dosubot[bot] commented on issue #34587: URL: https://github.com/apache/superset/issues/34587#issuecomment-3183763567
To minimize "Access Denied" toasts for your readonly role, you should:

- Remove any write, add, edit, or delete permissions. In your current list, specifically remove `can write on DashboardFilterStateRestApi`—this is a write permission and not needed for readonly access. Double-check for any other permissions that start with `can write`, `can add`, `can edit`, or `can delete` and remove those as well.
- To block readonly users from accessing user/role listing pages (even via direct URL), remove `can list` and `can show` on `RoleModelView` and `MyUserOAuthModelView` (and any similar user/role views) from the readonly role. This will prevent backend access, not just hide the menu [[source](https://github.com/apache/superset/issues/34587#issuecomment-3177725759)].
- Keep only the necessary read/list/show permissions for Dashboard, Chart, SavedQuery, Dataset, Database, and Log, plus `can dashboard on Superset`, `can explore json on Superset`, and `datasource access on` for each dataset the user should see [[source](https://github.com/apache/superset/issues/34587)].

Even with these changes, UI elements like "+ CHART" will still show "Access Denied" if clicked, because they require write permissions. Superset does not hide these buttons for readonly users by default—removing them requires custom frontend tweaks [[source](https://github.com/apache/superset/issues/34587#issuecomment-3173792850)].

If you still see denied toasts after these changes, check the backend logs for the exact missing permission and adjust as needed. RLS only filters data; it does not override missing object-level permissions.

Summary:

- Remove: `can write on DashboardFilterStateRestApi`, all `can write`, `can add`, `can edit`, `can delete` permissions, and `can list`/`can show` on user/role views.
- Keep: all necessary read/list/show permissions and `datasource access on` for datasets.
- UI toasts from "+ CHART" and similar actions can only be fully suppressed with frontend customization.
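As an added example (not from the issue thread and not Superset's own code), the following Python script applies the rules in the comment above to a role's permission list as copied from the role editor: write-type verbs are flagged for removal, `can list`/`can show` on the two user/role views named in the thread are flagged for removal, and everything else is kept. The `<permission> on <view>` string format and the sample role are assumptions constructed for illustration; anything the script cannot parse lands in a `review` bucket rather than being silently kept.

```python
"""Audit a Superset role's permission list against a readonly policy.

Added example, not Superset code. Permission strings are assumed to use
the "<permission> on <view/menu>" form shown in the role editor; the
sample role below is constructed for illustration.
"""
import re
from typing import Iterable

# Permission verbs that imply a write and never belong in a readonly role.
WRITE_VERBS = ("can write", "can add", "can edit", "can delete")

# User/role management views that readonly users should not be able to open,
# even via direct URL. These two names come from the issue thread; extend the
# set with any other user/role views your deployment exposes.
USER_ROLE_VIEWS = {"RoleModelView", "MyUserOAuthModelView"}

# Assumed format: "<permission> on <view>"; non-greedy so the view keeps any
# embedded " on " text intact.
PERM_RE = re.compile(r"^(?P<perm>.+?) on (?P<view>.+)$")


def classify(permission: str) -> tuple[str, str]:
    """Return (verdict, reason) for one permission string.

    verdict is 'remove', 'keep', or 'review' (unparseable input).
    """
    m = PERM_RE.match(permission.strip())
    if not m:
        return "review", "unrecognised permission format"
    perm, view = m.group("perm").lower(), m.group("view")
    if perm.startswith(WRITE_VERBS):
        return "remove", "write permission"
    if perm in ("can list", "can show") and view in USER_ROLE_VIEWS:
        return "remove", "exposes user/role listing"
    return "keep", "read-only"


def audit_readonly_role(permissions: Iterable[str]) -> dict[str, list[str]]:
    """Split a role's permissions into keep / remove / review buckets."""
    buckets: dict[str, list[str]] = {"keep": [], "remove": [], "review": []}
    for p in permissions:
        verdict, _ = classify(p)
        buckets[verdict].append(p.strip())
    return buckets


# Constructed sample: a readonly role roughly as it might appear in the editor,
# with the stray write permission and user/role view access from the thread.
SAMPLE_ROLE = [
    "can read on Dashboard",
    "can read on Chart",
    "can read on SavedQuery",
    "can read on Dataset",
    "can read on Database",
    "can read on Log",
    "can dashboard on Superset",
    "can explore json on Superset",
    "datasource access on [examples].[birth_names](id:3)",  # constructed value
    "can write on DashboardFilterStateRestApi",
    "can list on RoleModelView",
    "can show on MyUserOAuthModelView",
    "can edit on Dashboard",
]

if __name__ == "__main__":
    result = audit_readonly_role(SAMPLE_ROLE)
    for bucket in ("remove", "review", "keep"):
        for p in result[bucket]:
            print(f"{bucket.upper():7} {p}  ({classify(p)[1]})")
```

Paste the role's permission strings into `SAMPLE_ROLE` (or read them from a file) and act on the `REMOVE` lines; anything under `REVIEW` did not match the expected format and needs a manual look. The script only reasons about object-level permissions, so, as the comment notes, a clean `KEEP` list does not by itself suppress the toasts raised by write-only UI buttons.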