TVL Managed Superset

Manage Users and Teams in Superset 2026

Apache Superset user management: provisioning, invitations, teams, deprovisioning, audit.

Managing users and teams in Apache Superset at scale requires clear processes for provisioning, permission updates, deprovisioning, and audit. This guide details the best practices for 2026.

1. Superset user model

  • Account: username, email, first name, last name;
  • Roles: a user can accumulate multiple roles;
  • Groups via SSO (mapped to roles);
  • Activity: last_login, dashboards viewed.

If you want automatic provisioning, TVL Managed Superset Pro+ offers SCIM auto-provisioning from the IdP.

2. Manual creation

  1. UI → Settings → List Users → + User;
  2. Username, email, first name, last name;
  3. Assign one or more roles;
  4. Password (if no SSO).

3. Automatic creation via SSO

With AUTH_USER_REGISTRATION = True, a user is created automatically on their first login:

AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Gamma"
AUTH_ROLES_SYNC_AT_LOGIN = True

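Combined with AUTH_ROLES_MAPPING, AUTH_ROLES_SYNC_AT_LOGIN = True recomputes a user's roles from their IdP groups at each login, so role changes made by hand in Superset do not persist for SSO users.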

4. Bulk provisioning via API

curl -X POST https://superset.example.com/api/v1/security/users/ \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "alice.smith",
    "email": "alice@example.com",
    "first_name": "Alice",
    "last_name": "Smith",
    "roles": [3, 5]
  }'

5. Team concept

Superset has no native "team" concept; teams are emulated with business roles. Examples:

  • Role Marketing: sees marketing datasets;
  • Role Sales: sees sales datasets;
  • Role Finance: sees finance datasets.

See advanced RBAC for the design.

This configuration is applied by default on TVL Managed Superset, which follows community best practices.

6. Deprovisioning

When a user leaves the organization:

  1. Disable the account on the IdP side (SSO refuses the login → user blocked);
  2. Optional: delete the user from Superset via UI or CLI;
  3. Reassign the dashboards owned by this user to a service account;
  4. Log the event in the audit trail.

SCIM (System for Cross-domain Identity Management) automates this flow from Okta/Azure.

7. CLI

# List users
superset fab list-users

# Create an admin
superset fab create-admin --username alice --email alice@... ...

# Reset password
superset fab reset-password --username alice

# Delete
superset fab delete-user --username alice

8. User audit

  • List of inactive accounts > 90 days;
  • Accounts with Admin role (quarterly review);
  • Recent login failures;
  • Per-user activity (dashboards viewed).
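
One way to run the first three checks offline, as an added example (not code from Superset or TVL). The records are constructed sample data, the field names active, last_login and fail_login_count follow Flask-AppBuilder's user model, and the threshold of 5 failed logins is an assumption.

```python
from datetime import datetime, timedelta

INACTIVE_AFTER = timedelta(days=90)  # threshold used in this guide
FAILED_LOGINS = 5                    # assumed alert threshold, not from the guide

# Constructed sample export. Field names (active, last_login, fail_login_count)
# follow Flask-AppBuilder's user model; how you export them is up to you.
USERS = [
    {"username": "alice.smith", "roles": ["Marketing"], "active": True,
     "last_login": "2026-05-28T09:12:00", "fail_login_count": 0},
    {"username": "bob.jones", "roles": ["Admin"], "active": True,
     "last_login": "2026-01-10T14:03:00", "fail_login_count": 1},
    {"username": "carol.wu", "roles": ["Sales", "Admin"], "active": False,
     "last_login": "2025-11-02T08:00:00", "fail_login_count": 0},
    {"username": "dave.api", "roles": ["Finance"], "active": True,
     "last_login": None, "fail_login_count": 7},
]


def audit_users(users, now):
    """Return {finding: [usernames]} for the checks listed in this section."""
    report = {"inactive": [], "never_logged_in": [], "admins": [],
              "login_failures": []}
    for user in users:
        name = user["username"]
        # Admin review covers disabled accounts too: re-enabling restores the role.
        if "Admin" in user["roles"]:
            report["admins"].append(name)
        if not user["active"]:
            continue  # already disabled, nothing left to deactivate
        if user["last_login"] is None:
            # Provisioned (e.g. in bulk) but never used: no date to compare.
            report["never_logged_in"].append(name)
        elif now - datetime.fromisoformat(user["last_login"]) > INACTIVE_AFTER:
            report["inactive"].append(name)
        if user["fail_login_count"] >= FAILED_LOGINS:
            report["login_failures"].append(name)
    return report


if __name__ == "__main__":
    for finding, names in audit_users(USERS, datetime(2026, 6, 1)).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Accounts that were provisioned but never logged in have no last_login to compare, so they are reported separately instead of being silently skipped by the 90-day check.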

9. Best practices

  • Mandatory SSO in production;
  • Automatic provisioning via SCIM or SSO mapping;
  • Quarterly review of permissions;
  • Automatic deletion of accounts inactive for more than 90 days;
  • Business roles clearly named.

10. Conclusion

Managing Superset users at scale relies on automation via SSO and respect for the principle of least privilege. At 100+ users, manual management becomes unmanageable. Setting up SSO + SSO mapping + quarterly review is a near-mandatory investment.

For more: roles and permissions, SSO OIDC, advanced RBAC.