dosubot[bot] commented on issue #35795: URL: https://github.com/apache/superset/issues/35795#issuecomment-3432073337
<!-- Answer --> The "all database access on all_database_access" permission is a special global permission in Superset that grants access to all databases and, by extension, all datasets, charts, and dashboards connected to those databases. This permission is assigned by default to the Admin and Alpha roles, and acts as an override—if a user or role has it, Superset treats them as having universal access, bypassing granular per-object or per-database grants. That's why your custom role with only granular permissions couldn't read assets, but adding "all database access" worked—it short-circuits all database-level RBAC checks and unlocks all assets for browsing, uploading, or managing in Superset [STANDARD_ROLES.md](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/RESOURCES/STANDARD_ROLES.md) [manager.py](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py). To view which roles have this permission in Superset 5.0, go to Settings > Security > List Roles in the UI, select a role (like Alpha or Admin), and check for "all database access on all_database_access" in the permissions list. If you want to compare, you can also check the [full permission matrix](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/RESOURCES/STANDARD_ROLES.md) to see which granular and global permissions are assigned to each standard role. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/a85349a2-af07-4d37-89d0-2743e952fe39?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/a85349a2-af07-4d37-89d0-2743e952fe39?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/a85349a2-af07-4d37-89d0-2743e952fe39?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/a85349a2-af07-4d37-89d0-2743e952fe39?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/a85349a2-af07-4d37-89d0-2743e952fe39?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/a85349a2-af07-4d37-89d0-2743e952fe39?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/a85349a2-af07-4d37-89d0-2743e952fe39?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=githu b) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/issues/35795) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
