Bug description

A end-user should be able to drill-by/drill-to with 2 permissons:

  • can read on Explore
  • can samples on Datasource

Currently can explore is mandatory but it gives too many privileges ( see query, open chart,...)

How to reproduce the bug

Create a user have only the permissions: - can read on Explore - can samples on Datasource

this user can't drill down.

Screenshots/recordings

No response

Superset version

3.1.2

Python version

3.10

Node version

16

Browser

Not applicable

Additional context

No response

Checklist

  • [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: chakri0215

Hi Guys,

Any update on this?

Comment From: tsator

I have the same problem, the end user cannot see the drill options without the can explore on superset permission

Comment From: marianysilva

I have the same problem here: I can enable drill to detail by adding the can read on Explore and can samples on Datasource permissions. However, it's noted that the can explore permission is currently mandatory but gives too many privileges.

menu (In red what I don't need) Screenshot 2024-07-31 at 10 05 53

drill to detail Screenshot 2024-07-31 at 09 56 52

Cannot use drill-by/drill-to without can explore on Superset permission #27900 chore: Add granular permissions for actions in Dashboard #27029 Slack thread

Comment From: rusackas

Hmm... pinging @michael-s-molina in case he has any input here. Maybe we need to migrate to a more explicit permission?

Comment From: sfirke

This remains a pain point. I want to give the Gamma user permission to drill-by and drill-to-detail. Right now in 4.0.2 I'm giving them: - can explore on Superset - can samples on Datasource - can write on DashboardFilterStateRestApi - can write on ExploreFormDataRestAPI <-- this one was necessary for drill-by, specifically - all datasource access on all_datasource_access <-- without this, things work but there are error messages both as toast and in the drill to detail view - This seems to have done it. As others note, can explore on Superset is too broad as it lets the user see the query and edit the chart. And all datasource access on all_datasource_access seems like overkill too, especially because I believe it's only getting rid of error messages and there's no reason it's really needed?

My ideal fixes would be: - break the can explore on Superset permission into a more granular package - if those error messages are misleading or erroneous, squash them so we don't need to invoke all datasource access

Comment From: lugitpl

I have this basic permission set up for just a viewing user:

  • can read on CssTemplate
  • can read on Chart
  • can read on Dataset
  • can read on Dashboard
  • can read on Database
  • can read on Query
  • can userinfo on UserDBModelView
  • can invalidate on CacheRestApi
  • can read on DashboardFilterStateRestApi
  • can read on Explore
  • can read on Tag
  • can time range on Api
  • can fetch datasource metadata on Superset
  • can explore json on Superset
  • can log on Superset
  • can dashboard on Superset
  • can warm up cache on Superset
  • can recent activity on Log
  • can grant guest token on SecurityRestApi
  • can csv on Superset

and just for drilling to be able I use:

  • can drill on Dashboard
  • can samples on Datasource
  • can write on ExploreFormDataRestApi

datasource access on [...] I put in a separate role for specific dataset in dashboard. It works all fine for me and I don't use can explore on superset.

Comment From: tsator

I have this basic permission set up for just a viewing user:

  • can read on CssTemplate
  • can read on Chart
  • can read on Dataset
  • can read on Dashboard
  • can read on Database
  • can read on Query
  • can userinfo on UserDBModelView
  • can invalidate on CacheRestApi
  • can read on DashboardFilterStateRestApi
  • can read on Explore
  • can read on Tag
  • can time range on Api
  • can fetch datasource metadata on Superset
  • can explore json on Superset
  • can log on Superset
  • can dashboard on Superset
  • can warm up cache on Superset
  • can recent activity on Log
  • can grant guest token on SecurityRestApi
  • can csv on Superset

and just for drilling to be able I use:

  • can drill on Dashboard
  • can samples on Datasource
  • can write on ExploreFormDataRestApi

datasource access on [...] I put in a separate role for specific dataset in dashboard. It works all fine for me and I don't use can explore on superset.

What version of superset are you testing this solution on?

Comment From: lugitpl

4.1

Comment From: rusackas

Safe to say, we're still open to PR submissions here.