Roles and Permissions

This documentation is for Dash Enterprise.
Dash Enterprise is the fastest way to write & deploy Dash apps and
Jupyter notebooks.
10% of the Fortune 500 uses Dash Enterprise to productionize AI and
data science apps. Find out if your company is using Dash Enterprise.

What users can do in Dash Enterprise is determined by:

About Admin Actions and the admin Role

The admin role that administrators can assign in Keycloak grants access to the Admin section of Dash Enterprise.

This Admin section contains some settings that administrators can configure directly in Dash Enterprise, as well as links to other services intended for administrators:

These services have separate authentication and require different credentials than what you use to log in to Dash Enterprise as an administrator.

The credentials were obtained by the administrator who performed your Dash Enterprise installation and stored according to your organization’s best practices. Keycloak and the Keycloak IdP setup wizard both use
one set of credentials, and the KOTS Admin Console uses a different set.

We sometimes refer to actions performed in Keycloak and the KOTS Admin Console as administrator-only, but they do not rely on the Dash Enterprise admin role like other actions detailed in Permissions below.

Assigning Roles

You can assign roles to users in Keycloak. If you’re unfamiliar with Keycloak, make sure you’ve read Using Keycloak.

For help determining the roles your users need or troubleshooting user-reported permission issues, see Permissions below.

Roles for Dash Enterprise are considered client roles in Keycloak. Roles can be assigned directly or inherited.

By default, the viewer role is added to all users as an inherited role, so you only need to assign licensed_user and admin roles. Assign licensed_user to members of your organization
who need license seats, and admin to those who administer Dash Enterprise.

Roles that you assign directly to a user become assigned roles, and roles that a user obtains through group membership become inherited roles. You can’t directly remove inherited roles from users in
their role mappings—instead, remove the user from the group or change the group’s role mappings.

User roles appear in the Dash Enterprise Users menu.

<img>

This list displays the same role information you see in Keycloak when selecting a user’s role mappings, but can be more convenient when you want to see multiple users’ roles at a glance.

If a user hasn’t logged in to Dash Enterprise yet, their role information may not be available in Dash Enterprise. Go to Keycloak to see the user’s roles.

Users can see their own roles by selecting their username.

<img>

They are also available in each user’s Personal Settings, in the User Profile section.

Assigning a Role to a Single User

You can directly assign a role to a single user by editing the user’s role mappings. This is the recommended way to assign the licensed_user role.

To assign a role to a single user:

  1. Go to Keycloak at https://auth-&lt;your-dash-enterprise-server&gt;.
  2. In the realm list, select dash.

<img>

  1. Go to Users.
  2. Find the user you want to assign a role to.

Tip: If you have integrated a user federation provider, Keycloak does not display the user list when you go to Users. Find the user by searching.

  1. Select the user; then go to Role mapping.
  2. Select Assign role.
  3. Change the filter to Filter by clients.

<img>

  1. Find and select the role you want to assign (you may need to navigate to the next pages). Only those roles labelled with the dash client have any effect in Dash Enterprise.

<img>

  1. Select Assign.
  2. Log the user out of Dash Enterprise:
    1. Go to Sessions.
    2. Select Log out all sessions.

Role changes take effect the next time the user logs in to Dash Enterprise.

Important: Be careful when making role changes to users with the licensed_user role. If you remove the licensed_user role from a user who owns or co-owns apps in Dash Enterprise,
they will lose ownership of those apps. Learn how to transfer ownerless apps to new owners.

Assigning a Role to a Group

You can assign a role to all the members of a group at once by mapping the group to the role.

If you don’t have any groups yet, create groups natively in Keycloak or
map groups from your identity provider.

Important: Mapping the licensed_user role to a group is not recommended because it causes updates to license seat information in Dash Enterprise to be delayed.

To map a group to a role:

  1. Go to Keycloak at https://auth-&lt;your-dash-enterprise-server&gt;.
  2. In the realm list, select dash.

<img>

  1. Go to Groups.
  2. Select the group that you want to map.
  3. Go to Role mapping.
  4. Select Assign role.
  5. Change the filter to Filter by clients.

<img>

  1. Find and select the role you want to assign (you may need to navigate to the next pages). Only those roles labelled with the dash client have any effect in Dash Enterprise.

<img>

All group members now have the role as an inherited role.

  1. Log the group members out of Dash Enterprise:
    * Go to Users. For each group member, select the user; then go to Sessions and select Log out all sessions.
    * Alternatively, you can log all Dash Enterprise users out at once by going to Sessions and then selecting Logout all sessions. Note that it takes up to a few minutes for all users to be logged out.

Role changes take effect the next time the group members log in to Dash Enterprise.

Important: Be careful when making membership or role changes to groups mapped to the licensed_user role. If you remove the licensed_user role from a member of the group who owns or co-owns apps in Dash Enterprise
(by removing the user from the group or removing the role mapping from the group), they will lose ownership of those apps.