This documentation is for Dash Enterprise.
Dash Enterprise is the fastest way to write & deploy Dash apps and
Jupyter notebooks.
10% of the Fortune 500 uses Dash Enterprise to productionize AI and
data science apps. Find out if your company is using Dash Enterprise.
What users can do in Dash Enterprise is determined by:
viewerlicensed_useradminThe admin role that administrators can assign in Keycloak grants access to the Admin section of Dash Enterprise.
This Admin section contains some settings that administrators can configure directly in Dash Enterprise, as well as links to other services intended for administrators:
https://auth-<your-dash-enterprise-server>)https://auth-<your-dash-enterprise-server>/auth/realms/dash/wizard)These services have separate authentication and require different credentials than what you use to log in to Dash Enterprise as an administrator.
The credentials were obtained by the administrator who performed your Dash Enterprise installation and stored according to your organization’s best practices. Keycloak and the Keycloak IdP setup wizard both use
the same set of credentials.
We sometimes refer to actions performed in Keycloak as administrator-only, but they do not rely on the Dash Enterprise admin role like other actions detailed in Permissions below.
You can assign roles to users in Keycloak. If you’re unfamiliar with Keycloak, make sure you’ve read Using Keycloak.
For help determining the roles your users need or troubleshooting user-reported permission issues, see Permissions below.
Roles for Dash Enterprise are considered client roles in Keycloak. Roles can be assigned directly or inherited.
By default, the viewer role is added to all users as an inherited role, so you only need to assign licensed_user and admin roles. Assign licensed_user to members of your organization
who need license seats, and admin to those who administer Dash Enterprise.
Roles that you assign directly to a user become assigned roles, and roles that a user obtains through group membership become inherited roles. You can’t directly remove inherited roles from users in
their role mappings—instead, remove the user from the group or change the group’s role mappings.
User roles appear in the Dash Enterprise Users menu.
<img>
This list displays the same role information you see in Keycloak when selecting a user’s role mappings, but can be more convenient when you want to see multiple users’ roles at a glance.
If a user hasn’t logged in to Dash Enterprise yet, their role information may not be available in Dash Enterprise. Go to Keycloak to see the user’s roles.
Users can see their own roles by selecting their username.
<img>
They are also available in each user’s Personal Settings, in the User Profile section.
You can directly assign a role to a single user by editing the user’s role mappings. This is the recommended way to assign the licensed_user role.
To assign a role to a single user:
https://auth-<your-dash-enterprise-server>.<img>
Tip: If you have integrated a user federation provider, Keycloak does not display the user list when you go to Users. Find the user by searching.
<img>
dash client have any effect in Dash Enterprise.<img>
Role changes take effect the next time the user logs in to Dash Enterprise.
Important: Be careful when making role changes to users with the
licensed_userrole. If you remove thelicensed_userrole from a user who owns or co-owns apps in Dash Enterprise,
they will lose ownership of those apps. Learn how to transfer ownerless apps to new owners.
You can assign a role to all the members of a group at once by mapping the group to the role.
If you don’t have any groups yet, create groups natively in Keycloak or
map groups from your identity provider.
Important: Mapping the licensed_user role to a group is not recommended because it causes updates to license seat information in Dash Enterprise to be delayed.
To map a group to a role:
https://auth-<your-dash-enterprise-server>.<img>
<img>
dash client have any effect in Dash Enterprise.<img>
All group members now have the role as an inherited role.
Role changes take effect the next time the group members log in to Dash Enterprise.
Important: Be careful when making membership or role changes to groups mapped to the
licensed_userrole. If you remove thelicensed_userrole from a member of the group who owns or co-owns apps in Dash Enterprise
(by removing the user from the group or removing the role mapping from the group), they will lose ownership of those apps. Learn how to transfer ownerless apps to new owners.
viewer |
licensed_user |
admin |
|
|---|---|---|---|
| Initialize an app | ✓ | ||
| View the App Manager | ✓ | ✓ (1) | ✓ |
| View the Portal | ✓ (2) | ✓ (2) | ✓ |
| Customize the Portal | ✓ | ||
| Add SSH public keys | ✓ | ✓ | ✓ |
| View documentation | ✓ (3) | ||
| Use the App Catalog | ✓ | ||
| Use the Dash Enterprise CLI | ✓ (4) | ✓ (4) | ✓ (4) |
| View license seat information | ✓ | ||
| View users and user activity | ✓ | ||
| Transfer apps between users | ✓ | ||
| Edit the default memory limit for processes, workspaces, and services | ✓ | ||
| View and edit system limits | ✓ | ||
| View system information on the Monitoring page | ✓ | ✓ | |
| Configure the app viewer access policy | ✓ | ||
| Add data sources | ✓ | ✓ | |
| View data sources | ✓ (5) | ✓ | |
| Edit data sources | ✓ (6) | ✓ |
(1) Users only see apps that they own or co-own at https://<your-dash-enterprise-server>/apps.
