cube-js · ovr · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
diff --git a/DEPRECATION.md b/DEPRECATION.md
@@ -68,7 +68,7 @@ features:
 | Deprecated | [Node.js 20](#nodejs-20)                                                                                                          | v1.3.0    |           |
 | Deprecated | [`renewQuery` parameter of the `/v1/load` endpoint](#renewquery-parameter-of-the-v1load-endpoint)                                 | v1.3.73   |           |
 | Removed    | [Elasticsearch driver](#elasticsearch-driver)                                                                                     | v1.6.0     | v1.7.0    |
-| Deprecated | [`context_to_roles`](#context-to-roles)                                                                                           | v1.6.4     |           |
+| Removed    | [`context_to_roles`](#context-to-roles)                                                                                           | v1.6.4     | v1.7.0    |
 
 ### Node.js 8
 
@@ -439,5 +439,7 @@ The Elasticsearch driver has been removed.
 
 **Deprecated in Release: v1.6.4**
 
-The `context_to_roles` configuration option is deprecated and will be removed in a future
-release. Please use `context_to_groups` instead.
+**Removed in Release: v1.7.0**
+
+The `context_to_roles` configuration option has been removed. Please use `context_to_groups` instead.
+
@@ -773,7 +773,6 @@ cube(`orders`, {
 [ref-mls-public]: /docs/data-modeling/access-control/member-level-security#managing-member-level-access
 [ref-sec-ctx]: /docs/data-modeling/access-control/context
 [ref-ref-dap]: /reference/data-modeling/data-access-policies
-[ref-ref-dap-role]: /reference/data-modeling/data-access-policies#role
 [ref-ref-dap-masking]: /reference/data-modeling/data-access-policies#member-masking
 [ref-ref-mask-dim]: /reference/data-modeling/dimensions#mask
 [ref-core-data-apis]: /reference/core-data-apis
@@ -1515,40 +1515,6 @@ Usually used for [multitenancy][ref-multitenancy].
 If not defined, Cube will lookup for environment variable
 [`CUBEJS_DB_TYPE`](/reference/configuration/environment-variables#cubejs_db_type) to resolve the data source type.
 
-### `context_to_roles`
-
-<Warning>
-
-`context_to_roles` is deprecated and will be removed in a future release.
-Use [`context_to_groups`](#context_to_groups) instead.
-
-</Warning>
-
-Used by [access policies][ref-dap]. This option is used to derive a list of
-[data access roles][ref-dap-roles] from the [security context][ref-sec-ctx].
-
-<CodeGroup>
-
-```python title="Python"
-from cube import config
-
-@config('context_to_roles')
-def context_to_roles(ctx: dict) -> list[str]:
-  return ctx['securityContext'].get('roles', ['default'])
-```
-
-```javascript title="JavaScript"
-
-module.exports = {
-  contextToRoles: ({ securityContext }) => {
-    return securityContext.roles || ['default']
-  }
-}
-```
-
-</CodeGroup>
-
-
 [gh-jsonwebtoken-algs]:
   https://github.com/auth0/node-jsonwebtoken#algorithms-supported
 [link-express-cors-opts]:

diff --git a/docs/content/product/auth/data-access-policies.mdx b/docs/content/product/auth/data-access-policies.mdx
@@ -569,7 +569,6 @@ cube(`orders`, {
 [ref-mls-public]: /product/auth/member-level-security#managing-member-level-access
 [ref-sec-ctx]: /product/auth/context
 [ref-ref-dap]: /product/data-modeling/reference/data-access-policies
-[ref-ref-dap-role]: /product/data-modeling/reference/data-access-policies#role
 [ref-ref-dap-masking]: /product/data-modeling/reference/data-access-policies#member-masking
 [ref-ref-mask-dim]: /product/data-modeling/reference/dimensions#mask
 [ref-core-data-apis]: /product/apis-integrations/core-data-apis
diff --git a/docs/content/product/configuration/reference/config.mdx b/docs/content/product/configuration/reference/config.mdx
@@ -1474,40 +1474,6 @@ Usually used for [multitenancy][ref-multitenancy].
 If not defined, Cube will lookup for environment variable
 <EnvVar>CUBEJS_DB_TYPE</EnvVar> to resolve the data source type.
 
-### `context_to_roles`
-
-<WarningBox>
-
-`context_to_roles` is deprecated and will be removed in a future release.
-Use [`context_to_groups`](#context_to_groups) instead.
-
-</WarningBox>
-
-Used by [access policies][ref-dap]. This option is used to derive a list of
-[data access roles][ref-dap-roles] from the [security context][ref-sec-ctx].
-
-<CodeTabs>
-
-```python
-from cube import config
-
-@config('context_to_roles')
-def context_to_roles(ctx: dict) -> list[str]:
-  return ctx['securityContext'].get('roles', ['default'])
-```
-
-```javascript
-
-module.exports = {
-  contextToRoles: ({ securityContext }) => {
-    return securityContext.roles || ['default']
-  }
-}
-```
-
-</CodeTabs>
-
-
 [gh-jsonwebtoken-algs]:
   https://github.com/auth0/node-jsonwebtoken#algorithms-supported
 [link-express-cors-opts]:

@@ -95,14 +95,6 @@ async def logger(msg, params):
     pass
 
 
-@config
-async def context_to_roles(ctx):
-    # Removed print statements for benchmarking
-    return [
-        "admin",
-    ]
-
-
 @config
 async def context_to_groups(ctx):
     # Removed print statements for benchmarking

