GitHub user paulsonkevgit added a comment to the discussion: Access Denied 
toasts displaying Randomly for Custom "readonly" role

@dosu @rusackas 

I have added the permissions suggested by @dosu AND removed some permissions 
from the readonly role (like menu access for roles, data security, manage, etc., 
because in the settings drop-down of the readonly user I don't want to see those options).


UPDATED readonly permissions now 
[can list on SavedQuery, can read on SavedQuery, can read on CssTemplate, can 
read on ReportSchedule, can read on Chart, can read on Annotation, can read on 
Dataset, can recent activity on Log, can read on Log, can drill on Dashboard, 
can read on Dashboard, can read on Database, can read on Query, can show on 
MyUserOAuthModelView, can userinfo on MyUserOAuthModelView, can list on 
MyUserOAuthModelView, can show on RoleModelView, can list on RoleModelView, can 
show on RegisterUserModelView, can list on RegisterUserModelView, can get on 
OpenApi, can show on SwaggerView, can get on MenuApi, can this form get on 
DashboardModelView1, can this form post on DashboardModelView1, can list on 
AsyncEventsRestApi, can read on AdvancedDataType, can read on AvailableDomains, 
can write on DashboardFilterStateRestApi, can read on 
DashboardFilterStateRestApi, can read on DashboardPermalinkRestApi, can read on 
Explore, can read on ExploreFormDataRestApi, can read on 
ExplorePermalinkRestApi, can read on Row Level Security, can read on Tag, 
can time range on Api, can dashboard on 
Superset, can explore json on Superset, menu access on Tags, can read on 
SecurityRestApi, can read on RowLevelSecurity, menu access on Home, menu access 
on Dashboards, menu access on Charts, menu access on Datasets, menu access on 
Plugins]

------------------------------------------------------------------------------------------------------------------------------------------

The following are the permissions of the GAMMA user, who is not 
encountering the access denied toaster.
Gamma:
[can show on SavedQuery, can add on SavedQuery, can delete on SavedQuery, can 
edit on SavedQuery, can list on SavedQuery, can tag on Chart, can export on 
Chart, can write on Chart, can read on Chart, can read on Dataset, can recent 
activity on Log, can tag on Dashboard, can drill on Dashboard, can view chart 
as table on Dashboard, can view query on Dashboard, can delete embedded on 
Dashboard, can export on Dashboard, can get embedded on Dashboard, can cache 
dashboard screenshot on Dashboard, can write on Dashboard, can read on 
Dashboard, can read on Database, can this form get on ResetMyPasswordView, can 
this form post on ResetMyPasswordView, userinfoedit on MyUserOAuthModelView, 
can show on MyUserOAuthModelView, can userinfo on MyUserOAuthModelView, can add 
on MyUserOAuthModelView, can delete on MyUserOAuthModelView, can edit on 
MyUserOAuthModelView, can list on MyUserOAuthModelView, can get on OpenApi, can 
show on SwaggerView, can get on MenuApi, can this form get on 
DashboardModelView1, can this form post on DashboardModelView1, can list on 
AsyncEventsRestApi, can read on AdvancedDataType, can read on AvailableDomains, 
can invalidate on CacheRestApi, can write on DashboardFilterStateRestApi, can 
read on DashboardFilterStateRestApi, can write on DashboardPermalinkRestApi, 
can read on DashboardPermalinkRestApi, can get on Datasource, can external 
metadata by name on Datasource, can external metadata on Datasource, can read 
on EmbeddedDashboard, can read on Explore, can write on ExploreFormDataRestApi, 
can read on ExploreFormDataRestApi, can write on ExplorePermalinkRestApi, can 
read on ExplorePermalinkRestApi, can write on Tag, can bulk create on Tag, can 
read on Tag, can estimate query cost on SQLLab, can format sql on SQLLab, can 
show on DynamicPlugin, can list on DynamicPlugin, can query form data on Api, 
can query on Api, can time range on Api, can get value on KV, can store on KV, 
can share chart on Superset, can share dashboard on Superset, can csv on 
Superset, can dashboard on Superset, can dashboard permalink on Superset, can 
explore json on Superset, can slice on Superset, can log on Superset, can 
explore on Superset, can fetch datasource metadata on Superset, menu access on 
Tags, can list on Tags, can tags on TagView, can read on SecurityRestApi, can 
read on RowLevelSecurity, menu access on User Details, menu access on Home, 
menu access on Data, menu access on Databases, menu access on Dashboards, menu 
access on Charts, menu access on Datasets, menu access on Plugins]

------------------------------------------------------------------------------------------------------------------------------------------

Are Gamma users much more privileged than the readonly user? Even with the 
updated permissions for the readonly user, I encounter the Access is denied message 
for the readonly user at 4 places mainly:

1) At the welcome page

<img width="531" height="1011" alt="Image" src="https://github.com/user-attachments/assets/fc333401-c73a-4fa0-8fe6-6ed3222ec134" />


2) After removing the menu access, also on the user-listing and role-listing 
pages (even if the menu access for those is hidden, I can still go to the URLs 
for roles and list users; can I in some way block the readonly user's 
permissions to visit those sites as well?)

<img width="950" height="159" alt="Image" src="https://github.com/user-attachments/assets/4f170ecf-4e43-46b2-a7a6-116d39090339" />


3) When a specific dashboard is selected...

<img width="1825" height="848" alt="Image" src="https://github.com/user-attachments/assets/3f3a49c2-d0e0-4e2d-924c-9a618882b9a7" />

4) After the user has logged out (and reaches the login page)

<img width="1907" height="930" alt="Image" src="https://github.com/user-attachments/assets/af953dd9-d004-4560-bd11-918755bed5ce" />


GitHub link: 
https://github.com/apache/superset/discussions/34779#discussioncomment-14170610
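
Added example, not part of the original comment or of Superset's code: a Python script that parses permission listings in the `[action on View, ...]` form quoted above, reports the non-menu permissions a role still holds on named views (the readonly list in the comment keeps `can list` and `can show` on `RoleModelView` and `RegisterUserModelView`, the pages from point 2), and diffs two roles. The embedded lists are shortened excerpts of the ones in the comment, and the function names are this example's own.

```python
import re

# Excerpts of the two lists in the comment above (shortened; paste the
# full bracketed lists to compare the real roles).
READONLY = """[can list on SavedQuery, can read on Chart, can read on Log,
can show on RoleModelView, can list on RoleModelView, can show on
RegisterUserModelView, can list on RegisterUserModelView, can read on
  Row Level Security, menu access on Home, menu access on Dashboards]"""
GAMMA = """[can list on SavedQuery, can write on Chart, can read on Chart,
can recent activity on Log, userinfoedit on MyUserOAuthModelView, can write
on Dashboard, menu access on Home, menu access on Dashboards, menu access
on User Details]"""


def parse_permissions(text):
    """Return {(action, view), ...} from a '[perm on View, ...]' listing."""
    flat = re.sub(r"\s+", " ", text.strip().strip("[]"))  # undo mail wrapping
    pairs = set()
    for item in filter(None, (i.strip() for i in flat.split(","))):
        action, sep, view = item.partition(" on ")
        if not sep:
            raise ValueError(f"unrecognised permission entry: {item!r}")
        pairs.add((action.strip(), view.strip()))
    return pairs


def still_granted(pairs, views):
    """Non-menu permissions a role keeps on views it should not reach."""
    found = {}
    for action, view in pairs:
        if view in views and action != "menu access":
            found.setdefault(view, set()).add(action)
    return found


def only_in(first, second):
    """Permissions present in `first` but absent from `second`, sorted."""
    return sorted(first - second)


if __name__ == "__main__":
    ro, gamma = parse_permissions(READONLY), parse_permissions(GAMMA)
    blocked = {"RoleModelView", "RegisterUserModelView"}
    for view, acts in still_granted(ro, blocked).items():
        print(f"{view}: {sorted(acts)}")
    print("readonly but not Gamma:", only_in(ro, gamma))
    print("Gamma but not readonly:", only_in(gamma, ro))
```

Run against the full lists, the second and third reports show whether the custom role is a strict subset of Gamma or carries permissions Gamma does not have.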
