dosubot[bot] commented on issue #34587: URL: https://github.com/apache/superset/issues/34587#issuecomment-3168344989
Yes, you can create a readonly role in Superset that prevents users from editing, deleting, or adding dashboards, databases, charts, etc.

To avoid "Access Denied" toasts on the welcome page, make sure your role has at least these permissions: `can_read` (and/or `can_list`/`can_show`) on Dashboard, Chart, SavedQuery, Dataset, Database, and Log resources. Also include `can dashboard on Superset`, `can explore json on Superset`, and `datasource access on` for each dataset the user should see. These cover all the API calls the welcome page makes for listing and viewing objects [[source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/src/pages/Home/index.tsx)].

Do not grant any write, edit, or delete permissions (like `can write`, `can delete`, `can add`, or `set_embedded`) on these resources. This will block all modification actions [[source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/charts/api.py)].

However, UI elements like "+ CHART" or "+ DASHBOARD" buttons will still appear and trigger access denied toasts if clicked, because they try to POST to endpoints your role can't access. Superset does not hide these buttons for readonly users by default—you'd need custom frontend tweaks to fully suppress those toasts [[source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/src/features/home/ChartTable.tsx)].

If you want to be sure you've covered all cases, check Superset's backend logs when a toast appears—the logs will show which permission was missing for that action [[source](https://github.com/apache/superset/discussions/34353)].

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
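A least-privilege check for the role described in the comment above, as an added example that is not part of the original comment or of Superset's code: it takes a role's grants as "permission on resource" strings and reports read permissions that are missing and write permissions that should not be there. The input format, the function names, and the sample role and dataset names are assumptions constructed for illustration.

```python
import re

# Permission and resource names are taken from the comment above;
# nothing in this script is read from a Superset instance.
READ_RESOURCES = ["Dashboard", "Chart", "SavedQuery", "Dataset", "Database", "Log"]
READ_PERMS = {"can_read", "can_list", "can_show"}
EXTRA_REQUIRED = {("can_dashboard", "Superset"), ("can_explore_json", "Superset")}
WRITE_PERMS = {"can_write", "can_delete", "can_add", "set_embedded"}


def parse(line):
    """Split 'can read on Dashboard' into ('can_read', 'Dashboard')."""
    perm, _, resource = line.strip().partition(" on ")
    return re.sub(r"\s+", "_", perm.strip().lower()), resource.strip()


def audit_role(lines, datasets=()):
    """Return grants the readonly role still needs and grants it must lose."""
    grants = {parse(line) for line in lines if line.strip()}
    missing = []
    # Each listed resource needs at least one of the read-style permissions.
    for res in READ_RESOURCES:
        if not any((perm, res) in grants for perm in READ_PERMS):
            missing.append(f"can_read on {res}")
    missing += [f"{p} on {r}" for p, r in sorted(EXTRA_REQUIRED - grants)]
    # One 'datasource access' grant per dataset the user should see.
    missing += [f"datasource_access on {d}" for d in datasets
                if ("datasource_access", d) not in grants]
    # Assumption: a write-style permission is flagged on any resource,
    # not only on the six listed above.
    excessive = sorted(f"{p} on {r}" for p, r in grants if p in WRITE_PERMS)
    return {"missing": missing, "excessive": excessive}


# Constructed sample role export, one grant per line.
SAMPLE_ROLE = """
can read on Dashboard
can read on Chart
can list on SavedQuery
can read on Dataset
can read on Database
can dashboard on Superset
can write on Chart
datasource access on [examples].[sales](id:1)
"""
SAMPLE_DATASETS = ["[examples].[sales](id:1)", "[examples].[hr](id:2)"]

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE.splitlines(), SAMPLE_DATASETS))
```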