(2) Users only see apps that are: * Set to Visible in Portal; and * Not Restricted, or Restricted and they were given access
(3) Documentation about Dash Enterprise libraries is only available to licensed users, but anyone can view the Dash Open Source documentation,
as well as information about some Dash Enterprise capabilities, by going to https://dash.plotly.com/.
(4) Users can only run commands that are allowed by their role and app ownership. Commands corresponding to actions that users
are unable to perform (empty cells in the permission tables on this page) return error messages.
(5) Users only see the data sources that they own, are shared with them, or are available to all logged in users.
(6) Users can only edit data sources that they own.
Only licensed users and administrators have access to an initialized app’s Info, where most actions related to development and configuration are performed.
Permissions are further broken down depending on whether the licensed user is the owner or co-owner of the app.
Users with the viewer role only cannot navigate to any app’s Info or workspace.
licensed_user (app owner) |
licensed_user (app co-owner) |
admin |
|
|---|---|---|---|
Deploy changes with git push |
✓ | ✓ | (1) |
Get the latest changes on your workstation with git pull or git clone |
✓ | ✓ | (1) |
| Access the App Info | ✓ | ✓ | ✓ |
| Rebuild & Deploy the app via the App Info | ✓ | ✓ | ✓ |
| Start and stop processes | ✓ | ✓ | ✓ |
| View build logs | ✓ | ✓ | ✓ |
| Edit app replicas | ✓ | ✓ | ✓ |
| Edit app memory limit | ✓ | ||
| Create a workspace | ✓ | ||
| Open the workspace IDE | ✓ | ✓ | |
| Make changes to the development app in the IDE and use the terminal | ✓ | ||
| Access the workspace development site | ✓ | ✓ | ✓ |
| Stop and restart the workspace | ✓ | ✓ | ✓ |
| Rebuild and update the workspace | ✓ | ||
| View workspace logs | ✓ | ✓ | ✓ |
| Edit workspace memory limit | ✓ | ||
| Delete the workspace | ✓ | ✓ | |
| Create managed databases | ✓ | ✓ | |
| Edit managed database memory limit | ✓ | ||
| Delete managed databases | ✓ | ✓ | ✓ |
| Enable and disable the persistent filesystem | ✓ | ✓ | ✓ |
| View app logs | ✓ | ✓ | ✓ |
| Configure viewer access | ✓ | ✓ | ✓ |
| Use Viewer Analytics | ✓ | ✓ | ✓ |
| Edit Portal settings | ✓ | ✓ | ✓ |
| Add and remove co-owners | ✓ | ✓ | ✓ |
| Add, edit, and delete app environment variables | ✓ (2) | ✓ (2) | ✓ (2) |
| Add, edit, and delete global environment variables | ✓ | ||
| Link and unlink data sources | ✓ | ✓ | ✓ |
| Manage the service accounts that the app can assume | ✓ | ✓ | ✓ |
| Set a default Python version for all newly created apps | ✓ | ||
| Override the default Python version for an app | ✓ | ✓ | ✓ |
| Delete the app | ✓ | ✓ | ✓ |
(1) Users with the admin role only cannot git push, git pull, or git clone apps. However, users with both the admin and licensed_user roles can run these commands against all apps.
(2) App environment variables that are automatically created by the system cannot be edited or deleted.
Users can view an app by going to its URL directly or by selecting it from the Portal (unless the app has Visible in Portal turned off). The permissions below apply to both methods.
App owners and co-owners can set their apps to Unauthenticated, Authenticated, or Restricted, as well as give specific users access to their Restricted apps.
Learn more about viewer access settings.
| | Unauthenticated user | viewer | licensed_user| licensed_user (app owner) | licensed_user (app co-owner) | admin |
| :— | :—: | :—: | :—: |
| View an Unauthenticated app | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View an Authenticated app | | ✓ | ✓ | ✓ | ✓ | ✓ |
| View a Restricted app | | If given access | If given access | ✓ | ✓ | ✓ |