In our clusters we don't allow any users to be Admin, so we use the Op, User and Viewer roles. It turns out that these roles are missing the can_dagrun_success and can_dagrun_failure permissions.
Fixing this for new installs is easy, but due to
AIRFLOW-3271 (https://github.com/apache/airflow/pull/4118) we won't alter the roles if they already exist, so having some mechanism for adding permissions to roles via migrations might be useful.
As a palyground I started working on https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 - I'm not sure if this is too complex or not. (It's also not a complete solution yet)