GitHub user dosubot[bot] added a comment to the discussion: Access Denied 
toasts displaying Randomly for Custom "readonly" role

To minimize "Access Denied" toasts for your readonly role, you should:

- Remove any write, add, edit, or delete permissions. In your current list, 
specifically remove `can write on DashboardFilterStateRestApi`—this is a write 
permission and not needed for readonly access. Double-check for any other 
permissions that start with `can write`, `can add`, `can edit`, or `can delete` 
and remove those as well.
- To block readonly users from accessing user/role listing pages (even via 
direct URL), remove `can list` and `can show` on `RoleModelView` and 
`MyUserOAuthModelView` (and any similar user/role views) from the readonly 
role. This will prevent backend access, not just hide the menu 
[[source](https://github.com/apache/superset/issues/34587#issuecomment-3177725759)].
- Keep only the necessary read/list/show permissions for Dashboard, Chart, 
SavedQuery, Dataset, Database, and Log, plus `can dashboard on Superset`, `can 
explore json on Superset`, and `datasource access on` for each dataset the user 
should see [[source](https://github.com/apache/superset/issues/34587)].

Even with these changes, UI elements like "+ CHART" will still show "Access 
Denied" if clicked, because they require write permissions. Superset does not 
hide these buttons for readonly users by default—removing them requires custom 
frontend tweaks 
[[source](https://github.com/apache/superset/issues/34587#issuecomment-3173792850)].

If you still see denied toasts after these changes, check the backend logs for 
the exact missing permission and adjust as needed. RLS only filters data; it 
does not override missing object-level permissions.

Summary:  
- Remove: `can write on DashboardFilterStateRestApi`, all `can write`, `can 
add`, `can edit`, `can delete` permissions, and `can list`/`can show` on 
user/role views.
- Keep: all necessary read/list/show permissions and `datasource access on` for 
datasets.
- UI toasts from "+ CHART" and similar actions can only be fully suppressed 
with frontend customization.


GitHub link: 
https://github.com/apache/superset/discussions/34779#discussioncomment-14170613
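
The permission clean-up the comment above describes can be checked mechanically before touching the role editor. The script below is an added example, not Superset's or the bot's code: it takes a role's permissions in the "<permission> on <view>" form Superset shows in the role editor, flags every write-type action and every list/show on a user or role admin view, and reports which of the required `Superset` view permissions are missing. The regex used to recognise user/role admin views is a heuristic assumption (FAB names them `RoleModelView` and `User<Backend>ModelView`), and the sample role list is constructed for the example.

```python
"""Audit a Superset role's permission list against the readonly rules above.

Added example, not Superset's or Dosu's code. Permission strings use the
"<permission> on <view or menu>" form shown in Superset's role editor.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional

# Mutating actions. "can write" is the REST API write permission; the rest are
# FAB ModelView actions. A readonly role should carry none of them.
WRITE_ACTIONS = frozenset({"can write", "can add", "can edit", "can delete"})

# Heuristic (assumption): FAB user/role admin views are named RoleModelView or
# User<Backend>ModelView (e.g. UserDBModelView, MyUserOAuthModelView).
USER_ROLE_VIEW = re.compile(r"(Role|User\w*)ModelView$")

# Permissions the comment says a readonly role still needs on the Superset view.
REQUIRED = frozenset({"can dashboard on Superset", "can explore json on Superset"})


def parse(pvm: str) -> tuple[str, str]:
    """Split 'can read on Dashboard' into ('can read', 'Dashboard')."""
    perm, sep, view = pvm.partition(" on ")
    if not sep:
        raise ValueError(f"not a '<permission> on <view>' string: {pvm!r}")
    return perm.strip(), view.strip()


def should_remove(pvm: str) -> Optional[str]:
    """Return why this permission must leave a readonly role, or None to keep it."""
    perm, view = parse(pvm)
    if perm in WRITE_ACTIONS:
        return "write permission"
    if perm in ("can list", "can show") and USER_ROLE_VIEW.search(view):
        return "user/role admin view"
    return None


def audit(pvms: Iterable[str]) -> dict[str, list]:
    """Classify a role's permissions into keep/remove and list required ones missing."""
    report: dict[str, list] = {"keep": [], "remove": [], "missing": []}
    present = set()
    for pvm in pvms:
        present.add(pvm)
        reason = should_remove(pvm)
        if reason:
            report["remove"].append((pvm, reason))
        else:
            report["keep"].append(pvm)
    report["missing"] = sorted(REQUIRED - present)
    return report


# Constructed sample: a "readonly" role as it might appear in the role editor.
SAMPLE_READONLY_ROLE = [
    "can read on Dashboard",
    "can read on Chart",
    "can read on Dataset",
    "can read on Database",
    "can read on SavedQuery",
    "can read on Log",
    "can write on DashboardFilterStateRestApi",
    "can read on DashboardFilterStateRestApi",
    "can list on RoleModelView",
    "can show on MyUserOAuthModelView",
    "can dashboard on Superset",
    "datasource access on [examples].[birth_names](id:3)",
]

if __name__ == "__main__":
    result = audit(SAMPLE_READONLY_ROLE)
    for pvm, reason in result["remove"]:
        print(f"REMOVE  {pvm}  ({reason})")
    for pvm in result["missing"]:
        print(f"MISSING {pvm}")
    print(f"keeping {len(result['keep'])} permissions")
```

Run it against the role's permission list pasted from the role editor; anything it prints as REMOVE is what the comment says to drop, and anything printed as MISSING is one of the two `Superset` view permissions the comment says to keep. Because `parse` splits on the first " on ", `datasource access on [schema].[table](id:N)` entries come through intact and are kept.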

----
This is an automatically sent email for notifications@superset.apache.org.
To unsubscribe, please send an email to: 
notifications-unsubscr...@superset.apache.org