@@ -95,14 +95,6 @@ def logger(msg, params):
     pass
 
 
-@config
-def context_to_roles(ctx):
-    # Removed print statements for benchmarking
-    return [
-        "admin",
-    ]
-
-
 @config
 def context_to_groups(ctx):
     # Removed print statements for benchmarking

@@ -535,7 +535,6 @@ export interface PyConfiguration {
   contextToApiScopes?: () => Promise<string[]>
   scheduledRefreshContexts?: (ctx: unknown) => Promise<string[]>
   scheduledRefreshTimeZones?: (ctx: unknown) => Promise<string[]>
-  contextToRoles?: (ctx: unknown) => Promise<string[]>
   contextToGroups?: (ctx: unknown) => Promise<string[]>
 }
 

@@ -77,7 +77,6 @@ class Configuration:
     semantic_layer_sync: Union[Dict, Callable[[], Dict]]
     pre_aggregations_schema: Union[Callable[[RequestContext], str], str]
     orchestrator_options: Union[Dict, Callable[[RequestContext], Dict]]
-    context_to_roles: Callable[[RequestContext], list[str]]
     context_to_groups: Callable[[RequestContext], list[str]]
     fast_reload: bool
 
@@ -128,7 +127,6 @@ def __init__(self):
         self.semantic_layer_sync = None
         self.pre_aggregations_schema = None
         self.orchestrator_options = None
-        self.context_to_roles = None
         self.context_to_groups = None
         self.fast_reload = None
 

@@ -51,7 +51,6 @@ impl CubeConfigPy {
             "context_to_app_id",
             "context_to_orchestrator_id",
             "context_to_cube_store_router_id",
-            "context_to_roles",
             "context_to_groups",
             "db_type",
             "driver_factory",

@@ -99,15 +99,6 @@ def logger(msg, params):
     print("[python] logger msg", msg, "params=", params)
 
 
-@config
-def context_to_roles(ctx):
-    print("[python] context_to_roles", ctx)
-
-    return [
-        "admin",
-    ]
-
-
 @config
 def context_to_groups(ctx):
     print("[python] context_to_groups", ctx)

@@ -79,12 +79,6 @@ def logger(msg, params):
 
 settings.logger = logger
 
-def context_to_roles(ctx):
-    print('[python] context_to_roles', ctx)
-    return ['admin']
-
-settings.context_to_roles = context_to_roles
-
 def context_to_groups(ctx):
     print('[python] context_to_groups', ctx)
     return ['dev', 'analytics']

@@ -68,7 +68,6 @@ suite('Python Config', () => {
       queryRewrite: expect.any(Function),
       repositoryFactory: expect.any(Function),
       schemaVersion: expect.any(Function),
-      contextToRoles: expect.any(Function),
       contextToGroups: expect.any(Function),
       scheduledRefreshContexts: expect.any(Function),
       scheduledRefreshTimeZones: expect.any(Function),
@@ -92,14 +91,6 @@ suite('Python Config', () => {
     });
   });
 
-  test('context_to_roles', async () => {
-    if (!config.contextToRoles) {
-      throw new Error('contextToRoles was not defined in config.py');
-    }
-
-    expect(await config.contextToRoles({})).toEqual(['admin']);
-  });
-
   test('context_to_groups', async () => {
     if (!config.contextToGroups) {
       throw new Error('contextToGroups was not defined in config.py');
@@ -251,7 +242,6 @@ darwinSuite('Old Python Config', () => {
       queryRewrite: expect.any(Function),
       repositoryFactory: expect.any(Function),
       schemaVersion: expect.any(Function),
-      contextToRoles: expect.any(Function),
       contextToGroups: expect.any(Function),
       scheduledRefreshContexts: expect.any(Function),
       scheduledRefreshTimeZones: expect.any(Function),

@@ -125,7 +125,6 @@ export type Filter =
     };
 
 export type AccessPolicyDefinition = {
-  role?: string;
   group?: string;
   groups?: string[];
   rowLevel?: {

@@ -1130,8 +1130,7 @@ const RowLevelPolicySchema = Joi.object().keys({
   allowAll: Joi.boolean().valid(true).strict(),
 }).xor('filters', 'allowAll');
 
-const RolePolicySchema = Joi.object().keys({
-  role: Joi.string(),
+const GroupPolicySchema = Joi.object().keys({
   group: Joi.string(),
   groups: Joi.array().items(Joi.string()),
   memberLevel: MemberLevelPolicySchema,
@@ -1142,9 +1141,7 @@ const RolePolicySchema = Joi.object().keys({
   })),
 })
   .nand('group', 'groups') // Cannot have both group and groups
-  .nand('role', 'group') // Cannot have both role and group
-  .nand('role', 'groups') // Cannot have both role and groups
-  .or('role', 'group', 'groups') // Must have at least one
+  .or('group', 'groups') // Must have at least one
   .with('memberMasking', 'memberLevel'); // memberMasking requires memberLevel
 
 /* *****************************
@@ -1199,7 +1196,7 @@ const baseSchema = {
   dimensions: DimensionsSchema,
   segments: SegmentsSchema,
   preAggregations: PreAggregationsAlternatives,
-  accessPolicy: Joi.array().items(RolePolicySchema.required()),
+  accessPolicy: Joi.array().items(GroupPolicySchema.required()),
   hierarchies: hierarchySchema,
 };