New role configuration for a reaonly role (with access to specific dashboards ONLY)

[user1500177]

Hi Superset community,

I have an existing Superset setup with ~15 dashboards and an already configured read-only role with a broad set of permissions. I now need to create a new, more restricted read-only role that:

Requirements

• ✅ Can only view and run 2 specific dashboards

My Current Setup

• Superset version: 6
• I have DASHBOARD_RBAC feature flag — enabled (update accordingly)
• Authentication via OAuth2 (Zitadel) with AUTH_ROLES_MAPPING mapped to the correct newly created role for specific zitadel users

With superset api i think its possible to attach the these two role to those two specifci dashboards RIGHT with the dashboard RBAC enabled right ?

what is the minimum set of permissions i have to give to a user so that he/she can just see and run these dashboards without any other issues "like no accesss is denied and other issues"

[dosubot[bot]]

Yes, with DASHBOARD_RBAC enabled, you can assign your new role to those two specific dashboards, and users with that role will only see those dashboards. Here's how it works:

How Dashboard RBAC works: When roles are assigned to a dashboard, it bypasses dataset-level permission checks and implicitly grants read access to all charts and associated datasets on that dashboard . If no roles are assigned to a dashboard, regular dataset-level permissions apply as a fallback [1].

Minimum permissions for your restricted read-only role:

• can read on Dashboard
• can read on Chart
• can read on CurrentUserRestApi ⚠️ Often missed — without it users get a black screen with "Something went wrong"
• can explore on Superset
• can explore_json on Superset
• can log on Superset
• can time range on Api (if dashboards use time filters)
• can read on Dataset
• can list on Dataset
• can get on Dataset
• can read on Database
• can list on Database
• can get on Database
• can read on Theme (if dashboards use themes — without it, users get 403 errors and infinite loading) [2]

[3]

Do NOT grant all_datasource_access — users access data through the dashboard context instead.

Steps to set it up:

1. Create the role with the permissions above
2. Make sure the two dashboards are marked as published (required for RBAC checks to work) [4]
3. In each dashboard's settings, assign your new role — this can indeed be done via the API (PUT /api/v1/dashboard/{id} with the roles field)
4. Map the role in your AUTH_ROLES_MAPPING for the relevant Zitadel users

Once the role is assigned to a dashboard, only users with that role (plus admins) will see it in the dashboard list and be able to access it.

To reply, just mention @dosu.

---

Share context across your team and agents. Try Dosu.