This documentation is for Dash Enterprise.
Dash Enterprise is the fastest way to write & deploy Dash apps and
10% of the Fortune 500 uses Dash Enterprise to productionize AI and
data science apps. Find out if your company is using Dash Enterprise.
What users can do in Dash Enterprise is determined by:
admin role that administrators can assign in Keycloak grants access to the Admin section of Dash Enterprise.
This Admin section contains some settings that administrators can configure directly in Dash Enterprise, as well as links to other services intended for administrators:
These services have separate authentication and require different credentials than what you use to log in to Dash Enterprise as an administrator.
The credentials were obtained by the administrator who performed your Dash Enterprise installation and stored according to your organization’s best practices. Keycloak and the Keycloak IdP setup wizard both use
one set of credentials, and the KOTS Admin Console uses a different set.
We sometimes refer to actions performed in Keycloak and the KOTS Admin Console as administrator-only, but they do not rely on the Dash Enterprise
admin role like other actions detailed in Permissions below.
You can assign roles to users in Keycloak. If you’re unfamiliar with Keycloak, make sure you’ve read Using Keycloak.
viewer role is assigned to all users by default, so you only need to assign
admin roles. Assign
licensed_user to members of your organization
who need license seats, and
admin to those who administer Dash Enterprise.
For help determining the roles your users need or troubleshooting user-reported permission issues, see Permissions below.
Roles for Dash Enterprise are considered Client Roles in Keycloak. The role mappings for a new user look like:
The Assigned Roles and Effective Roles represent the roles that a user has. In the example above, no roles have been assigned to the user yet, so the user only has the default
as an effective role.
Roles that you assign directly to a user become assigned roles, and roles that a user obtains through group membership become effective roles. You can’t directly remove effective roles from users in
their role mappings—instead, remove the user from the group or change the group’s role mappings.
User roles appear in the Dash Enterprise Users menu.
This list displays the same role information you see in Keycloak when selecting a user’s role mappings, but can be more convenient when you want to see multiple users’ roles at a glance.
If a user hasn’t logged in to Dash Enterprise yet, their role information may not be available in Dash Enterprise. Go to Keycloak to see the user’s roles.
Users can see their own roles by selecting their username.
They are also available in each user’s Personal Settings, in the User Profile section.
You can directly assign a role to a single user by editing the user’s role mappings. This is the recommended way to assign the
To assign a role to a single user:
The role change takes effect within a few seconds.
Important: Be careful when making role changes to users with the
licensed_userrole. If you remove the
licensed_userrole from a user who owns or co-owns apps in Dash Enterprise,
they will lose ownership of those apps. Learn more about app ownership in License Seats.
You can assign a role to all the members of a group at once by mapping the group to the role.
Important: Mapping the
licensed_user role to a group is not recommended because it causes updates to license seat information in Dash Enterprise to be delayed.
To map a group to a role:
The role change takes effect after the affected group members perform certain actions:
Consider logging the users out by selecting affected users individually and then going to Sessions > Log out all sessions. Alternatively, you can log all Dash Enterprise users out at once by going to Sessions and then selecting Logout all.
Important: Be careful when making membership or role changes to groups mapped to the
licensed_userrole. If you remove the
licensed_userrole from a member of the group who owns or co-owns apps in Dash Enterprise
(by removing the user from the group or removing the role mapping from the group), they will lose ownership of those apps. Learn more about app ownership in