Advanced RBAC on Apache Superset: Role Design 2026

Design advanced RBAC on Apache Superset: business roles, fine permissions, separation of concerns.

9 May 2026 · Tuvalu Tech OÜ

Beyond the 5 native roles, Apache Superset allows building advanced RBAC with business roles, fine permissions, and separation of concerns. This guide explains how to design RBAC that scales for 100+ users in 2026.

1. Native role limits

Admin/Alpha/Gamma roles are insufficient at scale:

Too broad: Alpha gives too many rights to a business analyst;
Not business-oriented: no pre-made "Marketing" or "Finance" role;
Not hierarchical: everything is flat;
No dynamic RBAC per dataset.

If you want pre-designed RBAC, TVL Managed Superset offers business RBAC templates on Pro+ instances.

2. Recommended pattern

Mix technical roles and business roles:

Technical role	+ Business role
Gamma	+ Marketing → sees marketing datasets
Gamma	+ Finance → sees finance datasets
Alpha	+ Data Eng → all datasets
Admin	(no complement)

3. Create a "Marketing" business role

UI → Settings → List Roles → + Role;
Name: Marketing;
Permissions:
- can read on Database (warehouse);
- schema_access on marketing.*;
- datasource_access on ad-hoc datasets.
Save.

4. Available fine permissions

Permission	Effect
`can_read on Dashboard`	View dashboards
`can_write on Dashboard`	Create/edit dashboards
`can_export on Dashboard`	PDF/PNG export
`can_sql_json on Superset`	SQL Lab access
`database_access[mydb]`	Specific DB connection
`schema_access[mydb.public]`	Specific schema
`datasource_access[ds_id]`	Specific dataset
`menu_access on Settings`	Settings menu access

This configuration is applied by default on TVL Managed Superset, which follows community best practices.

5. Separation of concerns

Admin: 2-3 people max;
Data Engineering: creates datasets, models in dbt;
Data Analysts: creates charts/dashboards from ready datasets;
Business: consumes dashboards, can create simple slices.

6. RBAC on sensitive datasets

For HR, finance, salary data:

Separate datasets with restricted datasource_access;
RLS as complement (cf. RLS);
Audit log viewable only by compliance.

7. SSO mapping

Synchronize roles with the IdP:

AUTH_ROLES_MAPPING = {
    "ad_marketing": ["Gamma", "Marketing"],
    "ad_finance":   ["Gamma", "Finance"],
    "ad_data_eng":  ["Alpha", "Data Engineering"],
    "ad_admins":    ["Admin"],
}
AUTH_ROLES_SYNC_AT_LOGIN = True

8. Audit and governance

Quarterly review of assigned roles;
Auto deletion of inactive accounts > 90 days;
Audit log of role changes;
Documentation of RBAC rules in Confluence/Notion.

9. Common pitfalls

Too many roles (50+) → unmanageable;
Permissions accumulated over time without review;
Public role forgotten → leak;
RBAC without RLS → a user sees all tenants via SQL Lab;
No naming convention making mapping incomprehensible.

10. Conclusion

A well-designed Apache Superset RBAC combines technical roles (Admin/Alpha/Gamma) and business roles (Marketing/Finance/Sales) with automatic SSO mapping. At scale (100+ users), it's the only way to keep control without saturating admins.

Want the benefits of Apache Superset without the friction of installation and maintenance? Deploy your instance in 3 clicks with TVL Managed Superset, hosted in Europe (OVHcloud, Roubaix, France).

For more: roles and permissions, RLS, audit trail.