Roles and Permissions

This documentation is for Dash Enterprise.
Dash Enterprise is the fastest way to write & deploy Dash apps and
Jupyter notebooks.
10% of the Fortune 500 uses Dash Enterprise to productionize AI and
data science apps. Find out if your company is using Dash Enterprise.

What users can do in Dash Enterprise is determined by:

Roles, which administrators can assign in Keycloak. They are:
viewer
licensed_user
admin
App ownership (app creators become owners and can add co-owners).
App viewer access settings, which app owners and co-owners can modify.

About Admin Actions and the admin Role

The admin role that administrators can assign in Keycloak grants access to the Admin section of Dash Enterprise.

This Admin section contains some settings that administrators can configure directly in Dash Enterprise, as well as links to other services intended for administrators:

Keycloak (https://auth-<your-dash-enterprise-server>)
The Keycloak IdP setup wizard (https://auth-<your-dash-enterprise-server>/auth/realms/dash/wizard)
The KOTS Admin Console (https://admin-<your-dash-enterprise-server>)

These services have separate authentication and require different credentials than what you use to log in to Dash Enterprise as an administrator.

The credentials were obtained by the administrator who performed your Dash Enterprise installation and stored according to your organization’s best practices. Keycloak and the Keycloak IdP setup wizard both use
one set of credentials, and the KOTS Admin Console uses a different set.

We sometimes refer to actions performed in Keycloak and the KOTS Admin Console as administrator-only, but they do not rely on the Dash Enterprise admin role like other actions detailed in Permissions below.

Assigning Roles

You can assign roles to users in Keycloak. If you’re unfamiliar with Keycloak, make sure you’ve read Using Keycloak.

The viewer role is assigned to all users by default, so you only need to assign licensed_user and admin roles. Assign licensed_user to members of your organization
who need license seats, and admin to those who administer Dash Enterprise.

For help determining the roles your users need or troubleshooting user-reported permission issues, see Permissions below.

Roles for Dash Enterprise are considered Client Roles in Keycloak. The role mappings for a new user look like:

<img>

The Assigned Roles and Effective Roles represent the roles that a user has. In the example above, no roles have been assigned to the user yet, so the user only has the default viewer role
as an effective role.

Roles that you assign directly to a user become assigned roles, and roles that a user obtains through group membership become effective roles. You can’t directly remove effective roles from users in
their role mappings—instead, remove the user from the group or change the group’s role mappings.

User roles appear in the Dash Enterprise Users menu.

<img>

This list displays the same role information you see in Keycloak when selecting a user’s role mappings, but can be more convenient when you want to see multiple users’ roles at a glance.

If a user hasn’t logged in to Dash Enterprise yet, their role information may not be available in Dash Enterprise. Go to Keycloak to see the user’s roles.

Users can see their own roles by selecting their username.

<img>

They are also available in each user’s Personal Settings, in the User Profile section.

Assigning a Role to a Single User

You can directly assign a role to a single user by editing the user’s role mappings. This is the recommended way to assign the licensed_user role.

To assign a role to a single user:

Go to Keycloak at https://auth-<your-dash-enterprise-server>.
Go to Users.
Find the user you want to assign a role to. You may need to select View all users to display the full list of users.
Select the user; then go to Role Mappings.
In Client Roles, select dash.
In Available Roles, select the role you want to assign; then select Add selected. The user now has the role as an assigned role.

The role change takes effect within a few seconds.

Important: Be careful when making role changes to users with the licensed_user role. If you remove the licensed_user role from a user who owns or co-owns apps in Dash Enterprise,
they will lose ownership of those apps. Learn more about app ownership in License Seats.

Assigning a Role to a Group

You can assign a role to all the members of a group at once by mapping the group to the role.

If you don’t have any groups yet, create groups natively in Keycloak or
map groups from your identity provider.

Important: Mapping the licensed_user role to a group is not recommended because it causes updates to license seat information in Dash Enterprise to be delayed.

To map a group to a role:

Go to Keycloak at https://auth-<your-dash-enterprise-server>.
Go to Groups.
Select the group you want to map; then select Edit.
Go to Role Mappings.
In Client Roles, select dash.
In Available Roles, select the role you want to map; then select Add selected. All group members now have the role as an effective role.

The role change takes effect after the affected group members perform certain actions:

If the group was natively created in Keycloak or synced from an LDAP IdP, the affected group members need to refresh Dash Enterprise or log out and back in.
If the group was imported from a SAML or OIDC IdP, the affected group members need to log out and back in to Dash Enterprise.

Consider logging the users out by selecting affected users individually and then going to Sessions > Log out all sessions. Alternatively, you can log all Dash Enterprise users out at once by going to Sessions and then selecting Logout all.

Important: Be careful when making membership or role changes to groups mapped to the licensed_user role. If you remove the licensed_user role from a member of the group who owns or co-owns apps in Dash Enterprise
(by removing the user from the group or removing the role mapping from the group), they will lose ownership of those apps. Learn more about app ownership in