Bug description

We've created a custom role in Superset called "readonly" with assigned permissions to allow view-only access. But the users assigned this role frequently encounter "Access Denied" toaster notifications while navigating through the Superset UI — even when performing actions that should be permitted.

Allowed Permissions (for readonly Role):

[can list on SavedQuery, can read on SavedQuery, can read on CssTemplate, can read on ReportSchedule, can read on Chart, can read on Annotation, can read on Dataset, can recent activity on Log, can read on Log, can drill on Dashboard, can read on Dashboard, can read on Database, can read on Query, can show on MyUserOAuthModelView, can userinfo on MyUserOAuthModelView, can list on MyUserOAuthModelView, can show on RoleModelView, can list on RoleModelView, can show on RegisterUserModelView, can list on RegisterUserModelView, can get on OpenApi, can show on SwaggerView, can get on MenuApi, can this form get on DashboardModelView1, can this form post on DashboardModelView1, can list on AsyncEventsRestApi, can read on AdvancedDataType, can read on AvailableDomains, can write on DashboardFilterStateRestApi, can read on DashboardFilterStateRestApi, can read on DashboardPermalinkRestApi, can read on Explore, can read on ExploreFormDataRestApi, can read on ExplorePermalinkRestApi, menu access on Row Level Security, can read on Row Level Security, can read on Tag, can time range on Api, can dashboard on Superset, can explore json on Superset, menu access on Tags, can read on SecurityRestApi, can read on RowLevelSecurity, menu access on Security, menu access on List Users, menu access on List Roles, menu access on User Registrations, menu access on Action Log, menu access on Home, menu access on Data, menu access on Databases, menu access on Dashboards, menu access on Charts, menu access on Datasets, menu access on Manage, menu access on Plugins, menu access on CSS Templates, menu access on Alerts & Report, menu access on Annotation Layers].

Screenshots/recordings

Image

Superset version

4.1.3

Python version

3.10

Node version

18 or greater

Browser

Chrome

Additional context

No response

Checklist

  • [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [ ] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

This is a common challenge with custom readonly roles in Superset. The "Access Denied" toasts usually happen because some UI actions (like "+ CHART" or "VIEW ALL") trigger backend API calls that require permissions not included in a minimal readonly role—sometimes even for actions that seem read-only. For example, viewing dashboards and charts reliably requires permissions like can dashboard on Superset, can dashboard permalink on Superset, can explore json on Superset, can read on Chart, can read on Dashboard, and can read on DashboardPermalinkRestApi, plus datasource access on each dataset you want users to see. Missing any of these can cause random "Access Denied" toasts, even if most things work as expected [discussion].

Some UI elements (like "+ CHART") may try to POST or access endpoints that require write permissions, which your readonly role intentionally lacks—so clicking them will always show an error. This is expected unless you hide or disable those buttons for readonly users [code reference].

To refine your role, check the Superset backend logs when a toast appears; the logs will usually specify which permission was missing for the denied action [discussion]. After updating permissions, restart Superset to ensure changes take effect, as caching can cause stale permission states [issue].

There’s no official minimal readonly role, but community-tested lists suggest starting with the permissions above and iteratively adding any others reported in the logs as missing. Avoid granting write or edit permissions to keep the role truly readonly [discussion].

If you want to avoid these toasts entirely, consider hiding or disabling UI elements that trigger actions your role cannot perform. This usually requires custom frontend tweaks, as Superset does not currently hide all such buttons for readonly users by default.

To reply, just mention @dosu.

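As an added example (not part of the issue or of Superset's own code): a small Python audit that parses a role's permission list in the form Superset's role editor displays it, checks it against the permissions dosubot names as needed for viewing dashboards and charts, and lists every grant with a state-changing verb for review. The role excerpt is copied from the issue above (shortened), and the set of verbs treated as write-capable is an assumption made here.

```python
"""Audit a Superset custom role's permission list for a readonly setup."""

# Excerpt of the "readonly" role's permissions as copied from the issue
# (constructed subset of the full list; enough to reproduce both findings).
READONLY_ROLE = """[can list on SavedQuery, can read on SavedQuery, can read on Chart,
can read on Dashboard, can drill on Dashboard, can read on Database,
can this form get on DashboardModelView1, can this form post on DashboardModelView1,
can write on DashboardFilterStateRestApi, can read on DashboardFilterStateRestApi,
can read on DashboardPermalinkRestApi, can dashboard on Superset,
can explore json on Superset, menu access on Row Level Security]"""

# Permissions the bot comment says dashboard/chart viewing reliably needs.
# Per-dataset "datasource access on ..." grants vary by name and are not checked here.
REQUIRED_FOR_VIEWING = {
    ("can dashboard", "Superset"),
    ("can dashboard permalink", "Superset"),
    ("can explore json", "Superset"),
    ("can read", "Chart"),
    ("can read", "Dashboard"),
    ("can read", "DashboardPermalinkRestApi"),
}

# Assumption: verbs that can change server-side state. Each hit is listed for
# review; decide per endpoint whether a readonly role really needs it.
WRITE_VERBS = {"can write", "can add", "can edit", "can delete", "can this form post"}


def parse_permissions(text: str) -> set[tuple[str, str]]:
    """Turn the UI's "[perm on view, ...]" string into (permission, view_menu) pairs.
    Splits on the first " on "; no permission verb in the page's list contains it."""
    pairs = set()
    for item in text.strip().strip("[]").split(","):
        item = " ".join(item.split())  # collapse line breaks and repeated spaces
        if not item:
            continue
        perm, _, view = item.partition(" on ")
        pairs.add((perm, view))
    return pairs


def audit_readonly(role_text: str, required=REQUIRED_FOR_VIEWING) -> dict[str, set[str]]:
    """Return the viewing permissions the role lacks and the write grants it holds."""
    granted = parse_permissions(role_text)
    missing = {f"{p} on {v}" for p, v in required - granted}
    writes = {f"{p} on {v}" for p, v in granted if p in WRITE_VERBS}
    return {"missing_for_viewing": missing, "write_grants": writes}


if __name__ == "__main__":
    for key, names in audit_readonly(READONLY_ROLE).items():
        print(f"{key}:")
        for name in sorted(names):
            print(f"  - {name}")
```

Run against the full list from the issue, the same check reports "can dashboard permalink on Superset" as absent, which matches one of the permissions the bot comment says viewing needs.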