Bug description
With Superset in version 4.0.2, an Alpha user can create a filter by simply selecting a value from a filter's drop-down list. A Gamma user cannot. He can only enter a value manually.
The list has values if the 'can get column values on datasource' permission is present in the role.
I don't understand the purpose of this permission. Any user editing a chart should be able to use the drop-down list to define the filter.
Removing it would make the situation simpler.
Screenshots/recordings
No response
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [ ] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
The 'can get column values on datasource' permission controls whether a user can fetch distinct values for a column, which is what powers the filter drop-down lists in Superset. If a user (like Gamma) lacks this permission or access to the datasource, the API returns a 403 error and the dropdown can't be populated—users can only enter values manually. This is intentional and part of Superset's security model, designed to limit data exposure and control access to potentially sensitive metadata or large data scans for performance reasons. The frontend simply tries to fetch values; if the API call fails due to missing permissions, it falls back to manual entry.
If you want Gamma users to use filter dropdowns, you can safely grant them the 'can get column values on datasource' permission and ensure they have access to the relevant datasources. Removing this permission requirement is not recommended, as it's a deliberate part of Superset's granular role-based access control. More details are in the code and tests that enforce this behavior (API implementation, permission tests).
Comment From: rusackas
The bot is quite correct, this is by design. You can, of course, change the permissions associated with these roles, if you wish, but the design is that people without this permission can't surface PII or other sensitive info, or bog down the DB if filters are configured poorly.
Closing as resolved, but happy to revisit if you think there's more to unfurl.