RBAC DB migration

[thabofletcher]

Ticket: N/A - Internal infrastructure for RBAC system

Description Of Changes

Adds database migrations and SQLAlchemy models to support the new dynamic Role-Based Access Control (RBAC) system. This creates the foundational database schema that enables:

• Dynamic Roles: Create, modify, and delete roles at runtime (vs. hardcoded roles)
• Fine-grained Permissions: Map permissions to roles with granular control
• Role Hierarchy: Parent-child role relationships for permission inheritance
• Resource Scoping: Assign roles with optional resource-level restrictions
• Temporal Validity: Time-bounded role assignments (valid_from/valid_until)
• Separation of Duties: Constraints preventing conflicting role combinations

Important: These migrations only CREATE new tables - no existing tables are modified.

Code Changes

New Database Tables (5):

• rbac_role - Dynamic role definitions with hierarchy support
• rbac_permission - Permission definitions (seeded from SCOPE_REGISTRY)
• rbac_role_permission - Role to permission mapping (many-to-many)
• rbac_user_role - User role assignments with resource scoping + temporal validity
• rbac_role_constraint - Separation of duties constraints

Migrations (3):

1. d9ee4ea46797_add_rbac_tables.py - Creates all 5 RBAC tables with indexes
2. f5f526cbc35a_seed_rbac_defaults.py - Seeds permissions from SCOPE_REGISTRY and creates system roles
3. 9f6555f12ad1_add_rbac_management_scopes.py - Adds RBAC management scopes (idempotent)

SQLAlchemy Models:

• src/fides/api/models/rbac/ - New model package with all RBAC entities
• Updated sql_models.py to import RBAC models

Steps to Confirm

1. Run migrations: alembic upgrade head
2. Verify tables created: \dt rbac_* in psql
3. Verify permissions seeded: SELECT COUNT(*) FROM rbac_permission; (should be ~135)
4. Verify roles seeded: SELECT * FROM rbac_role; (should have 7 system roles)
5. Test downgrade: alembic downgrade -1 (repeat 3x), verify tables removed

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Feb 6, 2026 9:07pm
fides-privacy-center	Ignored		Feb 6, 2026 9:07pm

[greptile-apps]

Greptile Overview

Greptile Summary

This PR introduces the initial database schema and ORM models for a dynamic RBAC system, including Alembic migrations to create RBAC tables and seed permissions/roles, plus unit tests covering basic model behavior (roles, permissions, assignments, and constraints). The RBAC models are wired into the existing SQLAlchemy model registry via src/fides/api/models/sql_models.py.

Key issues to address before merging:

• The first RBAC migration’s revision metadata appears inconsistent (Revises in the docstring does not match down_revision), which can create an unintended branch in the Alembic graph.
• The ORM definition of rbac_role_permission does not match the table created by migrations (PK/id-column mismatch). This is likely to cause runtime failures when the ORM interacts with the real table.

After those are fixed, consider aligning server_default usage (SQL expressions vs strings) and making time-dependent tests deterministic.

Confidence Score: 2/5

• Not safe to merge until migration graph and ORM/schema mismatches are resolved.
• Score is low because there are two likely runtime-breaking issues: (1) Alembic down_revision mismatch can create multiple heads/incorrect ordering, and (2) rbac_role_permission ORM mapping does not match the table created/seeded by migrations. The remaining items are consistency/flakiness concerns.
• src/fides/api/alembic/migrations/versions/xx_2026_01_31_1000_d9ee4ea46797_add_rbac_tables.py and src/fides/api/models/rbac/rbac_role_permission.py (plus migrations that insert into rbac_role_permission).

Important Files Changed

Filename	Overview
changelog/7285.yaml	Adds a changelog entry for the RBAC DB migration work.
src/fides/api/alembic/migrations/versions/xx_2026_01_31_1000_d9ee4ea46797_add_rbac_tables.py	Creates 5 RBAC tables; migration header Revises docstring does not match down_revision, and uses string server_default literals.
src/fides/api/alembic/migrations/versions/xx_2026_01_31_1100_f5f526cbc35a_seed_rbac_defaults.py	Seeds RBAC permissions/roles and role-permission mappings; inserts into rbac_role_permission by id and defines a helper inside upgrade().
src/fides/api/alembic/migrations/versions/xx_2026_02_01_0900_9f6555f12ad1_add_rbac_management_scopes.py	Adds RBAC management scopes and assigns them to Owner; inserts into rbac_role_permission by id which conflicts with the ORM model PK definition.
src/fides/api/alembic/migrations/versions/xx_2026_02_01_1000_a8b9c0d1e2f3_seed_fidesplus_scopes.py	Seeds fidesplus scopes and assigns to roles; also inserts into rbac_role_permission by id.
src/fides/api/models/rbac/init.py	Exports RBAC model classes for package import.
src/fides/api/models/rbac/rbac_permission.py	Defines RBACPermission model with relationship to roles via rbac_role_permission.
src/fides/api/models/rbac/rbac_role.py	Defines RBACRole model with hierarchy and permission aggregation helpers.
src/fides/api/models/rbac/rbac_role_constraint.py	Defines RBACRoleConstraint model and helper methods for constraint type checks.
src/fides/api/models/rbac/rbac_role_permission.py	Defines RBACRolePermission junction model with composite PK, but migrations create an id PK column (schema mismatch).
src/fides/api/models/rbac/rbac_user_role.py	Defines RBACUserRole assignment model; valid_from uses server_default="now()" as a string rather than a SQL expression.
src/fides/api/models/sql_models.py	Imports RBAC models and adds them to sql_model_map.
tests/api/models/test_rbac.py	Adds unit tests for RBAC models; time-based assertions could be made deterministic with freezegun.

[greptile-apps]

_{13 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}