Spotrix Security

Roles

Security in Spotrix is handled by Flask AppBuilder (FAB), an application development framework built on top of Flask. FAB provides authentication, user management, permissions, and roles. Please read its Security Documentation.

Provided Roles

Spotrix ships with a set of roles that are managed by Spotrix itself. You can assume that these roles will stay up to date as Spotrix evolves (and as you update Spotrix versions).

Even though Admin users have the ability, we don't recommend altering the permissions associated with these built-in roles (e.g. by removing or adding permissions to them). The permissions associated with each built-in role are re-synchronized to their original values whenever you run the spotrix init command, so any manual changes to them will be silently undone; put custom permission sets in roles of your own instead.

Permissions

Roles are composed of a set of permissions, and Spotrix groups its permissions into the following categories:

  • Model & Action: Models are entities like Dashboard, Slice, or User. Each model has a fixed set of permissions, like can_edit, can_show, can_delete, can_list, can_add, and so on. For example, you can allow a user to delete dashboards by adding can_delete on the Dashboard entity to a role and granting this user that role.

  • Views: Views are individual web pages, like the Explore view or the SQL-Lab view. When a view is granted to a user, it appears in their menu and they are able to load that page.

  • Data Source: A permission is created for each data source. Unless the user holds the all_datasource_access permission, they will only be able to see Slices built on, or Explore, the data sources that have been granted to them.

  • Database: Granting access to a database allows the user to access all data sources within that database, and enables the user to query that database in SQL-Lab, provided that the SQL-Lab specific permissions have also been granted to the user.

Restricting Access to a Subset of Data Sources

We recommend giving a user the Gamma role plus any other roles that add access to specific data sources, and creating an individual role for each access profile. For example, the users on the Finance team might have access to a set of databases and data sources; these permissions can be consolidated in a single role. Users with this profile are then assigned the Gamma role as the foundation for the models and views they can access, plus the Finance role, which is purely a collection of permissions on data objects.

A user can have multiple roles associated with them. For example, an executive on the Finance team could be granted the Gamma, Finance, and Executive roles. The Executive role could provide access to a set of data sources and dashboards made available only to executives. In the Dashboards view, a user only sees the dashboards they have access to based on the roles and permissions that were assigned to them.
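The rules from the Permissions list above and the Gamma-plus-profile-role pattern can be pinned down in a few lines. The following is an added example, not code from Spotrix or Flask AppBuilder: it is a simplified model of how a user's roles are resolved into data source access, using the page's own precedence (all_datasource_access overrides everything, database access covers every data source in that database, otherwise a per-data-source grant is required). The role names Gamma, Finance, Executive and the datasource/database names are constructed sample data; the permission strings database_access and datasource_access, and the Datasource/Role/User classes, are this example's own naming and are not Spotrix's internal identifiers.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# A permission is a (permission_name, view_menu_name) pair, mirroring the
# Model & Action / View / Data Source / Database categories described above.
Perm = Tuple[str, str]


@dataclass(frozen=True)
class Datasource:
    name: str       # e.g. "finance_db.ledger"  (constructed naming, not Spotrix's)
    database: str   # the database this data source lives in


@dataclass
class Role:
    name: str
    perms: Set[Perm] = field(default_factory=set)


@dataclass
class User:
    username: str
    roles: List[Role] = field(default_factory=list)

    def has_perm(self, perm: str, view_menu: str) -> bool:
        """A user holds a permission if ANY of their roles grants it."""
        return any((perm, view_menu) in r.perms for r in self.roles)


def can_access_datasource(user: User, ds: Datasource) -> bool:
    """Resolve data source access in the order the page describes."""
    # 1. all_datasource_access short-circuits every other check.
    if user.has_perm("all_datasource_access", "all_datasource_access"):
        return True
    # 2. Access to the whole database covers every data source inside it.
    if user.has_perm("database_access", ds.database):
        return True
    # 3. Otherwise the user needs a grant on this specific data source.
    return user.has_perm("datasource_access", ds.name)


def visible_datasources(user: User, catalog: List[Datasource]) -> List[str]:
    """What the user would see in Explore / the data source list."""
    return [ds.name for ds in catalog if can_access_datasource(user, ds)]


# --- constructed sample data --------------------------------------------------
CATALOG = [
    Datasource("finance_db.ledger", "finance_db"),
    Datasource("finance_db.payroll", "finance_db"),
    Datasource("hr_db.employees", "hr_db"),
    Datasource("analytics_db.kpis", "analytics_db"),
]

# Gamma: model/view access only, no data objects (per the page's recommendation).
GAMMA = Role("Gamma", {("can_list", "Dashboard"), ("can_show", "Dashboard"),
                       ("can_explore", "Explore")})
# Finance: one access profile; a database grant covers ledger AND payroll.
FINANCE = Role("Finance", {("database_access", "finance_db")})
# Executive: a single extra data source made available only to executives.
EXECUTIVE = Role("Executive", {("datasource_access", "analytics_db.kpis")})
# Admin-like role: blanket data access.
ALL_DATA = Role("AllData", {("all_datasource_access", "all_datasource_access")})

USERS = {
    "alice": User("alice", [GAMMA, FINANCE]),             # Finance analyst
    "bob":   User("bob",   [GAMMA, FINANCE, EXECUTIVE]),  # Finance executive
    "carol": User("carol", [GAMMA]),                      # Gamma only: no data
    "dave":  User("dave",  [ALL_DATA]),                   # sees everything
}

if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, visible_datasources(user, CATALOG))
    # Gamma alone does not include can_delete on Dashboard.
    print("alice can delete dashboards:", USERS["alice"].has_perm("can_delete", "Dashboard"))
```

The point to notice is that access is the union across roles (bob gets kpis from Executive on top of the Finance grants) and that carol, holding only Gamma, can reach the Explore and Dashboard views but sees no data sources at all. That is exactly why the page recommends keeping data grants in separate profile roles rather than editing Gamma, which spotrix init would reset anyway.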
