aminghadersohi opened a new pull request, #38367: URL: https://github.com/apache/superset/pull/38367
## SUMMARY When a viewer user asks the AI assistant to create charts or dashboards, the assistant suggests creating datasets even though the viewer lacks permissions. This happens because the MCP service does not expose the user's roles, so the LLM has no way to know the user's permission level. ### Changes: - **Add `roles` field to `UserInfo` schema** — the LLM now receives role names (e.g., `["Viewer"]`, `["Admin"]`) in the `get_instance_info` response - **Populate roles from `user.roles`** in the `get_instance_info` tool - **Add "Permission Awareness" section to `DEFAULT_INSTRUCTIONS`** — guides the LLM to check user roles before suggesting write operations and provides appropriate alternatives for read-only users ### Before LLM receives `current_user` with only `id`, `username`, `first_name`, `last_name`, `email` — no role info. When `list_datasets` returns 0 results for a Viewer, the LLM suggests "create a dataset" which the user cannot do. ### After LLM receives `current_user.roles = ["Viewer"]` and instructions tell it to check roles before suggesting write operations. For read-only users with empty results, it explains access limitations and suggests asking an admin for help. ## BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF N/A — backend-only change to MCP service tool responses and instructions. ## TESTING INSTRUCTIONS 1. Connect to the MCP service as a Viewer user 2. Call `get_instance_info` — verify `current_user.roles` is populated with the user's role names 3. Ask the assistant to create a chart when no datasets are accessible — verify it explains the permission limitation instead of suggesting "create a dataset" ## ADDITIONAL INFORMATION - [ ] Has associated issue — [sc-100265](https://app.shortcut.com/preset/story/100265) - [ ] Required feature flags — none - [ ] Changes UI — no - [ ] Includes DB Migration — no - [ ] Introduces new feature or API — adds `roles` field to existing `UserInfo` schema - [ ] Removes existing feature or API — no -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
