GitHub user dosubot[bot] added a comment to the discussion: Access Denied toasts displaying Randomly for Custom "readonly" role
Yes, you can create a readonly role in Superset that prevents users from editing, deleting, or adding dashboards, databases, charts, etc. To avoid "Access Denied" toasts on the welcome page, make sure your role has at least these permissions: `can_read` (and/or `can_list`/`can_show`) on Dashboard, Chart, SavedQuery, Dataset, Database, and Log resources. Also include `can dashboard on Superset`, `can explore json on Superset`, and `datasource access on` for each dataset the user should see. These cover all the API calls the welcome page makes for listing and viewing objects [[source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/src/pages/Home/index.tsx)].

Do not grant any write, edit, or delete permissions (like `can write`, `can delete`, `can add`, or `set_embedded`) on these resources. This will block all modification actions [[source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/charts/api.py)].

However, UI elements like "+ CHART" or "+ DASHBOARD" buttons will still appear and trigger access denied toasts if clicked, because they try to POST to endpoints your role can't access. Superset does not hide these buttons for readonly users by default—you'd need custom frontend tweaks to fully suppress those toasts [[source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/src/features/home/ChartTable.tsx)].

If you want to be sure you've covered all cases, check Superset's backend logs when a toast appears—the logs will show which permission was missing for that action [[source](https://github.com/apache/superset/discussions/34353)].

GitHub link: https://github.com/apache/superset/discussions/34779#discussioncomment-14170605
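
A least-privilege check for the role described in the comment above, as an added example that is not part of the original comment or of Superset's code. It assumes the role's permissions have been exported as `<action> on <resource>` strings; the function names and the sample role are constructed for illustration.

```python
import re

# Permission and resource names are taken from the comment above. The
# "<action> on <resource>" string form and SAMPLE_ROLE are assumptions.
READ_RESOURCES = ["Dashboard", "Chart", "SavedQuery", "Dataset", "Database", "Log"]
READ_ACTIONS = {"can read", "can list", "can show"}
REQUIRED_ON_SUPERSET = {"can dashboard", "can explore json"}
WRITE_ACTIONS = {"can write", "can delete", "can add", "set embedded"}


def parse(perm):
    """Split 'can_read on Chart' into ('can read', 'Chart')."""
    m = re.match(r"^\s*(.+?)\s+on\s+(.*\S)\s*$", perm)
    if not m:
        raise ValueError(f"unrecognised permission string: {perm!r}")
    return m.group(1).replace("_", " ").lower(), m.group(2)


def audit_readonly_role(perms):
    """Return (missing, excess, has_datasource_access) for a role."""
    granted = {}
    for p in perms:
        action, resource = parse(p)
        granted.setdefault(resource, set()).add(action)
    # Any one of read/list/show satisfies the read requirement per resource.
    missing = [f"read/list/show on {r}" for r in READ_RESOURCES
               if not granted.get(r, set()) & READ_ACTIONS]
    missing += [f"{a} on Superset" for a in sorted(REQUIRED_ON_SUPERSET)
                if a not in granted.get("Superset", set())]
    # Write-type grants are flagged on every resource, not only the six above.
    excess = sorted(f"{a} on {r}" for r, acts in granted.items()
                    for a in acts & WRITE_ACTIONS)
    has_ds = any("datasource access" in acts for acts in granted.values())
    return missing, excess, has_ds


SAMPLE_ROLE = [  # constructed sample: lacks read on Log, has a stray write
    "can_read on Dashboard", "can_read on Chart", "can_list on SavedQuery",
    "can_read on Dataset", "can_read on Database",
    "can dashboard on Superset", "can explore json on Superset",
    "datasource access on [examples].[sales](id:3)",
    "can_write on Chart",
]

if __name__ == "__main__":
    missing, excess, has_ds = audit_readonly_role(SAMPLE_ROLE)
    print("missing:", missing)
    print("excess:", excess)
    print("datasource access granted:", has_ds)
```
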
