dosubot[bot] commented on issue #35960: URL: https://github.com/apache/superset/issues/35960#issuecomment-3481318897
<!-- Answer --> This 403 error is often caused by missing global permissions like `all_database_access` or `all_datasource_access`, even if granular permissions (like `can_external_metadata_by_name`) are present. Superset's permission model requires these global permissions for universal access to certain endpoints, including `/datasource/external_metadata_by_name/`—especially for admin-like actions and API calls. Double-check that your Admin role actually has `all database access on all_database_access` in the permissions list, not just the granular ones. If you recently changed role mappings or upgraded, run `superset init` to sync permissions in the database, then restart Superset to clear any stale permission state. With Okta OAuth, make sure `AUTH_ROLES_MAPPING` and `AUTH_ROLES_SYNC_AT_LOGIN` are assigning roles in the backend database, not just in the session. If the user object (`g.user`) is missing a fully loaded roles relationship (which can happen with some OAuth setups), permission checks may silently fail and return 403s even if the UI shows the correct roles. You may want to log or inspect `g.user.roles` after login to confirm the roles are loaded from the database as expected. More details on this permission model and common causes for silent 403s are discussed [here](https://github.com/apache/superset/issues/35795) and [here](https://github.com/apache/superset/issues/35939). <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/a77bd561-7eb4-4235-8006-7c2f5c61b4ed?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/a77bd561-7eb4-4235-8006-7c2f5c61b4ed?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/a77bd561-7eb4-4235-8006-7c2f5c61b4ed?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/a77bd561-7eb4-4235-8006-7c2f5c61b4ed?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/a77bd561-7eb4-4235-8006-7c2f5c61b4ed?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/a77bd561-7eb4-4235-8006-7c2f5c61b4ed?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/a77bd561-7eb4-4235-8006-7c2f5c61b4ed?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=githu b) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/issues/35960) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
