feat: introduce Subject model and entity editors/viewers

[villebro]

SUMMARY

This PR introduces a new Subject model, which can represent either a User, Group or Role, and replaces the owners property on models with a new editors property. In addition, a new feature flag ENABLE_VIEWERS is introduced, which makes it possible to expose dashboards or charts to explicit subjects, similarly to how the DASHBOARD_RBAC feature works. To complement this, a new config flag VIEWER_PROMISCUOUS_MODE is introduced (disabled by default), which makes it possible to bypass regular datasource RBAC, similar to how DASHBOARD_RBAC previously worked.

As the new ENABLE_VIEWERS FF and VIEWER_PROMISCUOUS_MODE config flags are a superset of DASHBOARD_RBAC, DASHBOARD_RBAC is deprecated and set for removal in the next major version.

To avoid introducing a breaking change, the owners property will be present on APIs, and will function as a partial and deprecated representation of the editors property. In the next major version, the owners property is completely removed.

Motivation

The current access model ties ownership and edit permissions directly to individual users via the owners relationship. The DASHBOARD_RBAC feature flag added role-based dashboard access but as a separate, parallel system. This PR unifies both into a single model where editors (who can modify) and viewers (who can see) are expressed as subjects — any combination of users, roles, and groups.

Data Model

A new subjects table stores unified references to FAB users, roles, and groups:

Field	Description
label	Primary display name ("Alice Smith", "Alpha", "Data Engineering")
secondary_label	Secondary detail (email for users, group name for groups, null for roles)
type	1=User, 2=Role, 3=Group
user_id / role_id / group_id	FK to the source FAB model

Junction tables (dashboard_editors, dashboard_viewers, chart_editors, chart_viewers, sqlatable_editors, report_schedule_editors) link subjects to resources.

An explicit table is introduced to ensure maximum performance/minimal latency on related model queries, as they would otherwise need to query over a triple union covering user, role and group tables.

Legacy Table Removal

The migration drops the following legacy junction tables after seeding the new editor/viewer tables:

Dropped table	Seeded from
dashboard_user	dashboard_editors (user-type)
slice_user	chart_editors (user-type)
sqlatable_user	sqlatable_editors (user-type)
report_schedule_user	report_schedule_editors (user-type)
dashboard_roles	dashboard_viewers (role-type)
rls_filter_roles	rls_filter_subjects (role-type)

On downgrade, all tables are recreated and repopulated from the editor/viewer/subject tables.

The owners and roles properties on models are now computed @property methods that derive their values from editors and viewers/subjects respectively.

Backwards Compatibility

• owners still works: Setting owners in API payloads propagates into editors — existing integrations and scripts continue to function without changes
• DASHBOARD_RBAC auto-migrates: When enabled, it sets ENABLE_VIEWERS + VIEWER_PROMISCUOUS_MODE for backwards compatibility. The flag is no longer referenced in frontend code.
• Migration seeds from existing data: All existing owners are converted to user-type editor subjects; dashboard_roles entries become viewer subjects
• All response schemas include both owners and editors: Consumers can migrate at their own pace

Feature Flags

Flag	Purpose
ENABLE_VIEWERS	Gates the viewers dropdown and viewer-based access filtering. When off, only editors are used (replacing owners).

New config flags

Flag	Purpose
VIEWER_PROMISCUOUS_MODE	When set to true, viewers can access datasources without explicit dataset permissions (mirrors old DASHBOARD_RBAC behavior)
SUBJECTS_RELATED_TYPES	Global config list controlling which subject types appear in pickers (default: all types)
SUBJECTS_RELATED_TYPES_DASHBOARDS	Per-entity override for dashboard editor/viewer pickers (intersected with global)
SUBJECTS_RELATED_TYPES_CHARTS	Per-entity override for chart editor/viewer pickers (intersected with global)
SUBJECTS_RELATED_TYPES_RLS	Per-entity override for RLS subject picker (intersected with global)
SUBJECTS_RELATED_TYPES_ALERT_REPORTS	Per-entity override for alert/report editor picker (intersected with global)
EXTRA_RELATED_QUERY_FILTERS	Extended with group key alongside existing user and role keys for custom group filtering, especially in multi-tenant deployments

