Apache Superset Roles and Permissions Explained 2026

Understand Admin, Alpha, Gamma, Public, Granter roles in Apache Superset. Permissions, SSO mapping, best practices.

9 May 2026 · Tuvalu Tech OÜ

Understanding the roles and permissions of Apache Superset is essential to build a secure and productive instance. The system is based on Flask-AppBuilder (FAB) and offers great flexibility, provided you properly identify native roles and their respective rights. This guide untangles everything in 2026.

1. The 5 native roles

Role	Level	Use case
Admin	Full power	Superset administrators
Alpha	Dataset and dashboard creation	Data analysts, data engineers
Gamma	Read + create slices/dashboards limited to authorized datasets	Business users
Public	Anonymous, no login	Public dashboards (use with caution)
Granter	Can grant permissions on databases they own	Database owners

If you want an instance with pre-configured roles, TVL Managed Superset offers role templates for multi-tenant SaaS.

2. Admin details

Admin has all rights:

Create/delete users and roles;
Configure databases;
Create/modify/delete datasets, charts, dashboards;
Access SQL Lab;
View logs.

Limit to 2-3 people maximum in an organization.

3. Alpha details

Alpha can:

Create datasets on databases they have access to;
Create charts and dashboards;
Access SQL Lab;
Modify datasets they own.

But cannot create users or configure databases.

4. Gamma details

Gamma is the role for business users:

View datasets, charts, dashboards they explicitly have access to;
Create charts from these datasets;
No SQL Lab access by default;
No modification of datasets.

The most-used role in practice. Important: a Gamma without an assigned dataset sees nothing — this is by design.

5. The Public role (use with caution)

Activatable via PUBLIC_ROLE_LIKE = "Gamma" in superset_config.py, it allows anonymous access to public dashboards. NEVER activate if dashboards contain sensitive data. See Superset public dashboards.

6. Create a custom role

UI → Settings → List Roles → + Role;
Name (e.g., SalesFR);
Select individual permissions:
- can_read on Dashboard, Chart, Dataset;
- menu_access on necessary screens;
- database_access on relevant databases;
- schema_access on schemas (Postgres / BigQuery).
Save.

This configuration is applied by default on TVL Managed Superset, which follows community best practices.

7. Role mapping via SSO OIDC

AUTH_ROLES_MAPPING = {
    "superset_admin":   ["Admin"],
    "superset_alpha":   ["Alpha"],
    "superset_sales":   ["Gamma", "SalesFR"],
    "superset_finance": ["Gamma", "Finance"],
}
AUTH_ROLES_SYNC_AT_LOGIN = True

See SSO OIDC for full configuration.

8. Permissions per database and per schema

Beyond roles, control:

database_access[mydb]: access to a connected database;
schema_access[mydb.public]: access to a specific schema;
datasource_access[mydb.public.orders]: access to a specific dataset.

9. Common pitfalls

Gamma without explicit permissions: sees nothing, doesn't know why;
Too many Admins: compromises security;
Public enabled without isolation: massive leak;
Forgotten Role Public Like Gamma: all visitors see everything;
Roles not reviewed after 6 months: accumulated permissions.

10. Best practices

2 to 3 Admins maximum, auditable access;
Mandatory SSO in production;
RLS as complement for multi-tenant (see RLS);
Explicit business roles: Marketing, Finance, Sales rather than technical roles;
Quarterly review of roles and permissions.

11. Conclusion

Apache Superset's role system is powerful and flexible but requires a few hours to master. Once well configured, it secures and industrializes access, especially when coupled with SSO and RLS.

Want the benefits of Apache Superset without the friction of installation and maintenance? Deploy your instance in 3 clicks with TVL Managed Superset, hosted in Europe (OVHcloud, Roubaix, France).

For more: Row Level Security, SSO OIDC, security hardening.