Governance

SSO, row-level security, audit logging, and SOC 2 compliance for your Superset deployment.

D23 is built for organizations where data access controls are not optional. Governance is included in every plan, not an add-on.

Single sign-on (SSO)

Connect your identity provider so users log in with their company credentials. D23 supports:

  • SAML 2.0 — Okta, Azure AD, Google Workspace, OneLogin, and any SAML-compliant IdP.
  • OIDC / OAuth 2.0 — Google, GitHub, Okta, and custom providers.

SSO is configured per workspace. Users are provisioned on first login (JIT provisioning) and inherit roles based on IdP group membership.

Role-based access control (RBAC)

Superset's RBAC lets you define exactly what each role can see and do:

  • Alpha — can create and edit dashboards and datasets.
  • Gamma — read-only access to shared dashboards.
  • Custom roles — mix and match permissions at the chart, dataset, or database level.

Assign roles manually or sync them from your IdP groups automatically.

Row-level security (RLS)

RLS applies data filters automatically based on the logged-in user's role or attributes. A single dashboard can serve every region, customer, or business unit — each user sees only their rows.

RLS rules are defined per dataset and per role. They are evaluated at query time and cannot be bypassed by users.
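
A simplified model of the query-time evaluation described above, as an added example that is not D23's or Superset's code: the role's rule scopes the dataset first, so a viewer's own dashboard filter can only narrow the rows it admits. The rule table, role names, `orders` sample data, OR-combination of matching rules, and the fail-closed default are assumptions of this sketch.

```python
import sqlite3

# Constructed rules: (dataset, role) -> SQL predicate written by an admin.
RLS_RULES = {
    ("orders", "emea_sales"): "region = 'EMEA'",
    ("orders", "apac_sales"): "region = 'APAC'",
}
COLUMNS = {"orders": ("id", "region", "amount")}  # allow-list for user filters


def rls_predicate(dataset, roles):
    """Combine every rule that matches the user's roles for this dataset."""
    clauses = [RLS_RULES[(dataset, r)] for r in sorted(roles)
               if (dataset, r) in RLS_RULES]
    # Assumption of this sketch: no matching rule means no rows (fail closed).
    return " OR ".join(f"({c})" for c in clauses) or "1 = 0"


def query_as(conn, dataset, roles, user_filters=None):
    """Run a dashboard query; user filters see only RLS-admitted rows."""
    cols = COLUMNS[dataset]  # KeyError for datasets outside the allow-list
    user_filters = user_filters or {}
    unknown = set(user_filters) - set(cols)
    if unknown:
        raise ValueError(f"unknown filter column(s): {sorted(unknown)}")
    # User-supplied values are bound as parameters, never spliced into SQL.
    where = " AND ".join(f"{c} = ?" for c in user_filters) or "1 = 1"
    sql = (f"SELECT {', '.join(cols)} FROM "
           f"(SELECT * FROM {dataset} WHERE {rls_predicate(dataset, roles)}) "
           f"WHERE {where} ORDER BY id")
    return conn.execute(sql, list(user_filters.values())).fetchall()


def demo_conn():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, region TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "EMEA", 100), (2, "APAC", 250), (3, "AMER", 75)])
    return conn


if __name__ == "__main__":
    conn = demo_conn()
    print(query_as(conn, "orders", {"emea_sales"}))                      # EMEA rows only
    print(query_as(conn, "orders", {"emea_sales"}, {"region": "APAC"}))  # nothing to widen
    print(query_as(conn, "orders", {"gamma"}))                           # no rule, no rows
```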

Audit logging

Every login, dashboard view, chart query, and schema change is written to an immutable audit log with:

  • timestamp,
  • user identity,
  • action (view, edit, delete, query),
  • target (dashboard, dataset, database), and
  • query text for SQL Lab sessions.

Audit logs are retained for 90 days on managed plans and are exportable to your SIEM or S3 bucket.

SOC 2

D23 maintains SOC 2 Type II compliance. Request the report at [email protected].

Encryption

  • In transit: all connections use TLS 1.2+.
  • At rest: database credentials and secrets are encrypted with AES-256.
  • Query results: cached results are encrypted in the query cache layer.