Description
After transitioning to Airflow 2.0 from previous versions where RBAC functioned fine, I am facing a new behaviour, and I don't know whether it is expected.
When creating a new role, instead of using VIEWER permissions as a base, Airflow enforces the same permissions as the USER role; this results in not being able to set granular access control for specific DAGs. I did notice that the behaviour is tied closely to update_fab_perms and whether it is set to true or false.
Additional attempts were made to edit the VIEWER role to grant it access to dag_edit on specific DAGs, but that doesn't work either. Any other permission is too permissive and grants the role full access to running DAGs. I could not find anything in the documentation that would indicate something is being done wrong.
How to reproduce:
Simply run the official helm chart on the repository, try creating a new role, and after some time it will sync, creating all the permissions similar to USER. Or just try granting granular dag_edit permissions on a specific DAG and note that permission is still denied.
Moreover, I am not quite sure whether it is intended behaviour to enforce that all new roles have a similar set of permissions as USER (or closely similar), but I think the approach of least amount of access should be applied for new roles. Note that in previous versions of Airflow this behaviour didn't happen, and for some reason on the latest one it does.