv`. This preserves existing behavior — no role loses access during the upgrade.
After the migration, admins can selectively revoke individual export permissions from any role to restrict access. For example, to prevent Gamma users from exporting data or images while still allowing clipboard operations, revoke `can_export_data` and `can_export_image` from the Gamma role.
## Configuration Steps
1. **Enable the feature flag** in `superset_config.py`:
```python
FEATURE_FLAGS = {
"GRANULAR_EXPORT_CONTROLS": True,
}
```
2. **Run the database migration** to register the new permissions:
```bash
superset db upgrade
```
3. **Initialize permissions** so roles are populated:
```bash
superset init
```
4. **Verify role assignments** in **Settings > List Roles**. Confirm that each role has the expected permissions from the table above.
5. **Customize as needed**: Grant or revoke individual export permissions on any role through the role editor.
## User Experience
When a user lacks a required export permission:
- **Menu items** (CSV, Excel, JSON, screenshot) appear **disabled** with an info tooltip icon explaining the restriction
- **Buttons** (SQL Lab download, clipboard copy) appear **disabled** with a tooltip on hover
- **API endpoints** return **403 Forbidden** when the corresponding permission is missing
## API Enforcement
The following API endpoints enforce granular export permissions when the feature flag is enabled:
| Endpoint | Required Permission |
| --------------------------------------------------------- | ------------------- |
| `GET /api/v1/chart/{id}/data/` (CSV/Excel format) | `can_export_data` |
| `GET /api/v1/chart/{id}/cache_screenshot/` | `can_export_image` |
| `POST /api/v1/dashboard/{id}/cache_dashboard_screenshot/` | `can_export_image` |
| `GET /api/v1/sqllab/export/{client_id}/` | `can_export_data` |
| `POST /api/v1/sqllab/export_streaming/` | `can_export_data` |
Reference in New Issue View Git Blame Copy Permalink