diff --git a/UPDATING.md b/UPDATING.md
index f730ac1d86edc..b8dd5397d5da2 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -24,6 +24,8 @@ assists users migrating to a new version.
 
 ## Airflow Master
 
+### Viewer won't have edit permissions on DAG view.
+
 ### RedisPy dependency updated to v3 series
 
 If you are using the Redis Sensor or Hook you may have to update your code. See
diff --git a/airflow/www/security.py b/airflow/www/security.py
index 22ea7db5d1868..7bd5c75a5dd69 100644
--- a/airflow/www/security.py
+++ b/airflow/www/security.py
@@ -129,11 +129,16 @@
 'all_dags'
 }
 
-DAG_PERMS = {
- 'can_dag_read',
+WRITE_DAG_PERMS = {
 'can_dag_edit',
 }
 
+READ_DAG_PERMS = {
+ 'can_dag_read',
+}
+
+DAG_PERMS = WRITE_DAG_PERMS | READ_DAG_PERMS
+
 ###########################################################################
 # DEFAULT ROLE CONFIGURATIONS
 ###########################################################################
@@ -141,7 +146,7 @@
 ROLE_CONFIGS = [
 {
 'role': 'Viewer',
- 'perms': VIEWER_PERMS | DAG_PERMS,
+ 'perms': VIEWER_PERMS | READ_DAG_PERMS,
 'vms': VIEWER_VMS | DAG_VMS
 },
 {
diff --git a/tests/www/test_views.py b/tests/www/test_views.py
index e73b67e6517e6..c682c2c9beacb 100644
--- a/tests/www/test_views.py
+++ b/tests/www/test_views.py
@@ -1060,7 +1060,7 @@ def login(self, username=None, password=None):
 role=role_user,
 password='test_user')
 
- role_viewer = self.appbuilder.sm.find_role('User')
+ role_viewer = self.appbuilder.sm.find_role('Viewer')
 test_viewer = self.appbuilder.sm.find_user(username='test_viewer')
 if not test_viewer:
 self.appbuilder.sm.add_user(
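Review bot: The new `WRITE_DAG_PERMS` and `READ_DAG_PERMS` sets in airflow/www/security.py (first hunk) have no comment saying that this split is what keeps read-only roles from receiving edit rights, so a later contributor could add a state-changing permission to the wrong set. I would add above them `# Per-DAG permissions are split so read-only roles (e.g. Viewer) can be granted READ_DAG_PERMS alone; every state-changing DAG permission belongs in WRITE_DAG_PERMS.` `DAG_PERMS` remains the union of the two, so references to it outside this hunk should be unaffected.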
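Review bot: In the second airflow/www/security.py hunk, removing `can_dag_edit` from the Viewer entry of `ROLE_CONFIGS` only changes what the configuration declares. Whether the permission is actually revoked from a Viewer role that already exists in the metadata database depends on the role-sync code, which is outside this hunk. If that sync only adds missing permissions, upgraded installations would keep edit rights on Viewer. It is worth confirming that the sync removes permissions that are no longer listed, and covering that with a test that starts from a Viewer role already holding `can_dag_edit`. The one-line UPDATING.md heading could also say what an operator has to run after upgrading for the restriction to take effect.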
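Review bot: In `login()` in tests/www/test_views.py, the corrected `find_role('Viewer')` lookup only matters when `test_viewer` is created, because the `if not test_viewer:` guard skips `add_user` for an account that already exists. If the test database is reused between runs (not visible here), a `test_viewer` created earlier keeps the `User` role and the viewer tests would silently run with edit rights. I would make the fixture fail loudly, for example `assert role_viewer is not None` after the lookup plus a check that an existing `test_viewer` actually holds that role. The body of `login()` starts and ends outside this hunk.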
@@ -1566,6 +1566,14 @@ def test_tree_view_for_viewer(self):
 resp = self.client.get(url, follow_redirects=True)
 self.check_content_in_response('runme_1', resp)
 
+ def test_refresh_failure_for_viewer(self):
+ # viewer role can't refresh
+ self.logout()
+ self.login(username='test_viewer',
+ password='test_viewer')
+ resp = self.client.get('refresh?dag_id=example_bash_operator')
+ self.check_content_in_response('Redirecting', resp, resp_code=302)
+
 
 class TestTaskInstanceView(TestBase):
 TI_ENDPOINT = '/taskinstance/list/?_flt_0_execution_date={}'
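Review bot: `test_refresh_failure_for_viewer` asserts only a 302 with 'Redirecting' in the body, which does not by itself show that the refresh was denied. A view that performs the action and then redirects would return the same response, so the test could pass even if Viewer kept edit rights. The assertion should pin the outcome, for example by checking `resp.headers['Location']` against the expected denial target, or by requesting with `follow_redirects=True` and checking for the access-denied message. A matching positive case for a role that does hold `can_dag_edit` would confirm the two outcomes are distinguishable. Only `refresh` is exercised here, so other state-changing DAG endpoints remain untested for the Viewer role.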