diff --git a/apps/emqx/test/emqx_common_test_http.erl b/apps/emqx/test/emqx_common_test_http.erl
index 1034e310f..83cf02019 100644
--- a/apps/emqx/test/emqx_common_test_http.erl
+++ b/apps/emqx/test/emqx_common_test_http.erl
@@ -17,7 +17,6 @@
 -module(emqx_common_test_http).
 -include_lib("common_test/include/ct.hrl").
--include_lib("emqx_dashboard/include/emqx_dashboard_rbac.hrl").
 -export([
     request_api/3,
@@ -34,6 +33,9 @@
 -define(DEFAULT_APP_ID, <<"default_appid">>).
 -define(DEFAULT_APP_SECRET, <<"default_app_secret">>).
+%% from emqx_dashboard/include/emqx_dashboard_rbac.hrl
+-define(ROLE_API_SUPERUSER, <<"api_administrator">>).
+
 request_api(Method, Url, Auth) ->
     request_api(Method, Url, [], Auth, []).
diff --git a/apps/emqx_dashboard/src/emqx_dashboard.erl b/apps/emqx_dashboard/src/emqx_dashboard.erl
index fbd801410..96ff3e167 100644
--- a/apps/emqx_dashboard/src/emqx_dashboard.erl
+++ b/apps/emqx_dashboard/src/emqx_dashboard.erl
@@ -212,7 +212,7 @@ listener_name(Protocol) ->
 -if(?EMQX_RELEASE_EDITION =/= ee).
 %% dialyzer complains about the `unauthorized_role' clause...
--dialyzer({no_match, [authorize/1]}).
+-dialyzer({no_match, [authorize/1, api_key_authorize/3]}).
 -endif.
 authorize(Req) ->
diff --git a/changes/ee/feat-11766.en.md b/changes/ee/feat-11766.en.md
new file mode 100644
index 000000000..80925c907
--- /dev/null
+++ b/changes/ee/feat-11766.en.md
@@ -0,0 +1,8 @@
+Implemented a preliminary Role-Based Access Control for the REST API.
+
+ In this version, there are three predefined roles:
+ - Administrator: This role could access all resources.
+
+ - Viewer: This role can only view resources and data, corresponding to all GET requests in the REST API.
+
+ - Publisher: This role is special for MQTT messages publish, it can only access publish-related endpoints.
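Review bot: The new `-define(ROLE_API_SUPERUSER, <<"api_administrator">>)` in the second hunk of emqx_common_test_http.erl is a hand copy of the value from the header the first hunk stops including, so a rename of the superuser role in emqx_dashboard_rbac.hrl would no longer fail this helper at compile time; the tests would keep creating API keys with a stale role name and any failure would surface only as an authorization error far from the cause. The one-line provenance comment does not say why the copy exists or that it must track the header. Suggest `%% Copied from emqx_dashboard/include/emqx_dashboard_rbac.hrl so apps/emqx tests do not depend on emqx_dashboard; keep in sync with ROLE_API_SUPERUSER there.`. A single assertion in an emqx_dashboard test that the role literal used by this helper still equals the header macro would catch the drift without reintroducing the dependency here.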
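Review bot: Extending the `no_match` suppression to `api_key_authorize/3` in the emqx_dashboard.erl hunk silences every unreachable-clause warning in that function for non-ee builds, not only the role clause the comment above it describes, so dialyzer would also stay quiet about a genuinely dead deny branch in API-key authorization introduced later. The comment still names only `authorize/1`'s `unauthorized_role` clause; presumably api_key_authorize/3 has the same clause, but its body is outside the hunk so I cannot confirm. Suggest updating the comment to `%% dialyzer complains about the `unauthorized_role' clauses (no RBAC outside ee)...` and, if the dead clause is the only reason, keeping the suppression list scoped to exactly those two functions rather than widening it further.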