dosubot[bot] commented on issue #34587: URL: https://github.com/apache/superset/issues/34587#issuecomment-3173792850
The "Access Denied" toasts for your readonly role are almost always caused by missing critical read permissions or by UI elements (like "+ CHART" or "VIEW ALL") that trigger backend API calls requiring write permissions, which your role intentionally lacks. Even with RLS and dashboard property edits, you must ensure the role has all necessary read/list/show permissions for dashboards, charts, datasets, saved queries, and logs. Missing any of these (especially `can_read` or `datasource access on` for datasets) will cause denied toasts, even for actions that seem read-only [[source](https://github.com/apache/superset/issues/34587)].

The welcome page and dashboard list require: `can_read` (and/or `can_list`/`can_show`) on Dashboard, Chart, SavedQuery, Dataset, Database, and Log, plus `can dashboard on Superset`, `can explore json on Superset`, and `datasource access on` for each dataset the user should see [[source](https://github.com/apache/superset-frontend/src/pages/Home/index.tsx)]. Do not grant any write, edit, or delete permissions.

UI elements like "+ CHART" will always show "Access Denied" if clicked by a readonly user, because they POST to endpoints your role can't access. Superset does not hide these buttons by default—you'd need custom frontend tweaks to fully suppress those toasts [[source](https://github.com/apache/superset/issues/32183)].

To refine your role, check the backend logs when a toast appears—the logs will specify which permission was missing for the denied action. Iteratively add only the missing read permissions, and restart Superset to clear any permission cache [[source](https://github.com/apache/superset/discussions/34353)]. RLS only filters data within datasets; it doesn't override missing object-level permissions.

If you want to avoid these toasts entirely, the only way is to hide or disable UI elements that trigger actions your role cannot perform. This requires frontend customization.
--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
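
A check for the role described in the comment above, as an added example that is not part of the original comment or of Superset's own code: it compares a role's permission strings with the read baseline the comment lists and flags any write, edit or delete grant. The role contents, the dataset names and the `[db].[table](id:N)` suffix on `datasource access on` entries are constructed for illustration.

```python
import re

# Read baseline taken from the comment above.
READ_VIEWS = ("Dashboard", "Chart", "SavedQuery", "Dataset", "Database", "Log")
REQUIRED = {f"can read on {v}" for v in READ_VIEWS} | {
    "can dashboard on Superset",
    "can explore json on Superset",
}
# Actions the comment says a read-only role must not hold.
WRITE_VERBS = ("can write", "can edit", "can delete")
DATASOURCE = re.compile(r"^datasource access on (.+)$")


def normalize(perm: str) -> str:
    """Treat `can_read on Chart` and `can read on Chart` as the same entry."""
    action, sep, view = perm.strip().partition(" on ")
    return action.replace("_", " ").lower() + sep + view


def audit_role(perms, datasets):
    """Return what a read-only role is missing and what it should not hold."""
    held = {normalize(p) for p in perms}
    granted = {m.group(1) for p in held if (m := DATASOURCE.match(p))}
    return {
        "missing_read": sorted(REQUIRED - held),
        "missing_datasets": sorted(set(datasets) - granted),
        "write_grants": sorted(p for p in held if p.startswith(WRITE_VERBS)),
    }


# Constructed sample: a role export with one gap and one excess grant.
SAMPLE_ROLE = [
    "can_read on Dashboard",
    "can read on Chart",
    "can_read on Dataset",
    "can read on Database",
    "can read on Log",
    "can dashboard on Superset",
    "can explore json on Superset",
    "can_write on Chart",
    "datasource access on [examples].[sales](id:1)",
]
SAMPLE_DATASETS = ["[examples].[sales](id:1)", "[examples].[costs](id:2)"]

if __name__ == "__main__":
    for finding, items in audit_role(SAMPLE_ROLE, SAMPLE_DATASETS).items():
        print(f"{finding}: {items}")
```
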