How to see the permissions granted to all database access on all_database_access.

[Devika7733]

Bug description

Hi , I am using permissions can read datasets, can read databses, can read dashboard, can read charts,can write datasets, can write databases, can write dashboard, can write charts on a custom user for uploading dashboards. With above permissions I was not able to read assets from superset. Whereas it is working with " all database access on all_database_access". Please let me know permissions assigned to thi.

Screenshots/recordings

No response

Superset version

5.0.0

Python version

3.11

Node version

18 or greater

Browser

Chrome

Additional context

No response

Checklist

• I have searched Superset docs and Slack and didn't find a solution to my problem.
• I have searched the GitHub issue tracker and didn't find a similar bug report.
• I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

[dosubot[bot]]

The "all database access on all_database_access" permission is a special global permission in Superset that grants access to all databases and, by extension, all datasets, charts, and dashboards connected to those databases. This permission is assigned by default to the Admin and Alpha roles, and acts as an override—if a user or role has it, Superset treats them as having universal access, bypassing granular per-object or per-database grants. That's why your custom role with only granular permissions couldn't read assets, but adding "all database access" worked—it short-circuits all database-level RBAC checks and unlocks all assets for browsing, uploading, or managing in Superset STANDARD_ROLES.md manager.py.

To view which roles have this permission in Superset 5.0, go to Settings > Security > List Roles in the UI, select a role (like Alpha or Admin), and check for "all database access on all_database_access" in the permissions list. If you want to compare, you can also check the full permission matrix to see which granular and global permissions are assigned to each standard role.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[Devika7733]

Hi @dosu, What permission I can use to list the dashbords, Charts, datasets and databases using API.

[dosubot[bot]]

To list dashboards, charts, datasets, and databases using the Superset API, your role needs the following permissions:

• Dashboards: can_read (or can_list/can_show) on Dashboard
• Charts: can_read (or can_list/can_show) on Chart, plus datasource access on the underlying dataset
• Datasets: datasource_access on the dataset, or all_datasource_access/all_database_access for broader access
• Databases: database_access on the database, or all_database_access/all_datasource_access for global access

These permissions apply to both the API and the UI—there are no special API-only permissions. If your custom role only has granular "can read" permissions but not datasource_access or database_access, you may not see assets in API responses. The all_database_access permission grants universal access and bypasses these granular checks, which is why it works when others do not. You can manage these permissions in Settings > Roles in the Superset UI. If you still see empty results, check for ownership, tags, or filters that might restrict visibility (source, source).

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[Devika7733]

Hi @dosu, Do the roles all_datasource_access/all_database_access and all_database_access/all_datasource_access provide read-only access rights, not write access?

[dosubot[bot]]

The permissions all_datasource_access and all_database_access grant broad access to all data sources and databases in Superset, and they include both read and write capabilities—not just read-only access. These permissions are assigned to the Admin and Alpha roles, which can view, create, edit, and delete datasets, charts, dashboards, and databases. For example, Alpha users can add and alter data sources, confirming that these permissions allow write actions as well as read actions docs permission matrix. If you want a strictly read-only role, you should avoid granting these global permissions and instead assign only the specific can_read (or can_list/can_show) permissions for each asset type.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[rusackas]

Moving this to a Discussion, since it's not a bug per se but happy to move it back if you do find a bug to tackle here :D

[Devika7733]

This has been fixed