TVL Managed Superset

Row Level Security in Apache Superset 2026

Configure Row Level Security (RLS) in Apache Superset for multi-tenant deployments: dynamic filters, roles, datasets.

Row Level Security (RLS) is the most important security feature of Apache Superset for multi-tenant deployments. It automatically filters visible rows based on the logged-in user's role, without having to duplicate datasets and dashboards. This guide explains how to configure RLS properly in 2026.

1. Why RLS is critical

Without RLS, a Gamma user can potentially see other tenants' data via SQL Lab or by modifying a dashboard. RLS automatically injects a WHERE clause into all Superset queries, ensuring isolation. It's the foundation of any multi-tenant architecture.

If you want pre-configured RLS for your embedded cases, TVL Managed Superset offers an RLS wizard on Pro+ instances.

2. How Superset RLS works

Three types of RLS filters:

  • Regular: filter applied to relevant roles;
  • Base: filter applied to all except excluded roles;
  • Tenant-aware (template): filter dynamically parameterized per user.

3. Create a regular RLS filter

  1. UI → Settings → Row Level Security;
  2. Click + Rule;
  3. Type: Regular;
  4. Datasets: select relevant datasets (e.g., orders);
  5. Roles: SalesFR;
  6. SQL clause: country = 'FR';
  7. Save.

Now, a SalesFR user only sees French orders.

4. Tenant-aware filter (dynamic RLS)

For a multi-tenant SaaS, the clause must be dynamic. Use Jinja templating:

tenant_id = '{{ current_user_id() }}'

Or via a lookup table:

tenant_id = (
  SELECT tenant_id FROM dim_users
  WHERE user_id = '{{ current_user_id() }}'
)

This configuration is applied by default on TVL Managed Superset, which follows community best practices.

5. RLS via Custom Function

For complex rules, write a Python function in superset_config.py:

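import re
from types import SimpleNamespace

from superset.security import SupersetSecurityManager

# Only plain identifiers may reach the clause (adjust to your id format): the
# value sits inside a SQL string literal, and Superset renders RLS clauses through Jinja.
TENANT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

class CustomSecurityManager(SupersetSecurityManager):
    def get_rls_filters(self, table):
        filters = list(super().get_rls_filters(table))
        if "tenant_id" in [c.name for c in table.columns]:
            user = self.current_user
            if user and not user.is_anonymous:
                # Assumes a custom user model that exposes an `extra` dict.
                tenant = str((user.extra or {}).get("tenant_id") or "")
                if TENANT_ID_RE.fullmatch(tenant):
                    # Superset reads .clause and .group_key from each filter,
                    # so append an object shaped like the rows returned by
                    # super(), not a bare string. The id of -1 is a placeholder.
                    filters.append(SimpleNamespace(
                        id=-1, group_key=None, clause=f"tenant_id = '{tenant}'"))
        return filters

CUSTOM_SECURITY_MANAGER = CustomSecurityManager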

6. RLS in embedding

For dashboards embedded via SDK, RLS is passed in the guest token:

POST /api/v1/security/guest_token/
{
  "user": { "username": "tenant42_user" },
  "resources": [{ "type": "dashboard", "id": "abc-123" }],
  "rls": [{ "clause": "tenant_id = '42'" }]
}

The filter applies only to this token, for the embedded session duration. See embedded dashboards.
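The request body above is normally assembled by your own backend before it calls Superset. The following is an added example, not code from Superset or from the original guide: it builds that body from a server-side session and refuses tenant ids that could change the meaning of the clause. The `session` dict, the function names and the id pattern are assumptions.

```python
import json
import re

# Assumed id format for this example; tighten or adapt to your own tenant ids.
TENANT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class InvalidTenant(ValueError):
    """The tenant id is not safe to place inside an RLS clause."""


def validated_tenant(tenant_id):
    """Return the tenant id as a string, or raise if it is not a plain id."""
    if isinstance(tenant_id, int) and not isinstance(tenant_id, bool):
        tenant_id = str(tenant_id)
    if not isinstance(tenant_id, str) or not TENANT_ID_RE.fullmatch(tenant_id):
        raise InvalidTenant(f"refusing tenant id {tenant_id!r}")
    return tenant_id


def build_guest_token_payload(session, dashboard_id):
    """Build the guest_token body from the authenticated server-side session.

    `session` is a hypothetical dict filled in by your own login flow; the
    tenant must never be read from the browser's request parameters.
    """
    tenant = validated_tenant(session.get("tenant_id"))
    return {
        "user": {"username": f"tenant{tenant}_user"},
        "resources": [{"type": "dashboard", "id": dashboard_id}],
        # Always exactly one tenant clause: an empty "rls" list would add
        # no tenant filter to the token.
        "rls": [{"clause": f"tenant_id = '{tenant}'"}],
    }


if __name__ == "__main__":
    # Constructed sample session matching the request shown above.
    print(json.dumps(build_guest_token_payload({"tenant_id": "42"}, "abc-123"), indent=2))
    try:
        build_guest_token_payload({"tenant_id": "42' OR '1'='1"}, "abc-123")
    except InvalidTenant as exc:
        print("rejected:", exc)
```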

7. Test RLS

  1. Log in as a restricted role user;
  2. Go to the dashboard;
  3. Verify that only expected rows are visible;
  4. Go to SQL Lab and try a query SELECT * FROM orders — RLS must also apply.

8. Common pitfalls

  • RLS bypassed by SQL Lab: harden with a read-only DB account and SQL Lab restriction for Gamma;
  • RLS clause on a nonexistent column: the query fails with a SQL error;
  • Degraded performance: without an index on the RLS column, every query does a full scan;
  • False sense of security: RLS doesn't protect if the user can modify the dataset or create their own charts. Couple with strict permissions;
  • Untested multi-clauses: multiple RLS filters on the same dataset can generate conflicts.

9. Best practices

  • Database index on RLS column (tenant_id, country, region);
  • Audit log enabled to trace each access to sensitive datasets;
  • Automated tests of RLS in CI;
  • Documentation of RLS rules at the dataset level.

10. Conclusion

Row Level Security is the backbone of multi-tenancy in Apache Superset. Properly configured, it simplifies the architecture and guarantees isolation. Misconfigured, it gives a false sense of security. With a few hours of initial investment and regular tests, RLS becomes invisible to users.
