diff --git a/superset/security/manager.py b/superset/security/manager.py
index 33cbc814d49..450265ccb98 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -330,6 +330,8 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
 ("menu_access", "SQL Editor"),
 ("menu_access", "Saved Queries"),
 ("menu_access", "Query Search"),
+ ("can_read", "SqlLabPermalinkRestApi"),
+ ("can_write", "SqlLabPermalinkRestApi"),
 }
 SQLLAB_EXTRA_PERMISSION_VIEWS = {
diff --git a/tests/integration_tests/security_tests.py b/tests/integration_tests/security_tests.py
index f148f9418e8..a89bb47af78 100644
--- a/tests/integration_tests/security_tests.py
+++ b/tests/integration_tests/security_tests.py
@@ -1488,6 +1488,8 @@ class TestRolePermission(SupersetTestCase):
 ("menu_access", "Saved Queries"),
 ("menu_access", "SQL Editor"),
 ("menu_access", "SQL Lab"),
+ ("can_read", "SqlLabPermalinkRestApi"),
+ ("can_write", "SqlLabPermalinkRestApi"),
 }
 self.assert_cannot_alpha(sql_lab_set)
diff --git a/tests/integration_tests/sql_lab/permalink/api_tests.py b/tests/integration_tests/sql_lab/permalink/api_tests.py
index 7d515b796f8..a67d78989f0 100644
--- a/tests/integration_tests/sql_lab/permalink/api_tests.py
+++ b/tests/integration_tests/sql_lab/permalink/api_tests.py
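Review bot: The two tuples added in `superset/security/manager.py`, `("can_read", "SqlLabPermalinkRestApi")` and `("can_write", "SqlLabPermalinkRestApi")`, let every holder of the SQL Lab permission set create and fetch permalinks, and nothing visible in this diff shows the GET path checking that the reader may use the database or schema recorded in the stored tab state. The new test in `api_tests.py` decodes the key into a `KeyValueEntry` id with a salt, which suggests the key is an encoding of a row id rather than a random token, so this role grant looks like the main gate on who can read another user's saved SQL text. Please confirm the handler either re-checks datasource access on read or that returning the SQL text to any SQL Lab user is intended. Either way, record it beside the new entries with a comment such as `# Permalink state (SQL text, db/schema) is readable by any SQL Lab user holding the key.` The set's opening line is outside the hunk, so its name and any existing comment are not visible here.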
@@ -58,6 +58,28 @@ def permalink_salt(app_context) -> Iterator[str]: db.session.commit() +def test_sqllab_user_can_access_shared_query( + tab_state_data: dict[str, Any], permalink_salt: str, test_client, login_as +): + login_as(GAMMA_SQLLAB_USERNAME) + + resp = test_client.post("api/v1/sqllab/permalink", json=tab_state_data) + assert resp.status_code == 201, "Failed to create permalink" + + data = resp.json + key = data["key"] + + resp = test_client.get(f"api/v1/sqllab/permalink/{key}") + assert resp.status_code == 200, "SQL Lab user access expected" + + result = json.loads(resp.data.decode("utf-8")) + assert result == tab_state_data, "Query data mismatch" + + id_ = decode_permalink_id(key, permalink_salt) + db.session.query(KeyValueEntry).filter_by(id=id_).delete() + db.session.commit() + + def test_post( tab_state_data: dict[str, Any], permalink_salt: str, test_client, login_as ):
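Review bot: `test_sqllab_user_can_access_shared_query` creates and reads the permalink as the same `GAMMA_SQLLAB_USERNAME` session, so it covers neither the cross-user sharing its name describes nor the denial path for a user who lacks the new permissions. For a change that widens a role, the negative case is the one that guards against regressions. Consider a companion test that logs in as a user without the SQL Lab role and asserts that `test_client.get(f"api/v1/sqllab/permalink/{key}")` is refused (presumably a 403, to be confirmed against the API's behaviour), plus a read from a second SQL Lab account. The `KeyValueEntry` cleanup at the end is also skipped whenever an earlier assertion fails, so moving it into a `try`/`finally` or a fixture would keep a failing run from leaving rows behind for later tests.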