GitHub user dosubot[bot] added a comment to the discussion: Access Denied toasts displaying Randomly for Custom "readonly" role
This is a common challenge with custom readonly roles in Superset. The "Access Denied" toasts usually happen because some UI actions (like "+ CHART" or "VIEW ALL") trigger backend API calls that require permissions not included in a minimal readonly role—sometimes even for actions that seem read-only. For example, viewing dashboards and charts reliably requires permissions like `can dashboard on Superset`, `can dashboard permalink on Superset`, `can explore json on Superset`, `can read on Chart`, `can read on Dashboard`, and `can read on DashboardPermalinkRestApi`, plus `datasource access on` for each dataset you want users to see. Missing any of these can cause random "Access Denied" toasts, even if most things work as expected [[discussion](https://github.com/apache/superset/discussions/33125)].

Some UI elements (like "+ CHART") may try to POST or access endpoints that require write permissions, which your readonly role intentionally lacks—so clicking them will always show an error. This is expected unless you hide or disable those buttons for readonly users [[code reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/dashboards/api.py)].

To refine your role, check the Superset backend logs when a toast appears; the logs will usually specify which permission was missing for the denied action [[discussion](https://github.com/apache/superset/discussions/34353)]. After updating permissions, restart Superset to ensure changes take effect, as caching can cause stale permission states [[issue](https://github.com/apache/superset/issues/31810)].

There’s no official minimal readonly role, but community-tested lists suggest starting with the permissions above and iteratively adding any others reported in the logs as missing. Avoid granting write or edit permissions to keep the role truly readonly [[discussion](https://github.com/apache/superset/discussions/33125)].
If you want to avoid these toasts entirely, consider hiding or disabling UI elements that trigger actions your role cannot perform. This usually requires custom frontend tweaks, as Superset does not currently hide all such buttons for readonly users by default.

GitHub link: https://github.com/apache/superset/discussions/34779#discussioncomment-14170603
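As an added example (not part of the comment above or of Superset's own code), a small Python audit that takes a role's permission labels in the `can read on Chart` form the comment uses, reports which entries of the baseline listed above are missing, checks `datasource access on` for a given dataset list, and flags write-style grants that would make the role not truly readonly. The sample role and dataset names are constructed, and the list of write-style prefixes is an assumption, not a Superset constant.

```python
"""Audit a Superset role's permission labels against a readonly baseline.

Added example, not Superset code. Labels are the "<permission> on <view menu>"
strings shown in Superset's role editor; the sample role below is constructed.
"""
from __future__ import annotations

# Baseline taken from the comment above: what viewing dashboards/charts needs.
READONLY_BASELINE = {
    ("can dashboard", "Superset"),
    ("can dashboard permalink", "Superset"),
    ("can explore json", "Superset"),
    ("can read", "Chart"),
    ("can read", "Dashboard"),
    ("can read", "DashboardPermalinkRestApi"),
}

# Assumed, conservative list of label prefixes that grant mutation.
WRITE_PREFIXES = ("can write", "can add", "can edit", "can delete",
                  "all database access", "all datasource access")


def parse_permission(label: str) -> tuple[str, str]:
    """Split 'can read on Chart' into ('can read', 'Chart').

    Splits on the first ' on ' only, so dataset view-menu names such as
    '[db].[schema].[table](id:N)' survive even if they contain ' on '.
    """
    perm, sep, view = label.partition(" on ")
    if not sep:
        raise ValueError(f"not a permission label: {label!r}")
    return perm.strip(), view.strip()


def audit_readonly_role(role_labels: list[str], datasets: list[str]) -> dict[str, list[str]]:
    """Return baseline/dataset grants the role lacks and write grants it carries."""
    have = {parse_permission(label) for label in role_labels}
    missing = sorted(f"{p} on {v}" for p, v in READONLY_BASELINE - have)
    # One 'datasource access on <view menu>' entry is needed per visible dataset.
    missing += sorted(f"datasource access on {d}" for d in datasets
                      if ("datasource access", d) not in have)
    writes = sorted(f"{p} on {v}" for p, v in have
                    if p.startswith(WRITE_PREFIXES))
    return {"missing": missing, "write_permissions": writes}


# Constructed sample: a role that is both incomplete and accidentally writable.
SAMPLE_ROLE = ["can read on Chart", "can read on Dashboard", "can dashboard on Superset",
               "can explore json on Superset",
               "datasource access on [examples].[public].[sales](id:12)",
               "can write on Chart"]
SAMPLE_DATASETS = ["[examples].[public].[sales](id:12)",
                   "[examples].[public].[orders](id:15)"]

if __name__ == "__main__":
    print(audit_readonly_role(SAMPLE_ROLE, SAMPLE_DATASETS))
```

Feed it the labels of your actual role and rerun after each change suggested by the backend logs; an empty `missing` list with an empty `write_permissions` list is the target state.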
