{"id":334,"date":"2022-05-12T00:00:00","date_gmt":"2022-05-12T00:00:00","guid":{"rendered":"https:\/\/tac.debuzzify.com\/?p=334"},"modified":"2023-06-28T00:12:53","modified_gmt":"2023-06-28T00:12:53","slug":"streamlit-advanced-authentication","status":"publish","type":"post","link":"https:\/\/www.the-analytics.club\/streamlit-advanced-authentication\/","title":{"rendered":"Control Who Could Access Your Streamlit Dashboards"},"content":{"rendered":"\n\n\n

Authentication may keep outsiders out, but we need an authorization flow to control who can see what.<\/p>\n\n\n\n

Streamlit<\/a> simplifies one of the biggest difficulties data scientists face: building an app to interact with their machine-learning models. It provides a set of declarative methods to create web components.<\/p>\n\n\n\n

But security is a problem when you share Streamlit apps with others. Streamlit has a built-in solution to restrict access to users. But it\u2019s far from perfect.<\/p>\n\n\n\n

In a previous post, I shared how we can use Django\u2019s authentication framework<\/a> to improve the security of Streamlit apps.<\/p>\n\n\n\n

This post continues the previous one and covers more granular access control strategies for your Streamlit app<\/a>. I suggest you read the first one before diving into this.<\/p>\n\n\n\n

\n
\n
\n

Grab your aromatic coffee <\/a>(or tea<\/a>) and get ready…!<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n

Why do we need authorization control?<\/b><\/h2>\n\n\n\n

A login screen prevents unidentified people from accessing the system. We call it user authentication.<\/p>\n\n\n\n

Yet authentication is only one item, albeit an essential one, on your security checklist. There are several ways you could improve on it.<\/p>\n\n\n\n

For instance, you could put an IP restriction on your firewall<\/a>. But doing so puts a coarse, high-level rule in place that blocks people en masse.<\/p>\n\n\n\n

What if you want granular control?<\/p>\n\n\n\n

\n

Say you need to show employees only a specific part of the dashboard<\/a>. But you may decide to offer a team-level dashboard and individual ones to the team leads.<\/p>\n<\/blockquote>\n\n\n\n

The ability to do this is access control.<\/p>\n\n\n\n

We\u2019ve already discussed why Streamlit\u2019s suggested user authentication flow isn\u2019t good enough for production-grade apps. We\u2019ve used Django to bridge the gap.<\/p>\n\n\n\n

Streamlit also has no option for authorization. Let\u2019s go ahead and extend the Django authentication to handle permissions.<\/p>\n\n\n\n

Controlling dashboard permissions with Django.<\/b><\/h2>\n\n\n\n

The plan is simple.<\/p>\n\n\n\n

Assign users to specific groups. A user can be in multiple groups too. We can do this in the admin interface.<\/p>\n\n\n\n

Then in the Streamlit app<\/a>, we check for the group membership of the logged-in user.<\/p>\n\n\n\n

If this check is passed, we\u2019ll render the dashboard. Otherwise, we\u2019ll display a message saying, \u201cYou cannot view this dashboard.\u201d<\/p>\n\n\n\n

But don\u2019t we need the groups in the first place? Let\u2019s start there.<\/p>\n\n\n\n

Create user groups in the Django admin console.<\/b><\/h3>\n\n\n\n

If you\u2019ve been following the previous post, you should now have a Django app running, and you can access the admin portal.<\/p>\n\n\n\n

We\u2019ve also created users. In the same way, let\u2019s click the add button next to \u201cGroup\u201d and add the following groups.<\/p>\n\n\n\n