Superset DB roles access filters

[inkerinmaa]

I configured role and granted access to 2 datasets. They appear in DB. Query I used:
SELECT abr.id AS role_id, abr.name AS role_name, rfr.rls_filter_id AS filter_id, rft.table_id AS table_id, t.table_name FROM public.ab_role abr JOIN public.rls_filter_roles rfr ON abr.id = rfr.role_id JOIN public.rls_filter_tables rft ON rfr.rls_filter_id = rft.rls_filter_id JOIN public.tables t ON rft.table_id = t.id
Next, I removed access for 1 dataset, checked - no access anymore to that dataset fro this role. But query still shows I have access. How to confirm there are no access, how to see this in db?

[dosubot[bot]]

The query you used checks row-level security filter associations, but Superset's actual dataset access for roles is managed through PermissionView and ViewMenu tables, which link roles to dataset permissions. After you remove access to a dataset for a role, you should confirm that the relevant PermissionView entries (and their associations in ab_permission_view_role) for that dataset and role are deleted—this is what truly removes access in the database. Your query may show outdated results if row-level security filter records weren't cleaned up or if they're not directly tied to permission removal. For accurate verification, check that the role no longer has a datasource_access PermissionView for the dataset in question, and that there are no ab_permission_view_role links between the role and that PermissionView. More details on this mechanism are in the Superset security manager code here.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}