Documentation

• Alerts & Reports docs: Updated executor description to reference user-type editors instead of owners
• Caching docs: Added paragraph explaining ExecutorType.OWNER renders as the primary user-type editor (Role/Group editors aren't valid executors). This should also be renamed in the next major version.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

With this change, the dashboard, chart and dataset list views have Editors instead of Owners (notice the new SubjectPile component, that has a square avatar for Roles and hexagon for Groups):

When the feature flag ENABLE_VIEWERS is enabled, a Viewers column appears on Dashboard and Chart list views:

The Editors and Viewers sections on the Access tab on the Properties modal. Notice the description for the optional Viewers section, which is similar to that which DASHBOARD_RBAC had:

The Subject dropdown features Users, Groups and Roles:

When a user has been granted access to a dashboard, either directly or indirectly via a Role or Group, and VIEWER_PROMISCUOUS_MODE is not enabled, and they don't have dataset access, they will see this error:

However, when VIEWER_PROMISCUOUS_MODE = True, the dashboard renders correctly:

As Row Level Security also now uses Subjects, you can now also assign filters to Users or Groups:

Similarly, Alerts & Reports also uses Subjects:

TESTING INSTRUCTIONS

1. Run migration: superset db upgrade
2. Verify subjects table is populated: SELECT type, COUNT(*) FROM subjects GROUP BY type (should show users, roles, and groups)
3. Dashboard properties modal → Access section shows Editors picker (and Viewers if ENABLE_VIEWERS is on)
4. Add/remove editors → save → verify persistence
5. Non-editor cannot edit dashboard; admin always can
6. Chart properties modal → Editors picker present
7. Explore Save modal → Only dashboards the user is an editor of appear in the dashboard picker
8. Dashboard list → Editors column with avatar face pile
9. Enable ENABLE_VIEWERS → Viewers dropdown appears; viewer-only users can see published dashboards but not edit
10. Guest token access → verify owners/editors/viewers are stripped from API responses
11. RLS with subjects:
    • Create RLS rule via UI → Subjects picker shows users, roles, and groups
    • Assign rule to a user subject → verify filter applies for that user
    • Assign rule to a role subject → verify filter applies for users with that role
    • Base filter type: verify non-matching subjects get the base filter applied
12. RLS backwards compat: Create RLS rule via API with roles: [1, 2] → verify the rule is created with role-type subjects; GET the rule → both roles and subjects appear in response
13. Subject sync from UI:
    • Edit a user's first/last name → verify the corresponding Subject label updates
    • Create a new user → verify a Subject row is created
    • Rename a role → verify the Subject label updates
    • Create/rename a group → verify Subject sync
    • Delete a user/role/group → verify the Subject row is removed
14. Per-entity subject type filtering:
    • Set SUBJECTS_RELATED_TYPES = [1, 3] and SUBJECTS_RELATED_TYPES_RLS = [3]
    • Dashboard editors picker shows users + groups; RLS subjects picker shows only groups
    • Unset both → all types appear everywhere

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.50%. Comparing base (de40b58) to head (139eda3).

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #38831      +/-   ##
==========================================
+ Coverage   64.42%   64.50%   +0.08%     
==========================================
  Files        2553     2558       +5     
  Lines      132588   132810     +222     
  Branches    30758    30638     -120     
==========================================
+ Hits        85416    85668     +252     
+ Misses      45686    45660      -26     
+ Partials     1486     1482       -4     

Flag	Coverage Δ
superset-extensions-cli	90.82% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[netlify]

✅ Deploy Preview for superset-docs-preview ready!

Name	Link
🔨 Latest commit	139eda3
🔍 Latest deploy log	https://app.netlify.com/projects/superset-docs-preview/deploys/69d97fae83688c00087d0d2e
😎 Deploy Preview	https://deploy-preview-38831--superset-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.